We are satisfied to announce the release of:

octavia 5.0.1: OpenStack Octavia Scalable Load Balancer as a Service

This release is part of the train stable release series.

The source is available from:

    https://opendev.org/openstack/octavia

Download the package from:

    https://pypi.org/project/octavia

Please report issues through:

    https://storyboard.openstack.org/#!/project/908

For more details, please see below.

5.0.1
^^^^^

Upgrade Notes
*************

* A new amphora image is required to fix the potential certs-ramfs race
  condition.

Security Issues
***************

* A race condition between the certs-ramfs and the amphora agent may
  lead to tenant TLS content being stored on the amphora filesystem
  instead of in the encrypted RAM filesystem.

Bug Fixes
*********

* Fixes an issue where load balancers with more than one TLS enabled
  listener, one or more SNI enabled, may load certificates from other
  TLS enabled listeners for SNI use.

* Fixed a potential race condition with the certs-ramfs and amphora
  agent services.

* Fixes the ability to filter on the provider flavor capabilities API.

* Fix a bug that could interrupt resource creation when performing a
  graceful shutdown of the controller worker and leave resources in a
  PENDING_CREATE/PENDING_UPDATE/PENDING_DELETE provisioning status. If
  the duration of an Octavia flow is greater than the
  'graceful_shutdown_timeout' configuration value, stopping the Octavia
  worker can still interrupt the creation of resources.

Changes in octavia 5.0.0..5.0.1
-------------------------------

19202863 Fix filtering with API tags
3d28fd56 Fix gate issue with DIB
0fc1ea47 Fix controller worker graceful shutdown
735de5e1 Fix filtering for provider capabilities list API
7c1ab033 Fix a potential race condition with certs-ramfs
cf1703be Fix listeners with SNI certificates
192c85b3 ipvsadm '--exact' arg to ensure outputs are ints
2fd3f6ef Fix issues with unavailable secrets
d64576e3 Do not set log format when 'no log' is set

Diffstat (except docs and test files)
-------------------------------------

 devstack/plugin.sh                                 |   5 +
 .../amphora-agent.conf                             |   2 +-
 .../amphora-agent.init                             |   2 +-
 .../amphora-agent.service                          |   3 +-
 .../init-scripts/systemd/certs-ramfs.service       |   1 +
 .../pre-install.d/05-rm-pydistutils                |   5 +
 etc/octavia.conf                                   |   3 +
 octavia/amphorae/backends/agent/api_server/util.py |   2 +-
 .../amphorae/backends/utils/keepalivedlvs_query.py |   3 +-
 .../amphorae/drivers/haproxy/rest_api_driver.py    |  21 ++-
 octavia/api/common/pagination.py                   |  53 ++++---
 octavia/api/drivers/utils.py                       |  81 +++++++---
 octavia/api/v2/controllers/listener.py             |   3 +-
 octavia/api/v2/controllers/load_balancer.py        |   3 +-
 octavia/api/v2/controllers/pool.py                 |   3 +-
 octavia/api/v2/controllers/provider.py             |  19 +++
 octavia/common/constants.py                        |   2 +
 .../jinja/haproxy/combined_listeners/jinja_cfg.py  |  44 +++---
 .../haproxy/combined_listeners/templates/macros.j2 |  17 +--
 .../jinja/haproxy/split_listeners/jinja_cfg.py     |  50 +++---
 .../haproxy/split_listeners/templates/macros.j2    |  17 +--
 octavia/common/tls_utils/cert_parser.py            |  31 ++--
 octavia/controller/queue/v1/consumer.py            |  10 +-
 octavia/controller/queue/v2/consumer.py            |  10 +-
 .../agent/api_server/test_haproxy_compatibility.py |   9 +-
 .../backends/agent/api_server/test_util.py         |  35 ++---
 .../drivers/haproxy/test_rest_api_driver_0_5.py    |   4 +-
 .../drivers/haproxy/test_rest_api_driver_1_0.py    |   4 +-
 .../haproxy/combined_listeners/test_jinja_cfg.py   | 167 +++++++++------------
 .../haproxy/split_listeners/test_jinja_cfg.py      | 163 +++++++++-----------
 .../sample_configs/sample_configs_combined.py      |  15 +-
 .../common/sample_configs/sample_configs_split.py  |  15 +-
 .../unit/common/tls_utils/test_cert_parser.py      |  23 +++
 .../unit/controller/queue/v1/test_consumer.py      |  11 --
 .../unit/controller/queue/v2/test_consumer.py      |  11 --
 .../fix-SNI-single-process-879ffce5eaa6c1c3.yaml   |   6 +
 .../fix-certs-ramfs-race-561f355d13fc6d14.yaml     |  14 ++
 ...er-capabilities-filtering-8bd12b2cf7b37a84.yaml |   4 +
 ...-worker-graceful-shutdown-c44b6797637aa1b3.yaml |   9 ++
 tox.ini                                            |   3 +-
 46 files changed, 735 insertions(+), 410 deletions(-)