OpenStack This Week: Neutron Performance, Vault Tokens, and Firmware Updates


The OpenStack community landed several critical performance and security updates this week, ranging from optimized OVN database interactions in Neutron to new token-based authentication for Vault. These changes address real-world scaling issues and security best practices for modern cloud deployments.

Activity in the OpenStack ecosystem remains high as the project moves through its 2026 release cycles. This week saw a strong focus on the Networking and Bare Metal services, with maintainers pushing fixes that reduce latency and improve the robustness of automated operations.

Networking Performance and OVN Optimizations

Performance work in Neutron took center stage this week with several optimizations for the OVN driver. The goal is to reduce the overhead of routine operations by minimizing round trips to the OVN Northbound database and leveraging in-memory data structures more effectively.

One notable change improves the efficiency of router updates when handling gateway ports. Previously, the logic could trigger redundant queries to the OVN database. By passing already-fetched Logical Router Port objects into the check functions, the team eliminated one round trip per gateway port. This is particularly valuable in environments with many routers or frequent network changes, where database latency can accumulate.

The team also addressed a performance bottleneck in port deletion logic. When deleting a non-virtual port, the system used to execute a separate read transaction to fetch the Logical Switch. This has been replaced with a direct lookup in the OVN IDL (Interface Definition Language) replica. Since the IDL maintains a local copy of the database, this change turns a network operation into a constant-time memory access, removing unnecessary transaction overhead.

Beyond raw performance, Neutron gained a new RandomRangeAllocator for VNI selection. This replaces the standard allocator that simply picks the lowest available ID. The random approach helps distribute network identifiers more evenly across the range. The implementation is clever: it uses cumulative gap arithmetic to map a random float to a free slot in a single database round trip.
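
As an added illustration of the cumulative gap arithmetic described above (example code written for this post, not Neutron's own allocator), the following maps one random float onto a free slot given the single set of in-use IDs fetched from the database, with the lowest-ID allocator shown for contrast. The `RandomRangeAllocator` class here is a constructed in-memory stand-in for the database table.

```python
import random


def lowest_free_id(allocated, lo, hi):
    """The allocator being replaced: always returns the lowest free id."""
    prev = lo - 1
    for a in sorted(allocated):
        if a - prev > 1:
            return prev + 1
        prev = a
    return prev + 1 if prev < hi else None


def random_free_id(allocated, lo, hi, r):
    """Map r in [0, 1) onto the free ids of [lo, hi] by cumulative gap arithmetic.

    allocated is the one result set fetched from the database (ids in use).
    Free ids are numbered 0..free-1 in ascending order; target = floor(r * free)
    picks one, and the gaps between consecutive allocated ids are walked until
    the cumulative free count passes target. No per-id lookups are needed.
    """
    free = (hi - lo + 1) - len(allocated)
    if free <= 0:
        return None
    target = int(r * free)
    seen = 0       # free ids passed so far
    prev = lo - 1  # last allocated id seen (sentinel just below the range)
    for a in sorted(allocated):
        gap = a - prev - 1  # free ids strictly between prev and a
        if seen + gap > target:
            return prev + 1 + (target - seen)
        seen += gap
        prev = a
    return prev + 1 + (target - seen)  # target lies above the last allocated id


class RandomRangeAllocator:
    """Constructed stand-in for the database table: an in-memory set of used ids."""

    def __init__(self, lo, hi, seed=None):
        self.lo, self.hi, self.in_use = lo, hi, set()
        self.rng = random.Random(seed)

    def allocate(self):
        vni = random_free_id(self.in_use, self.lo, self.hi, self.rng.random())
        if vni is None:
            raise RuntimeError("VNI range exhausted")
        self.in_use.add(vni)
        return vni
```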

Castellan and Vault Token-Based Auth

The Castellan library, which handles key management abstraction for OpenStack, received a significant security update. It now supports token-based authentication for its Vault driver. This is a critical feature for users running OpenStack on top of Kubernetes or other platforms that use short-lived tokens for identity.

The new VaultKeyManager can now read a token from a file, such as a Kubernetes ServiceAccount token or a JWT/OIDC token. This allows Castellan to authenticate with Vault without needing long-lived AppRole credentials stored on disk. Operators can configure the auth_method to use kubernetes or jwt explicitly, providing better control over how the cloud control plane secures its secrets.

To support this, the maintainers added several configuration options:

  • token_role: The name of the Vault role to assume.
  • token_file: The path to the file containing the authentication token.
  • auth_path: The mount path of the Vault authentication backend.
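
The login exchange this enables, as an added example that is not Castellan's own code: the short-lived token is read from token_file and posted to Vault's kubernetes or jwt auth backend (both accept `POST /v1/auth/<mount>/login` with `role` and `jwt`), and the returned client token carries its own lease. Function names, the example Vault URL, role name and the reply are constructed for illustration; only the option names come from the page.

```python
import json
import os
import tempfile

# Vault's kubernetes and jwt auth backends share one login call:
#   POST {vault_url}/v1/auth/{mount}/login   body: {"role": <role>, "jwt": <token>}
# The mount defaults to the method name unless auth_path overrides it.
DEFAULT_AUTH_PATH = {"kubernetes": "kubernetes", "jwt": "jwt"}


def read_token_file(token_file):
    """Read a projected ServiceAccount or OIDC token; strip the newline kubelet appends."""
    with open(token_file, encoding="utf-8") as fh:
        token = fh.read().strip()
    if not token:
        raise ValueError(f"empty token file: {token_file}")
    return token


def build_login_request(vault_url, auth_method, token_role, token_file, auth_path=None):
    """Return (url, json payload) for the login; the file token is read, never stored."""
    if auth_method not in DEFAULT_AUTH_PATH:
        raise ValueError(f"auth_method must be one of {sorted(DEFAULT_AUTH_PATH)}")
    mount = (auth_path or DEFAULT_AUTH_PATH[auth_method]).strip("/")
    url = f"{vault_url.rstrip('/')}/v1/auth/{mount}/login"
    return url, {"role": token_role, "jwt": read_token_file(token_file)}


def parse_login_response(body, now):
    """Extract the short-lived client token and compute when it needs renewal."""
    data = json.loads(body) if isinstance(body, str) else body
    auth = data.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise ValueError("login response carries no auth.client_token")
    ttl = int(auth.get("lease_duration", 0))
    return {"client_token": token, "renewable": bool(auth.get("renewable")),
            "expires_at": now + ttl if ttl else None}


def demo():
    """Run the flow on a constructed token file and a constructed Vault reply."""
    with tempfile.TemporaryDirectory() as tmp:
        token_file = os.path.join(tmp, "token")
        with open(token_file, "w", encoding="utf-8") as fh:
            fh.write("header.payload.signature\n")  # constructed, not a real JWT
        k8s_url, payload = build_login_request("https://vault.example:8200/", "kubernetes", "castellan", token_file)
        jwt_url, _ = build_login_request("https://vault.example:8200", "jwt", "castellan", token_file, auth_path="/oidc/")
    reply = {"auth": {"client_token": "hvs.constructed", "lease_duration": 3600, "renewable": True}}
    return k8s_url, jwt_url, payload, parse_login_response(reply, now=1_700_000_000)
```

Nothing long-lived ever touches disk: the file token is consumed at login and the Vault client token lives only in memory until its lease ends.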

This update also included work to hide exceptions raised by the internal client implementations, ensuring that Castellan remains a clean abstraction layer and preventing leaked internal state from breaking functional tests.

Ironic Firmware Updates and API Schemas

The Ironic project is refining how it handles bare metal hardware maintenance. A major documentation and policy shift now highlights the firmware interface as the preferred way to perform updates, while deprecating the older management interface for this purpose.

The firmware interface has been the focus of recent development and offers better support for modern hardware. The maintainers also clarified that firmware updates are no longer restricted to cleaning operations; they can now be executed as part of servicing steps. This provides more flexibility for operators who need to update hardware without a full re-provisioning cycle.

In addition to documentation, Ironic landed a new schema for its events API. This validates incoming event data more strictly, though the team noted they are accepting the loss of MAC address normalization for logged events to keep the implementation simple.

Infrastructure and Maintenance Hardening

Several updates touched on the stability and security of the deployment tools and core libraries.

In the OpenStack Helm project, a security hardening change introduced dedicated client certificates for MariaDB TLS connections. Previously, services like Keystone reused the MariaDB server certificate when connecting to the database. Now, each service can use its own client certificate, which is a significant improvement for auditing and certificate rotation strategies.

The Designate DNS service added a practical feature for containerized environments: automatic cleanup of stale DOWN service-status entries. In container deployments, where hostnames are often randomized, crashed pods can leave behind many orphaned records in the database. A new periodic task now deletes entries whose last heartbeat exceeds a configurable threshold, preventing database bloat.

Finally, the project continues its move toward Python 3.12+ by dropping support for Python 3.10 in components like Heat and Taskflow. This allows the team to adopt newer language features and simplify their CI testing matrix. In a more unusual maintenance update, the Kayobe project linked its AGENTS.md to CLAUDE.md because, as the commit message bluntly puts it, Anthropic does not follow standards. It is a small reminder that even the biggest open source projects have to hack around the quirks of modern AI tools.

What to watch

Operators should prepare for the shift in Ironic firmware management. If you are still relying on the management interface for updates, it is time to transition to the firmware interface before the legacy path is removed.

Those using the OpenStack SDK should be aware of a recent versioning conflict. The release of version 4.15.0 caused some issues with older Ansible collections, leading to temporary constraints being applied in projects like Tenks. Keep an eye on your dependency pins if you use automated deployment tools.

Lastly, the new unified OVN database synchronization utility in the Octavia provider is worth testing. It allows for a single operation to sync both Neutron and Octavia resources with the OVN Northbound database, which reduces overhead and potential for configuration drift.



denis256 at denis256.dev