# January 2026 Patch 2 Release

This patch improves system reliability, enhances security, and fixes critical issues that affect Private Cloud Director operations. This includes support for self-hosted deployments.

### Enhancements

**MAC Spoofing Prevention on Layer 2 Ports**

MAC spoofing prevention is now enforced by default on all new Layer 2 ports created after the upgrade. A port's source MAC address can no longer differ from its assigned MAC. To permit MAC forged transmits on a specific port, run:

```
openstack port set --binding-profile '{"pf9-allow-mac-forged-transmits": true}' <port_uuid>
```

Existing Layer 2 ports created before the upgrade are unaffected until recreated.
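To review which ports are actually covered after the upgrade, the following added example (not Platform9 code) sorts port records into enforced, exempted through the binding-profile key above, and legacy ports created before the upgrade. It assumes the records are Layer 2 ports exported as JSON with `id`, `created_at` and `binding_profile` fields, as `openstack port show -f json` emits them; the sample records and the upgrade timestamp are constructed.

```python
import json
from datetime import datetime, timezone

# Binding-profile key taken from the release note.
EXEMPT_KEY = "pf9-allow-mac-forged-transmits"

# Constructed sample records (assumed field names: id, created_at, binding_profile).
SAMPLE_PORTS = json.loads("""
[
 {"id": "port-a", "created_at": "2025-11-02T10:15:00Z", "binding_profile": {}},
 {"id": "port-b", "created_at": "2026-02-10T08:00:00Z", "binding_profile": {}},
 {"id": "port-c", "created_at": "2026-02-11T09:30:00Z",
  "binding_profile": {"pf9-allow-mac-forged-transmits": true}},
 {"id": "port-d", "created_at": "2026-02-12T12:00:00Z", "binding_profile": null}
]
""")


def _parse_ts(value):
    """Parse an ISO 8601 timestamp, treating a missing offset as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def classify_ports(ports, upgraded_at):
    """Group port IDs by MAC spoofing prevention status.

    legacy   - created before the upgrade, so not enforced until recreated
    exempt   - created after the upgrade with the forged-transmit key set to true
    enforced - created after the upgrade with no exemption
    """
    cutoff = _parse_ts(upgraded_at)
    result = {"enforced": [], "exempt": [], "legacy": []}
    for port in ports:
        profile = port.get("binding_profile") or {}  # null profile means no exemption
        if _parse_ts(port["created_at"]) < cutoff:
            result["legacy"].append(port["id"])
        elif profile.get(EXEMPT_KEY) is True:
            result["exempt"].append(port["id"])
        else:
            result["enforced"].append(port["id"])
    return result


if __name__ == "__main__":
    # Constructed upgrade time; replace with the site's actual upgrade timestamp.
    for status, ids in classify_ports(SAMPLE_PORTS, "2026-02-01T00:00:00Z").items():
        print(f"{status}: {', '.join(ids) or '-'}")
```

Ports reported as `legacy` are the ones to schedule for recreation, and each entry under `exempt` should map to a documented reason for allowing forged transmits.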

**Real-Time Cluster Addon Health Status for Kubernetes**

Cluster addon health status in the Kubernetes UI now reflects real-time state, sourced from live health checks run against workload clusters. Status indicators are no longer subject to stale reads during or after cluster bootstrapping.

**VM HA Role Status Visibility on Host Grid**

A new **VM HA Role Status** column is now available on the host grid. The column displays the per-host VM HA role application status as one of the following: Disabled, Configuring, Failed, or Active. If the role is in a Failed state for a host, the UI provides an option to retry the role application directly from the grid.

### Upgrade Notes

When the control plane is upgraded, but hosts are not, VM traffic may be impacted. Mixed-version environments may not function as expected due to the upgrade from OVN to Caracal. When the `ovn-controller` package is reinstalled, and the OVN controller process restarts, a brief VM traffic disruption, including transient packet drops, may be observed. Traffic recovers automatically once the service is back up and flows are reprogrammed. It is recommended to complete all host upgrades before validating workloads or testing network connectivity.

### Bug Fixes

#### **Infrastructure Management**

* SSO configuration via ADFS now completes successfully when the server presents a self-signed TLS certificate. Previously, the metadata download failed due to a certificate verification error, preventing the SSO configuration from being applied.
* SAML group role mappings no longer retain tenant access after a user is removed from an Entra ID security group. Previously, project-level access definitions in group role mappings caused permissions to be assigned at both the group and user levels. This resulted in user-level permissions persisting as static entries even after the group membership was revoked.
* SSO authentication with period-containing domain names now processes correctly. The **Reply URL** format in the SSO configuration must use underscores instead of periods. For example, a domain `abcd.com` requires the Reply URL path segment `abcd_com`. Previously, periods in the domain name caused silent backend failures during SAML SSO processing.

#### **Compute and Image Service**

* Volumes created from VM snapshots or clones now display human-readable names. Previously, volumes attached to VMs built from snapshots or clones displayed raw UUIDs instead of descriptive identifiers in the UI. Existing VM volumes are unaffected.
* Volumes created from a snapshot with a larger specified size now reflect the correct extended size on Tintri NFS-backed storage. Previously, the volume reported the requested size in the UI and in Cinder, but the underlying virtual disk size remained unchanged, matching the original snapshot. Existing volumes are unaffected.

#### **Kubernetes on Private Cloud Director**

* Cluster creation now works correctly for SSO users with spaces in the username. Previously, the identity reference secret was not generated correctly when a username included spaces, preventing cluster creation for affected SSO users.
* The UI no longer generates continuous redundant background API requests to network service endpoints. Polling behavior has been corrected to eliminate the background calls. Previously, polling persisted even when the corresponding pages were inactive, placing undue load on the control plane.
* The Cluster selector is now visible across all Kubernetes management pages. Previously, the drop-down did not render on the **Kubernetes > Access Control** and **Kubernetes > Resources** pages.
* `kube-proxy` is now configured with `strictARP: true`. This resolves potential ARP contention issues with `kube-proxy` in `ipvs-mode` and resolves connection reset issues clients see when using MetalLB in Layer 2 mode.
* Tuned Envoy upstream HTTP/2 `keepalive` config to prevent API requests from running into periodic 503 connection reset errors. Previously, a timeout mismatch caused the kube-apiserver to proactively terminate these requests.

{% hint style="info" %}
The list of known issues and limitations noted in the January 2026 release of Private Cloud Director also applies to this patch release.
{% endhint %}

### Known Issues and Limitations

* In some environments, VMs running on specific hypervisors cannot query the metadata API, causing cloud-init to fail. This occurs when the OVN metadata logical switch port type is set to empty instead of `localport`. Please contact Platform9 support if you encounter this issue.
* During a host upgrade, if a process such as `unattended-upgrades` holds the dpkg lock, the comms package installation fails, and the upgrade stalls. Subsequent packages cannot be downloaded while the comms package is unavailable. Please contact Platform9 support if you encounter this issue.
* Interactive streaming operations using SPDY or WebSocket upgrades, including those from applications built on `client-go` `SPDYExecutor` or `WebSocketExecutor`, are not currently supported through the Envoy-based `vcp-proxy`. Affected commands fail when the proxy is in the request path.
* The cluster add-on status shown on the Kubernetes cluster page UI is not real-time. During the initial cluster bootstrapping process, the Cluster Addon status may be shown as Failed even though it is not.


