Ocata Series Release Notes

0.10.0-37

Upgrade Notes

  • Added option ‘sync_provisioning_status’ to enable synchronizing provisioning status of loadbalancers with the neutron-lbaas database. Enabling this option will queue one additional message per amphora every heartbeat interval.

Security Issues

  • Correctly require two-way certificate authentication to connect to the amphora agent API (CVE-2019-17134).

  • Fixed debug-level logging of amphora certificates in flows such as ‘octavia-create-amp-for-lb-subflow-octavia-generate-serverpem’ (triggered by a loadbalancer failover) and ‘octavia-create-amp-for-lb-subflow-octavia-update-cert-expiration’.

Bug Fixes

  • Resolved an issue that could cause provisioning status to become out of sync between neutron-lbaas and octavia during high load.

0.10.0

Prelude

Amphora image support for RH Linux flavors.

Extended support for Keystone API v3.

Support for Keystone token authentication on frontend Octavia API.

New Features

  • Policy.json enforcement in Octavia. Enables verification of privileges on a specific API command for a specific user role and project_id.

  • Adds quota support to the Octavia API.

  • The diskimage-create script supports different operating system flavors such as Ubuntu (the default option), CentOS, Fedora and RHEL. Adaptations were made to several elements to ensure all images are operational.

  • The amphora-agent is now able to distinguish between operating systems and choose the right course of action to manage files and networking on each Linux flavor.

  • Adds support for amphora images that use systemd.

  • Add support for Ubuntu Xenial amphora images.

  • Octavia supports different Keystone APIs and chooses the authentication mechanism based on the configuration specified in the “keystone_authtoken” section of the octavia.conf file.

  • After setting “auth_strategy = keystone”, all incoming requests to the Octavia API are verified with Keystone to confirm that they were sent by an authenticated user. This option is disabled by default because Neutron LBaaS v2 does not support that functionality properly.

  • Adds support for PKCS7 PEM or DER encoded intermediate certificate bundles for TERMINATED_HTTPS listeners.

Known Issues

  • To use CentOS, Fedora, or RHEL in your amphora image, you must set the user_group option, located in the [haproxy_amphora] section of the octavia.conf file, to “haproxy”. This will be made automatic in a future version.

Upgrade Notes

  • agent_server_network_dir is now auto-detected for Ubuntu, CentOS, Fedora and RHEL if one is not specified in the configuration file.

  • The “keystone_authtoken_v3” section was removed from the configuration file; all of its parameters are now stored in the “keystone_authtoken” section.

  • This feature adds a new configuration option, “auth_strategy”, which is set to “noauth” by default.

  • Removed the duplicated config option ‘cert_generator’ in [controller_worker]. Operators should now set it under [certificates].

Deprecation Notes

  • The “use_upstart” configuration option is now deprecated because the amphora agent can now automatically discover the init system in use in the amphora image.

Bug Fixes

  • Resolves an issue with using encrypted TLS private keys.
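
The 0.10.0 known issue, upgrade notes and deprecation note above all concern octavia.conf settings, so an operator can check an existing file against them before upgrading. The script below is an added example, not part of Octavia or of these release notes; the function name, the sample file and its values are constructed, and because the notes do not say which section holds auth_strategy or use_upstart, it searches every section for them.

```python
import configparser

# Constructed sample of a pre-Ocata octavia.conf (values are illustrative).
SAMPLE = """\
[DEFAULT]
debug = False

[keystone_authtoken_v3]
admin_user = octavia

[controller_worker]
cert_generator = local_cert_generator

[haproxy_amphora]
use_upstart = True
user_group = nogroup
"""

def audit_octavia_conf(text, rh_family_image=False):
    """Return (option, advice) pairs for settings the 0.10.0 notes call out."""
    # default_section is renamed so [DEFAULT] values do not leak into has_option().
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(text)
    found = []
    if cp.has_section("keystone_authtoken_v3"):
        found.append(("keystone_authtoken_v3", "section removed; move its options to [keystone_authtoken]"))
    if cp.has_option("controller_worker", "cert_generator"):
        found.append(("cert_generator", "set it under [certificates], not [controller_worker]"))
    # The notes do not name the section for these two options, so search all of them.
    if any(cp.has_option(s, "use_upstart") for s in cp.sections()):
        found.append(("use_upstart", "deprecated; the agent detects the init system"))
    auth = [cp.get(s, "auth_strategy") for s in cp.sections() if cp.has_option(s, "auth_strategy")]
    if not any(v.strip().strip("\"'") == "keystone" for v in auth):
        found.append(("auth_strategy", "noauth in effect; API requests are not verified by Keystone"))
    # Only relevant when the amphora image is CentOS, Fedora or RHEL.
    group = cp.get("haproxy_amphora", "user_group", fallback="").strip().strip("\"'")
    if rh_family_image and group != "haproxy":
        found.append(("user_group", "must be haproxy in [haproxy_amphora] for this image"))
    return found

if __name__ == "__main__":
    for option, advice in audit_octavia_conf(SAMPLE, rh_family_image=True):
        print(f"{option}: {advice}")
```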