Mock InitDrbdHelper's output in unittests

[ganeti-github.git] / NEWS

News
====


Version 2.15.2
--------------

*(Released Wed, 16 Dec 2015)*

Important changes and security notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS
implementation is vulnerable to DoS attacks via client-initiated SSL
parameter renegotiation. While the interface is not meant to be exposed
publicly, due to the fact that it binds to all interfaces, we believe
some users might be exposing it unintentionally and are vulnerable. A
DoS attack can consume resources meant for Ganeti daemons and instances
running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing
functionality needed to disable client-side renegotiation. Instead, we
offer instructions on how to control RAPI's exposure, along with info
on how RAPI can be setup alongside an HTTPS proxy in case users still
want or need to expose the RAPI interface. The instructions are
outlined in Ganeti's security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job
results after an instance information job reveals the secret. With the
DRBD secret, access to the local cluster network, and ARP poisoning,
an attacker can impersonate a Ganeti node and clone the disks of a
DRBD-based instance. While an attacker with access to the cluster
network is already capable of accessing any data written as DRBD
traffic is unencrypted, having the secret expedites the process and
allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed
via the RAPI. The DRBD secret can be changed by converting an instance
to plain and back to DRBD, generating a new secret, but redundancy will
be lost until the process completes.
Since attackers with node access are capable of accessing some and
potentially all data even without the secret, we do not recommend that
the secret be changed for existing instances.

Minor changes
~~~~~~~~~~~~~

- Allow disk aittachment to diskless instances
- Reduce memory footprint: Compute lock allocation strictly
- Calculate correct affected nodes set in InstanceChangeGroup
  (Issue 1144)
- Reduce memory footprint: Don't keep input for error messages
- Use bulk-adding of keys in renew-crypto
- Reduce memory footprint: Send answers strictly
- Reduce memory footprint: Store keys as ByteStrings
- Reduce memory footprint: Encode UUIDs as ByteStrings
- Do not retry all requests after connection timeouts to prevent
  repeated job submission
- Fix reason trails of expanding opcodes
- Make lockConfig call retryable
- Extend timeout for gnt-cluster renew-crypto
- Return the correct error code in the post-upgrade script
- Make OpenSSL refrain from DH altogether
- Fix faulty iallocator type check
- Improve cfgupgrade output in case of errors
- Fix upgrades of instances with missing creation time
- Support force option for deactivate disks on RAPI
- Make htools tolerate missing "dtotal" and "dfree" on luxi
- Fix default for --default-iallocator-params
- Renew-crypto: stop daemons on master node first
- Don't warn about broken SSH setup of offline nodes (Issue 1131)
- Fix computation in network blocks
- At IAlloc backend guess state from admin state
- Set node tags in iallocator htools backend
- Only search for Python-2 interpreters
- Handle Xen 4.3 states better
- Improve xl socat migrations


Version 2.15.1
--------------

*(Released Mon, 7 Sep 2015)*

New features
~~~~~~~~~~~~

- The ext template now allows userspace-only disks to be used

Bugfixes
~~~~~~~~

- Fixed the silently broken 'gnt-instance replace-disks --ignore-ipolicy'
  command.
- User shutdown reporting can now be disabled on Xen using the
  '--user-shutdown' flag.
- Remove falsely reported communication NIC error messages on instance start.
- Fix 'gnt-node migrate' behavior when no instances are present on a node.
- Fix the multi-allocation functionality for non-DRBD instances.


Version 2.15.0
--------------

*(Released Wed, 29 Jul 2015)*

Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- In order to improve allocation efficiency when using DRBD, the cluster
  metric now takes the total reserved memory into account. A consequence
  of this change is that the best possible cluster metric is no longer 0.
  htools(1) interprets minimal cluster scores to be offsets of the theoretical
  lower bound, so only users interpreting the cluster score directly should
  be affected.
- This release contains a fix for the problem that different encodings in
  SSL certificates can break RPC communication (issue 1094). The fix makes
  it necessary to rerun 'gnt-cluster renew-crypto --new-node-certificates'
  after the cluster is fully upgraded to 2.14.1

New features
~~~~~~~~~~~~

- On dedicated clusters, hail will now favour allocations filling up
  nodes efficiently over balanced allocations.

New dependencies
~~~~~~~~~~~~~~~~

- The indirect dependency on Haskell package 'case-insensitive' is now
  explicit.


Version 2.15.0 rc1
------------------

*(Released Wed, 17 Jun 2015)*

This was the first release candidate in the 2.15 series. All important
changes are listed in the latest 2.15 entry.

Known issues:
~~~~~~~~~~~~~

- Issue 1094: differences in encodings in SSL certificates due to
  different OpenSSL versions can result in rendering a cluster
  uncommunicative after a master-failover.


Version 2.15.0 beta1
--------------------

*(Released Thu, 30 Apr 2015)*

This was the second beta release in the 2.15 series. All important changes
are listed in the latest 2.15 entry.


Version 2.14.2
--------------

*(Released Tue, 15 Dec 2015)*

Important changes and security notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS
implementation is vulnerable to DoS attacks via client-initiated SSL
parameter renegotiation. While the interface is not meant to be exposed
publicly, due to the fact that it binds to all interfaces, we believe
some users might be exposing it unintentionally and are vulnerable. A
DoS attack can consume resources meant for Ganeti daemons and instances
running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing
functionality needed to disable client-side renegotiation. Instead, we
offer instructions on how to control RAPI's exposure, along with info
on how RAPI can be setup alongside an HTTPS proxy in case users still
want or need to expose the RAPI interface. The instructions are
outlined in Ganeti's security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job
results after an instance information job reveals the secret. With the
DRBD secret, access to the local cluster network, and ARP poisoning,
an attacker can impersonate a Ganeti node and clone the disks of a
DRBD-based instance. While an attacker with access to the cluster
network is already capable of accessing any data written as DRBD
traffic is unencrypted, having the secret expedites the process and
allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed
via the RAPI. The DRBD secret can be changed by converting an instance
to plain and back to DRBD, generating a new secret, but redundancy will
be lost until the process completes.
Since attackers with node access are capable of accessing some and
potentially all data even without the secret, we do not recommend that
the secret be changed for existing instances.

Minor changes
~~~~~~~~~~~~~

- Allow disk attachment to diskless instances
- Calculate correct affected nodes set in InstanceChangeGroup
  (Issue 1144)
- Do not retry all requests after connection timeouts to prevent
  repeated job submission
- Fix reason trails of expanding opcodes
- Make lockConfig call retryable
- Extend timeout for gnt-cluster renew-crypto
- Return the correct error code in the post-upgrade script
- Make OpenSSL refrain from DH altogether
- Fix faulty iallocator type check
- Improve cfgupgrade output in case of errors
- Fix upgrades of instances with missing creation time
- Make htools tolerate missing "dtotal" and "dfree" on luxi
- Fix default for --default-iallocator-params
- Renew-crypto: stop daemons on master node first
- Don't warn about broken SSH setup of offline nodes (Issue 1131)
- At IAlloc backend guess state from admin state
- Set node tags in iallocator htools backend
- Only search for Python-2 interpreters
- Handle Xen 4.3 states better
- Improve xl socat migrations
- replace-disks: fix --ignore-ipolicy
- Fix disabling of user shutdown reporting
- Allow userspace-only disk templates
- Fix instance failover in case of DTS_EXT_MIRROR
- Fix operations on empty nodes by accepting allocation of 0 jobs
- Fix instance multi allocation for non-DRBD disks
- Redistribute master key on downgrade
- Allow more failover options when using the --no-disk-moves flag


Version 2.14.1
--------------

*(Released Fri, 10 Jul 2015)*

Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- The SSH security changes reduced the number of nodes which can SSH into
  other nodes. Unfortunately enough, the Ganeti implementation of migration
  for the xl stack of Xen required SSH to be able to migrate the instance,
  leading to a situation where full movement of an instance around the cluster
  was not possible. This version fixes the issue by using socat to transfer
  instance data. While socat is less secure than SSH, it is about as secure as
  xm migrations, and occurs over the secondary network if present. As a
  consequence of this change, Xen instance migrations using xl cannot occur
  between nodes running 2.14.0 and 2.14.1.
- This release contains a fix for the problem that different encodings in
  SSL certificates can break RPC communication (issue 1094). The fix makes
  it necessary to rerun 'gnt-cluster renew-crypto --new-node-certificates'
  after the cluster is fully upgraded to 2.14.1

Other Changes
~~~~~~~~~~~~~

- The ``htools`` now properly work also on shared-storage clusters.
- Instance moves now work properly also for the plain disk template.
- Filter-evaluation for run-time data filter was fixed (issue 1100).
- Various improvements to the documentation have been added.


Version 2.14.0
--------------

*(Released Tue, 2 Jun 2015)*

New features
~~~~~~~~~~~~

- The build system now enforces external Haskell dependencies to lie in
  a supported range as declared by our new ganeti.cabal file.
- Basic support for instance reservations has been added. Instance addition
  supports a --forthcoming option telling Ganeti to only reserve the resources
  but not create the actual instance. The instance can later be created with
  by passing the --commit option to the instance addition command.
- Node tags starting with htools:nlocation: now have a special meaning to htools(1).
  They control between which nodes migration is possible, e.g., during hypervisor
  upgrades. See hbal(1) for details.
- The node-allocation lock as been removed for good, thus speeding up parallel
  instance allocation and creation.
- The external storage interface has been extended by optional ``open``
  and ``close`` scripts.

New dependencies
~~~~~~~~~~~~~~~~

- Building the Haskell part of Ganeti now requires Cabal and cabal-install.

Known issues
~~~~~~~~~~~~

- Under certain conditions instance doesn't get unpaused after live
  migration (issue #1050)

Since 2.14.0 rc1
~~~~~~~~~~~~~~~~

- The call to the IAllocator in 'gnt-node evacuate' has been fixed.
- In opportunistic locking, only ask for those node resource locks where
  the node lock is held.
- Lock requests are repeatable now; this avoids failure of a job in a
  race condition with a signal sent to the job.
- Various improvements to the QA.


Version 2.14.0 rc2
------------------

*(Released Tue, 19 May 2015)*

This was the second release candidate in the 2.14 series. All important
changes are listed in the 2.14.0 entry.

Since 2.14.0 rc1
~~~~~~~~~~~~~~~~

- private parameters are now properly exported to instance create scripts
- unnecessary config unlocks and upgrades have been removed, improving
  performance, in particular of cluster verification
- some rarely occuring file-descriptor leaks have been fixed
- The checks for orphan and lost volumes have been fixed to also work
  correctly when multiple volume groups are used.


Version 2.14.0 rc1
------------------

*(Released Wed, 29 Apr 2015)*

This was the first release candidate in the 2.14 series. All important
changes are listed in the latest 2.14 entry.

Since 2.14.0 beta2
~~~~~~~~~~~~~~~~~~

The following issue has been fixed:

- A race condition where a badly timed kill of WConfD could lead to
  an incorrect configuration.

Fixes inherited from the 2.12 branch:

- Upgrade from old versions (2.5 and 2.6) was failing (issues 1070, 1019).
- gnt-network info outputs wrong external reservations (issue 1068)
- Refuse to demote master from master capability (issue 1023)

Fixes inherited from the 2.13 branch:

- bugs related to ssh-key handling of master candidate (issues 1045, 1046, 1047)


Version 2.14.0 beta2
--------------------

*(Released Thu, 26 Mar 2015)*

This was the second beta release in the 2.14 series. All important changes
are listed in the latest 2.14 entry.

Since 2.14.0 beta1
~~~~~~~~~~~~~~~~~~

The following issues have been fixed:

- Issue 1018: Cluster init (and possibly other jobs) occasionally fail to start

The extension of the external storage interface was not present in 2.14.0 beta1.


Version 2.14.0 beta1
--------------------

*(Released Fri, 13 Feb 2015)*

This was the first beta release of the 2.14 series. All important changes
are listed in the latest 2.14 entry.


Version 2.13.3
--------------

*(Released Mon, 14 Dec 2015)*

Important changes and security notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS
implementation is vulnerable to DoS attacks via client-initiated SSL
parameter renegotiation. While the interface is not meant to be exposed
publicly, due to the fact that it binds to all interfaces, we believe
some users might be exposing it unintentionally and are vulnerable. A
DoS attack can consume resources meant for Ganeti daemons and instances
running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing
functionality needed to disable client-side renegotiation. Instead, we
offer instructions on how to control RAPI's exposure, along with info
on how RAPI can be setup alongside an HTTPS proxy in case users still
want or need to expose the RAPI interface. The instructions are
outlined in Ganeti's security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job
results after an instance information job reveals the secret. With the
DRBD secret, access to the local cluster network, and ARP poisoning,
an attacker can impersonate a Ganeti node and clone the disks of a
DRBD-based instance. While an attacker with access to the cluster
network is already capable of accessing any data written as DRBD
traffic is unencrypted, having the secret expedites the process and
allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed
via the RAPI. The DRBD secret can be changed by converting an instance
to plain and back to DRBD, generating a new secret, but redundancy will
be lost until the process completes.
Since attackers with node access are capable of accessing some and
potentially all data even without the secret, we do not recommend that
the secret be changed for existing instances.

Minor changes
~~~~~~~~~~~~~

- Calculate correct affected nodes set in InstanceChangeGroup
  (Issue 1144)
- Do not retry all requests after connection timeouts to prevent
  repeated job submission
- Fix reason trails of expanding opcodes
- Make lockConfig call retryable
- Extend timeout for gnt-cluster renew-crypto
- Return the correct error code in the post-upgrade script
- Make OpenSSL refrain from DH altogether
- Fix upgrades of instances with missing creation time
- Make htools tolerate missing "dtotal" and "dfree" on luxi
- Fix default for --default-iallocator-params
- Renew-crypto: stop daemons on master node first
- Don't warn about broken SSH setup of offline nodes (Issue 1131)
- At IAlloc backend guess state from admin state
- Only search for Python-2 interpreters
- Handle Xen 4.3 states better
- Improve xl socat migrations
- replace-disks: fix --ignore-ipolicy
- Fix disabling of user shutdown reporting
- Fix operations on empty nodes by accepting allocation of 0 jobs
- Fix instance multi allocation for non-DRBD disks
- Redistribute master key on downgrade
- Allow more failover options when using the --no-disk-moves flag


Version 2.13.2
--------------

*(Released Mon, 13 Jul 2015)*

Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- This release contains a fix for the problem that different encodings in
  SSL certificates can break RPC communication (issue 1094). The fix makes
  it necessary to rerun 'gnt-cluster renew-crypto --new-node-certificates'
  after the cluster is fully upgraded to 2.13.2

Other fixes and known issues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Inherited from 2.12:

- Fixed Issue #1115: Race between starting WConfD and updating the config
- Fixed Issue #1114: Binding RAPI to a specific IP makes the watcher
  restart the RAPI
- Fixed Issue #1100: Filter-evaluation for run-time data filter
- Better handling of the "crashed" Xen state
- The watcher can be instructed to skip disk verification
- Reduce amount of logging on successful requests
- Prevent multiple communication NICs being created for instances
- The ``htools`` now properly work also on shared-storage clusters
- Instance moves now work properly also for the plain disk template
- Various improvements to the documentation have been added

Known issues:
- Issue #1104: gnt-backup: dh key too small


Version 2.13.1
--------------

*(Released Tue, 16 Jun 2015)*

Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- The SSH security changes reduced the number of nodes which can SSH into
  other nodes. Unfortunately enough, the Ganeti implementation of migration
  for the xl stack of Xen required SSH to be able to migrate the instance,
  leading to a situation where full movement of an instance around the cluster
  was not possible. This version fixes the issue by using socat to transfer
  instance data. While socat is less secure than SSH, it is about as secure as
  xm migrations, and occurs over the secondary network if present. As a
  consequence of this change, Xen instance migrations using xl cannot occur
  between nodes running 2.13.0 and 2.13.1.

Other fixes and known issues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Inherited from 2.12:

- Fixed Issue #1082: RAPI is unresponsive after master-failover
- Fixed Issue #1083: Cluster verify reports existing instance disks on
  non-default VGs as missing
- Fixed Issue #1101: Modifying the storage directory for the shared-file disk
  template doesn't work
- Fixed a possible file descriptor leak when forking jobs
- Fixed missing private parameters in the environment for OS scripts
- Fixed a performance regression when handling configuration
  (only upgrade it if it changes)
- Adapt for compilation with GHC7.8 (compiles with warnings;
  cherrypicked from 2.14)

Known issues:
- Issue #1094: Mismatch in SSL encodings breaks RPC communication
- Issue #1104: Export fails: key is too small


Version 2.13.0
--------------

*(Released Tue, 28 Apr 2015)*

Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Ganeti now internally retries the instance creation opcode if opportunistic
  locking did not acquire nodes with enough free resources. The internal retry
  will not use opportunistic locking. In particular, instance creation, even
  if opportunistic locking is set, will never fail with ECODE_TEMP_NORES.
- The handling of SSH security had undergone a significant change. From
  this version on, each node has an individual SSH key pair instead of
  sharing one with all nodes of the cluster. From now on, we also
  restrict SSH access to master candidates. This means that only master
  candidates can ssh into other cluster nodes and all
  non-master-candidates cannot. Refer to the UPGRADE notes
  for further instructions on the creation and distribution of the keys.
- Ganeti now checks hypervisor version compatibility before trying an instance
  migration. It errors out if the versions are not compatible. Add the option
  --ignore-hvversions to restore the old behavior of only warning.
- Node tags starting with htools:migration: or htools:allowmigration: now have
  a special meaning to htools(1). See hbal(1) for details.
- The LXC hypervisor code has been repaired and improved. Instances cannot be
  migrated and cannot have more than one disk, but should otherwise work as with
  other hypervisors. OS script changes should not be necessary. LXC version
  1.0.0 or higher required.

New features
~~~~~~~~~~~~

- A new job filter rules system allows to define iptables-like rules for the
  job scheduler, making it easier to (soft-)drain the job queue, perform
  maintenance, and rate-limit selected job types. See gnt-filter(8) for
  details.
- Ganeti jobs can now be ad-hoc rate limited via the reason trail.
  For a set of jobs queued with "--reason=rate-limit:n:label", the job
  scheduler ensures that not more than n will be scheduled to run at the same
  time. See ganeti(7), section "Options", for details.
- The monitoring daemon has now variable sleep times for the data
  collectors. This currently means that the granularity of cpu-avg-load
  can be configured.
- The 'gnt-cluster verify' command now has the option
  '--verify-ssh-clutter', which verifies whether Ganeti (accidentally)
  cluttered up the 'authorized_keys' file.
- Instance disks can now be converted from one disk template to another for many
  different template combinations. When available, more efficient conversions
  will be used, otherwise the disks are simply copied over.

New dependencies
~~~~~~~~~~~~~~~~

- The monitoring daemon uses the PSQueue library. Be sure to install it
  if you use Mond.
- The formerly optional regex-pcre is now an unconditional dependency because
  the new job filter rules have regular expressions as a core feature.

Since 2.13.0 rc1
~~~~~~~~~~~~~~~~~~

The following issues have been fixed:

- Bugs related to ssh-key handling of master candidates (issues 1045,
  1046, 1047)

Fixes inherited from the 2.12 branch:

- Upgrade from old versions (2.5 and 2.6) was failing (issues 1070, 1019).
- gnt-network info outputs wrong external reservations (issue 1068)
- Refuse to demote master from master capability (issue 1023)


Version 2.13.0 rc1
------------------

*(Released Wed, 25 Mar 2015)*

This was the first release candidate of the 2.13 series.
All important changes are listed in the latest 2.13 entry.

Since 2.13.0 beta1
~~~~~~~~~~~~~~~~~~

The following issues have been fixed:

- Issue 1018: Cluster init (and possibly other jobs) occasionally fail to start


Version 2.13.0 beta1
--------------------

*(Released Wed, 14 Jan 2015)*

This was the first beta release of the 2.13 series. All important changes
are listed in the latest 2.13 entry.


Version 2.12.6
--------------

*(Released Mon, 14 Dec 2015)*

Important changes and security notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS
implementation is vulnerable to DoS attacks via client-initiated SSL
parameter renegotiation. While the interface is not meant to be exposed
publicly, due to the fact that it binds to all interfaces, we believe
some users might be exposing it unintentionally and are vulnerable. A
DoS attack can consume resources meant for Ganeti daemons and instances
running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing
functionality needed to disable client-side renegotiation. Instead, we
offer instructions on how to control RAPI's exposure, along with info
on how RAPI can be setup alongside an HTTPS proxy in case users still
want or need to expose the RAPI interface. The instructions are
outlined in Ganeti's security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job
results after an instance information job reveals the secret. With the
DRBD secret, access to the local cluster network, and ARP poisoning,
an attacker can impersonate a Ganeti node and clone the disks of a
DRBD-based instance. While an attacker with access to the cluster
network is already capable of accessing any data written as DRBD
traffic is unencrypted, having the secret expedites the process and
allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed
via the RAPI. The DRBD secret can be changed by converting an instance
to plain and back to DRBD, generating a new secret, but redundancy will
be lost until the process completes.
Since attackers with node access are capable of accessing some and
potentially all data even without the secret, we do not recommend that
the secret be changed for existing instances.

Minor changes
~~~~~~~~~~~~~

- Calculate correct affected nodes set in InstanceChangeGroup
  (Issue 1144)
- Do not retry all requests after connection timeouts to prevent
  repeated job submission
- Fix reason trails of expanding opcodes
- Make lockConfig call retryable
- Return the correct error code in the post-upgrade script
- Make OpenSSL refrain from DH altogether
- Fix upgrades of instances with missing creation time
- Make htools tolerate missing "dtotal" and "dfree" on luxi
- Fix default for --default-iallocator-params
- At IAlloc backend guess state from admin state
- Only search for Python-2 interpreters
- Handle Xen 4.3 states better
- replace-disks: fix --ignore-ipolicy
- Fix disabling of user shutdown reporting
- Fix operations on empty nodes by accepting allocation of 0 jobs
- Fix instance multi allocation for non-DRBD disks
- Allow more failover options when using the --no-disk-moves flag


Version 2.12.5
--------------

*(Released Mon, 13 Jul 2015)*

Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- This release contains a fix for the problem that different encodings in
  SSL certificates can break RPC communication (issue 1094). The fix makes
  it necessary to rerun 'gnt-cluster renew-crypto --new-node-certificates'
  after the cluster is fully upgraded to 2.12.5.

Fixed and improvements
~~~~~~~~~~~~~~~~~~~~~~

- Fixed Issue #1030: GlusterFS support breaks at upgrade to 2.12 -
  switches back to shared-file
- Fixed Issue #1094 (see the notice in Incompatible/important changes):
  Differences in encodings of SSL certificates can render a cluster
  uncommunicative after a master-failover
- Fixed Issue #1098: Support for ECDSA SSH keys
- Fixed Issue #1100: Filter-evaluation for run-time data filter
- Fixed Issue #1101: Modifying the storage directory for the shared-file
  disk template doesn't work
- Fixed Issue #1108: Spurious "NIC name already used" errors during
  instance creation
- Fixed Issue #1114: Binding RAPI to a specific IP makes the watcher
  restart the RAPI
- Fixed Issue #1115: Race between starting WConfD and updating the config
- Better handling of the "crashed" Xen state
- The ``htools`` now properly work also on shared-storage clusters
- Various improvements to the documentation have been added

Inherited from the 2.11 branch:

- Fixed Issue #1113: Reduce amount of logging on successful requests

Known issues
~~~~~~~~~~~~

- Issue #1104: gnt-backup: dh key too small


Version 2.12.4
--------------

*(Released Tue, 12 May 2015)*

- Fixed Issue #1082: RAPI is unresponsive after master-failover
- Fixed Issue #1083: Cluster verify reports existing instance disks on
  non-default VGs as missing
- Fixed a possible file descriptor leak when forking jobs
- Fixed missing private parameters in the environment for OS scripts
- Fixed a performance regression when handling configuration
  (only upgrade it if it changes)
- Adapt for compilation with GHC7.8 (compiles with warnings;
  cherrypicked from 2.14)

Known issues
~~~~~~~~~~~~

Pending since 2.12.2:

- Under certain conditions instance doesn't get unpaused after live
  migration (issue #1050)
- GlusterFS support breaks at upgrade to 2.12 - switches back to
  shared-file (issue #1030)


Version 2.12.3
--------------

*(Released Wed, 29 Apr 2015)*

- Fixed Issue #1019: upgrade from 2.6.2 to 2.12 fails. cfgupgrade
  doesn't migrate the config.data file properly
- Fixed Issue 1023: Master master-capable option bug
- Fixed Issue 1068: gnt-network info outputs wrong external reservations
- Fixed Issue 1070: Upgrade of Ganeti 2.5.2 to 2.12.0 fails due to
  missing UUIDs for disks
- Fixed Issue 1073: ssconf_hvparams_* not distributed with ssconf

Inherited from the 2.11 branch:

- Fixed Issue 1032: Renew-crypto --new-node-certificates sometimes does not
  complete.
  The operation 'gnt-cluster renew-crypto --new-node-certificates' is
  now more robust against intermitten reachability errors. Nodes that
  are temporarily not reachable, are contacted with several retries.
  Nodes which are marked as offline are omitted right away.

Inherited from the 2.10 branch:

- Fixed Issue 1057: master-failover succeeds, but IP remains assigned to
  old master
- Fixed Issue 1058: Python's os.minor() does not support devices with
  high minor numbers
- Fixed Issue 1059: Luxid fails if DNS returns an IPv6 address that does
  not reverse resolve

Known issues
~~~~~~~~~~~~

Pending since 2.12.2:

- GHC 7.8 introduced some incompatible changes, so currently Ganeti
  2.12. doesn't compile on GHC 7.8
- Under certain conditions instance doesn't get unpaused after live
  migration (issue #1050)
- GlusterFS support breaks at upgrade to 2.12 - switches back to
  shared-file (issue #1030)


Version 2.12.2
--------------

*(Released Wed, 25 Mar 2015)*

- Support for the lens Haskell library up to version 4.7 (issue #1028)
- SSH keys are now distributed only to master and master candidates
  (issue #377)
- Improved performance for operations that frequently read the
  cluster configuration
- Improved robustness of spawning job processes that occasionally caused
  newly-started jobs to timeout
- Fixed race condition during cluster verify which occasionally caused
  it to fail

Inherited from the 2.11 branch:

- Fix failing automatic glusterfs mounts (issue #984)
- Fix watcher failing to read its status file after an upgrade
  (issue #1022)
- Improve Xen instance state handling, in particular of somewhat exotic
  transitional states

Inherited from the 2.10 branch:

- Fix failing to change a diskless drbd instance to plain
  (issue #1036)
- Fixed issues with auto-upgrades from pre-2.6
  (hv_state_static and disk_state_static)
- Fix memory leak in the monitoring daemon

Inherited from the 2.9 branch:

- Fix file descriptor leak in Confd client

Known issues
~~~~~~~~~~~~

- GHC 7.8 introduced some incompatible changes, so currently Ganeti
  2.12. doesn't compile on GHC 7.8
- Under certain conditions instance doesn't get unpaused after live
  migration (issue #1050)
- GlusterFS support breaks at upgrade to 2.12 - switches back to
  shared-file (issue #1030)


Version 2.12.1
--------------

*(Released Wed, 14 Jan 2015)*

- Fix users under which the wconfd and metad daemons run (issue #976)
- Clean up stale livelock files (issue #865)
- Fix setting up the metadata daemon's network interface for Xen
- Make watcher identify itself on disk activation
- Add "ignore-ipolicy" option to gnt-instance grow-disk
- Check disk size ipolicy during "gnt-instance grow-disk" (issue #995)

Inherited from the 2.11 branch:

- Fix counting votes when doing master failover (issue #962)
- Fix broken haskell dependencies (issues #758 and #912)
- Check if IPv6 is used directly when running SSH (issue #892)

Inherited from the 2.10 branch:

- Fix typo in gnt_cluster output (issue #1015)
- Use the Python path detected at configure time in the top-level Python
  scripts.
- Fix check for sphinx-build from python2-sphinx
- Properly check if an instance exists in 'gnt-instance console'


Version 2.12.0
--------------

*(Released Fri, 10 Oct 2014)*

Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Ganeti is now distributed under the 2-clause BSD license.
  See the COPYING file.
- Do not use debug mode in production. Certain daemons will issue warnings
  when launched in debug mode. Some debug logging violates some of the new
  invariants in the system (see "New features"). The logging has been kept as
  it aids diagnostics and development.

New features
~~~~~~~~~~~~

- OS install script parameters now come in public, private and secret
  varieties:

  - Public parameters are like all other parameters in Ganeti.
  - Ganeti will not log private and secret parameters, *unless* it is running
    in debug mode.
  - Ganeti will not save secret parameters to configuration. Secret parameters
    must be supplied every time you install, or reinstall, an instance.
  - Attempting to override public parameters with private or secret parameters
    results in an error. Similarly, you may not use secret parameters to
    override private parameters.

- The move-instance tool can now attempt to allocate an instance by using
  opportunistic locking when an iallocator is used.
- The build system creates sample systemd unit files, available under
  doc/examples/systemd. These unit files allow systemd to natively
  manage and supervise all Ganeti processes.
- Different types of compression can be applied during instance moves, including
  user-specified ones.
- Ganeti jobs now run as separate processes. The jobs are coordinated by
  a new daemon "WConfd" that manages cluster's configuration and locks
  for individual jobs. A consequence is that more jobs can run in parallel;
  the number is run-time configurable, see "New features" entry
  of 2.11.0. To avoid luxid being overloaded with tracking running jobs, it
  backs of and only occasionally, in a sequential way, checks if jobs have
  finished and schedules new ones. In this way, luxid keeps responsive under
  high cluster load. The limit as when to start backing of is also run-time
  configurable.
- The metadata daemon is now optionally available, as part of the
  partial implementation of the OS-installs design. It allows pass
  information to OS install scripts or to instances.
  It is also possible to run Ganeti without the daemon, if desired.
- Detection of user shutdown of instances has been implemented for Xen
  as well.

New dependencies
~~~~~~~~~~~~~~~~

- The KVM CPU pinning no longer uses the affinity python package, but psutil
  instead. The package is still optional and needed only if the feature is to
  be used.

Incomplete features
~~~~~~~~~~~~~~~~~~~

The following issues are related to features which are not completely
implemented in 2.12:

- Issue 885: Network hotplugging on KVM sometimes makes an instance
  unresponsive
- Issues 708 and 602: The secret parameters are currently still written
  to disk in the job queue.
- Setting up the metadata network interface under Xen isn't fully
  implemented yet.

Known issues
~~~~~~~~~~~~

- *Wrong UDP checksums in DHCP network packets:*
  If an instance communicates with the metadata daemon and uses DHCP to
  obtain its IP address on the provided virtual network interface,
  it can happen that UDP packets have a wrong checksum, due to
  a bug in virtio. See for example https://bugs.launchpad.net/bugs/930962

  Ganeti works around this bug by disabling the UDP checksums on the way
  from a host to instances (only on the special metadata communication
  network interface) using the ethtool command. Therefore if using
  the metadata daemon the host nodes should have this tool available.
- The metadata daemon is run as root in the split-user mode, to be able
  to bind to port 80.
  This should be improved in future versions, see issue #949.

Since 2.12.0 rc2
~~~~~~~~~~~~~~~~

The following issues have been fixed:

- Fixed passing additional parameters to RecreateInstanceDisks over
  RAPI.
- Fixed the permissions of WConfd when running in the split-user mode.
  As WConfd takes over the previous master daemon to manage the
  configuration, it currently runs under the masterd user.
- Fixed the permissions of the metadata daemon  wn running in the
  split-user mode (see Known issues).
- Watcher now properly adds a reason trail entry when initiating disk
  checks.
- Fixed removing KVM parameters introduced in 2.12 when downgrading a
  cluster to 2.11: "migration_caps", "disk_aio" and "virtio_net_queues".
- Improved retrying of RPC calls that fail due to network errors.


Version 2.12.0 rc2
------------------

*(Released Mon, 22 Sep 2014)*

This was the second release candidate of the 2.12 series.
All important changes are listed in the latest 2.12 entry.

Since 2.12.0 rc1
~~~~~~~~~~~~~~~~

The following issues have been fixed:

- Watcher now checks if WConfd is running and functional.
- Watcher now properly adds reason trail entries.
- Fixed NIC options in Xen's config files.

Inherited from the 2.10 branch:

- Fixed handling of the --online option
- Add warning against hvparam changes with live migrations, which might
  lead to dangerous situations for instances.
- Only the LVs in the configured VG are checked during cluster verify.


Version 2.12.0 rc1
------------------

*(Released Wed, 20 Aug 2014)*

This was the first release candidate of the 2.12 series.
All important changes are listed in the latest 2.12 entry.

Since 2.12.0 beta1
~~~~~~~~~~~~~~~~~~

The following issues have been fixed:

- Issue 881: Handle communication errors in mcpu
- Issue 883: WConfd leaks memory for some long operations
- Issue 884: Under heavy load the IAllocator fails with a "missing
  instance" error

Inherited from the 2.10 branch:

- Improve the recognition of Xen domU states
- Automatic upgrades:
  - Create the config backup archive in a safe way
  - On upgrades, check for upgrades to resume first
  - Pause watcher during upgrade
- Allow instance disks to be added with --no-wait-for-sync


Version 2.12.0 beta1
--------------------

*(Released Mon, 21 Jul 2014)*

This was the first beta release of the 2.12 series. All important changes
are listed in the latest 2.12 entry.


Version 2.11.8
--------------

*(Released Mon, 14 Dec 2015)*

Important changes and security notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS
implementation is vulnerable to DoS attacks via client-initiated SSL
parameter renegotiation. While the interface is not meant to be exposed
publicly, due to the fact that it binds to all interfaces, we believe
some users might be exposing it unintentionally and are vulnerable. A
DoS attack can consume resources meant for Ganeti daemons and instances
running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing
functionality needed to disable client-side renegotiation. Instead, we
offer instructions on how to control RAPI's exposure, along with info
on how RAPI can be setup alongside an HTTPS proxy in case users still
want or need to expose the RAPI interface. The instructions are
outlined in Ganeti's security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job
results after an instance information job reveals the secret. With the
DRBD secret, access to the local cluster network, and ARP poisoning,
an attacker can impersonate a Ganeti node and clone the disks of a
DRBD-based instance. While an attacker with access to the cluster
network is already capable of accessing any data written as DRBD
traffic is unencrypted, having the secret expedites the process and
allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed
via the RAPI. The DRBD secret can be changed by converting an instance
to plain and back to DRBD, generating a new secret, but redundancy will
be lost until the process completes.
Since attackers with node access are capable of accessing some and
potentially all data even without the secret, we do not recommend that
the secret be changed for existing instances.

Minor changes
~~~~~~~~~~~~~

- Make htools tolerate missing "dtotal" and "dfree" on luxi
- Fix default for --default-iallocator-params
- At IAlloc backend guess state from admin state
- replace-disks: fix --ignore-ipolicy
- Fix instance multi allocation for non-DRBD disks
- Trigger renew-crypto on downgrade to 2.11
- Downgrade log-message for rereading job
- Downgrade log-level for successful requests
- Check for gnt-cluster before running gnt-cluster upgrade


Version 2.11.7
--------------

*(Released Fri, 17 Apr 2015)*

- The operation 'gnt-cluster renew-crypto --new-node-certificates' is
  now more robust against intermitten reachability errors. Nodes that
  are temporarily not reachable, are contacted with several retries.
  Nodes which are marked as offline are omitted right away.


Version 2.11.6
--------------

*(Released Mon, 22 Sep 2014)*

- Ganeti is now distributed under the 2-clause BSD license.
  See the COPYING file.
- Fix userspace access checks.
- Various documentation fixes have been added.

Inherited from the 2.10 branch:

- The --online option now works as documented.
- The watcher is paused during cluster upgrades; also, upgrade
  checks for upgrades to resume first.
- Instance disks can be added with --no-wait-for-sync.


Version 2.11.5
--------------

*(Released Thu, 7 Aug 2014)*

Inherited from the 2.10 branch:

Important security release. In 2.10.0, the
'gnt-cluster upgrade' command was introduced. Before
performing an upgrade, the configuration directory of
the cluster is backed up. Unfortunately, the archive was
written with permissions that make it possible for
non-privileged users to read the archive and thus have
access to cluster and RAPI keys. After this release,
the archive will be created with privileged access only.

We strongly advise you to restrict the permissions of
previously created archives. The archives are found in
/var/lib/ganeti*.tar (unless otherwise configured with
--localstatedir or --with-backup-dir).

If you suspect that non-privileged users have accessed
your archives already, we advise you to renew the
cluster's crypto keys using 'gnt-cluster renew-crypto'
and to reset the RAPI credentials by editing
/var/lib/ganeti/rapi_users (respectively under a
different path if configured differently with
--localstatedir).

Other changes included in this release:

- Fix handling of Xen instance states.
- Fix NIC configuration with absent NIC VLAN
- Adapt relative path expansion in PATH to new environment
- Exclude archived jobs from configuration backups
- Fix RAPI for split query setup
- Allow disk hot-remove even with chroot or SM

Inherited from the 2.9 branch:

- Make htools tolerate missing 'spfree' on luxi


Version 2.11.4
--------------

*(Released Thu, 31 Jul 2014)*

- Improved documentation of the instance shutdown behavior.

Inherited from the 2.10 branch:

- KVM: fix NIC configuration with absent NIC VLAN (Issue 893)
- Adapt relative path expansion in PATH to new environment
- Exclude archived jobs from configuration backup
- Expose early_release for ReplaceInstanceDisks
- Add backup directory for configuration backups for upgrades
- Fix BlockdevSnapshot in case of non lvm-based disk
- Improve RAPI error handling for queries in non-existing items
- Allow disk hot-remove even with chroot or SM
- Remove superflous loop in instance queries (Issue 875)

Inherited from the 2.9 branch:

- Make ganeti-cleaner switch to save working directory (Issue 880)


Version 2.11.3
--------------

*(Released Wed, 9 Jul 2014)*

- Readd nodes to their previous node group
- Remove old-style gnt-network connect

Inherited from the 2.10 branch:

- Make network_vlan an optional OpParam
- hspace: support --accept-existing-errors
- Make hspace support --independent-groups
- Add a modifier for a group's allocation policy
- Export VLAN nicparam to NIC configuration scripts
- Fix gnt-network client to accept vlan info
- Support disk hotplug with userspace access

Inherited from the 2.9 branch:

- Make htools tolerate missing "spfree" on luxi
- Move the design for query splitting to the implemented list
- Add tests for DRBD setups with empty first resource

Inherited from the 2.8 branch:

- DRBD parser: consume initial empty resource lines


Version 2.11.2
--------------

*(Released Fri, 13 Jun 2014)*

- Improvements to KVM wrt to the kvmd and instance shutdown behavior.
  WARNING: In contrast to our standard policy, this bug fix update
  introduces new parameters to the configuration. This means in
  particular that after an upgrade from 2.11.0 or 2.11.1, 'cfgupgrade'
  needs to be run, either manually or explicitly by running
  'gnt-cluster upgrade --to 2.11.2' (which requires that they
  had configured the cluster with --enable-versionfull).
  This also means, that it is not easily possible to downgrade from
  2.11.2 to 2.11.1 or 2.11.0. The only way is to go back to 2.10 and
  back.

Inherited from the 2.10 branch:

- Check for SSL encoding inconsistencies
- Check drbd helper only in VM capable nodes
- Improvements in statistics utils

Inherited from the 2.9 branch:

- check-man-warnings: use C.UTF-8 and set LC_ALL


Version 2.11.1
--------------

*(Released Wed, 14 May 2014)*

- Add design-node-security.rst to docinput
- kvm: use a dedicated QMP socket for kvmd

Inherited from the 2.10 branch:

- Set correct Ganeti version on setup commands
- Add a utility to combine shell commands
- Add design doc for performance tests
- Fix failed DRBD disk creation cleanup
- Hooking up verification for shared file storage
- Fix --shared-file-storage-dir option of gnt-cluster modify
- Clarify default setting of 'metavg'
- Fix invocation of GetCommandOutput in QA
- Clean up RunWithLocks
- Add an exception-trapping thread class
- Wait for delay to provide interruption information
- Add an expected block option to RunWithLocks
- Track if a QA test was blocked by locks
- Add a RunWithLocks QA utility function
- Add restricted migration
- Add an example for node evacuation
- Add a test for parsing version strings
- Tests for parallel job execution
- Fail in replace-disks if attaching disks fails
- Fix passing of ispecs in cluster init during QA
- Move QAThreadGroup to qa_job_utils.py
- Extract GetJobStatuses and use an unified version
- Run disk template specific tests only if possible

Inherited from the 2.9 branch:

- If Automake version > 1.11, force serial tests
- KVM: set IFF_ONE_QUEUE on created tap interfaces
- Add configure option to pass GHC flags


Version 2.11.0
--------------

*(Released Fri, 25 Apr 2014)*

Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- ``gnt-node list`` no longer shows disk space information for shared file
  disk templates because it is not a node attribute. (For example, if you have
  both the file and shared file disk templates enabled, ``gnt-node list`` now
  only shows information about the file disk template.)
- The shared file disk template is now in the new 'sharedfile' storage type.
  As a result, ``gnt-node list-storage -t file`` now only shows information
  about the file disk template and you may use ``gnt-node list-storage -t
  sharedfile`` to query storage information for the shared file disk template.
- Over luxi, syntactially incorrect queries are now rejected as a whole;
  before, a 'SumbmitManyJobs' request was partially executed, if the outer
  structure of the request was syntactically correct. As the luxi protocol
  is internal (external applications are expected to use RAPI), the impact
  of this incompatible change should be limited.
- Queries for nodes, instances, groups, backups and networks are now
  exclusively done via the luxi daemon. Legacy python code was removed,
  as well as the --enable-split-queries configuration option.
- Orphan volumes errors are demoted to warnings and no longer affect the exit
  code of ``gnt-cluster verify``.
- RPC security got enhanced by using different client SSL certificates
  for each node. In this context 'gnt-cluster renew-crypto' got a new
  option '--renew-node-certificates', which renews the client
  certificates of all nodes. After a cluster upgrade from pre-2.11, run
  this to create client certificates and activate this feature.

New features
~~~~~~~~~~~~

- Instance moves, backups and imports can now use compression to transfer the
  instance data.
- Node groups can be configured to use an SSH port different than the
  default 22.
- Added experimental support for Gluster distributed file storage as the
  ``gluster`` disk template under the new ``sharedfile`` storage type through
  automatic management of per-node FUSE mount points. You can configure the
  mount point location at ``gnt-cluster init`` time by using the new
  ``--gluster-storage-dir`` switch.
- Job scheduling is now handled by luxid, and the maximal number of jobs running
  in parallel is a run-time parameter of the cluster.
- A new tool for planning dynamic power management, called ``hsqueeze``, has
  been added. It suggests nodes to power up or down and corresponding instance
  moves.

New dependencies
~~~~~~~~~~~~~~~~

The following new dependencies have been added:

For Haskell:

- ``zlib`` library (http://hackage.haskell.org/package/base64-bytestring)

- ``base64-bytestring`` library (http://hackage.haskell.org/package/zlib),
  at least version 1.0.0.0

- ``lifted-base`` library (http://hackage.haskell.org/package/lifted-base)

- ``lens`` library (http://hackage.haskell.org/package/lens)

Since 2.11.0 rc1
~~~~~~~~~~~~~~~~

- Fix Xen instance state

Inherited from the 2.10 branch:

- Fix conflict between virtio + spice or soundhw
- Fix bitarray ops wrt PCI slots
- Allow releases scheduled 5 days in advance
- Make watcher submit queries low priority
- Fix specification of TIDiskParams
- Add unittests for instance modify parameter renaming
- Add renaming of instance custom params
- Add RAPI symmetry tests for groups
- Extend RAPI symmetry tests with RAPI-only aliases
- Add test for group custom parameter renaming
- Add renaming of group custom ndparams, ipolicy, diskparams
- Add the RAPI symmetry test for nodes
- Add aliases for nodes
- Allow choice of HTTP method for modification
- Add cluster RAPI symmetry test
- Fix failing cluster query test
- Add aliases for cluster parameters
- Add support for value aliases to RAPI
- Provide tests for GET/PUT symmetry
- Sort imports
- Also consider filter fields for deciding if using live data
- Document the python-fdsend dependency
- Verify configuration version number before parsing
- KVM: use running HVPs to calc blockdev options
- KVM: reserve a PCI slot for the SCSI controller
- Check for LVM-based verification results only when enabled
- Fix "existing" typos
- Fix output of gnt-instance info after migration
- Warn in UPGRADE about not tar'ing exported insts
- Fix non-running test and remove custom_nicparams rename
- Account for NODE_RES lock in opportunistic locking
- Fix request flooding of noded during disk sync

Inherited from the 2.9 branch:

- Make watcher submit queries low priority
- Fix failing gnt-node list-drbd command
- Update installation guide wrt to DRBD version
- Fix list-drbd QA test
- Add messages about skipped QA disk template tests
- Allow QA asserts to produce more messages
- Set exclusion tags correctly in requested instance
- Export extractExTags and updateExclTags
- Document spindles in the hbal man page
- Sample logrotate conf breaks permissions with split users
- Fix 'gnt-cluster' and 'gnt-node list-storage' outputs

Inherited from the 2.8 branch:

- Add reason parameter to RAPI client functions
- Include qa/patch in Makefile
- Handle empty patches better
- Move message formatting functions to separate file
- Add optional ordering of QA patch files
- Allow multiple QA patches
- Refactor current patching code


Version 2.11.0 rc1
------------------

*(Released Thu, 20 Mar 2014)*

This was the first RC release of the 2.11 series. Since 2.11.0 beta1:

- Convert int to float when checking config. consistency
- Rename compression option in gnt-backup export

Inherited from the 2.9 branch:

- Fix error introduced during merge
- gnt-cluster copyfile: accept relative paths

Inherited from the 2.8 branch:

- Improve RAPI detection of the watcher
- Add patching QA configuration files on buildbots
- Enable a timeout for instance shutdown
- Allow KVM commands to have a timeout
- Allow xen commands to have a timeout
- Fix wrong docstring


Version 2.11.0 beta1
--------------------

*(Released Wed, 5 Mar 2014)*

This was the first beta release of the 2.11 series. All important changes
are listed in the latest 2.11 entry.


Version 2.10.8
--------------

*(Released Fri, 11 Dec 2015)*

Important changes and security notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS
implementation is vulnerable to DoS attacks via client-initiated SSL
parameter renegotiation. While the interface is not meant to be exposed
publicly, due to the fact that it binds to all interfaces, we believe
some users might be exposing it unintentionally and are vulnerable. A
DoS attack can consume resources meant for Ganeti daemons and instances
running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing
functionality needed to disable client-side renegotiation. Instead, we
offer instructions on how to control RAPI's exposure, along with info
on how RAPI can be setup alongside an HTTPS proxy in case users still
want or need to expose the RAPI interface. The instructions are
outlined in Ganeti's security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job
results after an instance information job reveals the secret. With the
DRBD secret, access to the local cluster network, and ARP poisoning,
an attacker can impersonate a Ganeti node and clone the disks of a
DRBD-based instance. While an attacker with access to the cluster
network is already capable of accessing any data written as DRBD
traffic is unencrypted, having the secret expedites the process and
allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed
via the RAPI. The DRBD secret can be changed by converting an instance
to plain and back to DRBD, generating a new secret, but redundancy will
be lost until the process completes.
Since attackers with node access are capable of accessing some and
potentially all data even without the secret, we do not recommend that
the secret be changed for existing instances.

Minor changes
~~~~~~~~~~~~~

- Make htools tolerate missing "dtotal" and "dfree" on luxi
- At IAlloc backend guess state from admin state
- replace-disks: fix --ignore-ipolicy
- Fix instance multi allocation for non-DRBD disks
- Check for gnt-cluster before running gnt-cluster upgrade
- Work around a Python os.minor bug
- Add IP-related checks after master-failover
- Pass correct backend params in move-instance
- Allow plain/DRBD conversions regardless of lack of disks
- Fix MonD collector thunk leak
- Stop MonD when removing a node from a cluster
- Finalize backup only if successful
- Fix file descriptor leak in Confd Client
- Auto-upgrade hv_state_static and disk_state_static
- Do not hardcode the Python path in CLI tools
- Use the Python interpreter from ENV
- ganeti.daemon: fix daemon mode with GnuTLS >= 3.3 (Issues 961, 964)
- Ganeti.Daemon: always install SIGHUP handler (Issue 755)
- Fix DRBD version check for non VM capable nodes
- Fix handling of the --online option
- Add warning against hvparam changes with live migrations
- Only verify LVs in configured VG during cluster verify
- Fix network info in case of multi NIC instances
- On upgrades, check for upgrades to resume first
- Pause watcher during upgrade
- Allow instance disks to be added with --no-wait-for-sync


Version 2.10.7
--------------

*(Released Thu, 7 Aug 2014)*

Important security release. In 2.10.0, the
'gnt-cluster upgrade' command was introduced. Before
performing an upgrade, the configuration directory of
the cluster is backed up. Unfortunately, the archive was
written with permissions that make it possible for
non-privileged users to read the archive and thus have
access to cluster and RAPI keys. After this release,
the archive will be created with privileged access only.

We strongly advise you to restrict the permissions of
previously created archives. The archives are found in
/var/lib/ganeti*.tar (unless otherwise configured with
--localstatedir or --with-backup-dir).

If you suspect that non-privileged users have accessed
your archives already, we advise you to renew the
cluster's crypto keys using 'gnt-cluster renew-crypto'
and to reset the RAPI credentials by editing
/var/lib/ganeti/rapi_users (respectively under a
different path if configured differently with
--localstatedir).

Other changes included in this release:

- Fix handling of Xen instance states.
- Fix NIC configuration with absent NIC VLAN
- Adapt relative path expansion in PATH to new environment
- Exclude archived jobs from configuration backups
- Fix RAPI for split query setup
- Allow disk hot-remove even with chroot or SM

Inherited from the 2.9 branch:

- Make htools tolerate missing 'spfree' on luxi


Version 2.10.6
--------------

*(Released Mon, 30 Jun 2014)*

- Make Ganeti tolerant towards differnt openssl library
  version on different nodes (issue 853).
- Allow hspace to make useful predictions in multi-group
  clusters with one group overfull (isse 861).
- Various gnt-network related fixes.
- Fix disk hotplug with userspace access.
- Various documentation errors fixed.


Version 2.10.5
--------------

*(Released Mon, 2 Jun 2014)*

- Two new options have been added to gnt-group evacuate.
  The 'sequential' option forces all the evacuation steps to
  be carried out sequentially, thus avoiding congestion on a
  slow link between node groups. The 'force-failover' option
  disallows migrations and forces failovers to be used instead.
  In this way evacuation to a group with vastly differnet
  hypervisor is possible.
- In tiered allocation, when looking for ways on how to shrink
  an instance, the canoncial path is tried first, i.e., in each
  step reduce on the resource most placements are blocked on. Only
  if no smaller fitting instance can be found shrinking a single
  resource till fit is tried.
- For finding the placement of an instance, the duplicate computations
  in the computation of the various cluster scores are computed only
  once. This significantly improves the performance of hspace for DRBD
  on large clusters; for other clusters, a slight performance decrease
  might occur. Moreover, due to the changed order, floating point
  number inaccuracies accumulate differently, thus resulting in different
  cluster scores. It has been verified that the effect of these different
  roundings is less than 1e-12.
- network queries fixed with respect to instances
- relax too strict prerequisite in LUClusterSetParams for DRBD helpers
- VArious improvements to QA and build-time tests


Version 2.10.4
--------------

*(Released Thu, 15 May 2014)*

- Support restricted migration in hbal
- Fix for the --shared-file-storage-dir of gnt-cluster modify (issue 811)
- Fail in replace-disks if attaching disks fails (issue 814)
- Set IFF_ONE_QUEUE on created tap interfaces for KVM
- Small fixes and enhancements in the build system
- Various documentation fixes (e.g. issue 810)


Version 2.10.3
--------------

*(Released Wed, 16 Apr 2014)*

- Fix filtering of pending jobs with -o id (issue 778)
- Make RAPI API calls more symmetric (issue 770)
- Make parsing of old cluster configuration more robust (issue 783)
- Fix wrong output of gnt-instance info after migrations
- Fix reserved PCI slots for KVM hotplugging
- Use runtime hypervisor parameters to calculate bockdevice options for KVM
- Fix high node daemon load during disk sync if the sync is paused manually
  (issue 792)
- Improve opportunistic locking during instance creation (issue 791)

Inherited from the 2.9 branch:

- Make watcher submit queries low priority (issue 772)
- Add reason parameter to RAPI client functions (issue 776)
- Fix failing gnt-node list-drbd command (issue 777)
- Properly display fake job locks in gnt-debug.
- small fixes in documentation


Version 2.10.2
--------------

*(Released Mon, 24 Mar 2014)*

- Fix conflict between virtio + spice or soundhw (issue 757)
- accept relative paths in gnt-cluster copyfile (issue 754)
- Introduce shutdown timeout for 'xm shutdown' command
- Improve RAPI detection of the watcher (issue 752)


Version 2.10.1
--------------

*(Released Wed, 5 Mar 2014)*

- Fix incorrect invocation of hooks on offline nodes (issue 742)
- Fix incorrect exit code of gnt-cluster verify in certain circumstances
  (issue 744)

Inherited from the 2.9 branch:

- Fix overflow problem in hbal that caused it to break when waiting for
  jobs for more than 10 minutes (issue 717)
- Make hbal properly handle non-LVM storage
- Properly export and import NIC parameters, and do so in a backwards
  compatible way (issue 716)
- Fix net-common script in case of routed mode (issue 728)
- Improve documentation (issues 724, 730)


Version 2.10.0
--------------

*(Released Thu, 20 Feb 2014)*

Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Adding disks with 'gnt-instance modify' now waits for the disks to sync per
  default. Specify --no-wait-for-sync to override this behavior.
- The Ganeti python code now adheres to a private-module layout. In particular,
  the module 'ganeti' is no longer in the python search path.
- On instance allocation, the iallocator now considers non-LVM storage
  properly. In particular, actual file storage space information is used
  when allocating space for a file/sharedfile instance.
- When disabling disk templates cluster-wide, the cluster now first
  checks whether there are instances still using those templates.
- 'gnt-node list-storage' now also reports storage information about
  file-based storage types.
- In case of non drbd instances, export \*_SECONDARY environment variables
  as empty strings (and not "None") during 'instance-migrate' related hooks.

New features
~~~~~~~~~~~~

- KVM hypervisors can now access RBD storage directly without having to
  go through a block device.
- A new command 'gnt-cluster upgrade' was added that automates the upgrade
  procedure between two Ganeti versions that are both 2.10 or higher.
- The move-instance command can now change disk templates when moving
  instances, and does not require any node placement options to be
  specified if the destination cluster has a default iallocator.
- Users can now change the soundhw and cpuid settings for XEN hypervisors.
- Hail and hbal now have the (optional) capability of accessing average CPU
  load information through the monitoring deamon, and to use it to dynamically
  adapt the allocation of instances.
- Hotplug support. Introduce new option '--hotplug' to ``gnt-instance modify``
  so that disk and NIC modifications take effect without the need of actual
  reboot. There are a couple of constrains currently for this feature:

   - only KVM hypervisor (versions >= 1.0) supports it,
   - one can not (yet) hotplug a disk using userspace access mode for RBD
   - in case of a downgrade instances should suffer a reboot in order to
     be migratable (due to core change of runtime files)
   - ``python-fdsend`` is required for NIC hotplugging.

Misc changes
~~~~~~~~~~~~

- A new test framework for logical units was introduced and the test
  coverage for logical units was improved significantly.
- Opcodes are entirely generated from Haskell using the tool 'hs2py' and
  the module 'src/Ganeti/OpCodes.hs'.
- Constants are also generated from Haskell using the tool
  'hs2py-constants' and the module 'src/Ganeti/Constants.hs', with the
  exception of socket related constants, which require changing the
  cluster configuration file, and HVS related constants, because they
  are part of a port of instance queries to Haskell.  As a result, these
  changes will be part of the next release of Ganeti.

New dependencies
~~~~~~~~~~~~~~~~

The following new dependencies have been added/updated.

Python

- The version requirements for ``python-mock`` have increased to at least
  version 1.0.1. It is still used for testing only.
- ``python-fdsend`` (https://gitorious.org/python-fdsend) is optional
  but required for KVM NIC hotplugging to work.

Since 2.10.0 rc3
~~~~~~~~~~~~~~~~

- Fix integer overflow problem in hbal


Version 2.10.0 rc3
------------------

*(Released Wed, 12 Feb 2014)*

This was the third RC release of the 2.10 series. Since 2.10.0 rc2:

- Improved hotplug robustness
- Start Ganeti daemons after ensure-dirs during upgrade
- Documentation improvements

Inherited from the 2.9 branch:

- Fix the RAPI instances-multi-alloc call
- assign unique filenames to file-based disks
- gracefully handle degraded non-diskless instances with 0 disks (issue 697)
- noded now runs with its specified group, which is the default group,
  defaulting to root (issue 707)
- make using UUIDs to identify nodes in gnt-node consistently possible
  (issue 703)


Version 2.10.0 rc2
------------------

*(Released Fri, 31 Jan 2014)*

This was the second RC release of the 2.10 series. Since 2.10.0 rc1:

- Documentation improvements
- Run drbdsetup syncer only on network attach
- Include target node in hooks nodes for migration
- Fix configure dirs
- Support post-upgrade hooks during cluster upgrades

Inherited from the 2.9 branch:

- Ensure that all the hypervisors exist in the config file (Issue 640)
- Correctly recognise the role as master node (Issue 687)
- configure: allow detection of Sphinx 1.2+ (Issue 502)
- gnt-instance now honors the KVM path correctly (Issue 691)

Inherited from the 2.8 branch:

- Change the list separator for the usb_devices parameter from comma to space.
  Commas could not work because they are already the hypervisor option
  separator (Issue 649)
- Add support for blktap2 file-driver (Issue 638)
- Add network tag definitions to the haskell codebase (Issue 641)
- Fix RAPI network tag handling
- Add the network tags to the tags searched by gnt-cluster search-tags
- Fix caching bug preventing jobs from being cancelled
- Start-master/stop-master was always failing if ConfD was disabled. (Issue 685)


Version 2.10.0 rc1
------------------

*(Released Tue, 17 Dec 2013)*

This was the first RC release of the 2.10 series. Since 2.10.0 beta1:

- All known issues in 2.10.0 beta1 have been resolved (see changes from
  the 2.8 branch).
- Improve handling of KVM runtime files from earlier Ganeti versions
- Documentation fixes

Inherited from the 2.9 branch:

- use custom KVM path if set for version checking
- SingleNotifyPipeCondition: don't share pollers

Inherited from the 2.8 branch:

- Fixed Luxi daemon socket permissions after master-failover
- Improve IP version detection code directly checking for colons rather than
  passing the family from the cluster object
- Fix NODE/NODE_RES locking in LUInstanceCreate by not acquiring NODE_RES locks
  opportunistically anymore (Issue 622)
- Allow link local IPv6 gateways (Issue 624)
- Fix error printing (Issue 616)
- Fix a bug in InstanceSetParams concerning names: in case no name is passed in
  disk modifications, keep the old one. If name=none then set disk name to
  None.
- Update build_chroot script to work with the latest hackage packages
- Add a packet number limit to "fping" in master-ip-setup (Issue 630)
- Fix evacuation out of drained node (Issue 615)
- Add default file_driver if missing (Issue 571)
- Fix job error message after unclean master shutdown (Issue 618)
- Lock group(s) when creating instances (Issue 621)
- SetDiskID() before accepting an instance (Issue 633)
- Allow the ext template disks to receive arbitrary parameters, both at creation
  time and while being modified
- Xen handle domain shutdown (future proofing cherry-pick)
- Refactor reading live data in htools (future proofing cherry-pick)


Version 2.10.0 beta1
--------------------

*(Released Wed, 27 Nov 2013)*

This was the first beta release of the 2.10 series. All important changes
are listed in the latest 2.10 entry.

Known issues
~~~~~~~~~~~~

The following issues are known to be present in the beta and will be fixed
before rc1.

- Issue 477: Wrong permissions for confd LUXI socket
- Issue 621: Instance related opcodes do not aquire network/group locks
- Issue 622: Assertion Error: Node locks differ from node resource locks
- Issue 623: IPv6 Masterd <-> Luxid communication error


Version 2.9.7
-------------

*(Released Fri, 11 Dec 2015)*

Important changes and security notes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security release.

CVE-2015-7944

Ganeti provides a RESTful control interface called the RAPI. Its HTTPS
implementation is vulnerable to DoS attacks via client-initiated SSL
parameter renegotiation. While the interface is not meant to be exposed
publicly, due to the fact that it binds to all interfaces, we believe
some users might be exposing it unintentionally and are vulnerable. A
DoS attack can consume resources meant for Ganeti daemons and instances
running on the master node, making both perform badly.

Fixes are not feasible due to the OpenSSL Python library not exposing
functionality needed to disable client-side renegotiation. Instead, we
offer instructions on how to control RAPI's exposure, along with info
on how RAPI can be setup alongside an HTTPS proxy in case users still
want or need to expose the RAPI interface. The instructions are
outlined in Ganeti's security document: doc/html/security.html

CVE-2015-7945

Ganeti leaks the DRBD secret through the RAPI interface. Examining job
results after an instance information job reveals the secret. With the
DRBD secret, access to the local cluster network, and ARP poisoning,
an attacker can impersonate a Ganeti node and clone the disks of a
DRBD-based instance. While an attacker with access to the cluster
network is already capable of accessing any data written as DRBD
traffic is unencrypted, having the secret expedites the process and
allows access to the entire disk.

Fixes contained in this release prevent the secret from being exposed
via the RAPI. The DRBD secret can be changed by converting an instance
to plain and back to DRBD, generating a new secret, but redundancy will
be lost until the process completes.
Since attackers with node access are capable of accessing some and
potentially all data even without the secret, we do not recommend that
the secret be changed for existing instances.

Minor changes
~~~~~~~~~~~~~

- gnt-instance replace-disks no longer crashes when --ignore-policy is
  passed to it
- Stop MonD when removing a node from a cluster
- Fix file descriptor leak in Confd client
- Always install SIGHUP handler for Haskell daemons (Issue 755)
- Make ganeti-cleaner switch to a safe working directory (Issue 880)
- Make htools tolerate missing "spfree" on Luxi
- DRBD parser: consume initial empty resource lines (Issue 869)
- KVM: set IFF_ONE_QUEUE on created tap interfaces
- Set exclusion tags correctly in requested instance


Version 2.9.6
-------------

*(Released Mon, 7 Apr 2014)*

- Improve RAPI detection of the watcher (Issue 752)
- gnt-cluster copyfile: accept relative paths (Issue 754)
- Make watcher submit queries low priority (Issue 772)
- Add reason parameter to RAPI client functions (Issue 776)
- Fix failing gnt-node list-drbd command (Issue 777)
- Properly display fake job locks in gnt-debug.
- Enable timeout for instance shutdown
- small fixes in documentation


Version 2.9.5
-------------

*(Released Tue, 25 Feb 2014)*

- Fix overflow problem in hbal that caused it to break when waiting for
  jobs for more than 10 minutes (issue 717)
- Make hbal properly handle non-LVM storage
- Properly export and import NIC parameters, and do so in a backwards
  compatible way (issue 716)
- Fix net-common script in case of routed mode (issue 728)
- Improve documentation (issues 724, 730)


Version 2.9.4
-------------

*(Released Mon, 10 Feb 2014)*

- Fix the RAPI instances-multi-alloc call
- assign unique filenames to file-based disks
- gracefully handle degraded non-diskless instances with 0 disks (issue 697)
- noded now runs with its specified group, which is the default group,
  defaulting to root (issue 707)
- make using UUIDs to identify nodes in gnt-node consistently possible
  (issue 703)


Version 2.9.3
-------------

*(Released Mon, 27 Jan 2014)*

- Ensure that all the hypervisors exist in the config file (Issue 640)
- Correctly recognise the role as master node (Issue 687)
- configure: allow detection of Sphinx 1.2+ (Issue 502)
- gnt-instance now honors the KVM path correctly (Issue 691)

Inherited from the 2.8 branch:

- Change the list separator for the usb_devices parameter from comma to space.
  Commas could not work because they are already the hypervisor option
  separator (Issue 649)
- Add support for blktap2 file-driver (Issue 638)
- Add network tag definitions to the haskell codebase (Issue 641)
- Fix RAPI network tag handling
- Add the network tags to the tags searched by gnt-cluster search-tags
- Fix caching bug preventing jobs from being cancelled
- Start-master/stop-master was always failing if ConfD was disabled. (Issue 685)


Version 2.9.2
-------------

*(Released Fri, 13 Dec 2013)*

- use custom KVM path if set for version checking
- SingleNotifyPipeCondition: don't share pollers

Inherited from the 2.8 branch:

- Fixed Luxi daemon socket permissions after master-failover
- Improve IP version detection code directly checking for colons rather than
  passing the family from the cluster object
- Fix NODE/NODE_RES locking in LUInstanceCreate by not acquiring NODE_RES locks
  opportunistically anymore (Issue 622)
- Allow link local IPv6 gateways (Issue 624)
- Fix error printing (Issue 616)
- Fix a bug in InstanceSetParams concerning names: in case no name is passed in
  disk modifications, keep the old one. If name=none then set disk name to
  None.
- Update build_chroot script to work with the latest hackage packages
- Add a packet number limit to "fping" in master-ip-setup (Issue 630)
- Fix evacuation out of drained node (Issue 615)
- Add default file_driver if missing (Issue 571)
- Fix job error message after unclean master shutdown (Issue 618)
- Lock group(s) when creating instances (Issue 621)
- SetDiskID() before accepting an instance (Issue 633)
- Allow the ext template disks to receive arbitrary parameters, both at creation
  time and while being modified
- Xen handle domain shutdown (future proofing cherry-pick)
- Refactor reading live data in htools (future proofing cherry-pick)


Version 2.9.1
-------------

*(Released Wed, 13 Nov 2013)*

- fix bug, that kept nodes offline when readding
- when verifying DRBD versions, ignore unavailable nodes
- fix bug that made the console unavailable on kvm in split-user
  setup (issue 608)
- DRBD: ensure peers are UpToDate for dual-primary (inherited 2.8.2)


Version 2.9.0
-------------

*(Released Tue, 5 Nov 2013)*

Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- hroller now also plans for capacity to move non-redundant instances off
  any node to be rebooted; the old behavior of completely ignoring any
  non-redundant instances can be restored by adding the --ignore-non-redundant
  option.
- The cluster option '--no-lvm-storage' was removed in favor of the new option
  '--enabled-disk-templates'.
- On instance creation, disk templates no longer need to be specified
  with '-t'. The default disk template will be taken from the list of
  enabled disk templates.
- The monitoring daemon is now running as root, in order to be able to collect
  information only available to root (such as the state of Xen instances).
- The ConfD client is now IPv6 compatible.
- File and shared file storage is no longer dis/enabled at configure time,
  but using the option '--enabled-disk-templates' at cluster initialization and
  modification.
- The default directories for file and shared file storage are not anymore
  specified at configure time, but taken from the cluster's configuration.
  They can be set at cluster initialization and modification with
  '--file-storage-dir' and '--shared-file-storage-dir'.
- Cluster verification now includes stricter checks regarding the
  default file and shared file storage directories. It now checks that
  the directories are explicitely allowed in the 'file-storage-paths' file and
  that the directories exist on all nodes.
- The list of allowed disk templates in the instance policy and the list
  of cluster-wide enabled disk templates is now checked for consistency
  on cluster or group modification. On cluster initialization, the ipolicy
  disk templates are ensured to be a subset of the cluster-wide enabled
  disk templates.

New features
~~~~~~~~~~~~

- DRBD 8.4 support. Depending on the installed DRBD version, Ganeti now uses
  the correct command syntax. It is possible to use different DRBD versions
  on different nodes as long as they are compatible to each other. This
  enables rolling upgrades of DRBD with no downtime. As permanent operation
  of different DRBD versions within a node group is discouraged,
  ``gnt-cluster verify`` will emit a warning if it detects such a situation.
- New "inst-status-xen" data collector for the monitoring daemon, providing
  information about the state of the xen instances on the nodes.
- New "lv" data collector for the monitoring daemon, collecting data about the
  logical volumes on the nodes, and pairing them with the name of the instances
  they belong to.
- New "diskstats" data collector, collecting the data from /proc/diskstats and
  presenting them over the monitoring daemon interface.
- The ConfD client is now IPv6 compatible.

New dependencies
~~~~~~~~~~~~~~~~
The following new dependencies have been added.

Python

- ``python-mock`` (http://www.voidspace.org.uk/python/mock/) is now a required
  for the unit tests (and only used for testing).

Haskell

- ``hslogger`` (http://software.complete.org/hslogger) is now always
  required, even if confd is not enabled.

Since 2.9.0 rc3
~~~~~~~~~~~~~~~

- Correctly start/stop luxid during gnt-cluster master-failover (inherited
  from stable-2.8)
- Improved error messsages (inherited from stable-2.8)


Version 2.9.0 rc3
-----------------

*(Released Tue, 15 Oct 2013)*

The third release candidate in the 2.9 series. Since 2.9.0 rc2:

- in implicit configuration upgrade, match ipolicy with enabled disk templates
- improved harep documentation (inherited from stable-2.8)


Version 2.9.0 rc2
-----------------

*(Released Wed, 9 Oct 2013)*

The second release candidate in the 2.9 series. Since 2.9.0 rc1:

- Fix bug in cfgupgrade that led to failure when upgrading from 2.8 with
  at least one DRBD instance.
- Fix bug in cfgupgrade that led to an invalid 2.8 configuration after
  downgrading.


Version 2.9.0 rc1
-----------------

*(Released Tue, 1 Oct 2013)*

The first release candidate in the 2.9 series. Since 2.9.0 beta1:

- various bug fixes
- update of the documentation, in particular installation instructions
- merging of LD_* constants into DT_* constants
- python style changes to be compatible with newer versions of pylint


Version 2.9.0 beta1
-------------------

*(Released Thu, 29 Aug 2013)*

This was the first beta release of the 2.9 series. All important changes
are listed in the latest 2.9 entry.


Version 2.8.4
-------------

*(Released Thu, 23 Jan 2014)*

- Change the list separator for the usb_devices parameter from comma to space.
  Commas could not work because they are already the hypervisor option
  separator (Issue 649)
- Add support for blktap2 file-driver (Issue 638)
- Add network tag definitions to the haskell codebase (Issue 641)
- Fix RAPI network tag handling
- Add the network tags to the tags searched by gnt-cluster search-tags
- Fix caching bug preventing jobs from being cancelled
- Start-master/stop-master was always failing if ConfD was disabled. (Issue 685)


Version 2.8.3
-------------

*(Released Thu, 12 Dec 2013)*

- Fixed Luxi daemon socket permissions after master-failover
- Improve IP version detection code directly checking for colons rather than
  passing the family from the cluster object
- Fix NODE/NODE_RES locking in LUInstanceCreate by not acquiring NODE_RES locks
  opportunistically anymore (Issue 622)
- Allow link local IPv6 gateways (Issue 624)
- Fix error printing (Issue 616)
- Fix a bug in InstanceSetParams concerning names: in case no name is passed in
  disk modifications, keep the old one. If name=none then set disk name to
  None.
- Update build_chroot script to work with the latest hackage packages
- Add a packet number limit to "fping" in master-ip-setup (Issue 630)
- Fix evacuation out of drained node (Issue 615)
- Add default file_driver if missing (Issue 571)
- Fix job error message after unclean master shutdown (Issue 618)
- Lock group(s) when creating instances (Issue 621)
- SetDiskID() before accepting an instance (Issue 633)
- Allow the ext template disks to receive arbitrary parameters, both at creation
  time and while being modified
- Xen handle domain shutdown (future proofing cherry-pick)
- Refactor reading live data in htools (future proofing cherry-pick)


Version 2.8.2
-------------

*(Released Thu, 07 Nov 2013)*

- DRBD: ensure peers are UpToDate for dual-primary
- Improve error message for replace-disks
- More dependency checks at configure time
- Placate warnings on ganeti.outils_unittest.py


Version 2.8.1
-------------

*(Released Thu, 17 Oct 2013)*

- Correctly start/stop luxid during gnt-cluster master-failover
- Don't attempt IPv6 ssh in case of IPv4 cluster (Issue 595)
- Fix path for the job queue serial file
- Improved harep man page
- Minor documentation improvements


Version 2.8.0
-------------

*(Released Mon, 30 Sep 2013)*

Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Instance policy can contain multiple instance specs, as described in
  the “Constrained instance sizes” section of :doc:`Partitioned Ganeti
  <design-partitioned>`. As a consequence, it's not possible to partially change
  or override instance specs. Bounding specs (min and max) can be specified as a
  whole using the new option ``--ipolicy-bounds-specs``, while standard
  specs use the new option ``--ipolicy-std-specs``.
- The output of the info command of gnt-cluster, gnt-group, gnt-node,
  gnt-instance is a valid YAML object.
- hail now honors network restrictions when allocating nodes. This led to an
  update of the IAllocator protocol. See the IAllocator documentation for
  details.
- confd now only answers static configuration request over the network. luxid
  was extracted, listens on the local LUXI socket and responds to live queries.
  This allows finer grained permissions if using separate users.

New features
~~~~~~~~~~~~

- The :doc:`Remote API <rapi>` daemon now supports a command line flag
  to always require authentication, ``--require-authentication``. It can
  be specified in ``$sysconfdir/default/ganeti``.
- A new cluster attribute 'enabled_disk_templates' is introduced. It will
  be used to manage the disk templates to be used by instances in the cluster.
  Initially, it will be set to a list that includes plain, drbd, if they were
  enabled by specifying a volume group name, and file and sharedfile, if those
  were enabled at configure time. Additionally, it will include all disk
  templates that are currently used by instances. The order of disk templates
  will be based on Ganeti's history of supporting them. In the future, the
  first entry of the list will be used as a default disk template on instance
  creation.
- ``cfgupgrade`` now supports a ``--downgrade`` option to bring the
  configuration back to the previous stable version.
- Disk templates in group ipolicy can be restored to the default value.
- Initial support for diskless instances and virtual clusters in QA.
- More QA and unit tests for instance policies.
- Every opcode now contains a reason trail (visible through ``gnt-job info``)
  describing why the opcode itself was executed.
- The monitoring daemon is now available. It allows users to query the cluster
  for obtaining information about the status of the system. The daemon is only
  responsible for providing the information over the network: the actual data
  gathering is performed by data collectors (currently, only the DRBD status
  collector is available).
- In order to help developers work on Ganeti, a new script
  (``devel/build_chroot``) is provided, for building a chroot that contains all
  the required development libraries and tools for compiling Ganeti on a Debian
  Squeeze system.
- A new tool, ``harep``, for performing self-repair and recreation of instances
  in Ganeti has been added.
- Split queries are enabled for tags, network, exports, cluster info, groups,
  jobs, nodes.
- New command ``show-ispecs-cmd`` for ``gnt-cluster`` and ``gnt-group``.
  It prints the command line to set the current policies, to ease
  changing them.
- Add the ``vnet_hdr`` HV parameter for KVM, to control whether the tap
  devices for KVM virtio-net interfaces will get created with VNET_HDR
  (IFF_VNET_HDR) support. If set to false, it disables offloading on the
  virtio-net interfaces, which prevents host kernel tainting and log
  flooding, when dealing with broken or malicious virtio-net drivers.
  It's set to true by default.
- Instance failover now supports a ``--cleanup`` parameter for fixing previous
  failures.
- Support 'viridian' parameter in Xen HVM
- Support DSA SSH keys in bootstrap
- To simplify the work of packaging frameworks that want to add the needed users
  and groups in a split-user setup themselves, at build time three files in
  ``doc/users`` will be generated. The ``groups`` files contains, one per line,
  the groups to be generated, the ``users`` file contains, one per line, the
  users to be generated, optionally followed by their primary group, where
  important. The ``groupmemberships`` file contains, one per line, additional
  user-group membership relations that need to be established. The syntax of
  these files will remain stable in all future versions.


New dependencies
~~~~~~~~~~~~~~~~
The following new dependencies have been added:

For Haskell:
- The ``curl`` library is not optional anymore for compiling the Haskell code.
- ``snap-server`` library (if monitoring is enabled).

For Python:
- The minimum Python version needed to run Ganeti is now 2.6.
- ``yaml`` library (only for running the QA).

Since 2.8.0 rc3
~~~~~~~~~~~~~~~
- Perform proper cleanup on termination of Haskell daemons
- Fix corner-case in handling of remaining retry time


Version 2.8.0 rc3
-----------------

*(Released Tue, 17 Sep 2013)*

- To simplify the work of packaging frameworks that want to add the needed users
  and groups in a split-user setup themselves, at build time three files in
  ``doc/users`` will be generated. The ``groups`` files contains, one per line,
  the groups to be generated, the ``users`` file contains, one per line, the
  users to be generated, optionally followed by their primary group, where
  important. The ``groupmemberships`` file contains, one per line, additional
  user-group membership relations that need to be established. The syntax of
  these files will remain stable in all future versions.
- Add a default to file-driver when unspecified over RAPI (Issue 571)
- Mark the DSA host pubkey as optional, and remove it during config downgrade
  (Issue 560)
- Some documentation fixes


Version 2.8.0 rc2
-----------------

*(Released Tue, 27 Aug 2013)*

The second release candidate of the 2.8 series. Since 2.8.0. rc1:

- Support 'viridian' parameter in Xen HVM (Issue 233)
- Include VCS version in ``gnt-cluster version``
- Support DSA SSH keys in bootstrap (Issue 338)
- Fix batch creation of instances
- Use FQDN to check master node status (Issue 551)
- Make the DRBD collector more failure-resilient


Version 2.8.0 rc1
-----------------

*(Released Fri, 2 Aug 2013)*

The first release candidate of the 2.8 series. Since 2.8.0 beta1:

- Fix upgrading/downgrading from 2.7
- Increase maximum RAPI message size
- Documentation updates
- Split ``confd`` between ``luxid`` and ``confd``
- Merge 2.7 series up to the 2.7.1 release
- Allow the ``modify_etc_hosts`` option to be changed
- Add better debugging for ``luxid`` queries
- Expose bulk parameter for GetJobs in RAPI client
- Expose missing ``network`` fields in RAPI
- Add some ``cluster verify`` tests
- Some unittest fixes
- Fix a malfunction in ``hspace``'s tiered allocation
- Fix query compatibility between haskell and python implementations
- Add the ``vnet_hdr`` HV parameter for KVM
- Add ``--cleanup`` to instance failover
- Change the connected groups format in ``gnt-network info`` output; it
  was previously displayed as a raw list by mistake. (Merged from 2.7)


Version 2.8.0 beta1
-------------------

*(Released Mon, 24 Jun 2013)*

This was the first beta release of the 2.8 series. All important changes
are listed in the latest 2.8 entry.


Version 2.7.2
-------------

*(Released Thu, 26 Sep 2013)*

- Change the connected groups format in ``gnt-network info`` output; it
  was previously displayed as a raw list by mistake
- Check disk template in right dict when copying
- Support multi-instance allocs without iallocator
- Fix some errors in the documentation
- Fix formatting of tuple in an error message


Version 2.7.1
-------------

*(Released Thu, 25 Jul 2013)*

- Add logrotate functionality in daemon-util
- Add logrotate example file
- Add missing fields to network queries over rapi
- Fix network object timestamps
- Add support for querying network timestamps
- Fix a typo in the example crontab
- Fix a documentation typo


Version 2.7.0
-------------

*(Released Thu, 04 Jul 2013)*

Incompatible/important changes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Instance policies for disk size were documented to be on a per-disk
  basis, but hail applied them to the sum of all disks. This has been
  fixed.
- ``hbal`` will now exit with status 0 if, during job execution over
  LUXI, early exit has been requested and all jobs are successful;
  before, exit status 1 was used, which cannot be differentiated from
  "job error" case
- Compatibility with newer versions of rbd has been fixed
- ``gnt-instance batch-create`` has been changed to use the bulk create
  opcode from Ganeti. This lead to incompatible changes in the format of
  the JSON file. It's now not a custom dict anymore but a dict
  compatible with the ``OpInstanceCreate`` opcode.
- Parent directories for file storage need to be listed in
  ``$sysconfdir/ganeti/file-storage-paths`` now. ``cfgupgrade`` will
  write the file automatically based on old configuration values, but it
  can not distribute it across all nodes and the file contents should be
  verified. Use ``gnt-cluster copyfile
  $sysconfdir/ganeti/file-storage-paths`` once the cluster has been
  upgraded. The reason for requiring this list of paths now is that
  before it would have been possible to inject new paths via RPC,
  allowing files to be created in arbitrary locations. The RPC protocol
  is protected using SSL/X.509 certificates, but as a design principle
  Ganeti does not permit arbitrary paths to be passed.
- The parsing of the variants file for OSes (see
  :manpage:`ganeti-os-interface(7)`) has been slightly changed: now empty
  lines and comment lines (starting with ``#``) are ignored for better
  readability.
- The ``setup-ssh`` tool added in Ganeti 2.2 has been replaced and is no
  longer available. ``gnt-node add`` now invokes a new tool on the
  destination node, named ``prepare-node-join``, to configure the SSH
  daemon. Paramiko is no longer necessary to configure nodes' SSH
  daemons via ``gnt-node add``.
- Draining (``gnt-cluster queue drain``) and un-draining the job queue
  (``gnt-cluster queue undrain``) now affects all nodes in a cluster and
  the flag is not reset after a master failover.
- Python 2.4 has *not* been tested with this release. Using 2.6 or above
  is recommended. 2.6 will be mandatory from the 2.8 series.


New features
~~~~~~~~~~~~

- New network management functionality to support automatic allocation
  of IP addresses and managing of network parameters. See
  :manpage:`gnt-network(8)` for more details.
- New external storage backend, to allow managing arbitrary storage
  systems external to the cluster. See
  :manpage:`ganeti-extstorage-interface(7)`.
- New ``exclusive-storage`` node parameter added, restricted to
  nodegroup level. When it's set to true, physical disks are assigned in
  an exclusive fashion to instances, as documented in :doc:`Partitioned
  Ganeti <design-partitioned>`.  Currently, only instances using the
  ``plain`` disk template are supported.
- The KVM hypervisor has been updated with many new hypervisor
  parameters, including a generic one for passing arbitrary command line
  values. See a complete list in :manpage:`gnt-instance(8)`. It is now
  compatible up to qemu 1.4.
- A new tool, called ``mon-collector``, is the stand-alone executor of
  the data collectors for a monitoring system. As of this version, it
  just includes the DRBD data collector, that can be executed by calling
  ``mon-collector`` using the ``drbd`` parameter. See
  :manpage:`mon-collector(7)`.
- A new user option, :pyeval:`rapi.RAPI_ACCESS_READ`, has been added
  for RAPI users. It allows granting permissions to query for
  information to a specific user without giving
  :pyeval:`rapi.RAPI_ACCESS_WRITE` permissions.
- A new tool named ``node-cleanup`` has been added. It cleans remains of
  a cluster from a machine by stopping all daemons, removing
  certificates and ssconf files. Unless the ``--no-backup`` option is
  given, copies of the certificates are made.
- Instance creations now support the use of opportunistic locking,
  potentially speeding up the (parallel) creation of multiple instances.
  This feature is currently only available via the :doc:`RAPI
  <rapi>` interface and when an instance allocator is used. If the
  ``opportunistic_locking`` parameter is set the opcode will try to
  acquire as many locks as possible, but will not wait for any locks
  held by other opcodes. If not enough resources can be found to
  allocate the instance, the temporary error code
  :pyeval:`errors.ECODE_TEMP_NORES` is returned. The operation can be
  retried thereafter, with or without opportunistic locking.
- New experimental linux-ha resource scripts.
- Restricted-commands support: ganeti can now be asked (via command line
  or rapi) to perform commands on a node. These are passed via ganeti
  RPC rather than ssh. This functionality is restricted to commands
  specified on the ``$sysconfdir/ganeti/restricted-commands`` for security
  reasons. The file is not copied automatically.


Misc changes
~~~~~~~~~~~~

- Diskless instances are now externally mirrored (Issue 237). This for
  now has only been tested in conjunction with explicit target nodes for
  migration/failover.
- Queries not needing locks or RPC access to the node can now be
  performed by the confd daemon, making them independent from jobs, and
  thus faster to execute. This is selectable at configure time.
- The functionality for allocating multiple instances at once has been
  overhauled and is now also available through :doc:`RAPI <rapi>`.

There are no significant changes from version 2.7.0~rc3.


Version 2.7.0 rc3
-----------------

*(Released Tue, 25 Jun 2013)*

- Fix permissions on the confd query socket (Issue 477)
- Fix permissions on the job archive dir (Issue 498)
- Fix handling of an internal exception in replace-disks (Issue 472)
- Fix gnt-node info handling of shortened names (Issue 497)
- Fix gnt-instance grow-disk when wiping is enabled
- Documentation improvements, and support for newer pandoc
- Fix hspace honoring ipolicy for disks (Issue 484)
- Improve handling of the ``kvm_extra`` HV parameter


Version 2.7.0 rc2
-----------------

*(Released Fri, 24 May 2013)*

- ``devel/upload`` now works when ``/var/run`` on the target nodes is a
  symlink.
- Disks added through ``gnt-instance modify`` or created through
  ``gnt-instance recreate-disks`` are wiped, if the
  ``prealloc_wipe_disks`` flag is set.
- If wiping newly created disks fails, the disks are removed. Also,
  partial failures in creating disks through ``gnt-instance modify``
  triggers a cleanup of the partially-created disks.
- Removing the master IP address doesn't fail if the address has been
  already removed.
- Fix ownership of the OS log dir
- Workaround missing SO_PEERCRED constant (Issue 191)


Version 2.7.0 rc1
-----------------

*(Released Fri, 3 May 2013)*

This was the first release candidate of the 2.7 series. Since beta3:

- Fix kvm compatibility with qemu 1.4 (Issue 389)
- Documentation updates (admin guide, upgrade notes, install
  instructions) (Issue 372)
- Fix gnt-group list nodes and instances count (Issue 436)
- Fix compilation without non-mandatory libraries (Issue 441)
- Fix xen-hvm hypervisor forcing nics to type 'ioemu' (Issue 247)
- Make confd logging more verbose at INFO level (Issue 435)
- Improve "networks" documentation in :manpage:`gnt-instance(8)`
- Fix failure path for instance storage type conversion (Issue 229)
- Update htools text backend documentation
- Improve the renew-crypto section of :manpage:`gnt-cluster(8)`
- Disable inter-cluster instance move for file-based instances, because
  it is dependant on instance export, which is not supported for
  file-based instances. (Issue 414)
- Fix gnt-job crashes on non-ascii characters (Issue 427)
- Fix volume group checks on non-vm-capable nodes (Issue 432)


Version 2.7.0 beta3
-------------------

*(Released Mon, 22 Apr 2013)*

This was the third beta release of the 2.7 series. Since beta2:

- Fix hail to verify disk instance policies on a per-disk basis (Issue 418).
- Fix data loss on wrong usage of ``gnt-instance move``
- Properly export errors in confd-based job queries
- Add ``users-setup`` tool
- Fix iallocator protocol to report 0 as a disk size for diskless
  instances. This avoids hail breaking when a diskless instance is
  present.
- Fix job queue directory permission problem that made confd job queries
  fail. This requires running an ``ensure-dirs --full-run`` on upgrade
  for access to archived jobs (Issue 406).
- Limit the sizes of networks supported by ``gnt-network`` to something
  between a ``/16`` and a ``/30`` to prevent memory bloat and crashes.
- Fix bugs in instance disk template conversion
- Fix GHC 7 compatibility
- Fix ``burnin`` install path (Issue 426).
- Allow very small disk grows (Issue 347).
- Fix a ``ganeti-noded`` memory bloat introduced in 2.5, by making sure
  that noded doesn't import masterd code (Issue 419).
- Make sure the default metavg at cluster init is the same as the vg, if
  unspecified (Issue 358).
- Fix cleanup of partially created disks (part of Issue 416)


Version 2.7.0 beta2
-------------------

*(Released Tue, 2 Apr 2013)*

This was the second beta release of the 2.7 series. Since beta1:

- Networks no longer have a "type" slot, since this information was
  unused in Ganeti: instead of it tags should be used.
- The rapi client now has a ``target_node`` option to MigrateInstance.
- Fix early exit return code for hbal (Issue 386).
- Fix ``gnt-instance migrate/failover -n`` (Issue 396).
- Fix ``rbd showmapped`` output parsing (Issue 312).
- Networks are now referenced indexed by UUID, rather than name. This
  will require running cfgupgrade, from 2.7.0beta1, if networks are in
  use.
- The OS environment now includes network information.
- Deleting of a network is now disallowed if any instance nic is using
  it, to prevent dangling references.
- External storage is now documented in man pages.
- The exclusive_storage flag can now only be set at nodegroup level.
- Hbal can now submit an explicit priority with its jobs.
- Many network related locking fixes.
- Bump up the required pylint version to 0.25.1.
- Fix the ``no_remember`` option in RAPI client.
- Many ipolicy related tests, qa, and fixes.
- Many documentation improvements and fixes.
- Fix building with ``--disable-file-storage``.
- Fix ``-q`` option in htools, which was broken if passed more than
  once.
- Some haskell/python interaction improvements and fixes.
- Fix iallocator in case of missing LVM storage.
- Fix confd config load in case of ``--no-lvm-storage``.
- The confd/query functionality is now mentioned in the security
  documentation.


Version 2.7.0 beta1
-------------------

*(Released Wed, 6 Feb 2013)*

This was the first beta release of the 2.7 series. All important changes
are listed in the latest 2.7 entry.


Version 2.6.2
-------------

*(Released Fri, 21 Dec 2012)*

Important behaviour change: hbal won't rebalance anymore instances which
have the ``auto_balance`` attribute set to false. This was the intention
all along, but until now it only skipped those from the N+1 memory
reservation (DRBD-specific).

A significant number of bug fixes in this release:

- Fixed disk adoption interaction with ipolicy checks.
- Fixed networking issues when instances are started, stopped or
  migrated, by forcing the tap device's MAC prefix to "fe" (issue 217).
- Fixed the warning in cluster verify for shared storage instances not
  being redundant.
- Fixed removal of storage directory on shared file storage (issue 262).
- Fixed validation of LVM volume group name in OpClusterSetParams
  (``gnt-cluster modify``) (issue 285).
- Fixed runtime memory increases (``gnt-instance modify -m``).
- Fixed live migration under Xen's ``xl`` mode.
- Fixed ``gnt-instance console`` with ``xl``.
- Fixed building with newer Haskell compiler/libraries.
- Fixed PID file writing in Haskell daemons (confd); this prevents
  restart issues if confd was launched manually (outside of
  ``daemon-util``) while another copy of it was running
- Fixed a type error when doing live migrations with KVM (issue 297) and
  the error messages for failing migrations have been improved.
- Fixed opcode validation for the out-of-band commands (``gnt-node
  power``).
- Fixed a type error when unsetting OS hypervisor parameters (issue
  311); now it's possible to unset all OS-specific hypervisor
  parameters.
- Fixed the ``dry-run`` mode for many operations: verification of
  results was over-zealous but didn't take into account the ``dry-run``
  operation, resulting in "wrong" failures.
- Fixed bash completion in ``gnt-job list`` when the job queue has
  hundreds of entries; especially with older ``bash`` versions, this
  results in significant CPU usage.

And lastly, a few other improvements have been made:

- Added option to force master-failover without voting (issue 282).
- Clarified error message on lock conflict (issue 287).
- Logging of newly submitted jobs has been improved (issue 290).
- Hostname checks have been made uniform between instance rename and
  create (issue 291).
- The ``--submit`` option is now supported by ``gnt-debug delay``.
- Shutting down the master daemon by sending SIGTERM now stops it from
  processing jobs waiting for locks; instead, those jobs will be started
  once again after the master daemon is started the next time (issue
  296).
- Support for Xen's ``xl`` program has been improved (besides the fixes
  above).
- Reduced logging noise in the Haskell confd daemon (only show one log
  entry for each config reload, instead of two).
- Several man page updates and typo fixes.


Version 2.6.1
-------------

*(Released Fri, 12 Oct 2012)*

A small bugfix release. Among the bugs fixed:

- Fixed double use of ``PRIORITY_OPT`` in ``gnt-node migrate``, that
  made the command unusable.
- Commands that issue many jobs don't fail anymore just because some jobs
  take so long that other jobs are archived.
- Failures during ``gnt-instance reinstall`` are reflected by the exit
  status.
- Issue 190 fixed. Check for DRBD in cluster verify is enabled only when
  DRBD is enabled.
- When ``always_failover`` is set, ``--allow-failover`` is not required
  in migrate commands anymore.
- ``bash_completion`` works even if extglob is disabled.
- Fixed bug with locks that made failover for RDB-based instances fail.
- Fixed bug in non-mirrored instance allocation that made Ganeti choose
  a random node instead of one based on the allocator metric.
- Support for newer versions of pylint and pep8.
- Hail doesn't fail anymore when trying to add an instance of type
  ``file``, ``sharedfile`` or ``rbd``.
- Added new Makefile target to rebuild the whole distribution, so that
  all files are included.


Version 2.6.0
-------------

*(Released Fri, 27 Jul 2012)*


.. attention:: The ``LUXI`` protocol has been made more consistent
   regarding its handling of command arguments. This, however, leads to
   incompatibility issues with previous versions. Please ensure that you
   restart Ganeti daemons soon after the upgrade, otherwise most
   ``LUXI`` calls (job submission, setting/resetting the drain flag,
   pausing/resuming the watcher, cancelling and archiving jobs, querying
   the cluster configuration) will fail.


New features
~~~~~~~~~~~~

Instance run status
+++++++++++++++++++

The current ``admin_up`` field, which used to denote whether an instance
should be running or not, has been removed. Instead, ``admin_state`` is
introduced, with 3 possible values -- ``up``, ``down`` and ``offline``.

The rational behind this is that an instance being “down” can have
different meanings:

- it could be down during a reboot
- it could be temporarily be down for a reinstall
- or it could be down because it is deprecated and kept just for its
  disk

The previous Boolean state was making it difficult to do capacity
calculations: should Ganeti reserve memory for a down instance? Now, the
tri-state field makes it clear:

- in ``up`` and ``down`` state, all resources are reserved for the
  instance, and it can be at any time brought up if it is down
- in ``offline`` state, only disk space is reserved for it, but not
  memory or CPUs

The field can have an extra use: since the transition between ``up`` and
``down`` and vice-versus is done via ``gnt-instance start/stop``, but
transition between ``offline`` and ``down`` is done via ``gnt-instance
modify``, it is possible to given different rights to users. For
example, owners of an instance could be allowed to start/stop it, but
not transition it out of the offline state.

Instance policies and specs
+++++++++++++++++++++++++++

In previous Ganeti versions, an instance creation request was not
limited on the minimum size and on the maximum size just by the cluster
resources. As such, any policy could be implemented only in third-party
clients (RAPI clients, or shell wrappers over ``gnt-*``
tools). Furthermore, calculating cluster capacity via ``hspace`` again
required external input with regards to instance sizes.

In order to improve these workflows and to allow for example better
per-node group differentiation, we introduced instance specs, which
allow declaring:

- minimum instance disk size, disk count, memory size, cpu count
- maximum values for the above metrics
- and “standard” values (used in ``hspace`` to calculate the standard
  sized instances)

The minimum/maximum values can be also customised at node-group level,
for example allowing more powerful hardware to support bigger instance
memory sizes.

Beside the instance specs, there are a few other settings belonging to
the instance policy framework. It is possible now to customise, per
cluster and node-group:

- the list of allowed disk templates
- the maximum ratio of VCPUs per PCPUs (to control CPU oversubscription)
- the maximum ratio of instance to spindles (see below for more
  information) for local storage

All these together should allow all tools that talk to Ganeti to know
what are the ranges of allowed values for instances and the
over-subscription that is allowed.

For the VCPU/PCPU ratio, we already have the VCPU configuration from the
instance configuration, and the physical CPU configuration from the
node. For the spindle ratios however, we didn't track before these
values, so new parameters have been added:

- a new node parameter ``spindle_count``, defaults to 1, customisable at
  node group or node level
- at new backend parameter (for instances), ``spindle_use`` defaults to 1

Note that spindles in this context doesn't need to mean actual
mechanical hard-drives; it's just a relative number for both the node
I/O capacity and instance I/O consumption.

Instance migration behaviour
++++++++++++++++++++++++++++

While live-migration is in general desirable over failover, it is
possible that for some workloads it is actually worse, due to the
variable time of the “suspend” phase during live migration.

To allow the tools to work consistently over such instances (without
having to hard-code instance names), a new backend parameter
``always_failover`` has been added to control the migration/failover
behaviour. When set to True, all migration requests for an instance will
instead fall-back to failover.

Instance memory ballooning
++++++++++++++++++++++++++

Initial support for memory ballooning has been added. The memory for an
instance is no longer fixed (backend parameter ``memory``), but instead
can vary between minimum and maximum values (backend parameters
``minmem`` and ``maxmem``). Currently we only change an instance's
memory when:

- live migrating or failing over and instance and the target node
  doesn't have enough memory
- user requests changing the memory via ``gnt-instance modify
  --runtime-memory``

Instance CPU pinning
++++++++++++++++++++

In order to control the use of specific CPUs by instance, support for
controlling CPU pinning has been added for the Xen, HVM and LXC
hypervisors. This is controlled by a new hypervisor parameter
``cpu_mask``; details about possible values for this are in the
:manpage:`gnt-instance(8)`. Note that use of the most specific (precise
VCPU-to-CPU mapping) form will work well only when all nodes in your
cluster have the same amount of CPUs.

Disk parameters
+++++++++++++++

Another area in which Ganeti was not customisable were the parameters
used for storage configuration, e.g. how many stripes to use for LVM,
DRBD resync configuration, etc.

To improve this area, we've added disks parameters, which are
customisable at cluster and node group level, and which allow to
specify various parameters for disks (DRBD has the most parameters
currently), for example:

- DRBD resync algorithm and parameters (e.g. speed)
- the default VG for meta-data volumes for DRBD
- number of stripes for LVM (plain disk template)
- the RBD pool

These parameters can be modified via ``gnt-cluster modify -D …`` and
``gnt-group modify -D …``, and are used at either instance creation (in
case of LVM stripes, for example) or at disk “activation” time
(e.g. resync speed).

Rados block device support
++++++++++++++++++++++++++

A Rados (http://ceph.com/wiki/Rbd) storage backend has been added,
denoted by the ``rbd`` disk template type. This is considered
experimental, feedback is welcome. For details on configuring it, see
the :doc:`install` document and the :manpage:`gnt-cluster(8)` man page.

Master IP setup
+++++++++++++++

The existing master IP functionality works well only in simple setups (a
single network shared by all nodes); however, if nodes belong to
different networks, then the ``/32`` setup and lack of routing
information is not enough.

To allow the master IP to function well in more complex cases, the
system was reworked as follows:

- a master IP netmask setting has been added
- the master IP activation/turn-down code was moved from the node daemon
  to a separate script
- whether to run the Ganeti-supplied master IP script or a user-supplied
  on is a ``gnt-cluster init`` setting

Details about the location of the standard and custom setup scripts are
in the man page :manpage:`gnt-cluster(8)`; for information about the
setup script protocol, look at the Ganeti-supplied script.

SPICE support
+++++++++++++

The `SPICE <http://www.linux-kvm.org/page/SPICE>`_ support has been
improved.

It is now possible to use TLS-protected connections, and when renewing
or changing the cluster certificates (via ``gnt-cluster renew-crypto``,
it is now possible to specify spice or spice CA certificates. Also, it
is possible to configure a password for SPICE sessions via the
hypervisor parameter ``spice_password_file``.

There are also new parameters to control the compression and streaming
options (e.g. ``spice_image_compression``, ``spice_streaming_video``,
etc.). For details, see the man page :manpage:`gnt-instance(8)` and look
for the spice parameters.

Lastly, it is now possible to see the SPICE connection information via
``gnt-instance console``.

OVF converter
+++++++++++++

A new tool (``tools/ovfconverter``) has been added that supports
conversion between Ganeti and the `Open Virtualization Format
<http://en.wikipedia.org/wiki/Open_Virtualization_Format>`_ (both to and
from).

This relies on the ``qemu-img`` tool to convert the disk formats, so the
actual compatibility with other virtualization solutions depends on it.

Confd daemon changes
++++++++++++++++++++

The configuration query daemon (``ganeti-confd``) is now optional, and
has been rewritten in Haskell; whether to use the daemon at all, use the
Python (default) or the Haskell version is selectable at configure time
via the ``--enable-confd`` parameter, which can take one of the
``haskell``, ``python`` or ``no`` values. If not used, disabling the
daemon will result in a smaller footprint; for larger systems, we
welcome feedback on the Haskell version which might become the default
in future versions.

If you want to use ``gnt-node list-drbd`` you need to have the Haskell
daemon running. The Python version doesn't implement the new call.


User interface changes
~~~~~~~~~~~~~~~~~~~~~~

We have replaced the ``--disks`` option of ``gnt-instance
replace-disks`` with a more flexible ``--disk`` option, which allows
adding and removing disks at arbitrary indices (Issue 188). Furthermore,
disk size and mode can be changed upon recreation (via ``gnt-instance
recreate-disks``, which accepts the same ``--disk`` option).

As many people are used to a ``show`` command, we have added that as an
alias to ``info`` on all ``gnt-*`` commands.

The ``gnt-instance grow-disk`` command has a new mode in which it can
accept the target size of the disk, instead of the delta; this can be
more safe since two runs in absolute mode will be idempotent, and
sometimes it's also easier to specify the desired size directly.

Also the handling of instances with regard to offline secondaries has
been improved. Instance operations should not fail because one of it's
secondary nodes is offline, even though it's safe to proceed.

A new command ``list-drbd`` has been added to the ``gnt-node`` script to
support debugging of DRBD issues on nodes. It provides a mapping of DRBD
minors to instance name.

API changes
~~~~~~~~~~~

RAPI coverage has improved, with (for example) new resources for
recreate-disks, node power-cycle, etc.

Compatibility
~~~~~~~~~~~~~

There is partial support for ``xl`` in the Xen hypervisor; feedback is
welcome.

Python 2.7 is better supported, and after Ganeti 2.6 we will investigate
whether to still support Python 2.4 or move to Python 2.6 as minimum
required version.

Support for Fedora has been slightly improved; the provided example
init.d script should work better on it and the INSTALL file should
document the needed dependencies.

Internal changes
~~~~~~~~~~~~~~~~

The deprecated ``QueryLocks`` LUXI request has been removed. Use
``Query(what=QR_LOCK, ...)`` instead.

The LUXI requests :pyeval:`luxi.REQ_QUERY_JOBS`,
:pyeval:`luxi.REQ_QUERY_INSTANCES`, :pyeval:`luxi.REQ_QUERY_NODES`,
:pyeval:`luxi.REQ_QUERY_GROUPS`, :pyeval:`luxi.REQ_QUERY_EXPORTS` and
:pyeval:`luxi.REQ_QUERY_TAGS` are deprecated and will be removed in a
future version. :pyeval:`luxi.REQ_QUERY` should be used instead.

RAPI client: ``CertificateError`` now derives from
``GanetiApiError``. This should make it more easy to handle Ganeti
errors.

Deprecation warnings due to PyCrypto/paramiko import in
``tools/setup-ssh`` have been silenced, as usually they are safe; please
make sure to run an up-to-date paramiko version, if you use this tool.

The QA scripts now depend on Python 2.5 or above (the main code base
still works with Python 2.4).

The configuration file (``config.data``) is now written without
indentation for performance reasons; if you want to edit it, it can be
re-formatted via ``tools/fmtjson``.

A number of bugs has been fixed in the cluster merge tool.

``x509`` certification verification (used in import-export) has been
changed to allow the same clock skew as permitted by the cluster
verification. This will remove some rare but hard to diagnose errors in
import-export.


Version 2.6.0 rc4
-----------------

*(Released Thu, 19 Jul 2012)*

Very few changes from rc4 to the final release, only bugfixes:

- integrated fixes from release 2.5.2 (fix general boot flag for KVM
  instance, fix CDROM booting for KVM instances)
- fixed node group modification of node parameters
- fixed issue in LUClusterVerifyGroup with multi-group clusters
- fixed generation of bash completion to ensure a stable ordering
- fixed a few typos


Version 2.6.0 rc3
-----------------

*(Released Fri, 13 Jul 2012)*

Third release candidate for 2.6. The following changes were done from
rc3 to rc4:

- Fixed ``UpgradeConfig`` w.r.t. to disk parameters on disk objects.
- Fixed an inconsistency in the LUXI protocol with the provided
  arguments (NOT backwards compatible)
- Fixed a bug with node groups ipolicy where ``min`` was greater than
  the cluster ``std`` value
- Implemented a new ``gnt-node list-drbd`` call to list DRBD minors for
  easier instance debugging on nodes (requires ``hconfd`` to work)


Version 2.6.0 rc2
-----------------

*(Released Tue, 03 Jul 2012)*

Second release candidate for 2.6. The following changes were done from
rc2 to rc3:

- Fixed ``gnt-cluster verify`` regarding ``master-ip-script`` on non
  master candidates
- Fixed a RAPI regression on missing beparams/memory
- Fixed redistribution of files on offline nodes
- Added possibility to run activate-disks even though secondaries are
  offline. With this change it relaxes also the strictness on some other
  commands which use activate disks internally:
  * ``gnt-instance start|reboot|rename|backup|export``
- Made it possible to remove safely an instance if its secondaries are
  offline
- Made it possible to reinstall even though secondaries are offline


Version 2.6.0 rc1
-----------------

*(Released Mon, 25 Jun 2012)*

First release candidate for 2.6. The following changes were done from
rc1 to rc2:

- Fixed bugs with disk parameters and ``rbd`` templates as well as
  ``instance_os_add``
- Made ``gnt-instance modify`` more consistent regarding new NIC/Disk
  behaviour. It supports now the modify operation
- ``hcheck`` implemented to analyze cluster health and possibility of
  improving health by rebalance
- ``hbal`` has been improved in dealing with split instances


Version 2.6.0 beta2
-------------------

*(Released Mon, 11 Jun 2012)*

Second beta release of 2.6. The following changes were done from beta2
to rc1:

- Fixed ``daemon-util`` with non-root user models
- Fixed creation of plain instances with ``--no-wait-for-sync``
- Fix wrong iv_names when running ``cfgupgrade``
- Export more information in RAPI group queries
- Fixed bug when changing instance network interfaces
- Extended burnin to do NIC changes
- query: Added ``<``, ``>``, ``<=``, ``>=`` comparison operators
- Changed default for DRBD barriers
- Fixed DRBD error reporting for syncer rate
- Verify the options on disk parameters

And of course various fixes to documentation and improved unittests and
QA.


Version 2.6.0 beta1
-------------------

*(Released Wed, 23 May 2012)*

First beta release of 2.6. The following changes were done from beta1 to
beta2:

- integrated patch for distributions without ``start-stop-daemon``
- adapted example init.d script to work on Fedora
- fixed log handling in Haskell daemons
- adapted checks in the watcher for pycurl linked against libnss
- add partial support for ``xl`` instead of ``xm`` for Xen
- fixed a type issue in cluster verification
- fixed ssconf handling in the Haskell code (was breaking confd in IPv6
  clusters)

Plus integrated fixes from the 2.5 branch:

- fixed ``kvm-ifup`` to use ``/bin/bash``
- fixed parallel build failures
- KVM live migration when using a custom keymap


Version 2.5.2
-------------

*(Released Tue, 24 Jul 2012)*

A small bugfix release, with no new features:

- fixed bash-isms in kvm-ifup, for compatibility with systems which use a
  different default shell (e.g. Debian, Ubuntu)
- fixed KVM startup and live migration with a custom keymap (fixes Issue
  243 and Debian bug #650664)
- fixed compatibility with KVM versions that don't support multiple boot
  devices (fixes Issue 230 and Debian bug #624256)

Additionally, a few fixes were done to the build system (fixed parallel
build failures) and to the unittests (fixed race condition in test for
FileID functions, and the default enable/disable mode for QA test is now
customisable).


Version 2.5.1
-------------

*(Released Fri, 11 May 2012)*

A small bugfix release.

The main issues solved are on the topic of compatibility with newer LVM
releases:

- fixed parsing of ``lv_attr`` field
- adapted to new ``vgreduce --removemissing`` behaviour where sometimes
  the ``--force`` flag is needed

Also on the topic of compatibility, ``tools/lvmstrap`` has been changed
to accept kernel 3.x too (was hardcoded to 2.6.*).

A regression present in 2.5.0 that broke handling (in the gnt-* scripts)
of hook results and that also made display of other errors suboptimal
was fixed; the code behaves now like 2.4 and earlier.

Another change in 2.5, the cleanup of the OS scripts environment, is too
aggressive: it removed even the ``PATH`` variable, which requires the OS
scripts to *always* need to export it. Since this is a bit too strict,
we now export a minimal PATH, the same that we export for hooks.

The fix for issue 201 (Preserve bridge MTU in KVM ifup script) was
integrated into this release.

Finally, a few other miscellaneous changes were done (no new features,
just small improvements):

- Fix ``gnt-group --help`` display
- Fix hardcoded Xen kernel path
- Fix grow-disk handling of invalid units
- Update synopsis for ``gnt-cluster repair-disk-sizes``
- Accept both PUT and POST in noded (makes future upgrade to 2.6 easier)


Version 2.5.0
-------------

*(Released Thu, 12 Apr 2012)*

Incompatible/important changes and bugfixes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- The default of the ``/2/instances/[instance_name]/rename`` RAPI
  resource's ``ip_check`` parameter changed from ``True`` to ``False``
  to match the underlying LUXI interface.
- The ``/2/nodes/[node_name]/evacuate`` RAPI resource was changed to use
  body parameters, see :doc:`RAPI documentation <rapi>`. The server does
  not maintain backwards-compatibility as the underlying operation
  changed in an incompatible way. The RAPI client can talk to old
  servers, but it needs to be told so as the return value changed.
- When creating file-based instances via RAPI, the ``file_driver``
  parameter no longer defaults to ``loop`` and must be specified.
- The deprecated ``bridge`` NIC parameter is no longer supported. Use
  ``link`` instead.
- Support for the undocumented and deprecated RAPI instance creation
  request format version 0 has been dropped. Use version 1, supported
  since Ganeti 2.1.3 and :doc:`documented <rapi>`, instead.
- Pyparsing 1.4.6 or above is required, see :doc:`installation
  documentation <install>`.
- The "cluster-verify" hooks are now executed per group by the
  ``OP_CLUSTER_VERIFY_GROUP`` opcode. This maintains the same behavior
  if you just run ``gnt-cluster verify``, which generates one opcode per
  group.
- The environment as passed to the OS scripts is cleared, and thus no
  environment variables defined in the node daemon's environment will be
  inherited by the scripts.
- The :doc:`iallocator <iallocator>` mode ``multi-evacuate`` has been
  deprecated.
- :doc:`New iallocator modes <design-multi-reloc>` have been added to
  support operations involving multiple node groups.
- Offline nodes are ignored when failing over an instance.
- Support for KVM version 1.0, which changed the version reporting format
  from 3 to 2 digits.
- TCP/IP ports used by DRBD disks are returned to a pool upon instance
  removal.
- ``Makefile`` is now compatible with Automake 1.11.2
- Includes all bugfixes made in the 2.4 series

New features
~~~~~~~~~~~~

- The ganeti-htools project has been merged into the ganeti-core source
  tree and will be built as part of Ganeti (see :doc:`install-quick`).
- Implemented support for :doc:`shared storage <design-shared-storage>`.
- Add support for disks larger than 2 TB in ``lvmstrap`` by supporting
  GPT-style partition tables (requires `parted
  <http://www.gnu.org/s/parted/>`_).
- Added support for floppy drive and 2nd CD-ROM drive in KVM hypervisor.
- Allowed adding tags on instance creation.
- Export instance tags to hooks (``INSTANCE_TAGS``, see :doc:`hooks`)
- Allow instances to be started in a paused state, enabling the user to
  see the complete console output on boot using the console.
- Added new hypervisor flag to control default reboot behaviour
  (``reboot_behavior``).
- Added support for KVM keymaps (hypervisor parameter ``keymap``).
- Improved out-of-band management support:

  - Added ``gnt-node health`` command reporting the health status of
    nodes.
  - Added ``gnt-node power`` command to manage power status of nodes.
  - Added command for emergency power-off (EPO), ``gnt-cluster epo``.

- Instance migration can fall back to failover if instance is not
  running.
- Filters can be used when listing nodes, instances, groups and locks;
  see :manpage:`ganeti(7)` manpage.
- Added post-execution status as variables to :doc:`hooks <hooks>`
  environment.
- Instance tags are exported/imported together with the instance.
- When given an explicit job ID, ``gnt-job info`` will work for archived
  jobs.
- Jobs can define dependencies on other jobs (not yet supported via
  RAPI or command line, but used by internal commands and usable via
  LUXI).

  - Lock monitor (``gnt-debug locks``) shows jobs waiting for
    dependencies.

- Instance failover is now available as a RAPI resource
  (``/2/instances/[instance_name]/failover``).
- ``gnt-instance info`` defaults to static information if primary node
  is offline.
- Opcodes have a new ``comment`` attribute.
- Added basic SPICE support to KVM hypervisor.
- ``tools/ganeti-listrunner`` allows passing of arguments to executable.

Node group improvements
~~~~~~~~~~~~~~~~~~~~~~~

- ``gnt-cluster verify`` has been modified to check groups separately,
  thereby improving performance.
- Node group support has been added to ``gnt-cluster verify-disks``,
  which now operates per node group.
- Watcher has been changed to work better with node groups.

  - One process and state file per node group.
  - Slow watcher in one group doesn't block other group's watcher.

- Added new command, ``gnt-group evacuate``, to move all instances in a
  node group to other groups.
- Added ``gnt-instance change-group`` to move an instance to another
  node group.
- ``gnt-cluster command`` and ``gnt-cluster copyfile`` now support
  per-group operations.
- Node groups can be tagged.
- Some operations switch from an exclusive to a shared lock as soon as
  possible.
- Instance's primary and secondary nodes' groups are now available as
  query fields (``pnode.group``, ``pnode.group.uuid``, ``snodes.group``
  and ``snodes.group.uuid``).

Misc
~~~~

- Numerous updates to documentation and manpages.

  - :doc:`RAPI <rapi>` documentation now has detailed parameter
    descriptions.
  - Some opcode/job results are now also documented, see :doc:`RAPI
    <rapi>`.

- A lockset's internal lock is now also visible in lock monitor.
- Log messages from job queue workers now contain information about the
  opcode they're processing.
- ``gnt-instance console`` no longer requires the instance lock.
- A short delay when waiting for job changes reduces the number of LUXI
  requests significantly.
- DRBD metadata volumes are overwritten with zeros during disk creation.
- Out-of-band commands no longer acquire the cluster lock in exclusive
  mode.
- ``devel/upload`` now uses correct permissions for directories.


Version 2.5.0 rc6
-----------------

*(Released Fri, 23 Mar 2012)*

This was the sixth release candidate of the 2.5 series.


Version 2.5.0 rc5
-----------------

*(Released Mon, 9 Jan 2012)*

This was the fifth release candidate of the 2.5 series.


Version 2.5.0 rc4
-----------------

*(Released Thu, 27 Oct 2011)*

This was the fourth release candidate of the 2.5 series.


Version 2.5.0 rc3
-----------------

*(Released Wed, 26 Oct 2011)*

This was the third release candidate of the 2.5 series.


Version 2.5.0 rc2
-----------------

*(Released Tue, 18 Oct 2011)*

This was the second release candidate of the 2.5 series.


Version 2.5.0 rc1
-----------------

*(Released Tue, 4 Oct 2011)*

This was the first release candidate of the 2.5 series.


Version 2.5.0 beta3
-------------------

*(Released Wed, 31 Aug 2011)*

This was the third beta release of the 2.5 series.


Version 2.5.0 beta2
-------------------

*(Released Mon, 22 Aug 2011)*

This was the second beta release of the 2.5 series.


Version 2.5.0 beta1
-------------------

*(Released Fri, 12 Aug 2011)*

This was the first beta release of the 2.5 series.


Version 2.4.5
-------------

*(Released Thu, 27 Oct 2011)*

- Fixed bug when parsing command line parameter values ending in
  backslash
- Fixed assertion error after unclean master shutdown
- Disable HTTP client pool for RPC, significantly reducing memory usage
  of master daemon
- Fixed queue archive creation with wrong permissions


Version 2.4.4
-------------

*(Released Tue, 23 Aug 2011)*

Small bug-fixes:

- Fixed documentation for importing with ``--src-dir`` option
- Fixed a bug in ``ensure-dirs`` with queue/archive permissions
- Fixed a parsing issue with DRBD 8.3.11 in the Linux kernel


Version 2.4.3
-------------

*(Released Fri, 5 Aug 2011)*

Many bug-fixes and a few small features:

- Fixed argument order in ``ReserveLV`` and ``ReserveMAC`` which caused
  issues when you tried to add an instance with two MAC addresses in one
  request
- KVM: fixed per-instance stored UID value
- KVM: configure bridged NICs at migration start
- KVM: Fix a bug where instance will not start with never KVM versions
  (>= 0.14)
- Added OS search path to ``gnt-cluster info``
- Fixed an issue with ``file_storage_dir`` where you were forced to
  provide an absolute path, but the documentation states it is a
  relative path, the documentation was right
- Added a new parameter to instance stop/start called ``--no-remember``
  that will make the state change to not be remembered
- Implemented ``no_remember`` at RAPI level
- Improved the documentation
- Node evacuation: don't call IAllocator if node is already empty
- Fixed bug in DRBD8 replace disks on current nodes
- Fixed bug in recreate-disks for DRBD instances
- Moved assertion checking locks in ``gnt-instance replace-disks``
  causing it to abort with not owning the right locks for some situation
- Job queue: Fixed potential race condition when cancelling queued jobs
- Fixed off-by-one bug in job serial generation
- ``gnt-node volumes``: Fix instance names
- Fixed aliases in bash completion
- Fixed a bug in reopening log files after being sent a SIGHUP
- Added a flag to burnin to allow specifying VCPU count
- Bugfixes to non-root Ganeti configuration


Version 2.4.2
-------------

*(Released Thu, 12 May 2011)*

Many bug-fixes and a few new small features:

- Fixed a bug related to log opening failures
- Fixed a bug in instance listing with orphan instances
- Fixed a bug which prevented resetting the cluster-level node parameter
  ``oob_program`` to the default
- Many fixes related to the ``cluster-merge`` tool
- Fixed a race condition in the lock monitor, which caused failures
  during (at least) creation of many instances in parallel
- Improved output for gnt-job info
- Removed the quiet flag on some ssh calls which prevented debugging
  failures
- Improved the N+1 failure messages in cluster verify by actually
  showing the memory values (needed and available)
- Increased lock attempt timeouts so that when executing long operations
  (e.g. DRBD replace-disks) other jobs do not enter 'blocking acquire'
  too early and thus prevent the use of the 'fair' mechanism
- Changed instance query data (``gnt-instance info``) to not acquire
  locks unless needed, thus allowing its use on locked instance if only
  static information is asked for
- Improved behaviour with filesystems that do not support rename on an
  opened file
- Fixed the behaviour of ``prealloc_wipe_disks`` cluster parameter which
  kept locks on all nodes during the wipe, which is unneeded
- Fixed ``gnt-watcher`` handling of errors during hooks execution
- Fixed bug in ``prealloc_wipe_disks`` with small disk sizes (less than
  10GiB) which caused the wipe to fail right at the end in some cases
- Fixed master IP activation when doing master failover with no-voting
- Fixed bug in ``gnt-node add --readd`` which allowed the re-adding of
  the master node itself
- Fixed potential data-loss in under disk full conditions, where Ganeti
  wouldn't check correctly the return code and would consider
  partially-written files 'correct'
- Fixed bug related to multiple VGs and DRBD disk replacing
- Added new disk parameter ``metavg`` that allows placement of the meta
  device for DRBD in a different volume group
- Fixed error handling in the node daemon when the system libc doesn't
  have major number 6 (i.e. if ``libc.so.6`` is not the actual libc)
- Fixed lock release during replace-disks, which kept cluster-wide locks
  when doing disk replaces with an iallocator script
- Added check for missing bridges in cluster verify
- Handle EPIPE errors while writing to the terminal better, so that
  piping the output to e.g. ``less`` doesn't cause a backtrace
- Fixed rare case where a ^C during Luxi calls could have been
  interpreted as server errors, instead of simply terminating
- Fixed a race condition in LUGroupAssignNodes (``gnt-group
  assign-nodes``)
- Added a few more parameters to the KVM hypervisor, allowing a second
  CDROM, custom disk type for CDROMs and a floppy image
- Removed redundant message in instance rename when the name is given
  already as a FQDN
- Added option to ``gnt-instance recreate-disks`` to allow creating the
  disks on new nodes, allowing recreation when the original instance
  nodes are completely gone
- Added option when converting disk templates to DRBD to skip waiting
  for the resync, in order to make the instance available sooner
- Added two new variables to the OS scripts environment (containing the
  instance's nodes)
- Made the root_path and optional parameter for the xen-pvm hypervisor,
  to allow use of ``pvgrub`` as bootloader
- Changed the instance memory modifications to only check out-of-memory
  conditions on memory increases, and turned the secondary node warnings
  into errors (they can still be overridden via ``--force``)
- Fixed the handling of a corner case when the Python installation gets
  corrupted (e.g. a bad disk) while ganeti-noded is running and we try
  to execute a command that doesn't exist
- Fixed a bug in ``gnt-instance move`` (LUInstanceMove) when the primary
  node of the instance returned failures during instance shutdown; this
  adds the option ``--ignore-consistency`` to gnt-instance move

And as usual, various improvements to the error messages, documentation
and man pages.


Version 2.4.1
-------------

*(Released Wed, 09 Mar 2011)*

Emergency bug-fix release. ``tools/cfgupgrade`` was broken and overwrote
the RAPI users file if run twice (even with ``--dry-run``).

The release fixes that bug (nothing else changed).


Version 2.4.0
-------------

*(Released Mon, 07 Mar 2011)*

Final 2.4.0 release. Just a few small fixes:

- Fixed RAPI node evacuate
- Fixed the kvm-ifup script
- Fixed internal error handling for special job cases
- Updated man page to specify the escaping feature for options


Version 2.4.0 rc3
-----------------

*(Released Mon, 28 Feb 2011)*

A critical fix for the ``prealloc_wipe_disks`` feature: it is possible
that this feature wiped the disks of the wrong instance, leading to loss
of data.

Other changes:

- Fixed title of query field containing instance name
- Expanded the glossary in the documentation
- Fixed one unittest (internal issue)


Version 2.4.0 rc2
-----------------

*(Released Mon, 21 Feb 2011)*

A number of bug fixes plus just a couple functionality changes.

On the user-visible side, the ``gnt-* list`` command output has changed
with respect to "special" field states. The current rc1 style of display
can be re-enabled by passing a new ``--verbose`` (``-v``) flag, but in
the default output mode special fields states are displayed as follows:

- Offline resource: ``*``
- Unavailable/not applicable: ``-``
- Data missing (RPC failure): ``?``
- Unknown field: ``??``

Another user-visible change is the addition of ``--force-join`` to
``gnt-node add``.

As for bug fixes:

- ``tools/cluster-merge`` has seen many fixes and is now enabled again
- Fixed regression in RAPI/instance reinstall where all parameters were
  required (instead of optional)
- Fixed ``gnt-cluster repair-disk-sizes``, was broken since Ganeti 2.2
- Fixed iallocator usage (offline nodes were not considered offline)
- Fixed ``gnt-node list`` with respect to non-vm_capable nodes
- Fixed hypervisor and OS parameter validation with respect to
  non-vm_capable nodes
- Fixed ``gnt-cluster verify`` with respect to offline nodes (mostly
  cosmetic)
- Fixed ``tools/listrunner`` with respect to agent-based usage


Version 2.4.0 rc1
-----------------

*(Released Fri,  4 Feb 2011)*

Many changes and fixes since the beta1 release. While there were some
internal changes, the code has been mostly stabilised for the RC
release.

Note: the dumb allocator was removed in this release, as it was not kept
up-to-date with the IAllocator protocol changes. It is recommended to
use the ``hail`` command from the ganeti-htools package.

Note: the 2.4 and up versions of Ganeti are not compatible with the
0.2.x branch of ganeti-htools. You need to upgrade to
ganeti-htools-0.3.0 (or later).

Regressions fixed from 2.3
~~~~~~~~~~~~~~~~~~~~~~~~~~

- Fixed the ``gnt-cluster verify-disks`` command
- Made ``gnt-cluster verify-disks`` work in parallel (as opposed to
  serially on nodes)
- Fixed disk adoption breakage
- Fixed wrong headers in instance listing for field aliases

Other bugs fixed
~~~~~~~~~~~~~~~~

- Fixed corner case in KVM handling of NICs
- Fixed many cases of wrong handling of non-vm_capable nodes
- Fixed a bug where a missing instance symlink was not possible to
  recreate with any ``gnt-*`` command (now ``gnt-instance
  activate-disks`` does it)
- Fixed the volume group name as reported by ``gnt-cluster
  verify-disks``
- Increased timeouts for the import-export code, hopefully leading to
  fewer aborts due network or instance timeouts
- Fixed bug in ``gnt-node list-storage``
- Fixed bug where not all daemons were started on cluster
  initialisation, but only at the first watcher run
- Fixed many bugs in the OOB implementation
- Fixed watcher behaviour in presence of instances with offline
  secondaries
- Fixed instance list output for instances running on the wrong node
- a few fixes to the cluster-merge tool, but it still cannot merge
  multi-node groups (currently it is not recommended to use this tool)


Improvements
~~~~~~~~~~~~

- Improved network configuration for the KVM hypervisor
- Added e1000 as a supported NIC for Xen-HVM
- Improved the lvmstrap tool to also be able to use partitions, as
  opposed to full disks
- Improved speed of disk wiping (the cluster parameter
  ``prealloc_wipe_disks``, so that it has a low impact on the total time
  of instance creations
- Added documentation for the OS parameters
- Changed ``gnt-instance deactivate-disks`` so that it can work if the
  hypervisor is not responding
- Added display of blacklisted and hidden OS information in
  ``gnt-cluster info``
- Extended ``gnt-cluster verify`` to also validate hypervisor, backend,
  NIC and node parameters, which might create problems with currently
  invalid (but undetected) configuration files, but prevents validation
  failures when unrelated parameters are modified
- Changed cluster initialisation to wait for the master daemon to become
  available
- Expanded the RAPI interface:

  - Added config redistribution resource
  - Added activation/deactivation of instance disks
  - Added export of console information

- Implemented log file reopening on SIGHUP, which allows using
  logrotate(8) for the Ganeti log files
- Added a basic OOB helper script as an example


Version 2.4.0 beta1
-------------------

*(Released Fri, 14 Jan 2011)*

User-visible
~~~~~~~~~~~~

- Fixed timezone issues when formatting timestamps
- Added support for node groups, available via ``gnt-group`` and other
  commands
- Added out-of-band framework and management, see :doc:`design
  document <design-oob>`
- Removed support for roman numbers from ``gnt-node list`` and
  ``gnt-instance list``.
- Allowed modification of master network interface via ``gnt-cluster
  modify --master-netdev``
- Accept offline secondaries while shutting down instance disks
- Added ``blockdev_prefix`` parameter to Xen PVM and HVM hypervisors
- Added support for multiple LVM volume groups
- Avoid sorting nodes for ``gnt-node list`` if specific nodes are
  requested
- Added commands to list available fields:

  - ``gnt-node list-fields``
  - ``gnt-group list-fields``
  - ``gnt-instance list-fields``

- Updated documentation and man pages

Integration
~~~~~~~~~~~

- Moved ``rapi_users`` file into separate directory, now named
  ``.../ganeti/rapi/users``, ``cfgupgrade`` moves the file and creates a
  symlink
- Added new tool for running commands on many machines,
  ``tools/ganeti-listrunner``
- Implemented more verbose result in ``OpInstanceConsole`` opcode, also
  improving the ``gnt-instance console`` output
- Allowed customisation of disk index separator at ``configure`` time
- Export node group allocation policy to :doc:`iallocator <iallocator>`
- Added support for non-partitioned md disks in ``lvmstrap``
- Added script to gracefully power off KVM instances
- Split ``utils`` module into smaller parts
- Changed query operations to return more detailed information, e.g.
  whether an information is unavailable due to an offline node. To use
  this new functionality, the LUXI call ``Query`` must be used. Field
  information is now stored by the master daemon and can be retrieved
  using ``QueryFields``. Instances, nodes and groups can also be queried
  using the new opcodes ``OpQuery`` and ``OpQueryFields`` (not yet
  exposed via RAPI). The following commands make use of this
  infrastructure change:

  - ``gnt-group list``
  - ``gnt-group list-fields``
  - ``gnt-node list``
  - ``gnt-node list-fields``
  - ``gnt-instance list``
  - ``gnt-instance list-fields``
  - ``gnt-debug locks``

Remote API
~~~~~~~~~~

- New RAPI resources (see :doc:`rapi`):

  - ``/2/modify``
  - ``/2/groups``
  - ``/2/groups/[group_name]``
  - ``/2/groups/[group_name]/assign-nodes``
  - ``/2/groups/[group_name]/modify``
  - ``/2/groups/[group_name]/rename``
  - ``/2/instances/[instance_name]/disk/[disk_index]/grow``

- RAPI changes:

  - Implemented ``no_install`` for instance creation
  - Implemented OS parameters for instance reinstallation, allowing
    use of special settings on reinstallation (e.g. for preserving data)

Misc
~~~~

- Added IPv6 support in import/export
- Pause DRBD synchronization while wiping disks on instance creation
- Updated unittests and QA scripts
- Improved network parameters passed to KVM
- Converted man pages from docbook to reStructuredText


Version 2.3.1
-------------

*(Released Mon, 20 Dec 2010)*

Released version 2.3.1~rc1 without any changes.


Version 2.3.1 rc1
-----------------

*(Released Wed, 1 Dec 2010)*

- impexpd: Disable OpenSSL compression in socat if possible (backport
  from master, commit e90739d625b, see :doc:`installation guide
  <install-quick>` for details)
- Changed unittest coverage report to exclude test scripts
- Added script to check version format


Version 2.3.0
-------------

*(Released Wed, 1 Dec 2010)*

Released version 2.3.0~rc1 without any changes.


Version 2.3.0 rc1
-----------------

*(Released Fri, 19 Nov 2010)*

A number of bugfixes and documentation updates:

- Update ganeti-os-interface documentation
- Fixed a bug related to duplicate MACs or similar items which should be
  unique
- Fix breakage in OS state modify
- Reinstall instance: disallow offline secondaries (fixes bug related to
  OS changing but reinstall failing)
- plus all the other fixes between 2.2.1 and 2.2.2


Version 2.3.0 rc0
-----------------

*(Released Tue, 2 Nov 2010)*

- Fixed clearing of the default iallocator using ``gnt-cluster modify``
- Fixed master failover race with watcher
- Fixed a bug in ``gnt-node modify`` which could lead to an inconsistent
  configuration
- Accept previously stopped instance for export with instance removal
- Simplify and extend the environment variables for instance OS scripts
- Added new node flags, ``master_capable`` and ``vm_capable``
- Added optional instance disk wiping prior during allocation. This is a
  cluster-wide option and can be set/modified using
  ``gnt-cluster {init,modify} --prealloc-wipe-disks``.
- Added IPv6 support, see :doc:`design document <design-2.3>` and
  :doc:`install-quick`
- Added a new watcher option (``--ignore-pause``)
- Added option to ignore offline node on instance start/stop
  (``--ignore-offline``)
- Allow overriding OS parameters with ``gnt-instance reinstall``
- Added ability to change node's secondary IP address using ``gnt-node
  modify``
- Implemented privilege separation for all daemons except
  ``ganeti-noded``, see ``configure`` options
- Complain if an instance's disk is marked faulty in ``gnt-cluster
  verify``
- Implemented job priorities (see ``ganeti(7)`` manpage)
- Ignore failures while shutting down instances during failover from
  offline node
- Exit daemon's bootstrap process only once daemon is ready
- Export more information via ``LUInstanceQuery``/remote API
- Improved documentation, QA and unittests
- RAPI daemon now watches ``rapi_users`` all the time and doesn't need a
  restart if the file was created or changed
- Added LUXI protocol version sent with each request and response,
  allowing detection of server/client mismatches
- Moved the Python scripts among gnt-* and ganeti-* into modules
- Moved all code related to setting up SSH to an external script,
  ``setup-ssh``
- Infrastructure changes for node group support in future versions


Version 2.2.2
-------------

*(Released Fri, 19 Nov 2010)*

A few small bugs fixed, and some improvements to the build system:

- Fix documentation regarding conversion to drbd
- Fix validation of parameters in cluster modify (``gnt-cluster modify
  -B``)
- Fix error handling in node modify with multiple changes
- Allow remote imports without checked names


Version 2.2.1
-------------

*(Released Tue, 19 Oct 2010)*

- Disable SSL session ID cache in RPC client


Version 2.2.1 rc1
-----------------

*(Released Thu, 14 Oct 2010)*

- Fix interaction between Curl/GnuTLS and the Python's HTTP server
  (thanks Apollon Oikonomopoulos!), finally allowing the use of Curl
  with GnuTLS
- Fix problems with interaction between Curl and Python's HTTP server,
  resulting in increased speed in many RPC calls
- Improve our release script to prevent breakage with older aclocal and
  Python 2.6


Version 2.2.1 rc0
-----------------

*(Released Thu, 7 Oct 2010)*

-&n