What’s New in Apache CloudStack 4.22

Apache CloudStack 4.22 – Release Overview

Apache CloudStack 4.22 is a Long-Term Support (LTS) release focused on stability and production readiness. It consolidates the platform work introduced in 4.21 and delivers targeted improvements in Backup and DR, VMware migration, Extensions, and operational observability. Highlights include enhanced Backup & DR (cross-zone restore, Ceph/Shared MountPoint support, backup selection at deploy), SSL offloading on Virtual Routers, a built-in Baremetal/MaaS extension, console access for Extensions, a global Snapshot/Backup schedule listing, and direct Volume migration within a Cluster. Additional improvements cover per Zone Console Proxy settings, persistent KVM domains, reduced pause during KVM Snapshots, centralised logging, updated OS support, a stronger checksum algorithm, and multiple security fixes.

 

Apache CloudStack 4.22 is the next LTS release. It builds on 4.21 by prioritising stability, operator experience, and production-grade behaviours. The release delivers a set of focused features that strengthen data protection and DR workflows, simplify migration from VMware, extend the XaaS Extensions Framework, and improve day-to-day operations for Administrators.

 

Highlight Features

Enhanced Backup and Disaster Recovery

Apache CloudStack 4.22 introduces multiple enhancements to the Backup and Restore framework, significantly improving flexibility, reliability, and disaster recovery capabilities across Zones and storage backends.

One of the key updates is Cross-Zone Instance Restore, which allows Administrators and Users to create Instances from Backups stored in a different Zone. This enables disaster recovery scenarios (DRaaS) without the need for manual data replication or additional configuration. CloudStack automatically manages access to NAS Backup repositories across Zones.

The release also adds support for Ceph/RBD and Shared MountPoint storage pools within the NAS Backup & Restore provider. This expands the list of supported backends and enables CloudStack to perform backups and restores directly on Ceph-based environments, including for stopped Instances. The system now handles format conversions between qcow2 and raw images transparently, improving compatibility with both block and file-based storage.

A new UI improvement allows Users to associate a Backup Offering during Instance deployment. Administrators can define Backup policies, schedules, and Offerings that are selectable at creation time, ensuring data protection policies are applied consistently from the start. Additionally, new alert types have been added for Backup and Object Storage usage, providing early visibility into resource consumption and helping Administrators enforce defined quotas.

Together, these changes make CloudStack’s Backup and Recovery workflow more integrated and production-ready. Multi-Zone environments benefit from simplified DR planning, backup administrators gain broader storage compatibility, and Users experience a more intuitive and policy-driven approach to protecting workloads.

 

SSL Offloading for Load Balancers

Apache CloudStack 4.22 introduces native support for SSL Offloading on the Virtual Router, allowing HTTPS connections to be terminated directly at the Load Balancer rather than on backend Instances. Previously, this capability was only available through external appliances such as Citrix NetScaler.

With SSL Offloading, CloudStack handles encryption and decryption at the Virtual Router, forwarding plain HTTP traffic (or optionally re-encrypted HTTPS traffic) to backend Instances. This significantly reduces CPU utilisation on Instances and simplifies SSL certificate management. Certificates are uploaded and stored centrally per Account or Project. They can be assigned, replaced, or removed directly from the Load Balancer configuration in the UI.

 

Administrators can upload certificates, including the whole chain (root and intermediate CAs), and associate them with Load Balancer rules that use the SSL protocol. This centralises control of TLS versions, ciphers, and renewal processes, improving security compliance and scalability. It also enables advanced traffic management features once the traffic is decrypted at the Load Balancer, such as Layer-7 inspection, intelligent routing, and potential WAF integration.

Because SSL offloading increases CPU usage on the Virtual Router, operators should allocate sufficient resources to handle high volumes of encrypted traffic. This feature extends CloudStack’s built-in Load Balancing capabilities, aligning Virtual Router functionality more closely with enterprise-grade reverse proxies while maintaining the platform’s simplicity and openness.

 

Baremetal/MaaS Extension

Building on the XaaS Extensions Framework introduced in 4.21, with existing Extensions for Proxmox and Hyper-V, Apache CloudStack 4.22 adds native support for Canonical MaaS (Metal as a Service). This allows CloudStack to provision and manage physical servers through MaaS while maintaining the same orchestration model used for virtual resources. Users can deploy, start, stop, or release bare-metal nodes directly from CloudStack, integrating them seamlessly into Zones and Accounts.

This addition extends CloudStack’s reach beyond traditional hypervisors, enabling unified lifecycle management of both virtual and physical workloads. It’s particularly valuable for service providers and enterprises running hybrid environments or offering dedicated bare-metal Instances, as it combines CloudStack’s governance and automation with MaaS’s robust hardware provisioning capabilities.

 

Additional Improvements

CSI Driver for CKS

Apache CloudStack 4.22 introduces an expanded CloudStack CSI Driver, allowing Kubernetes clusters running on CloudStack to provision, attach, detach, and delete persistent Volumes through standard CSI interfaces. The driver supports shared Disk Offerings, integrates via a simple secret-based configuration, and provides complete Snapshot and restore capabilities via Kubernetes snapshot CRDs. It works with both CKS (CloudStack Kubernetes Service) and external Kubernetes clusters, as long as nodes map to CloudStack Instances or expose Instance metadata via cloud-init. This update aligns CloudStack storage with modern Kubernetes expectations and improves support for cloud-native workloads.

 

Console Access in Extensions Framework

Provides console access for Instances managed by external Extensions (for example, Proxmox or Hyper-V), delivering a unified console experience through the CloudStack Console Proxy infrastructure.

 

VMware-to-KVM Migration Enhancements

Improves the migration workflow with task visibility (running/completed), clearer logging with source VM context, optional direct-to-pool conversion, and controlled extra parameters for virt-v2v. Together, these changes provide a stronger, faster path for large-scale migrations to KVM.

Snapshot/Backup Schedule Listing

New API and UI view to list Snapshot and Backup schedules across Volumes and Instances, improving visibility in larger environments.

 

Per-Zone Console Proxy Configuration

Moves Console Proxy settings from Global Settings to Zone scope, allowing proper domain/SSL handling in multi-zone deployments.

 

Direct Volume Migration Bypassing Secondary Storage

Bypasses Secondary Storage when migrating Volumes between Primary Storage pools in the same Cluster, where direct copy is supported, reducing time and resource usage.

 

Persistent Domain for Unmanaged KVM Instances from CloudStack

Keeps domain definitions on the Host when Instances are unmanaged from CloudStack, enabling local control via libvirt tools.

 

Support for UserData on System VMs

This feature enables UserData injection for System VMs and Virtual Routers, allowing Administrators to customise these components programmatically without manual intervention. Use cases include configuring custom iptables rules, implementing logging mechanisms, and exporting metrics.

 

EL10 & OpenSUSE 15.6 Platform Support

Adds compatibility for Enterprise Linux 10 and OpenSUSE 15.6 across management components and KVM Hosts.

 

Stronger Checksum Algorithm (SHA-512)

Replaces MD5 with SHA-512 for integrity checks, aligning with current security best practices.

 

Enable KVM Volume and VM Snapshot by Default

Enables KVM Volume and Instance snapshots by default, as older QEMU versions from EL6/EL7 are no longer supported.

 

Support XZ Compression Format for Template Registration with KVM

Adds support for registering Templates compressed with the xz format, commonly used for Linux cloud images.

 

Support for Shared Filesystem on Networks with Config Drive

Fixes an issue where Shared Filesystem appliances deployed on ConfigDrive-based networks would boot successfully but fail to prepare or export the data volume.

 

Security and Maintenance Fixes

  • Security Vulnerability Fixes – multiple CVE patches
  • Remote Code Execution Vulnerability Fix – RCE mitigation
  • Access Control for Extension Custom Actions – tightened RBAC checks
