Built on strong foundations

StackHPC can trace its roots all the way back through Bristol’s near 50-year computing history. The founding of Inmos in 1978 sparked a technological revolution in the south-west of England, drawing over £200 million in government investment and leading to significant developments in parallel supercomputing (Wired). Meiko, founded by former Inmos employees, launched an Inmos transputer-based supercomputer named the Computing Surface in 1986, and would employ both StackHPC co-founders John Taylor and Stig Telfer in the early 1990s.

Meiko’s technical team transferred to Quadrics in the late 1990s to keep developing Meiko networking technology. A spin-off called Gnodal formed ten years later, which folded in 2013 with its assets and team, including Stig, transferred to the Cray Bristol Research Laboratory. It was here that OpenStack’s potential for HPC infrastructure was first explored, and the Slingshot network fabric was developed.

StackHPC’s HPC cloud consultancy began at Cambridge University. John and Stig attended the OpenStack summit in Tokyo, 2015, with Stig presenting: The Case for a Scientific OpenStack. In Tokyo, John and Stig met Tim Bell from CERN, and the idea for an OpenStack Scientific Special Interest Group (SIG), a forum to share ideas across the scientific open infrastructure community, was born.

Stig delivering a keynote talk at the OpenStack Summit Barcelona 2016 with Paul Calleja from Cambridge University.

Embracing the open community

The next few years saw steady growth in StackHPC’s prominence in the OpenStack community. Presenting frequently at OpenStack summits, publishing studies on Keycloak, Kubernetes and HPC, as well as presenting at CERN OpenStack day in 2018 and 2019. For the 2017 OpenStack release, StackHPC engineers reviewed 97 contributions. By 2020’s OpenStack Ussuri, this figure had risen to 2,022, with our number of reviewers increasing from two to nine (Stackalytics).

At the OpenStack Summit Austin in 2016, StackHPC helped bring the OpenStack Scientific SIG to fruition. This has become a regular fixture at OpenInfra Summits every year since, providing a space for international collaboration to support the development of OpenStack in science and research use-cases. The ‘social infrastructure’ of SIG meetings make an ideal environment for technical exchange.

Like much of the world, StackHPC was forced to a halt in 2020, but our cloud-first and distributed approach allowed us to keep pushing forwards. The drive for bioinformatics projects created new demand for HPC and cloud-based solutions in the quest to sequence and overcome COVID-19. In November 2020, two projects we supported joined the TOP500 list, becoming the first fully OpenStack-based, software-defined supercomputers to qualify.

The ‘social infrastructure’ of the Scientific SIG at the OpenStack Summit Barcelona 2016.

Where we are now

Since then, StackHPC has continued to grow, with projects across Europe and the UK, the United States, Asia, Oceania and Africa and now employing almost 50 people. While a lot has changed, much remains the same. We are still headquartered in Bristol, but in our own office, and we have colleagues in Poland, and France. We continue to be champions for open source principles in all our work, exemplified by our position as the second highest contributor to the latest major OpenStack releases Epoxy and Gazpacho (Stackalytics: by reviews, resolved bugs, person-day hours).

A recent UK government publication noted StackHPC’s ‘highly innovative UK AI software stack’ in contribution to the University of Cambridge’s DAWN supercomputer, as the government is set to invest a further £36 million in the AI Research Resource (AIRR) at Cambridge for a new supercomputer project. DAWN has already played a role in supporting over 350 projects, such as accelerating research into personalised cancer vaccines. We are excited to continue our involvement in this and many other important projects throughout 2026.

The StackHPC team at OpenInfra Europe Summit 2025.

StackHPC Kayobe-config

• Upgrades

  • Add support for Rocky Linux 9.7, including host packages and a full container image refresh.

• Features and Improvements

  • Adds networking-generic-switch support for bond interfaces in trunk mode on Arista switches.
  • Add playbooks and configuration to enable the easy deployment of Pulp with TLS support in combination with certificates generated via OpenBao.
  • Changed the IPA (Ironic Python Agent) image compression algorithm. This improves provisioning performance by reducing the size of the IPA boot ISO.

• Fixes

  • Update OVN chassis priority fix playbook to ensure the correct leader runs the priority alignment.
  • Rebuild Nova and Neutron images to bring in upstream fixes to networking Mellanox agent.

• Read the full release notes

Kayobe

• Various fixes for issues including missing NTP configuration for infrastructure VMs, and an issue where the Bifrost host variable file failed to generate when the default ipv4 gateway was not defined.
• Read the full release notes

Kolla-Ansible

• Upgrades

  • Support for Rocky Linux 10 has been added in Epoxy to allow for operating system migrations ahead of upgrades to OpenStack Flamingo (2025.2) or Gazpacho (2026.1) where RL10 will be a requirement.

• Fixes

  • An issue where OpenSearch log retention check would fail due to improperly loaded plugins was resolved by adding a check before tasks that require plugins.
  • Addresses an issue causing HTTP 500 errors in Horizon when one of the memcached nodes was unavailable.

• Read the full release notes

Kolla

• Upgrades

  • Kolla now supports building CentOS Stream 10 and Rocky Linux 10 container images.
  • Prometheus services have been updated to the latest releases, including migration to a new TSDB format, compatible with Prometheus v3.

• Fixes

  • Pinned numpy to a safe version to prevent excessive memory consumption and memory leak in Gnocchi.

• Read the full release notes

CVE-2026-25506: MUNGE (SLURM) Buffer overflow in message unpacking allows key leakage and credential forgery

This vulnerability stems from an issue in MUNGE, the authentication service used to authenticate users – including system service users – within the cluster and to the SLURM daemons. MUNGE can be understood as the basis of trust in the StackHPC SLURM appliance.

This vulnerability could allow an attacker to impersonate any other user,  including root , to the SLURM controller and SLURM daemon. This, in turn, would let the attacker gain access as this user on compute nodes via a job, and administer SLURM using scontrol commands etc.

The attacker only needs login access to a node of the cluster or the ability to submit a SLURM job to attack the local munge daemon, which makes it a serious flaw to patch quickly especially in busy clusters.

As packages for the fixes were not yet available from the vendors of the host OS we deploy to (Ubuntu and Rocky Linux) we went ahead and packaged the fix ourselves for our customers and have been deploying it.

CVE-2025-15467: OpenSSL stack buffer overflow

This one is both quite specific in its requirements and potentially quite bad in terms of impact.

The attack exploits a bug in parsing AuthEnvelopedData structures that use Authenticated Encryption with Associated Data (AEAD) ciphers such as AES-GCM. An attacaker with supplying a crafted Cryptographic Message Syntax (CMS) message with an oversized Initialization Vector (IV) can trigger a buffer overflow, which may lead to a crash and a Denial of Service (DoS) or, more worryingly, potentially allow for remote code execution.

Again, worth patching quickly. We’ve been deploying the patched versions to our customers’ systems.

CVE-2026-24708: Nova calls qemu-img without format restriction for resize (OSSA-2026-002)

A more concerning vulnerability, which resulted in an embargo on the release of any details prior to publication. As soon as we got advance notice of this bug, we immediately got to preparing patched versions of the Nova service to make available to our customers as the embargo was lifted, on Tuesday 18 February at 15:00 GMT.

The attack relies on writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, which may convince Nova's flat image backend to call qemu-img without a format restriction which results in an unsafe image resize operation, which in turn could destroy data on the host system.

Thankfully, only compute nodes using the Flat image backend are affected and as we analysed our customers’ systems, we determined most of them were configured not to use it, meaning they already had the mitigation enabled (ie: use_cow_images=True).

Furthermore, the attack requires access to the Nova Compute API, which puts public and user-reachable deployments at higher risk.

All in all, still a vulnerability to be taken seriously and patched quickly, as the situation can evolve quickly after an embargoed vulnerability is made public.

HPC Asia

Stig presenting at HPC Asia.

In late January, CTO Stig Telfer and computer tolerator Alex Welsh travelled to the beautiful city of Osaka to attend the joint Supercomputing Asia/HPC Asia conference.

There were clearly two big focal points at the event: AI, and quantum computing. AI taking centre stage will surprise no-one, but quantum computing is continuing to gain momentum. Recent breakthroughs mean enthusiasm for the technology appears to be at an all-time high.

Between the qubits and okonomiyaki, Stig was invited to present at the 10th iteration of the SuperCompCloud workshop. The group focuses on the interoperability of supercomputing and cloud technologies. He used this time to share StackHPC's recent successes at the University of Bristol, where the StackHPC SLURM Appliance is being used to great effect (slides publicly available here).

Upcoming Events

Our busy calendar continues into Q1, and we hope to be attending some of these events:

• Global Open Ondemand Conference in Salt Lake City, USA, 9-12th March.
• HPSF Conference in Chicago, USA, 16-20th March.
• KubeCon + CloudNative Con in Amsterdam, Netherlands, 23-26th March.
• HPC-AI Swiss Conference in Locarno, Switzerland, 20-23rd April.
• StackConf in Munich, Germany, 28-29th April.
• KubeCon in Mumbai, India, 18-19th June.
• ISC-HPC in Hamburg, Germany, 22-26th June.

Slinking Time

Published 8 February 2026, by Raine Wales

Raine explores how FluxCD enables the packaging of Slinky as an Azimuth app, lowering the barrier to entry for SLURM by deploying it within a Kubernetes cluster.

Read the full post.

Azimuth All Alone: Standalone Mode

Published 17 December 2025, by Raine Wales

Raine presents a solution to deploy Azimuth on a Kubernetes cluster, allowing organisations and users without an existing OpenStack cloud to make use of the platform, and bring in new ideas.

Read the full post.

United by OpenStack: Empowering Women in STEM Beyond Borders

Published 12 November 2025, by Massimiliano Favaro-Bedford

Max summarises a great experience supporting students from the University of Jos, Nigeria, through a 7 week internship covering OpenStack and Magnum development.

Read the full post.

Keep an eye on our LinkedIn, or the blog page of our website for the latest posts.