We are happy to announce the release of:
octavia 4.1.0: OpenStack Octavia Scalable Load Balancer as a Service
This release is part of the stein stable release series.
The source is available from:
https://opendev.org/openstack/octavia
Download the package from:
https://pypi.org/project/octavia
Please report issues through:
https://storyboard.openstack.org/#!/project/908
For more details, please see below.
4.1.0
^^^^^
New Features
************
* Now supports "oslo_middleware http_proxy_to_wsgi", which will set up the request URL correctly in the case that there is a proxy (for example, a loadbalancer such as HAProxy) in front of the Octavia API. It is off by default and can be enabled by setting "enable_proxy_headers_parsing=True" in the "[oslo_middleware]" section of "octavia.conf".
Known Issues
************
* When a load balancer with a UDP listener is updated, the listener service is restarted, which causes an interruption of the flow of traffic during a short period of time. This issue is caused by a keepalived bug (https://github.com/acassen/keepalived/issues/1163) that was fixed in keepalived 2.0.14, but this package is not yet provided by distributions.
Upgrade Notes
*************
* A new amphora image is required to resolve the amphora memory issues when a load balancer has multiple listeners and the amphora image uses haproxy 1.8 or newer.
Security Issues
***************
* Correctly require two-way certificate authentication to connect to the amphora agent API (CVE-2019-17134).
Bug Fixes
*********
* Fixed the API handling of None (JSON null) on object update calls. The API will now either clear the value from the field or will reset the value of the field to the API default.
* Fixed an issue with the health manager reporting an UnboundLocalError if it gets an exception attempting to get a database connection.
* Fixes a potential DB deadlock in allocate_and_associate found in testing.
* Fixes an issue where, if we were unable to attach the base (VRRP) port to an amphora instance, the revert would not clean up the port in neutron.
* Fixed an issue where the driver errors were not caught.
* Fix an issue that prevented the cleanup of load balancer entries in the database by the Octavia housekeeper service.
* Add support for monitor_address and monitor_port attributes in UDP members. Previously, monitor_address and monitor_port were ignored and address and protocol_port attributes were used as monitoring address and port.
* Fix operating_status for pools and members that use UDP protocol. operating_status values are now consistent with the values of non-UDP load balancers.
* Fix a bug that prevented UDP servers from being restored as members of a pool after removing a health monitor resource.
* Fixed an issue with load balancers that have multiple listeners when using an amphora image that contains HAProxy 1.8 or newer. An updated amphora image is required to apply this fix.
* The passphrase for config option 'server_certs_key_passphrase' is used as a Fernet key in Octavia and thus must be 32 characters long and base64(url) compatible. Octavia will now validate the passphrase length and format.
* Adding a member with different IP protocol version than the VIP IP protocol version in a UDP load balancer caused a crash in the amphora. A validation step in the amphora driver now prevents mixing IP protocol versions in UDP load balancers.
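A pre-upgrade check for the 'server_certs_key_passphrase' item above, as an added example that is not Octavia's own validation code: it scans an octavia.conf for the option and reports length and alphabet problems without echoing the secret. The accepted alphabet (RFC 4648 URL-safe characters plus '=' padding) is an assumption about what "base64(url) compatible" covers, and the sample configs and their section name are constructed.

```python
import configparser
import re

OPTION = "server_certs_key_passphrase"
# Assumption: "base64(url) compatible" means the RFC 4648 URL-safe alphabet
# (A-Z, a-z, 0-9, '-', '_') plus '=' padding.
ALLOWED = re.compile(r"[A-Za-z0-9\-_=]")

def check_passphrase(value):
    """Return a list of problems; an empty list means the value passes.

    Messages never echo the passphrase, so the output is safe to log.
    """
    problems = []
    if len(value) != 32:
        problems.append("length is %d, expected 32" % len(value))
    invalid = sum(1 for ch in value if not ALLOWED.fullmatch(ch))
    if invalid:
        problems.append("%d character(s) outside the base64url alphabet" % invalid)
    return problems

def audit_config(text):
    """Validate OPTION in every section of an octavia.conf that sets it."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return {
        section: check_passphrase(parser.get(section, OPTION))
        for section in parser.sections()
        if parser.has_option(section, OPTION)
    }

# Constructed sample configs (not real keys).
GOOD_CONF = """
[certificates]
server_certs_key_passphrase = Zm9vYmFyLWNvbnN0cnVjdGVkLWtleTAx
"""
BAD_CONF = """
[certificates]
# too short and contains characters outside the alphabet
server_certs_key_passphrase = my secret pass!
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, audit_config(conf))
```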
Changes in octavia 4.0.1..4.1.0
-------------------------------
1725517d Fix urgent amphora two-way auth security bug
5ecfa0a5 Fix healthmonitor message v2 for UDP listeners
2fb2aeec Fix building configs for multiple listeners
48db7b9c Fix pool API handling of None/null updates
f5f6cc15 Fix member API handling of None/null updates
b82589cb Fix health monitor API handling of None updates
1b9881dc Validate server_certs_key_passphrase is 32 chars
220c1b25 Work around strptime threading issue
8cb64148 Fix cleanup of expired load balancer entries
701a9001 Fix base (VRRP) port abandoned on revert
55b04f27 Fix l7rule API handling of None updates
3e587428 Fix catching driver exceptions
46ccfc66 Prevent UDP LBs to use different IP protocol versions in amphora driver
cf53bc65 Fixed down server issue after reloading keepalived
bf50e3a1 Fixed pool and members status with UDP loadbalancers
7f683dc2 Add support for monitor_{address,port} in UDP members
5d36bb6b Re-enable grenade as voting
99489e35 Revert "Use the infra pypi mirror for DIB"
f412d852 Add failover logging to show the amphora details.
896b1cfd Fix template that generates vrrp check script
40462b2b only rollback DB when we have a connection to the DB
bdd0d44e Fix L7 repository create methods
1e43a307 Use the infra pypi mirror for DIB
3f1b3890 Fix flavor profile API handling of None updates
b88f1041 Add warning log if auth_strategy is not keystone
0571e0e4 elements: add arch property for ``open-vm-tools``
4b7fe7f8 worker: Re-add FailoverPreparationForAmphora
0efee7ef Fix listener deletion in ACTIVE/STANDBY topology
6f8932e9 Add support for oslo_middleware http_proxy_to_wsgi
646071d8 Fix multi-listener load balancers
3053676f Fix cryptsetup --pbkdf-memory failures
f41cd0a2 Update tox.ini for new upper constraints strategy
d53010dc Add bindep.txt for Octavia
d31b47fd Fix a python3 issue in the amphora-agent
32afefd6 Fix allocate_and_associate DB deadlock
8d3e0518 Add Stein octavia-v2-dsvm-scenario-ubuntu-xenial
4b912e48 Limit cryptsetup key RAM usage
Diffstat (except docs and test files)
-------------------------------------
bindep.txt | 2 +
elements/amphora-agent/package-installs.yaml | 1 +
elements/certs-ramfs/element-deps | 1 +
.../init-scripts/systemd/certs-ramfs.service | 2 +-
elements/certs-ramfs/init-scripts/sysv/certs-ramfs | 9 +-
.../init-scripts/upstart/certs-ramfs.conf | 9 +-
.../certs-ramfs/static/usr/local/bin/certfs-ramfs | 19 +
etc/octavia.conf | 4 +
lower-constraints.txt | 2 +-
.../amphorae/backends/agent/api_server/__init__.py | 2 +-
.../backends/agent/api_server/amphora_info.py | 12 +-
.../backends/agent/api_server/keepalived.py | 4 +-
.../backends/agent/api_server/keepalivedlvs.py | 51 +-
.../api_server/{listener.py => loadbalancer.py} | 249 ++--
.../amphorae/backends/agent/api_server/server.py | 74 +-
.../templates/keepalived_check_script.conf.j2 | 2 +-
.../backends/agent/api_server/udp_listener_base.py | 12 -
octavia/amphorae/backends/agent/api_server/util.py | 113 +-
.../backends/health_daemon/health_daemon.py | 87 +-
octavia/amphorae/backends/utils/haproxy_query.py | 4 +-
.../amphorae/backends/utils/keepalivedlvs_query.py | 46 +-
octavia/amphorae/drivers/driver_base.py | 73 +-
.../amphorae/drivers/haproxy/rest_api_driver.py | 580 +++++---
.../drivers/keepalived/vrrp_rest_driver.py | 15 +-
octavia/amphorae/drivers/noop_driver/driver.py | 74 +-
octavia/api/app.py | 3 +
octavia/api/drivers/amphora_driver/driver.py | 26 +
octavia/api/drivers/utils.py | 22 +-
octavia/api/v2/controllers/flavor_profiles.py | 26 +-
octavia/api/v2/controllers/health_monitor.py | 41 +-
octavia/api/v2/controllers/l7rule.py | 5 +
octavia/api/v2/controllers/load_balancer.py | 4 +-
octavia/api/v2/controllers/member.py | 18 +
octavia/api/v2/controllers/pool.py | 9 +-
octavia/api/v2/types/health_monitor.py | 6 +-
octavia/api/v2/types/member.py | 6 +-
octavia/certificates/common/local.py | 6 +-
octavia/cmd/agent.py | 3 +-
octavia/cmd/api.py | 6 +
octavia/cmd/health_manager.py | 3 +
octavia/cmd/octavia_worker.py | 3 +
octavia/common/base_taskflow.py | 3 +
octavia/common/constants.py | 8 +
.../jinja/haproxy/combined_listeners/__init__.py | 0
.../jinja/haproxy/combined_listeners/jinja_cfg.py | 475 +++++++
.../haproxy/combined_listeners/templates/base.j2 | 52 +
.../combined_listeners/templates/haproxy.cfg.j2 | 40 +
.../haproxy/combined_listeners/templates/macros.j2 | 377 ++++++
.../jinja/haproxy/split_listeners/__init__.py | 0
.../haproxy/{ => split_listeners}/jinja_cfg.py | 0
.../{ => split_listeners}/templates/base.j2 | 0
.../{ => split_listeners}/templates/haproxy.cfg.j2 | 0
.../{ => split_listeners}/templates/macros.j2 | 0
octavia/common/jinja/lvs/jinja_cfg.py | 4 +-
octavia/common/jinja/lvs/templates/macros.j2 | 10 +-
octavia/common/validate.py | 2 +
.../healthmanager/health_drivers/update_db.py | 98 +-
octavia/controller/healthmanager/health_manager.py | 4 +-
octavia/controller/worker/controller_worker.py | 29 +-
octavia/controller/worker/flows/amphora_flows.py | 9 +-
.../worker/flows/health_monitor_flows.py | 6 +-
octavia/controller/worker/flows/l7policy_flows.py | 6 +-
octavia/controller/worker/flows/l7rule_flows.py | 6 +-
octavia/controller/worker/flows/listener_flows.py | 8 +-
.../controller/worker/flows/load_balancer_flows.py | 2 +-
octavia/controller/worker/flows/member_flows.py | 8 +-
octavia/controller/worker/flows/pool_flows.py | 6 +-
.../worker/tasks/amphora_driver_tasks.py | 63 +-
octavia/db/repositories.py | 15 +-
.../drivers/neutron/allowed_address_pairs.py | 17 +
.../backend/agent/api_server/test_keepalivedlvs.py | 62 -
.../backend/agent/api_server/test_server.py | 310 ++---
.../functional/api/v2/test_flavor_profiles.py | 21 +-
.../backends/agent/api_server/test_amphora_info.py | 44 +-
.../agent/api_server/test_haproxy_compatibility.py | 14 +-
.../agent/api_server/test_keepalivedlvs.py | 8 -
.../backends/agent/api_server/test_listener.py | 192 ---
.../backends/agent/api_server/test_loadbalancer.py | 279 ++++
.../backends/agent/api_server/test_util.py | 106 +-
.../backends/health_daemon/test_health_daemon.py | 68 +-
.../amphorae/backends/utils/test_haproxy_query.py | 49 +-
.../backends/utils/test_keepalivedlvs_query.py | 87 +-
...t_api_driver.py => test_rest_api_driver_0_5.py} | 649 ++++-----
.../drivers/haproxy/test_rest_api_driver_1_0.py | 1379 ++++++++++++++++++++
.../drivers/keepalived/test_vrrp_rest_driver.py | 22 +-
.../test_noop_amphoraloadbalancer_driver.py | 29 +-
.../drivers/amphora_driver/test_amphora_driver.py | 125 +-
.../unit/certificates/manager/test_barbican.py | 3 +-
.../jinja/haproxy/combined_listeners/__init__.py | 0
.../haproxy/combined_listeners/test_jinja_cfg.py | 1171 +++++++++++++++++
.../jinja/haproxy/split_listeners/__init__.py | 0
.../{ => split_listeners}/test_jinja_cfg.py | 298 ++---
.../unit/common/jinja/lvs/test_lvs_jinja_cfg.py | 111 +-
.../sample_configs/sample_configs_combined.py | 1083 +++++++++++++++
.../{sample_configs.py => sample_configs_split.py} | 83 +-
.../unit/common/tls_utils/test_cert_parser.py | 12 +-
.../healthmanager/health_drivers/test_update_db.py | 127 +-
.../healthmanager/test_health_manager.py | 18 +
.../worker/flows/test_load_balancer_flows.py | 3 +-
.../worker/tasks/test_amphora_driver_tasks.py | 115 +-
.../controller/worker/test_controller_worker.py | 3 +-
.../drivers/neutron/test_allowed_address_pairs.py | 37 +
.../Fix-API-update-null-None-1b400962017a3d56.yaml | 6 +
...DB-Rollback-no-connection-2664c4f7823ecaec.yaml | 5 +
...te_and_associate-deadlock-3ff1464421c1d464.yaml | 4 +
...evert-abandoned-vrrp-port-efff14edce62ad75.yaml | 5 +
...client-auth-vulnerability-6803f4bac2508e4c.yaml | 5 +
.../notes/fix-driver-errors-81d33948288bf8cf.yaml | 4 +
...x-loadbalancer-db-cleanup-61ee81a4fd597067.yaml | 5 +
...s-and-port-in-udp-members-ff83395544f228cf.yaml | 6 +
.../fix-udp-members-status-ef3202849bfda29b.yaml | 6 +
...fix-udp-server-status-bug-db4d3e38bcdf0554.yaml | 12 +
.../haproxy-single-process-b17a3af3a97accea.yaml | 11 +
...rver_certs_key_passphrase-6a9dfc190c9deba8.yaml | 6 +
...leware-http_proxy_to_wsgi-928c6fc5ec3d421c.yaml | 8 +
...ame-ip-protocol-in-udp-lb-2813b545131097ec.yaml | 7 +
requirements.txt | 2 +-
test-requirements.txt | 3 +-
tox.ini | 5 +-
zuul.d/projects.yaml | 2 +
130 files changed, 7883 insertions(+), 2172 deletions(-)
Requirements updates
--------------------
diff --git a/requirements.txt b/requirements.txt index fb25bd33..c08fbdb9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -24 +24 @@ oslo.log>=3.36.0 # Apache-2.0 -oslo.messaging>=5.29.0 # Apache-2.0 +oslo.messaging>=6.3.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index bc3205fa..8e0b2e39 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -20 +20,2 @@ tempest>=17.1.0 # Apache-2.0 -sphinx!=1.6.6,!=1.6.7,>=1.6.2 # BSD +sphinx!=1.6.6,!=1.6.7,>=1.6.2,<2.0.0;python_version=='2.7' # BSD +sphinx!=1.6.6,!=1.6.7,>=1.6.2;python_version>='3.4' # BSD
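Review bot: the requirements.txt hunk raises the oslo.messaging minimum from 5.29.0 to 6.3.0 inside a stable point release, but the Upgrade Notes section lists only the new amphora image. Add an upgrade note naming the new minimum so operators with pinned environments see it before upgrading, and confirm that the lower-constraints.txt change listed in the diffstat carries the same floor.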
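Review bot: in the test-requirements.txt hunk the "<2.0.0" cap on sphinx for python_version=='2.7' carries no explanation, and the two markers together leave any interpreter other than 2.7 and 3.4 or later with no sphinx requirement at all. A short comment above the pair stating why the cap exists and when it can be dropped would keep it from outliving its purpose.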