Wallaby Series Release Notes¶
Fix an issue with amphorav2 driver, a failover of an amphora created an amphora with an ERROR status.
Fixes loadbalancer creation failure when one of the listener port matches with the octavia generated peer ports and the allowed_cidr is explicitly set to 0.0.0.0/0 on the listener. This is due to creation of two security group rules with remote_ip_prefix as None and remote_ip_prefix as 0.0.0.0/0 which neutron rejects the second request with security group rule already exists.
Fixed MAX_TIMEOUT for timeout_client_data, timeout_member_connect, timeout_member_data, timeout_tcp_inspect API listener. The value was reduced from 365 days to 24 days, which now does not exceed the value of the data type in DB.
Fixed an issue with the
lointerface in the
amphora-haproxynetwork namespace. The
lointerface was down and prevented haproxy to communicate with other haproxy processes (for persistent stick tables) on configuration change. It delayed old haproxy worker cleanup and increased the memory consumption usage after reloading the configuration.
Fix weighted round-robin for UDP and SCTP listeners with keepalived and lvs. The algorithm must be specified as ‘wrr’ in order for weighted round-robin to work correctly, but was being set to ‘rr’.
Added support for keystone default roles and system token scopes.
Added aarch64/arm64 amphora image support to the disk image create tool and to the devstack plugin.
The HTTP/2 protocol is now added to the default ALPN protocol list for listener and pools.
CentOS-based amphora images will now install HAProxy version 2.2 maintained by CentOS NFV SIG. Other supported distributions (Ubuntu Bionic, RHEL 8) remain untouched.
Added support for TLS extension Application Layer Protocol Negotiation (ALPN) to TLS-enabled pools. A new parameter
alpn_protocolswas added to the Pool API.
Octavia provider drivers can now be extended to support HTTP/2 between TLS-enabled pools and members.
Added HTTP/2 over TLS support via ALPN protocol negotiation to the amphora provider driver for TLS-enabled pools.
The Octavia amphora driver now supports gRPC protocol when HTTP/2 is enabled for TERMINATED_HTTPS listeners and TLS-enabled pools, and the amphora image is using HAProxy 2.0 or newer.
Add support for the SCTP protocol in the Amphora driver. Support for SCTP listeners and pools is implemented using keepalived in the amphora. Support for SCTP health monitors is provided by the amphora-health-checker script and relies on an INIT/INIT-ACK/ABORT sequence of packets.
Legacy Octavia Advanced RBAC policies will continue to function as before as long as the [oslo_policy] enforce_scope = False and enforce_new_defaults = False settings are present (this is the current oslo.policy default). However, we highly recommend you update your user roles to follow the new keystone default roles and start using scoped tokens as appropriate. See the Octavia Policies administration guide for more information.
Support for new features, such as ALPN on pools, HTTP/2 on pools, gRPC, and SCTP require an updated amphora image.
The default value of
[oslo_policy] policy_fileconfig option has been changed from
policy.yaml. Operators who are utilizing customized or previously generated static policy JSON files (which are not needed by default), should generate new policy files or convert them in YAML format. Use the oslopolicy-convert-json-to-yaml tool to convert a JSON to YAML formatted policy file in backward compatible way.
Legacy Octavia Advanced RBAC policies without the keystone default roles and/or token scoping are deprecated as of the Wallaby release. The oslo.policy project may change the default settings requiring the keystone default roles and scoped tokens in a future release. Please see the upgrade section in these release notes and the Octavia Policies administration guide for more information.
Use of JSON policy files was deprecated by the
oslo.policylibrary during the Victoria development cycle. As a result, this deprecation is being noted in the Wallaby cycle with an anticipated future removal of support by
oslo.policy. As such operators will need to convert to YAML policy files. Please see the upgrade notes for details on migration of any custom policy files.
Fixes an issue with load balancer failover, when the VIP subnet is out of IP addresses, that could lead to the VIP being deallocated.
Fixed an issue with batch member updates, that don’t have any changes, not properly rolling back the update.
Fixed amphora driver pool ALPN compatibity with older amphora images.
Fix an issue when load balancer creation was aborted due to en error on get of amphora VM.
Fixed an issue that an amphorav2 LB cannot be reached after loadbalancer failover. The LB security group was not set in the amphora port.
Fix default value override for timeout values for listeners. Changing the default timeouts in the configuration file wasn’t correctly applied in the default listener parameters.
Fixes an issue where provider drivers may not decrement the load balancer objects quota on delete.
Fixed an issue that could cause load balancers, with multiple amphora in a failed state, to be unable to complete a failover.
Fix an incorrect
operating_statuswith empty UDP pools. A UDP pool without any member is now
Some IPv6 UDP members were incorrectly marked in ERROR status, because of a formatting issue while generating the health message in the amphora.
Add missing cloud-utils-growpart RPM to Red Hat based amphora images.
Add missing cronie RPM to Red Hat based amphora images.
Fix nf_conntrack_buckets sysctl in the Amphora, its value was incorrectly set.
Fixed an issue were updating a CRL or client certificate on a pool would cause the pool to go into ERROR.
Fixed a bug where pools with PROXYV2 will go into ERROR.
Fix load balancers that use customized host_routes in the VIP or the member subnets in amphorav2.
Fix an issue when updating
tls_ciphersin Pools with empty (None) values, unsetting theses parameters now resets their values to the default values.
Fixed the healthcheck endpoint always querying the backends by caching results for a configurable time. The default is five seconds.
Fix a bug that allowed a user to create a load balancer on a
vip_subnet_idthat belongs to another user using the subnet UUID.
Add a validation step in the Octavia Amphora driver to ensure that the port_security_enabled parameter is set on the VIP network.
The diskimage-create.sh default for Ubuntu is now focal.