2025.2 Series Release Notes
17.0.0
New Features
Added a volume zone to the availability zone profile for the amphora backend, so that a load balancer can be created with a specific volume availability zone.
The service role now has access to list the members in a pool; Aodh needs this to evaluate unhealthy members in a pool when doing evaluations.
A new module, octavia.wsgi, has been added as a place to gather WSGI application objects. This is intended to ease deployment by providing a consistent location for these objects. For example, if using uWSGI then instead of:
[uwsgi]
wsgi-file = /bin/octavia-wsgi
You can now use:
[uwsgi]
module = octavia.wsgi.api:application
This also simplifies deployment with other WSGI servers that expect module paths such as gunicorn.
Added support for multiple Fernet keys in the [certificates]/server_certs_key_passphrase configuration option by changing it to a ListOpt. The first key is used for encryption and the other keys are used for decryption, adding support for rotating the passphrase.
Upgrade Notes
UDP load balancers will require a failover to fix the UDP rebalance issue once the control plane is updated.
The default TLS cipher suite list has been updated to the current ‘intermediate’ recommendations. Load balancers will need to be failed over to use the new default list if the operator and user opted for the Octavia default cipher list.
The WSGI script octavia-wsgi has been removed. Deployment tooling should instead reference the Python module path for the wsgi module in Octavia, octavia.wsgi.api:application, if their chosen WSGI server supports this (gunicorn, uWSGI, etc.), or implement a .wsgi script themselves if not (mod_wsgi).
The [certificates]/server_certs_key_passphrase configuration option is now a ListOpt so multiple keys can be specified; the first key is used for encryption and the other keys are used for decryption, adding support for rotating the passphrase.
diskimage-create.sh has been updated to build Ubuntu Noble (24.04) amphora images by default.
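The ordering rule stated in the new-feature and upgrade notes above (first key encrypts, every listed key may decrypt) is what makes a zero-downtime rotation possible. The following is an added illustration, not Octavia's own code: it assumes the configured values are Fernet keys as cryptography.fernet expects them, parses them the way an oslo.config ListOpt would, and walks through a rotation in three phases. How Octavia derives its Fernet key from the configured passphrase is not shown here.

```python
"""Added illustration of ordered multi-key Fernet rotation (not Octavia code)."""
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def parse_passphrase_list(raw):
    """Mimic an oslo.config ListOpt: split on commas, strip, drop empties."""
    return [k.strip() for k in raw.split(",") if k.strip()]


def build_multifernet(keys):
    """First key encrypts; decryption tries every key in list order."""
    if not keys:
        raise ValueError("at least one key is required")
    return MultiFernet([Fernet(k) for k in keys])


def demo_rotation():
    """Run the three-phase rotation and report what stays decryptable."""
    old_key = Fernet.generate_key().decode()   # constructed sample keys
    new_key = Fernet.generate_key().decode()
    secret = b"-----BEGIN PRIVATE KEY----- (constructed placeholder)"

    # Phase 1: a single key is configured; everything is encrypted under it.
    f1 = build_multifernet(parse_passphrase_list(old_key))
    token_v1 = f1.encrypt(secret)

    # Phase 2: rotation starts. The new key is prepended (so it now
    # encrypts) and the old key is kept behind it so existing material
    # still decrypts. rotate() re-encrypts a token under the first key.
    f2 = build_multifernet(parse_passphrase_list(f"{new_key}, {old_key}"))
    old_token_readable_during_rotation = f2.decrypt(token_v1) == secret
    token_v2 = f2.rotate(token_v1)

    # Phase 3: the old key is dropped from the list. Only material that
    # was re-encrypted during phase 2 remains readable; anything still
    # under the old key now fails with InvalidToken.
    f3 = build_multifernet(parse_passphrase_list(new_key))
    rotated_token_readable_after_removal = f3.decrypt(token_v2) == secret
    try:
        f3.decrypt(token_v1)
        old_token_readable_after_removal = True
    except InvalidToken:
        old_token_readable_after_removal = False

    return {
        "old_token_readable_during_rotation": old_token_readable_during_rotation,
        "rotated_token_readable_after_removal": rotated_token_readable_after_removal,
        "old_token_readable_after_removal": old_token_readable_after_removal,
    }
```

The practical consequence for operators is that the old key must stay in the list (after the new one) until every stored secret has been re-encrypted; removing it earlier makes those secrets unreadable.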
Security Issues
Updated the default TLS cipher suites based on current OWASP/Mozilla.org recommendations for Intermediate compatibility. The new default list is:
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-CHACHA20-POLY1305
Bug Fixes
Fixed a bug where the Amphora configuration update would only update the Amphora agent configuration, but the health sender would not be updated with the new controller IP list.
Fixed an issue where UDP listeners may not rebalance failed member servers in a timely fashion. It could take up to five minutes for a failed member server to be removed from existing flows.
Fixed a bug that caused SSH to not be disabled in amphora images created with the “-n” flag.
Fixes the error reporting when a user requests a VIP IP address that is already in use.
Ignore serialization of the loadbalancer class in GetAmphoraNetworkConfigs tasks. This avoids storing the full graph in the jobboard details and fixes cases with jobboard enabled for huge load balancers with ~2000+ resources in the graph.
Fixes an error message translation in the controller worker so that the i18n translation is applied before dynamic values are added.
Reduce the value of tune.ssl.cachesize for HTTPS termination listeners to prevent OOM during haproxy reload (LP: #2119987).
Fixed an issue with HAProxy configuration files when using the http_version or domain_name attributes in a health monitor. The generated configuration files used deprecated/removed HAProxy features; the fix updates the HAProxy templates to support recent releases.
Fixed a bug when using an L7Rule with FILE_TYPE and EQUAL_TO comparison: it never matched due to an issue with the generated HAProxy configuration.
Fixed missing port_id element when getting the additional_vips parameter of a load balancer.
Fix a potential race condition during the cascade deletion of load balancers. When deleting a load balancer with multiple listeners, the security groups of the VIP port may have been updated many times concurrently, creating a race condition.
Made the [task_flow].persistence_connection configuration setting secret, so it is not displayed when starting the Octavia applications in debug mode.