2025.1 Series Release Notes

16.0.0-10

Upgrade Notes

  • UDP load balancers will require a failover to fix the UDP rebalance issue once the control plane is updated.

Bug Fixes

  • Fixed a bug where the Amphora configuration update would only update the Amphora agent configuration, but the health sender would not be updated with the new controller IP list.

  • Fixed an issue where UDP listeners may not rebalance failed member servers in a timely fashion. It could take up to five minutes for a failed member server to be removed from existing flows.

  • Ignore serialization of the loadbalancer class in GetAmphoraNetworkConfigs tasks. This avoids storing the full graph in the jobboard details. It fixes cases where jobboard is enabled for huge LBs with ~2000+ resources in the graph.

  • Reduce the value of tune.ssl.cachesize for HTTPS termination listeners to prevent OOM during haproxy reload (LP: #2119987).

  • Fixed a bug where an L7Rule with FILE_TYPE and EQUAL_TO comparison never matched due to an issue with the generated HAProxy configuration.

  • Fixed missing port_id element when getting the additional_vips parameter of a load balancer.

  • Fix a potential race condition during the cascade deletion of load balancers. When deleting a load balancer with multiple listeners, the security groups of the VIP port may have been updated many times concurrently, creating a race condition.

Other Notes

  • Added an “octavia-wsgi” script for backward compatibility now that pbr’s wsgi_scripts no longer functions with the latest setuptools.

16.0.0

New Features

  • Octavia Amphora based load balancers now support using SR-IOV virtual functions (VF) on the member ports.

  • Add the vip_sg_ids parameter to the load-balancer POST API. It allows setting a list of user-defined Neutron Security Groups on the VIP port of the Load Balancer.

  • Add the vip_sg_ids parameter to the Amphora driver, a list of Neutron Security Groups. When set, the Amphora driver applies the Security Groups to the VIP port of the Load Balancer. It also doesn’t set any Security Group Rules related to the Listeners on this port; however, it adds Security Group Rules for VRRP and haproxy peers when needed. This feature does not work with SR-IOV ports as Neutron does not support Security Groups on these ports.

  • Added support for the Jobboard Etcd backend in Taskflow.

  • The new [task_flow] jobboard_redis_backend_db option has been added. This option allows using a non-default database in Redis as the backend.

Upgrade Notes

  • You must update the amphora image to support the SR-IOV member port feature.

  • When upgrading, the default RBAC rules will switch from Octavia Advanced RBAC to the keystone default roles. This means the load_balancer_* roles will no longer have access to the load balancer API. To continue to use the Octavia Advanced RBAC rules, please use the octavia-advanced-rbac-policy.yaml override file provided.

Critical Issues

  • When upgrading, the default RBAC rules will switch from Octavia Advanced RBAC to the keystone default roles. This means the load_balancer_* roles will no longer have access to the load balancer API. To continue to use the Octavia Advanced RBAC rules, please use the octavia-advanced-rbac-policy.yaml override file provided.

Security Issues

  • When upgrading, the default RBAC rules will switch from Octavia Advanced RBAC to the keystone default roles. This means the load_balancer_* roles will no longer have access to the load balancer API. To continue to use the Octavia Advanced RBAC rules, please use the octavia-advanced-rbac-policy.yaml override file provided. Note: the keystone default roles are less restrictive than the Octavia Advanced RBAC rules and you will no longer have global observer or quota specific roles.
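
A pre-upgrade check for the RBAC change described above, as an added example (not part of the Octavia release notes or code base): it reports principals that hold only load_balancer_* roles in a scope, and holders of the global observer and quota roles that have no keystone-default counterpart. The input shape is assumed to match `openstack role assignment list --names -f json`; the sample records and the `audit` function name are constructed for illustration.

```python
import json
from collections import defaultdict

# Roles the keystone-default policy recognises.
KEYSTONE_DEFAULT = {"admin", "member", "reader"}
# Octavia Advanced RBAC roles with no keystone-default counterpart (global observer, quota).
NO_EQUIVALENT = {"load_balancer_global_observer", "load_balancer_quota_admin"}

# Constructed sample; field names are the assumed CLI JSON columns.
SAMPLE = json.dumps([
    {"Role": "load_balancer_member", "User": "alice@Default", "Group": "", "Project": "web@Default"},
    {"Role": "load_balancer_member", "User": "bob@Default", "Group": "", "Project": "web@Default"},
    {"Role": "member", "User": "bob@Default", "Group": "", "Project": "web@Default"},
    {"Role": "load_balancer_global_observer", "User": "carol@Default", "Group": "", "Project": "audit@Default"},
    {"Role": "reader", "User": "carol@Default", "Group": "", "Project": "audit@Default"},
    {"Role": "member", "User": "dave@Default", "Group": "", "Project": "web@Default"},
    {"Role": "load_balancer_quota_admin", "User": "", "Group": "lb-ops@Default", "Project": "web@Default"},
])


def audit(assignments_json):
    """Return principals affected by the switch to keystone default roles."""
    held = defaultdict(set)
    for a in json.loads(assignments_json):
        principal = a.get("User") or a.get("Group")
        scope = a.get("Project") or a.get("Domain") or "system"
        if principal:
            held[(principal, scope)].add(a["Role"])
    report = {"loses_access": [], "no_equivalent": []}
    for (principal, scope), roles in sorted(held.items()):
        lb_roles = {r for r in roles if r.startswith("load_balancer_")}
        if not lb_roles:
            continue  # never relied on Advanced RBAC roles
        if not roles & KEYSTONE_DEFAULT:
            # Only load_balancer_* roles in this scope: no API access after upgrade.
            report["loses_access"].append((principal, scope, sorted(lb_roles)))
        if lb_roles & NO_EQUIVALENT:
            report["no_equivalent"].append((principal, scope, sorted(lb_roles & NO_EQUIVALENT)))
    return report


if __name__ == "__main__":
    for finding, rows in audit(SAMPLE).items():
        for principal, scope, roles in rows:
            print(f"{finding}: {principal} in {scope} holds {', '.join(roles)}")
```

Group membership and inherited assignments are not resolved here, so treat each finding as a prompt to check that principal's effective roles before the upgrade.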

Bug Fixes

  • Remove the record in the amphora_health table on revert. This is necessary because the record in the amphora table for the corresponding amphora is also deleted. It avoids false positive triggering of the failover threshold due to orphan records in the amphora_health table.

  • Fixed a potential AttributeError during listener update when a security group rule had no protocol defined (i.e. it was null).

  • Fixed an issue with SINGLE topology load balancers with UDP listeners: the Amphora now sends a Gratuitous ARP packet when a UDP pool is added, which makes the VIP address reachable more quickly after a failover or when reusing a previously allocated IP address.

  • Fix verification of certificates signed by a private CA when using Neutron endpoints.

  • Fix an error on revert of the PlugVIPAmphora task when db_lb is not defined and get_subnet raises a NotFound error. It could happen when Amphora creation failed by timeout and the VIP network had been removed beforehand. As a result, the revert failed with an exception.