[NOT FOR PUBLISH] Jan Patch 2

This is only for internal tracking. Used Claude to generate the summarized report.

Summary Table

| Ticket | Section | Subsection | RN Field Populated in Jira | Draft Status |
|---|---|---|---|---|
| PCD-4934 | Enhancement | | ✅ Yes | ✅ Part of draft |
| PCD-5985 | Enhancement | | ✅ Yes | ✅ Part of draft |
| KAAP-1534 | Enhancement | | ✅ Yes | ✅ Part of draft |
| PCD-5807 | Enhancement | | ❌ No | ⚠️ Part of draft — engineer verification needed |
| PCD-5682 | Bug Fix | Infrastructure Management | ❌ No | ⚠️ Part of draft — engineer verification needed |
| PCD-5778 | Bug Fix | Infrastructure Management | ❌ No | ⚠️ Part of draft — engineer verification needed |
| PCD-5724 | Bug Fix | Infrastructure Management | ✅ Yes | ✅ Part of draft |
| KAAP-1668 | Bug Fix | Networking Service | ✅ Yes | ✅ Part of draft |
| PCD-5767 | Bug Fix | Networking Service | ❌ No | ⚠️ Part of draft — engineer verification needed |
| PCD-5780 | Bug Fix | Compute and Image Service | ✅ Yes | ✅ Part of draft |
| PCD-4852 | Bug Fix | Compute and Image Service | ❌ No | ⚠️ Part of draft — engineer verification needed |
| KAAP-1659 | Bug Fix | Kubernetes on Private Cloud Director | ✅ Yes | ✅ Part of draft |
| KAAP-1140 | Bug Fix | Kubernetes on Private Cloud Director | ✅ Yes | ✅ Part of draft |
| KAAP-1751 | Bug Fix | Kubernetes on Private Cloud Director | ✅ Yes | ✅ Part of draft |
| KAAP-1670 | Bug Fix | Kubernetes on Private Cloud Director | ✅ Yes | ✅ Part of draft |
| PCD-5689 | Known Issue | | ✅ Yes | ✅ Part of draft |
| PCD-5604 | Known Issue | | ✅ Yes | ✅ Part of draft |
| Unknown | Known Issue | Kubernetes on Private Cloud Director | | ⚠️ Part of draft — ticket number needed |
| KAAP-1482 | | | ✅ Yes | 🚫 Removed before publish — duplicate ticket |


Flags

  • PCD-5807 — RN field not populated in Jira. Release note drafted from ticket description. Engineer verification required before publish.

  • PCD-5682 — RN field not populated in Jira. Release note drafted from ticket description. Engineer verification required before publish.

  • PCD-5778 — RN field not populated in Jira. Release note drafted from ticket description. Engineer and PM verification required before publish. Please confirm whether existing SAML role mappings require any user-facing action post-upgrade.

  • PCD-4852 — RN field not populated in Jira. Release note drafted from ticket description. Engineer verification required before publish. Please confirm whether the fix applies to all NFS-backed storage configurations or is scoped to Tintri only.

  • PCD-5767 — RN field not populated in Jira. Release note drafted from ticket description. Engineer verification required before publish. Please confirm the root cause (HCP DHCP allocation failure) and whether this affects all default security group configurations or specific network topologies.

  • Unknown ticket — vcp-proxy Known Issue — No matching Jira ticket found in the RN filter. Content included in draft as provided. Please supply the ticket number before publication.

  • KAAP-1482 — Marked as Duplicate in Jira. Removed from publish draft.


Release Note Details — RN Field vs. Drafted Note


PCD-4934 · Enhancement

RN Field (Jira):

By default, all L2 ports created post upgrade will prevent MAC spoofing, i.e., the src MAC won't be allowed to differ from the src MAC assigned to the port. To disable MAC spoofing prevention for a port:

    openstack port set --binding-profile '{"pf9-allow-mac-forged-transmits": true}' <port_uuid>

Note: For L2-only ports that existed before the upgrade, the MAC spoofing prevention check won't be added until the port is recreated.

Drafted Release Note:

MAC spoofing prevention is now enforced by default on all new Layer 2 ports created after the upgrade. A port's source MAC address can no longer differ from its assigned MAC. To permit MAC forged transmits on a specific port, run:

    openstack port set --binding-profile '{"pf9-allow-mac-forged-transmits": true}' <port_uuid>

Existing Layer 2 ports created before the upgrade are not subject to the check until they are recreated.
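A way to review which ports are actually covered by the new default, added here as an example and not code from the ticket or the product. It assumes port records shaped like `openstack port show -f json` output, already filtered to Layer 2 ports, and a known upgrade time; the sample records, the upgrade time, and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Binding-profile key quoted in the release note above.
FLAG = "pf9-allow-mac-forged-transmits"

# Constructed sample (not real data): one object per Layer 2 port, shaped like
# `openstack port show -f json -c id -c created_at -c binding_profile <port_uuid>`.
SAMPLE_PORTS = json.loads("""[
  {"id": "port-a", "created_at": "2026-02-10T09:00:00Z", "binding_profile": {}},
  {"id": "port-b", "created_at": "2026-02-11T09:00:00Z",
   "binding_profile": {"pf9-allow-mac-forged-transmits": true}},
  {"id": "port-c", "created_at": "2026-01-05T09:00:00Z", "binding_profile": {}},
  {"id": "port-d", "created_at": "2026-01-06T09:00:00Z",
   "binding_profile": {"pf9-allow-mac-forged-transmits": true}},
  {"id": "port-e", "created_at": "2026-02-12T09:00:00Z",
   "binding_profile": {"pf9-allow-mac-forged-transmits": false}}
]""")
UPGRADED_AT = "2026-02-01T00:00:00Z"  # assumed upgrade time, constructed


def parse_ts(value):
    """Parse an ISO 8601 timestamp; treat a missing offset as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def classify(port, upgraded_at):
    """Return 'legacy', 'exempt' or 'enforced' for one port record."""
    # Ports created before the upgrade get no check until recreated,
    # whatever their binding profile says.
    if parse_ts(port["created_at"]) < parse_ts(upgraded_at):
        return "legacy"
    profile = port.get("binding_profile")
    # Only a JSON boolean true, as set by the documented command, is an exemption.
    if isinstance(profile, dict) and profile.get(FLAG) is True:
        return "exempt"
    return "enforced"


def audit(ports, upgraded_at):
    """Group port IDs by enforcement state so exemptions can be reviewed."""
    report = {"enforced": [], "exempt": [], "legacy": []}
    for port in ports:
        report[classify(port, upgraded_at)].append(port["id"])
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PORTS, UPGRADED_AT), indent=2))
```

The `legacy` bucket lists ports that still need to be recreated before the check applies; the `exempt` bucket lists ports where the check was explicitly turned off and should have a recorded justification.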


PCD-5985 · Enhancement

RN Field (Jira):

  • Allow the user to enable VMHA with a single Glance host

  • Show a warning icon for the Image Library condition when there is a single Glance host

  • Confirm the risk with the user before enabling VMHA for a cluster with a single Glance host

  • The VMHA status will be Degraded with a single Glance host

Drafted Release Note:

VMHA can now be enabled on clusters that have only one Image Library host. When this configuration is detected, the UI displays a warning indicator and requires the operator to acknowledge the associated risk before proceeding. When enabled in this configuration, the VMHA status is reported as Degraded until all prerequisites are met.


KAAP-1534 · Enhancement

RN Field (Jira):

We are now showing up-to-date health information of cluster addons

Drafted Release Note:

Cluster addon health status in the UI now reflects real-time state, sourced from live health checks run against workload clusters. Status indicators are no longer subject to stale reads during or after cluster bootstrapping.


PCD-5807 · Enhancement ⚠️ Draft — engineer verification needed

RN Field (Jira):

❌ Not populated

Drafted Release Note (from ticket description):

A new VM HA Role Status column is now available on the host grid. The column displays the per-host VM HA role application status as one of the following: Disabled, Configuring, Failed, or Active. If the role is in a Failed state for a host, the UI provides an option to retry role application directly from the grid.


PCD-5682 · Bug Fix · Infrastructure Management ⚠️ Draft — engineer verification needed

RN Field (Jira):

❌ Not populated

Drafted Release Note (from ticket description):

SSO configuration via ADFS now completes successfully when the ADFS server presents a self-signed TLS certificate. Previously, the federation metadata download failed with a certificate verification error, preventing SSO configuration from being applied.


PCD-5778 · Bug Fix · Infrastructure Management ⚠️ Draft — engineer verification needed

RN Field (Jira):

❌ Not populated

Drafted Release Note (from ticket description):

SAML group role mappings no longer retain tenant access after a user is removed from an Entra ID security group. Previously, project-level access definitions in group role mappings caused permissions to be assigned at both the group level and the individual user level. This resulted in user-level permissions persisting as static entries even after group membership was revoked. Project mappings have been removed from SAML group role mappings to ensure access is fully controlled by group membership.


PCD-5724 · Bug Fix · Infrastructure Management

RN Field (Jira):

If the domain name has a period/dot in it, then when setting the Reply URL in the SSO configuration, the period/dot should be replaced with an underscore for the SSO to work. For example:

  • Domain name - "abcd.com"

  • Reply URL (Previously) - "https://{DU_FQDN}/sso/abcd.com/Shibboleth.sso/SAML2/POST"

  • Reply URL (Updated) - "https://{DU_FQDN}/sso/abcd_com/Shibboleth.sso/SAML2/POST"

Drafted Release Note:

SSO authentication with period-containing domain names now processes correctly. The Reply URL format in the SSO configuration must use underscores instead of periods. For example, a domain abcd.com requires the Reply URL path segment abcd_com. Previously, periods in the domain name caused silent backend failures during SAML SSO processing.


KAAP-1668 · Bug Fix · Networking Service

RN Field (Jira):

kube-proxy is now configured with strictARP: true. This improves network connections to workloads in PCD-K clusters, especially for long running connections, where users may see errors like "connection reset by peer".

Drafted Release Note:

Network connections to workloads in PCD-K clusters are now stable for long-running sessions. kube-proxy is now configured with strictARP: true. Previously, persistent connections to workloads intermittently failed with "connection reset by peer" errors.


PCD-5767 · Bug Fix · Networking Service ⚠️ Draft — engineer verification needed

RN Field (Jira):

❌ Not populated

Fix Version: 2026.Jan-Patch2

Drafted Release Note (from ticket description):

VMs launched with the default security group now receive a DHCP-assigned IPv4 address. Previously, affected VMs obtained only a link-local IPv6 address on their network interface. This prevented the VM from reaching the metadata service at 169.254.169.254, causing cloud-init to fail during network initialization.


PCD-5780 · Bug Fix · Compute and Image Service

RN Field (Jira):

The volume names for VMs built from Snapshot/VM Clones will have user-friendly names for better user experience. This will not change the volume names for existing VMs.

Drafted Release Note:

Volumes created from VM snapshots or clones now display human-readable names. Previously, volumes attached to VMs built from snapshots or clones displayed raw UUIDs instead of descriptive identifiers in the UI. Existing VM volumes are unaffected.


PCD-4852 · Bug Fix · Compute and Image Service ⚠️ Draft — engineer verification needed

RN Field (Jira):

❌ Not populated

Fix Version: 2026.Jan-Patch2

Drafted Release Note (from ticket description):

Volumes created from a snapshot with a larger specified size now reflect the correct extended size on Tintri NFS-backed storage. Previously, the volume reported the requested size in the UI and in Cinder, but the underlying virtual disk size remained unchanged, matching the original snapshot. Existing volumes are unaffected.


KAAP-1659 · Bug Fix · Kubernetes on Private Cloud Director

RN Field (Jira):

Resolved timeout mismatch between the cluster and the hosted control plane leading to internal server errors for long-running requests.

Drafted Release Note (note 1 — timeout fix):

PCD-V deployment on PCD-K clusters no longer fails with HTTP 503 errors on long-running requests. Timeout values between the cluster and the hosted control plane are now aligned. Previously, a timeout mismatch caused the server to terminate requests before they could complete.

Drafted Release Note (note 2 — Envoy keepalive fix):

Intermittent connection reset errors for clients are now resolved. Previously, stale API server connections went undetected, causing request failures. Settings have been updated to detect and close inactive connections before they affect traffic.


KAAP-1140 · Bug Fix · Kubernetes on Private Cloud Director

RN Field (Jira):

Fixed an issue where users with spaces in their user name could not create clusters

Drafted Release Note:

Cluster creation now works correctly for SSO users with spaces in the username. Previously, the identity reference secret was not generated correctly when a username included spaces, preventing cluster creation for affected SSO users.


KAAP-1751 · Bug Fix · Kubernetes on Private Cloud Director

RN Field (Jira):

Performance improvement by avoiding unnecessary API calls from the UI

Drafted Release Note:

The UI no longer generates continuous redundant background API requests to network service endpoints. Polling behavior has been corrected to eliminate the background calls. Previously, polling persisted even when the corresponding pages were inactive, placing undue load on the control plane.


KAAP-1670 · Bug Fix · Kubernetes on Private Cloud Director

RN Field (Jira):

The cluster drop-down is now visible for all pages under Kubernetes -> Access Control and Kubernetes -> Resources

Drafted Release Note:

The Cluster selector is now visible across all Kubernetes management pages. Previously, the drop-down did not render on the Kubernetes > Access Control and Kubernetes > Resources pages.


PCD-5689 · Known Issue

RN Field (Jira):

Known Issue: In some environments, VMs booting on specific hypervisors are unable to access the OpenStack metadata service at 169.254.169.254, causing cloud-init to fail. Workaround: [5-step workaround — to be added to public docs separately]

Drafted Release Note:

In some environments, VMs booting on specific hypervisors are unable to access the metadata service at 169.254.169.254, causing cloud-init to fail. This occurs when the OVN metadata logical switch port type is set to empty instead of localport.


PCD-5604 · Known Issue

RN Field (Jira):

Known Issue: While upgrading the host, if the dpkg lock is held by some other process (e.g., unattended upgrades), the comms installation might fail, causing the host upgrade to fail; the subsequent packages cannot be downloaded because comms is down. Workaround: Install the comms package manually by running the following command on the host:

    /opt/pf9/hostagent/bin/pf9-apt install /var/cache/pf9apps/pf9-comms/<version>/pf9-comms-<version>.*

Drafted Release Note:

During a host upgrade, if a process such as unattended-upgrades holds the dpkg lock, the comms package installation fails and the upgrade stalls. Subsequent packages cannot be downloaded while comms is unavailable.


Unknown Ticket · Known Issue · Kubernetes on Private Cloud Director ⚠️ Ticket number needed

RN Field (Jira):

❌ No ticket found in RN filter

Drafted Release Note (as provided):

Interactive streaming operations using SPDY or WebSocket upgrades, including those from applications built on client-go SPDYExecutor or WebSocketExecutor, are not currently supported through the Envoy-based vcp-proxy. Affected commands fail when the proxy is in the request path.


KAAP-1482 · Removed before publish

RN Field (Jira):

Known Issue: The cluster addon status shown on the UI will not be real time. During the initial cluster bootstrapping process, the Cluster Addon status may be shown as Failed even though it is not.

Reason for removal: Marked as Duplicate in Jira.
