January 2026 Patch 2 Release

This patch improves system reliability, enhances security, and fixes critical issues that affect Private Cloud Director operations. This includes support for self-hosted deployments.

Enhancements

MAC Spoofing Prevention on Layer 2 Ports

MAC spoofing prevention is now enforced by default on all new Layer 2 ports created after the upgrade. A port's source MAC address can no longer differ from its assigned MAC. To permit MAC forged transmits on a specific port, run:

openstack port set --binding-profile '{"pf9-allow-mac-forged-transmits": true}' <port_uuid>

Existing Layer 2 ports created before the upgrade are unaffected until recreated.
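Because the binding-profile flag above re-opens a port to MAC forged transmits, operators will want a way to list every port that carries the exception. The following audit script is an added example, not Platform9 code; it assumes the ports were exported with openstack port show <port_uuid> -f json (binding_profile as a JSON object) and also tolerates the string form that table output uses (an assumption about that rendering). The sample ports are constructed.

```python
import json
from typing import Any, Dict, List, Tuple

# Binding-profile key from the release notes: a true value exempts the port
# from MAC spoofing prevention.
FORGED_TRANSMITS_KEY = "pf9-allow-mac-forged-transmits"


def _parse_profile(profile: Any) -> Dict[str, Any]:
    """Normalise binding_profile: JSON object, JSON string, or the
    key='value' string rendering (assumed) used by table output."""
    if isinstance(profile, dict):
        return profile
    if not profile:
        return {}
    try:
        return json.loads(profile)
    except (TypeError, ValueError):
        pass
    parsed: Dict[str, Any] = {}
    for item in str(profile).split(","):
        key, _, value = item.strip().partition("=")
        if key:
            parsed[key] = value.strip().strip("'\"")
    return parsed


def allows_forged_transmits(port: Dict[str, Any]) -> bool:
    """True if the port's binding profile sets the exception flag (bool or string)."""
    value = _parse_profile(port.get("binding_profile")).get(FORGED_TRANSMITS_KEY, False)
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def audit_ports(ports: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """Return (id, mac_address, device_owner) for every exempt port."""
    return [(p["id"], p.get("mac_address", ""), p.get("device_owner", ""))
            for p in ports if allows_forged_transmits(p)]


# Constructed sample shaped like `openstack port show -f json` output (placeholder UUIDs).
SAMPLE_PORTS = [
    {"id": "0a1b2c3d-0001-4000-8000-000000000001", "mac_address": "fa:16:3e:aa:bb:01",
     "device_owner": "compute:nova", "binding_profile": {}},
    {"id": "0a1b2c3d-0002-4000-8000-000000000002", "mac_address": "fa:16:3e:aa:bb:02",
     "device_owner": "compute:nova", "binding_profile": {FORGED_TRANSMITS_KEY: True}},
    {"id": "0a1b2c3d-0003-4000-8000-000000000003", "mac_address": "fa:16:3e:aa:bb:03",
     "device_owner": "compute:nova", "binding_profile": "pf9-allow-mac-forged-transmits='True'"},
    {"id": "0a1b2c3d-0004-4000-8000-000000000004", "mac_address": "fa:16:3e:aa:bb:04",
     "device_owner": "compute:nova", "binding_profile": {FORGED_TRANSMITS_KEY: "false"}},
]

if __name__ == "__main__":
    for pid, mac, owner in audit_ports(SAMPLE_PORTS):
        print(f"{pid} {mac} {owner}: MAC forged transmits allowed")
```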

Real-Time Cluster Addon Health Status for Kubernetes

Cluster addon health status in the Kubernetes UI now reflects real-time state, sourced from live health checks run against workload clusters. Status indicators are no longer subject to stale reads during or after cluster bootstrapping.

VM HA Role Status Visibility on Host Grid

A new VM HA Role Status column is now available on the host grid. The column displays the per-host VM HA role application status as one of the following: Disabled, Configuring, Failed, or Active. If the role is in a Failed state for a host, the UI provides an option to retry the role application directly from the grid.

Upgrade Notes

When the control plane is upgraded but hosts are not, VM traffic may be impacted. Mixed-version environments may not function as expected due to the upgrade from OVN to Caracal. When the ovn-controller package is reinstalled and the OVN controller process restarts, a brief VM traffic disruption, including transient packet drops, may be observed. Traffic recovers automatically once the service is back up and flows are reprogrammed. It is recommended to complete all host upgrades before validating workloads or testing network connectivity.

Bug Fixes

Infrastructure Management

  • SSO configuration via ADFS now completes successfully when the server presents a self-signed TLS certificate. Previously, the metadata download failed due to a certificate verification error, preventing the SSO configuration from being applied.

  • SAML group role mappings no longer retain tenant access after a user is removed from an Entra ID security group. Previously, project-level access definitions in group role mappings caused permissions to be assigned at both the group and user levels. This resulted in user-level permissions persisting as static entries even after the group membership was revoked.

  • SSO authentication with period-containing domain names now processes correctly. The Reply URL format in the SSO configuration must use underscores instead of periods. For example, a domain abcd.com requires the Reply URL path segment abcd_com. Previously, periods in the domain name caused silent backend failures during SAML SSO processing.

Compute and Image Service

  • Volumes created from VM snapshots or clones now display human-readable names. Previously, volumes attached to VMs built from snapshots or clones displayed raw UUIDs instead of descriptive identifiers in the UI. Existing VM volumes are unaffected.

  • Volumes created from a snapshot with a larger specified size now reflect the correct extended size on Tintri NFS-backed storage. Previously, the volume reported the requested size in the UI and in Cinder, but the underlying virtual disk size remained unchanged, matching the original snapshot. Existing volumes are unaffected.

Kubernetes on Private Cloud Director

  • Cluster creation now works correctly for SSO users with spaces in the username. Previously, the identity reference secret was not generated correctly when a username included spaces, preventing cluster creation for affected SSO users.

  • The UI no longer generates continuous redundant background API requests to network service endpoints. Polling behavior has been corrected to eliminate the background calls. Previously, polling persisted even when the corresponding pages were inactive, placing undue load on the control plane.

  • The Cluster selector is now visible across all Kubernetes management pages. Previously, the drop-down did not render on pages Kubernetes > Access Control and Kubernetes > Resources.

  • kube-proxy is now configured with strictARP: true. This resolves potential ARP contention issues with kube-proxy in IPVS mode and resolves the connection reset issues clients see when using MetalLB in Layer 2 mode.

  • Tuned Envoy upstream HTTP/2 keepalive config to prevent API requests from running into periodic 503 connection reset errors. Previously, a timeout mismatch caused the kube-apiserver to proactively terminate these requests.


The list of known issues and limitations noted in the January 2026 release of Private Cloud Director also applies to this patch release.

Known Issues and Limitations

  • In some environments, VMs running on specific hypervisors cannot query the metadata API, causing cloud-init to fail. This occurs when the OVN metadata logical switch port type is set to empty instead of localport. Please contact Platform9 support if you encounter this issue.

  • During a host upgrade, if a process such as unattended-upgrades holds the dpkg lock, the comms package installation fails and the upgrade stalls. Subsequent packages cannot be downloaded while the comms package is unavailable. Please contact Platform9 support if you encounter this issue.

  • Interactive streaming operations using SPDY or WebSocket upgrades, including those from applications built on client-go SPDYExecutor or WebSocketExecutor, are not currently supported through the Envoy-based vcp-proxy. Affected commands fail when the proxy is in the request path.

  • The cluster add-on status shown on the Kubernetes cluster page UI is not real-time. During the initial cluster bootstrapping process, the Cluster Addon status may be shown as Failed even though it is not.
