What’s New in MOSK 24.3: Enhanced Security, Flexibility, and Long-Term Support
The release of Mirantis OpenStack for Kubernetes (MOSK) 24.3 represents a significant step forward in the evolution of cloud infrastructure management, focusing on long-term support, advanced security features, improved update mechanisms, and greater flexibility for operators.
This blog post dives into the key features of MOSK’s latest version, providing insights into how these advancements can help optimize your cloud environment, whether you’re looking to bolster security, improve monitoring and diagnostics, or fine-tune your infrastructure's configuration. Read on to explore the full scope of MOSK 24.3's capabilities and how they can empower your cloud operations.
OpenStack Caracal: The New LTS in MOSK – Enhanced Security and Usability
The release of Mirantis OpenStack for Kubernetes (MOSK) 24.3 marks a significant milestone with the full availability of OpenStack Caracal for both greenfield deployments and upgrades from OpenStack Antelope. As the latest Long-Term Support (LTS) version, OpenStack Caracal will enjoy MOSK support for the next two years. It is worth highlighting some valuable security, usability, and performance-enhancing features that OpenStack Caracal brings to MOSK:
The Dashboard service (OpenStack Horizon) now supports Time-based One-Time Password (TOTP) authentication, enabling users to strengthen their security through multi-factor authentication.
The Shared Filesystems service (OpenStack Manila) introduces a new resource lock framework, allowing shares and access rules to be locked against deletion and sensitive fields to be hidden. This release also marks full support for the Shared Filesystems service in MOSK.
The Networking service (OpenStack Neutron) has implemented a rate limit on metadata service queries to protect against potential DoS attacks or misbehaving instances, and a new API enables automated security group rule sets for new default or custom security groups.
Additionally, the Compute service (OpenStack Nova) now allows different authorization policies for migration with or without a target host, providing more flexibility and control over migration processes.
Ensuring Future-Proof Supportability by Upgrading to Ubuntu Jammy Jellyfish (22.04)
Ubuntu 22.04 is now fully supported for both new and existing Mirantis OpenStack for Kubernetes (MOSK) clusters, offering operators the latest security updates, optimizations, and hardware drivers. As Ubuntu 20.04 approaches its end of life in April 2025, all users are encouraged to plan and execute their upgrades to ensure continued support and compatibility with future MOSK updates.
Enhanced Monitoring for DNSaaS and the Compute service
The built-in Logging, Monitoring, and Alerting system (Mirantis StackLight) in MOSK 24.3 now offers enhanced observability and control for the DNS-as-a-Service (DNSaaS) default backend, PowerDNS. The new health metrics are presented in comprehensive graphical dashboards, providing operators with a clear view of the DNS subsystem performance and state. Accordingly, StackLight also introduced new alerts to proactively notify about potential issues that may impact cloud application reachability through fully-qualified domain names (FQDNs).
Furthermore, in response to feedback from a few customers who experienced performance degradation in the Compute (Nova) service due to orphaned allocation records clogging the database, additional metrics have been integrated into StackLight. Collecting these metrics in the long run will help identify the source of these orphaned records, facilitating root cause mitigation or, in the worst-case scenario, proactive clean-ups.
Day 2 Host OS Configuration: CPU isolation, Kernel Parameters, and More Flexibility for Custom Modules
Additional standard modules were introduced for the so-called Day 2 bare metal configuration system, making it simpler to configure the server’s CPU isolation and kernel parameters. This recently introduced set of APIs allows operators to streamline the configuration of their MOSK clusters, eliminating the need for separate shadow configuration management systems. By consolidating all configurations into a single Git repository, cloud operators gain centralized control over the infrastructure, enhancing management efficiency and reducing the risk of configuration drift.
Additionally, MOSK now supports version deprecation and updating scenarios for host operating system configuration modules to help cloud operators create and maintain their own custom modules with greater flexibility.
Preventative Maintenance: New Self-Diagnostics and Ceph Benchmarking Tools
The new self-diagnostics tool empowers cloud operators to validate the configuration and state of their MOSK clusters against the product’s best practices and known issues. This suite of checks currently covers OpenStack, bare metal configuration, and Tungsten Fabric. It is designed so that Mirantis can add new checks dynamically as new issues and best practices are identified, so we can always deliver the latest information. This proactive approach will help you maintain your MOSK in a healthy state, minimizing the chance of potential disruptions in the future and improving the overall reliability of the cloud infrastructure.
Additionally, a new Ceph cluster performance measurement tool has been introduced, providing you with a standardized method to benchmark the storage performance of newly deployed MOSK clusters. By comparing the results against a known baseline, potential storage performance issues can be detected early - before workloads are onboarded.
Enterprise-grade Update Experience for MOSK
MOSK management cluster updates have undergone a comprehensive overhaul, providing flexible control over when changes get applied. You can now delay automatic updates for at least three weeks after a new release is out and also configure multiple time slots to better align with your maintenance schedule or preference, e.g., for updates to happen only on weekends or only on weekdays during certain hours.
In addition, the current update status of each management cluster will now be reflected as an informational alert in StackLight: e.g., “no new updates available,” “update is available and planned at X time,” and “update is available, but blocked”, so that you’re always up-to-date with what’s going on in your cloud infrastructure. Just like any other alerts, these can be propagated to external platforms like Salesforce and Slack, so your entire operations team stays informed in real-time.
Significant improvements have also been made to the recently introduced ClusterUpdatePlan API, which is now the officially recommended interface for updating MOSK clusters. One of the key features of this release is the ability for operators to organize MOSK cluster nodes into "node update groups." Each group appears as a dedicated step within the ClusterUpdatePlan, providing granular control over the order in which changes will be applied to the servers. You define the sequence in which the groups get updated, and within each group, you can define the number of nodes to update in parallel, optimizing the process for your specific environment and architecture of the cloud.
For changes that require a host operating system restart, such as a kernel version bump, you now have the choice to either manually reboot nodes after applying changes (like before) or ask the system to automatically reboot the nodes during the update process within the same maintenance window. This feature, configurable per node update group, helps avoid additional downtime for the workloads.
Additionally, when performing a hypervisor reboot as part of a MOSK cluster update, the lifecycle management system will gracefully shut down any non-evacuated virtual machines on the hypervisor; these virtual machines will restart once the server is back online. This removes the risk of the guest operating system getting broken by the sudden interruption.
Enhancing Resiliency and Flexibility: Integration with External Identity Providers and Custom Storage Backends
For customers who view the MOSK management cluster’s built-in IAM system as a potential single point of failure, it is now possible to configure the Identity service (OpenStack Keystone) to work directly with external identity providers. By integrating one or more OpenID Connect-compatible providers, such as Okta, MOSK operators can establish alternative paths for cloud user authentication. This reduces the reliance on the built-in identity provider and mitigates the risk of users not being able to log into the cloud, resulting in a more resilient and secure cloud environment.
Additionally, cloud operators now have access to an API that enables the configuration of arbitrary backends for the MOSK block storage service (OpenStack Cinder). This API allows operators to integrate MOSK with almost any third-party storage appliance compatible with OpenStack. By simplifying the integration process and providing operators with tools to manage it independently, organizations can save on operational costs while ensuring a more flexible and maintainable storage infrastructure.
Self-Service Instance Live Migration for Cloud Users
With MOSK 24.3, cloud users now have the capability to live-migrate their project's instances without needing direct intervention from cloud administrators, providing a practical solution for scenarios like preparing for underlying infrastructure updates. Enabling users to move their virtual machines across hypervisors on their own enhances operational efficiency for the cloud while granting users greater control over their cloud resources.
Mirantis Container Cloud (MCC) Becomes a part of MOSK
As previously announced at KubeCon Europe 2024, Mirantis is making a significant move to streamline its product portfolio by merging Mirantis Container Cloud (MCC) into Mirantis OpenStack for Kubernetes (MOSK), so that MCC no longer exists as a separate product. This transition reflects a strategic focus on supporting bare-metal Kubernetes as the underlay for OpenStack environments, marking a shift away from MCC’s previous broader capabilities in managing general-purpose Kubernetes.
As part of this change, MCC will gradually phase out features unrelated to the MOSK use case, concentrating exclusively on managing Kubernetes clusters that serve as the foundational layer for OpenStack deployments on bare metal. Over the next few months, all existing MCC documentation will be consolidated with the MOSK documentation to streamline resources and reduce complexity for users, making it easier to find information and support. To reflect the deeper integration of the products, what was previously referred to as “MCC clusters” will often be referred to as “MOSK management clusters,” aligning the documentation terminology with MCC’s refined focus.
Ready to Take Your Private Cloud to the Next Level?
Mirantis OpenStack for Kubernetes (MOSK) 24.3 brings a host of powerful enhancements designed to streamline your cloud operations, strengthen security, and increase flexibility. Whether you’re looking to upgrade, optimize, or future-proof your cloud infrastructure, MOSK 24.3 provides the tools and features you need.
If you're interested in learning more or need support with your upgrade, reach out to our team or visit our official documentation for detailed guidance. Let’s build a more resilient and efficient cloud, together.
To request a private demo with one of our cloud architects, please contact us.