Current Series Release Notes

6.0.0-72

New Features

  • Added l7policy and l7rule to the Octavia quota.

  • Added minimum_tls_version to octavia.conf. Listeners, pools, and the defaults for either will be blocked from using any lower TLS version. By default, there is no minimum version.

  • TLS-enabled pools can now be configured to use only specified versions of TLS. Default TLS versions for new pools can be set with default_pool_tls_versions in octavia.conf. Existing pools will continue to use the old defaults.

  • Added tls_cipher_blacklist to octavia.conf. Listeners, pools, and the default values for either will be blocked from using any of these ciphers. By default, no ciphers are blacklisted.

  • HTTPS-terminated listeners can now be configured to use only specified versions of TLS. Default TLS versions for new listeners can be set with default_listener_tls_versions in octavia.conf. Existing listeners will continue to use the old defaults.

Upgrade Notes

  • An amphora image update is recommended to pick up a workaround to an HAProxy issue where it would fail to reload on configuration change should the local peer name start with “-x”.

  • The failover improvements do not require an updated amphora image, but updating existing amphora will minimize the failover outage time for standalone amphora on subsequent failovers.

  • The option [controller_worker]/amp_ssh_access_allowed has been deprecated since the Queens release and is now removed. This option was superseded by the [controller_worker]/amp_ssh_key_name option.

  • The option [controller_worker]/amp_image_id has been deprecated since the Mitaka release and is now removed. This option was superseded by the [controller_worker]/amp_image_tag option.

  • HTTPS-terminated listeners will now only allow TLS1.2 and TLS1.3 by default. If no TLS versions are specified at listener create time, the listener will only accept TLS1.2 and TLS1.3 connections. Previously TLS listeners would accept any TLS version. Existing listeners will not be changed.

Deprecation Notes

  • Terminology such as blacklist has been replaced with more inclusive words, such as prohibit list, wherever possible.

    The configuration option tls_cipher_blacklist has been deprecated and replaced with tls_cipher_prohibit_list. It will be removed in a future release.

  • The deprecated option status_update_threads has been removed; health_update_threads and stats_update_threads should be used instead.
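The TLS-related options introduced under New Features, together with the renamed cipher option from the deprecation note above, can be combined in one octavia.conf fragment. This is an added example, not text from the release notes; the section name [api_settings] is taken from the Octavia configuration reference and should be checked against the sample octavia.conf shipped with your release, and the cipher names are constructed illustrations.

```ini
# Added example (not from the release notes): TLS hardening options in
# octavia.conf. The [api_settings] section name is assumed from the Octavia
# configuration reference; verify it against your release's sample config.
[api_settings]

# Floor for every listener, pool and default: anything older than TLS 1.2
# is rejected by the API. Left unset (the shipped default) no floor applies.
minimum_tls_version = TLSv1.2

# Versions given to new HTTPS-terminated listeners and TLS-enabled pools
# created without an explicit version list. Objects that already exist
# keep the versions they were created with.
default_listener_tls_versions = TLSv1.2, TLSv1.3
default_pool_tls_versions = TLSv1.2, TLSv1.3

# OpenSSL cipher names, colon separated, that no listener, pool or default
# may use. tls_cipher_blacklist still works but is deprecated; prefer the
# new name. The cipher names below are constructed examples.
tls_cipher_prohibit_list = RC4-SHA:RC4-MD5:DES-CBC3-SHA
```

The API controller reads these values, so the Octavia API service must be restarted for a change to take effect.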

Bug Fixes

  • Fixed an issue where, when a load balancer was disabled, the Octavia Health Manager kept failing over its amphorae.

  • Fixed an issue where SNI container settings were not being applied on listener update API calls.

  • Fixed an Octavia API validation on listener update where SNI containers could be set on non-TERMINATED_HTTPS listeners.

  • Fixed an issue in the CADF audit map file for failover actions that could cause keystonemiddleware to raise an exception.

  • Fixed an issue where listener creation failed when the Barbican service had TLS enabled.

  • Fixed an issue where amphora load balancers fail to create when Nova anti-affinity is enabled and topology is SINGLE.

  • Workaround an HAProxy issue where it would fail to reload on configuration change should the local peer name start with “-x”.

  • Fixed an issue where listener “insert_headers” parameter was accepted for protocols that do not support header insertion.

  • Significantly improved the reliability and performance of amphora and load balancer failovers. This is especially true when the Nova service is experiencing failures.