Bug Fixes¶

• Fix an issue that prevents the Octavia API service to be correctlyinitialized when it fails to load a provider driver. It will nowfail gracefully and remove the driver from the enabled list.

Upgrade Notes¶

• UDP load balancers will require a failover to fix the UDP rebalance issueonce the control plane is updated.

Bug Fixes¶

• Fixed a bug where the Amphora configuration update would only update theAmphora agent configuration, but the health sender would not be updatedwith the new controller IP list.

• Fixed an issue where UDP listeners may not rebalance failed member serversin a timely fashion. It may have been up to five minutes for a failedmember server to be removed from existing flows.

• Ignore serialization loadbalancer class in GetAmphoraNetworkConfigs tasks.It allows to avoid storing full graph in jobboard details. It fixes caseswith enabled jobboard for huge LBs with ~2000+ resources in graph.

• Reduce the value of tune.ssl.cachesize for HTTPS termination listeners toprevent OOM during haproxy reload (LP: #2119987).

• Fixed a bug when using a L7Rule with FILE_TYPE and EQUAL_TO comparison,it never matched due to an issue with the generated HAProxy configuration.

• Fixed missingport_id element when getting theadditional_vipsparameter of a load balancer.

• Fix a potential race condition during the cascade deletion of loadbalancers. When deleting a load balancer with multiple listeners, thesecurity groups of the VIP port may have been updated many timesconcurrently, creating a race condition.

Other Notes¶

• Added a “octavia-wsgi” script for backward compatibility now that pbr’swsgi_scripts no longer functions with the latest setuptools.

New Features¶

• Octavia Amphora based load balancers now support using SR-IOV virtualfunctions (VF) on the member ports.

• Add thevip_sg_ids parameter to the load-balancer POST API. It allows toset a list of user-defined Neutron Security Groups on the VIP port of theLoad Balancer.

• Add the vip_sg_ids parameter to the Amphora driver, a list of NeutronSecurity Groups. When set, the Amphora driver applies the Security Groups tothe VIP port of the Load Balancer. It also doesn’t set any Security GroupRules related to the Listeners on this ports, however it adds SecurityGroups Rules for VRRP and haproxy peers when needed.This feature does not work with SR-IOV ports as Neutron does not supportSecurity Groups on these ports.

• Added support for the Jobboard Etcd backend in Taskflow.

• The new[task_flow]jobboard_redis_backend_db option has been added.This option allows using non default database in redis as backend.

Upgrade Notes¶

• You must update the amphora image to support the SR-IOV member portfeature.

• When upgrading, the default RBAC rules will switch from Octavia AdvancedRBAC to the keystone default roles. This means the load_balancer_* roleswill not longer have access to the load balancer API. To continue to usethe Octavia Advanced RBAC rules, please use theoctavia-advanced-rbac-policy.yaml override file provided.

Critical Issues¶

• When upgrading, the default RBAC rules will switch from Octavia AdvancedRBAC to the keystone default roles. This means the load_balancer_* roleswill not longer have access to the load balancer API. To continue to usethe Octavia Advanced RBAC rules, please use theoctavia-advanced-rbac-policy.yaml override file provided.

Security Issues¶

• When upgrading, the default RBAC rules will switch from Octavia AdvancedRBAC to the keystone default roles. This means the load_balancer_* roleswill not longer have access to the load balancer API. To continue to usethe Octavia Advanced RBAC rules, please use theoctavia-advanced-rbac-policy.yaml override file provided. Note: thekeystone default roles are less restrictive than the Octavia Advanced RBACrules and you will no longer have global observer or quota specific roles.

Bug Fixes¶

• Remove record in amphora_health table on revert. It’s necessary, becauserecord in amphora table for corresponding amphora also deleted.It allows to avoid false positive react of failover threshold due toorphan records in amphora_health table.

• Fixed potential AttributeError during listener update when security grouprule had no protocol defined (ie. it was null).

• Fixed an issue with SINGLE topology load balancer with UDP listeners, theAmphora now sends a Gratuitous ARP packet when a UDP pool is added, itmakes the VIP address more quickly reachable after a failover or whenreusing a previously allocated IP address.

• Fix verification of certificates signed by a private CA when using Neutronendpoints.

• Fix error on revert PlugVIPAmphora task, when db_lb is not definedand get_subnet raises NotFound error. It could happen when Amphoracreation failed by timeout and before it VIP network was removed.As result revert failed with exception.