2023.2 Series Release Notes


Bug Fixes

  • Fixed an error when updating a UDP Health Monitor with an empty “delay” parameter.

  • Fixed an issue when the “limit” parameter in a request is less than or equal to 0. The API now returns resources according to pagination_max_limit as expected, instead of an error.

  • Fixed an issue when using certificates with a blank subject or missing CN.

  • Fixed wrong endpoint information in neutron client configuration.

  • Fixed a bug that prevented the amphora from being updated by the Amphora Configure API call. The API call was successful, but the internal flow for updating the amphora failed.

  • Fixed a potential issue when deleting a load balancer with an amphora that was not fully created. The deletion may have failed when deallocating the VIP port, leaving the load balancer in ERROR state.

  • Added a validation step in the batch member API request that checks whether a member is included multiple times in the list of updated members. This additional check prevents the load balancer from being stuck in PENDING_UPDATE. Duplicate members in the batch member flow triggered an exception in Taskflow. The API now returns 400 (ValidationException) if a member is already present in the body of the request.

  • Fixed a bug when creating a load balancer and a listener with allowed_cidrs using the fully-populated load balancer API. The call was rejected because Octavia could not validate that the IP addresses of the allowed_cidrs have the same family as the VIP address.

  • Bug fix: The response body of the LB API, when creating a new load balancer, now correctly includes information about the health monitor. Previously, this information was consistently null, despite configuring a health monitor.

  • Fixed a bug with HTTP/HTTPS health-monitors on pools with ALPN protocols in the amphora-driver. The healthchecks sent by haproxy were flagged as bad requests by the backend servers. Updated the haproxy configuration to use ALPN for the healthchecks too.

  • Fixed an issue with load balancers stuck in a PENDING_* state during database outages. Now, when a task fails in Octavia, it retries updating the provisioning_status of the load balancer until the database is back (or it gives up after a really long timeout, around 2h45).

  • Fixed an issue when using UDP listeners in dual-stack (IPv4 and IPv6) load balancers: some masquerade rules needed by UDP were not correctly set on the member interfaces.

  • Fixed a bug when the deprecated settings (endpoint, endpoint_type, ca_certificates_file) are used in the [neutron] section of the configuration file. The connection to the neutron service may have used some settings from the [service_auth] section or used undefined settings.

  • Fixed a race condition in the members batch update API call. The data passed to the Octavia worker service may have been incorrect when quickly sending successive API calls, and the load balancer was then stuck in the PENDING_UPDATE provisioning_status.

  • Fixed a too long timeout when attempting to start the VRRP service in an unreachable amphora during a failover. A specific shorter timeout should be used during the failovers.

  • Fixed TLS-HELLO health-monitors in the amphora-driver.

  • Reduced the duration of the failovers of ACTIVE_STANDBY load balancers. Many updates of an unreachable amphora may have been attempted during a failover. Now, if an amphora is not reachable at the first update, the other updates are skipped.

  • Reduced the duration of the failovers of ACTIVE_STANDBY load balancers when both amphorae are unreachable.

Other Notes

  • Noop certificate manager was added. Now any Octavia certificate operations using noop drivers will be faster (as they won’t be validated).


New Features

  • Added support for HTTP Strict Transport Security (HSTS) for TLS-terminated listeners. The API for creating and updating listeners has been extended by the optional fields hsts_max_age, hsts_include_subdomains and hsts_preload. By default this feature is disabled. In order to activate this feature the hsts_max_age option needs to be set.

Upgrade Notes

  • A patch that fixes an issue making the VIP port unreachable because of missing IP rules requires an update of the Amphora image.

  • The amphorav1 provider was removed. Users who have kept using it are advised to switch to the default amphora provider, which is an alias for the amphorav2 provider.

Deprecation Notes

  • In a future release, Octavia will no longer take the authentication settings for Neutron from the [service_auth] section as a fallback. It will require them to be in the [neutron] section. The endpoint option is now deprecated and replaced by endpoint_override. Similarly, the new name of the endpoint_type option is valid_interfaces and the new name of the ca_certificates_file option is cafile. Note that [service_auth] settings will still be used for other services like Nova and Glance.

  • The deprecated amphorav1 provider was removed. The default provider amphora is still an alias for the amphorav2 provider.
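
A pre-upgrade check for the [neutron] renames and the [service_auth] fallback described above. This is an added example, not Octavia code; the sample configuration is constructed, and using auth_type as the marker for "credentials are present in [neutron]" is an assumption.

```python
import configparser

# Old [neutron] option -> replacement, as listed in the deprecation note.
RENAMED = {
    "endpoint": "endpoint_override",
    "endpoint_type": "valid_interfaces",
    "ca_certificates_file": "cafile",
}

# Constructed sample configuration (hosts and paths are placeholders).
SAMPLE_CONF = """
[service_auth]
auth_type = password
auth_url = https://keystone.example.test/v3

[neutron]
endpoint = https://neutron.example.test:9696
endpoint_type = internal
ca_certificates_file = /etc/octavia/neutron-ca.pem
"""


def audit_neutron_section(conf_text):
    """Return migration findings for the [neutron] section of an octavia.conf."""
    # default_section is moved aside so [DEFAULT] values do not leak into
    # [neutron]; strict=False tolerates repeated options.
    cp = configparser.ConfigParser(
        default_section="__unused__", interpolation=None, strict=False)
    cp.read_string(conf_text)
    neutron = cp["neutron"] if cp.has_section("neutron") else {}
    findings = []
    for old, new in RENAMED.items():
        if old in neutron and new in neutron:
            findings.append(f"{old} and {new} both set: drop deprecated {old}")
        elif old in neutron:
            findings.append(f"{old} is deprecated: rename to {new}")
    # Assumption: auth_type (a keystoneauth option) marks a section that
    # carries its own credentials; without it Octavia would fall back.
    if "auth_type" not in neutron and cp.has_section("service_auth"):
        findings.append("no auth_type in [neutron]: relies on [service_auth] fallback")
    return findings


if __name__ == "__main__":
    for finding in audit_neutron_section(SAMPLE_CONF):
        print("WARN [neutron]", finding)
```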

Bug Fixes

  • Fixed an issue where deleting the last listener from a load balancer may trigger a failover.

  • The validation for the allowed_cidr parameter only took into account the IP version of the primary VIP. CIDRs which only matched the version of an additional VIP were rejected. This is fixed and CIDRs are now matched against the IP version of all VIPs.

  • Fixed an issue when adding or deleting a member: Octavia might have reconfigured the management port of the amphora by adding or removing additional subnets. Octavia no longer updates the management port during those tasks.

  • Fixed a potential race condition in the member batch update API call: the load balancers might not have been locked properly.

  • Fixed a bug in the amphora-agent: an exception was triggered when a LB with both IPv4 and IPv6 VIPs and with a UDP pool had only IPv4 members or only IPv6 members.

  • Fixed the global number of concurrent connections in haproxy when disabling listeners. The connection-limit of disabled listeners was used to compute this value; disabled listeners are now skipped.

  • Fixed a bug that didn’t set all the active load balancer Health Monitors ONLINE in populated LB single-create calls.

  • Fixed a bug that could have made the VIP port unreachable because of the removal of some IP rules in the Amphora. It could have been triggered only when sending a request from a subnet that is not the VIP subnet but that is plugged as a member subnet.

  • Fixed a bug that prevented the operating_status of a health-monitor from being set to ONLINE when IPv6 addresses were enclosed within square brackets in controller_ip_port_list.

  • Fixed the issue with session persistence based on source IP not working for IPv6 load balancers. Session persistence now functions properly for IPv4, IPv6 and dual-stack load balancers.

  • Fixed a potential error when plugging a member from a new network after deleting another member and unplugging its network. Octavia may have tried to plug the new network to a new interface but with an already existing name. This fix requires an update of the Amphora image.

  • Fixed a bug in octavia-status which reported an incorrect status for the amphorav2 driver when using the default amphora alias.

  • Fixed a bug that didn’t set the correct provisioning_status for unattached pools when creating a fully-populated load balancer.

  • Fixed an SELinux issue with TCP-based health-monitors on UDP pools: some specific monitoring ports were denied by SELinux. The Amphora image now enables the keepalived_connect_any SELinux boolean that allows connections to any ports.

  • Fixed a bug with the status of the members of UDP pools in load balancers with IPv4 and IPv6 VIPs. Some members may have been incorrectly reported as DOWN by the Amphora.

  • Fixed the format of log messages related to quota decrement errors. They displayed unhelpful information; they now report the correct resource type for which the error occurs.

  • Fixed the issue where nf_conntrack* opts values are lost after rebooting the Amphora VM. For more details, see Story 2010795.

  • When plugging a new member subnet, the amphora sends an IP advertisement of the newly allocated IP. It allows the servers on the same L2 network to flush the ARP entries of a previously allocated IP address.
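
The allowed_cidr validation fix noted in this list (CIDRs matched against the IP version of all VIPs rather than only the primary VIP), shown as a before/after comparison. This is an added example, not Octavia's validation code; the function name and the sample addresses are constructed for illustration.

```python
import ipaddress


def check_allowed_cidrs(allowed_cidrs, vip_addresses):
    """Map each CIDR to None (accepted) or a rejection reason.

    A CIDR is accepted when its IP version matches at least one VIP.
    """
    versions = {ipaddress.ip_address(v).version for v in vip_addresses}
    result = {}
    for cidr in allowed_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            result[cidr] = "not a valid CIDR"
            continue
        if net.version in versions:
            result[cidr] = None
        else:
            result[cidr] = f"IPv{net.version} CIDR but no IPv{net.version} VIP"
    return result


# Constructed sample: dual-stack load balancer (documentation address ranges).
PRIMARY_VIP = "203.0.113.10"
ADDITIONAL_VIPS = ["2001:db8::10"]
ALLOWED_CIDRS = ["198.51.100.0/24", "2001:db8:1::/48", "10.0.0.0/33"]

# Behaviour before the fix: only the primary VIP's version is considered.
before = check_allowed_cidrs(ALLOWED_CIDRS, [PRIMARY_VIP])
# Behaviour after the fix: every VIP's version is considered.
after = check_allowed_cidrs(ALLOWED_CIDRS, [PRIMARY_VIP, *ADDITIONAL_VIPS])

if __name__ == "__main__":
    for cidr in ALLOWED_CIDRS:
        print(f"{cidr}: before={before[cidr]!r} after={after[cidr]!r}")
```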

Other Notes

  • Replaced code that uses the deprecated python-neutronclient library with code that uses openstacksdk and removed python-neutronclient as a dependency.