Pike Series Release Notes


Security Issues

  • Correctly require two-way certificate authentication to connect to the amphora agent API (CVE-2019-17134).


Security Issues

  • Fixed a debug level logging of Amphora certificates for flows such as ‘octavia-create-amp-for-lb-subflow-octavia-generate-serverpem’ (triggered with loadbalancer failover) and ‘octavia-create-amp-for-lb-subflow-octavia-update-cert-expiration’.


Bug Fixes

  • Neutron LBaaS was assigning the VIP port it created the user’s project-id, thus allowing the user to attach Floating-IPs to the VIP port. Octavia, on the other hand, was assigning the Octavia project-id to the port, making it impossible for the user to attach a Floating IP. This patch brings Octavia’s behavior in line with Neutron LBaaS and assigns the user’s project-id to the VIP port created by Octavia.



For the OpenStack Pike release, the Octavia team is excited to announce Octavia version 1.0.0 and introduce the Octavia v2 API. Octavia can now be deployed without neutron-lbaas as a standalone endpoint. The Octavia v2 API is fully backward compatible with the neutron-lbaas v2 API and is a superset of the neutron-lbaas v2 API.

New Features

  • New Health Monitor type “TLS-HELLO” to perform a simple TLS connection.

  • Add a config variable to disable creation of TLS Terminated listeners.

  • Adds a new config parameter to specify the anti-affinity policy

  • Add monitor address and port to member

  • Add config variables to allow disabling either API version (v1 or v2.0).

  • Added a configuration option that specifies the availability zone amphora should be built in.

  • The amphora haproxy user_group setting is now automatically detected for Ubuntu, CentOS, Fedora, or RHEL based amphora.

  • The Octavia v2 API now supports Role Based Access Control (RBAC). The default rules require users to have a load-balancer_* role to be able to access the Octavia v2 API. This can be overriden with the admin_or_owner-policy.json sample file provided. See the Octavia Policies document for more information.

  • Add support PROXY protocol for lbaas pool in octavia

  • Octavia API now supports WSGI deplyment.

  • The diskimage-create script now supports generic download mirrors via the DIB_DISTRIBUTION_MIRROR environment variable, replacing the existing distribution-specific elements

Upgrade Notes

  • If users have configured Health Monitors of type “HTTPS” and are expecting a simple “TLS-HELLO” check, they will need to recreate their monitor with the new “TLS-HELLO” type.

  • Adding ID column to the health_monitor table in Octavia, whose value is same as the pool_id column. The database needs to be upgraded first, followed by upgrade and restart of the API servers.

  • The configuration setting auth_strategy is now set to keystone by default.

  • The keepalived improvements require the amphora image to be upgraded.

  • Several API related variables are moving to their own section api_settings. bind_host bind_port api_handler allow_pagination allow_sorting pagination_max_limit api_base_uri

  • Added option ‘sync_provisioning_status’ to enable synchronizing provisioning status of loadbalancers with the neutron-lbaas database. Enabling this option will queue one additional message per amphora every heartbeat interval.

  • For the diskimage-create script, the BASE_OS_MIRROR environment variable was renamed to DIB_DISTRIBUTION_MIRROR

Deprecation Notes

  • The project_id attribute of the POST method on the following objects is now deprecated: listener, pool, health monitor, and member. These objects will use the parent load balancer’s project_id. Values passed into the project_id on those objects will be ignored until the deprecation cycle has expired, at which point they will cause an error.

  • haproxy user_group is no longer being used. it is now auto-detected for Ubuntu, CentOS, Fedora and RHEL based amphora images.

  • Finally completely remove tenant_id, as it was deprecated along with the keystone v2 API in Mitaka, which means we’re free of it in Pike!

  • These custom distribution mirror elements for the diskimage-script were removed: apt-mirror, centos-mirror, fedora-mirror

Security Issues

  • Note that while the Octavia v2 API now supports Role Bassed Access Control (RBAC), the Octavia v1.0 API does not. The Octavia v1.0 API should not be exposed publicly and should only be used internally such as for the neutron-lbaas octavia driver. Publicly accessible instances of the Octavia API should have the v1.0 API disabled via the Octavia configuration file.

Bug Fixes

  • Health Monitor type “HTTPS” now correctly performs the configured check. This is done with all certificate validation disabled, so it will not work if backend members are performing client certificate validation.

  • Some versions of HAProxy incorrectly reported nodes in DRAIN status as being UP, and Octavia code was written around this incorrect reporting. This has been fixed in some versions of HAProxy and is now handled properly in Octavia as well. Now it is possible for members to be in the status DRAINING. Note that this is masked when statuses are forwarded to neutron-lbaas in the eventstream, so no compatibility change is necessary.

  • Allow the loadbalancer’s VIP to be created on the same network as the management interface.

  • Fixed an issue that caused failover to unsuccessful if the vip network was not DHCP enabled.

  • Fixed an issue where the amphora would fail to bring up the VIP if the VIP network did not have a gateway specified in neutron.

  • Improvements to the keepalived system used in active/standby topologies. keepalived is now monitored for health by the amphora agent (previously just by the init system) and a systemd race condition between keepalived and haproxy have been resolved.

  • Resolved an issue that could cause provisioning status to become out of sync between neutron-lbaas and octavia during high load.

Other Notes

  • The Octavia project documentation has been reorganized as part of the OpenStack documentation migration project. The Octavia project documentation is now located at: https://docs.openstack.org/octavia/latest/