×

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Providing documentation feedback

To report an error or to improve our documentation, log in to your Red Hat Jira account and submit a Jira issue.

About Red Hat OpenShift Virtualization

With Red Hat OpenShift Virtualization, you can bring traditional virtual machines (VMs) into OpenShift Container Platform and run them alongside containers. In OpenShift Virtualization, VMs are native Kubernetes objects that you can manage by using the OpenShift Container Platform web console or the command line.

OpenShift Virtualization is represented by the OpenShift Virtualization icon.

You can use OpenShift Virtualization with either the OVN-Kubernetes or the OpenShiftSDN default Container Network Interface (CNI) network provider.

Prepare your cluster for OpenShift Virtualization.

OpenShift Virtualization supported cluster version

OpenShift Virtualization 4.15 is supported for use on OpenShift Container Platform 4.15 clusters. To use the latest z-stream release of OpenShift Virtualization, you must first upgrade to the latest version of OpenShift Container Platform.

Supported guest operating systems

Microsoft Windows SVVP certification

OpenShift Virtualization is certified in Microsoft’s Windows Server Virtualization Validation Program (SVVP) to run Windows Server workloads.

The SVVP certification applies to:

  • Red Hat Enterprise Linux CoreOS workers. In the Microsoft SVVP Catalog, they are named Red Hat OpenShift Container Platform 4 on RHEL CoreOS 9.

  • Intel and AMD CPUs.

Quick starts

Quick start tours are available for several OpenShift Virtualization features. To view the tours, click the Help icon ? in the menu bar on the header of the OpenShift Container Platform web console and then select Quick Starts. You can filter the available tours by entering the keyword virtualization in the Filter field.

New and changed features

This release adds new features and enhancements related to the following components and concepts:

Installation and update

  • You can now use the kubevirt_vm_created_total metric (Type: Counter) to query the number of VMs created in a specified namespace.

Infrastructure

  • The instanceType API now uses a more stable v1beta1 version.

Virtualization

  • You can now enable access to the serial console logs of VM guests to facilitate troubleshooting. This feature is disabled by default. Cluster administrators can change the default setting for VMs by using the web console or the CLI. Users can toggle guest log access on individual VMs regardless of the cluster-wide default setting.

  • Free page reporting is enabled by default.

Networking

  • You can hot plug a secondary network interface to a running virtual machine (VM). Hot plugging and hot unplugging is supported only for VMs created with OpenShift Virtualization 4.14 or later. Hot unplugging is not supported for Single Root I/O Virtualization (SR-IOV) interfaces.

  • OpenShift Virtualization now supports the localnet topology for OVN-Kubernetes secondary networks. A localnet topology connects the secondary network to the physical underlay. This enables both east-west cluster traffic and access to services running outside the cluster, but it requires additional configuration of the underlying Open vSwitch (OVS) system on cluster nodes.

  • An OVN-Kubernetes secondary network is compatible with the multi-network policy API, which provides the MultiNetworkPolicy custom resource definition (CRD) to control traffic flow to and from VMs. You can use the ipBlock attribute to define network policy ingress and egress rules for specific CIDR blocks.

Storage

  • When cloning a data volume, the Containerized Data Importer (CDI) chooses an efficient Container Storage Interface (CSI) clone if certain prerequisites are met. Host-assisted cloning, a less efficient method, is used as a fallback. To understand why host-assisted cloning was used, you can check the cdi.kubevirt.io/cloneFallbackReason annotation on the cloned persistent volume claim (PVC).

Web console

  • Installing and editing customized instance types and preferences to create a virtual machine (VM) from a volume or persistent volume claim (PVC) was previously Technology Preview and is now generally available.

  • The Preview features tab can now be found under VirtualizationOverviewSettings.

  • You can configure disk sharing for ordinary virtual machine (VM) or LUN-backed VM disks to allow multiple VMs to share the same underlying storage. Any disk to be shared must be in block mode.

    To allow a LUN-backed block mode VM disk to be shared among multiple VMs, a cluster administrator must enable the SCSI persistentReservation feature gate.

  • You can now search for VM configuration settings in the Configuration tab of the VirtualMachine details page.

  • You can now configure SSH over NodePort service under VirtualizationOverviewSettingsClusterGeneral settingsSSH configurations.

  • When creating a VM from an instance type, you can now designate favorite bootable volumes by starring them in the volume list of the OpenShift Container Platform web console.

  • You can run a VM latency checkup by using the web console. From the side menu, click VirtualizationCheckupsNetwork latency. To run your first checkup, click Install permissions and then click Run checkup.

  • You can run a storage validation checkup by using the web console. From the side menu, click VirtualizationCheckupsStorage. To run your first checkup, click Install permissions and then click Run checkup.

  • You can now hot plug a Single Root I/O Virtualization (SR-IOV) interface to a running virtual machine (VM) by using the web console.

Deprecated and removed features

Deprecated features

Deprecated features are included in the current release and supported. However, they will be removed in a future release and are not recommended for new deployments.

  • The tekton-tasks-operator is deprecated and Tekton tasks and example pipelines are now deployed by the ssp-operator.

  • The copy-template, modify-vm-template, and create-vm-from-template tasks are deprecated.

  • Support for Windows Server 2012 R2 templates is deprecated.

Removed features

Removed features are not supported in the current release.

  • Support for the legacy HPP custom resource, and the associated storage class, has been removed for all new deployments. In OpenShift Virtualization 4.15, the HPP Operator uses the Kubernetes Container Storage Interface (CSI) driver to configure local storage. A legacy HPP custom resource is supported only if it had been installed on a previous version of OpenShift Virtualization.

  • CentOS 7 and CentOS Stream 8 are now in the End of Life phase. As a consequence, the container images for these operating systems have been removed from OpenShift Virtualization and are no longer community supported.

Technology Preview features

Some features in this release are currently in Technology Preview. These experimental features are not intended for production use. Note the following scope of support on the Red Hat Customer Portal for these features:

  • Cluster admins can now enable CPU resource limits on a namespace in the OpenShift Container Platform web console under OverviewSettingsClusterPreview features.

Bug fixes

  • Previously, the windows-efi-installer pipeline failed when started with a storage class that had the volumeBindingMode set to WaitForFirstConsumer. This fix removes the annotation in the StorageClass object that was causing the pipelines to fail. (CNV-32287)

  • Previously, if you simultaneously cloned approximately 1000 virtual machines (VMs) using the provided data sources in the openshift-virtualization-os-images namespace, not all of the VMs moved to a running state. With this fix, you can clone a large number of VMs concurrently. (CNV-30083)

  • Previously, you could not SSH into a VM by using a NodePort service and its associated fully qualified domain name (FQDN) displayed in the web console when using networkType: OVNKubernetes in your install-config.yaml file. With this update, you can configure the web console so it shows a valid accessible endpoint for SSH NodePort services. (CNV-24889)

  • With this update, live migration no longer fails for a virtual machine instance (VMI) after hot plugging a virtual disk. (CNV-34761)

Known issues

Monitoring

  • The Pod Disruption Budget (PDB) prevents pod disruptions for migratable virtual machine images. If the PDB detects pod disruption, then openshift-monitoring sends a PodDisruptionBudgetAtLimit alert every 60 minutes for virtual machine images that use the LiveMigrate eviction strategy. (CNV-33834)

Networking

Nodes

  • Uninstalling OpenShift Virtualization does not remove the feature.node.kubevirt.io node labels created by OpenShift Virtualization. You must remove the labels manually. (CNV-38543)

Storage

  • If you use Portworx as your storage solution on AWS and create a VM disk image, the created image might be smaller than expected due to the filesystem overhead being accounted for twice. (CNV-32695)

    • As a workaround, you can manually expand the persistent volume claim (PVC) to increase the available space after the initial provisioning process completes.

  • In some instances, multiple virtual machines can mount the same PVC in read-write mode, which might result in data corruption. (CNV-13500)

    • As a workaround, avoid using a single PVC in read-write mode with multiple VMs.

  • If you clone more than 100 VMs using the csi-clone cloning strategy, then the Ceph CSI might not purge the clones. Manually deleting the clones might also fail. (CNV-23501)

    • As a workaround, you can restart the ceph-mgr to purge the VM clones.

Virtualization

  • A critical bug in qemu-kvm causes VMs to hang and experience I/O errors after disk hot plug operations. This issue can also affect the operating system disk and other disks that were not involved in the hot plug operations. If the operating system disk stops working, the root file system shuts down. For more information, see Virtual Machine loses access to its disks after hot-plugging some extra disks in the Red Hat Knowledgebase.

    Due to package versioning, this bug might reappear after updating OpenShift Virtualization from 4.13.z or 4.14.z to 4.15.0.

  • When adding a virtual Trusted Platform Module (vTPM) device to a Windows VM, the BitLocker Drive Encryption system check passes even if the vTPM device is not persistent. This is because a vTPM device that is not persistent stores and recovers encryption keys using ephemeral storage for the lifetime of the virt-launcher pod. When the VM migrates or is shut down and restarts, the vTPM data is lost. (CNV-36448)

  • OpenShift Virtualization links a service account token in use by a pod to that specific pod. OpenShift Virtualization implements a service account volume by creating a disk image that contains a token. If you migrate a VM, then the service account volume becomes invalid. (CNV-33835)

    • As a workaround, use user accounts rather than service accounts because user account tokens are not bound to a specific pod.

  • With the release of the RHSA-2023:3722 advisory, the TLS Extended Master Secret (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections on FIPS-enabled Red Hat Enterprise Linux (RHEL) 9 systems. This is in accordance with FIPS-140-3 requirements. TLS 1.3 is not affected.

    Legacy OpenSSL clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3. For more information, see TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2.

    • As a workaround, update legacy OpenSSL clients to a version that supports TLS 1.3 and configure OpenShift Virtualization to use TLS 1.3, with the Modern TLS security profile type, for FIPS mode.

Web console

  • When you first deploy an OpenShift Container Platform cluster, creating VMs from templates or instance types by using the web console, fails if you do not have cluster-admin permissions.

    • As a workaround, the cluster administrator must first create a config map to enable other users to use templates and instance types to create VMs. (link: CNV-38284)

  • When you create a network attachment definition (NAD) for an OVN-Kubernetes localnet topology by using the web console, the invalid annotation k8s.v1.cni.cncf.io/resourceName: openshift.io/ appears. This annotation prevents the starting of the VM.

    • As a workaround, remove the annotation.