octavia 5.0.2 (train)
We joyfully announce the release of:

octavia 5.0.2: OpenStack Octavia Scalable Load Balancer as a Service

This release is part of the train stable release series.

The source is available from:

    https://opendev.org/openstack/octavia

Download the package from:

    https://pypi.org/project/octavia

Please report issues through:

    https://storyboard.openstack.org/#!/project/908

For more details, please see below.

5.0.2
^^^^^

Upgrade Notes
*************

* After this upgrade, users will no longer be able to use network
  resources they cannot see or "show" on load balancers. Operators can
  revert this behavior by setting the "allow_invisible_resource_usage"
  configuration file setting to "True".

* Any amphorae running a py3 based image must be recycled or else they
  will eventually fail on certificate rotation.

* An amphora image update is recommended to pick up a workaround to an
  HAProxy issue where it would fail to reload on configuration change
  should the local peer name start with "-x".

Security Issues
***************

* Previously, if a user knew or could guess the UUID for a network
  resource, they could use that UUID to create load balancer resources.
  Now the user must have permission to see or "show" the resource
  before it can be used with a load balancer. This will be the new
  default, but operators can disable this behavior by setting the
  configuration file setting "allow_invisible_resource_usage" to
  "True". This issue falls under the "Class C1" security issue class,
  as the user would require a valid UUID.

Bug Fixes
*********

* Fixed an issue where, when a load balancer is disabled, the Octavia
  Health Manager keeps failing over the amphorae.

* Added listener and pool protocol validation. Pools and listeners
  can't be combined arbitrarily, so some constraints are needed on the
  protocol side.

* Resolved broken certificate upload on py3 based amphora images. On a
  housekeeping certificate rotation event, the amphora would clear out
  its server certificate and return a 500, putting the amphora in ERROR
  status and breaking further communication. See upgrade notes.

* Fixed an issue where the amphora image create tool would check out
  the master amphora-agent code and master upper constraints.

* Fixed an issue where load balancers with more than one TLS enabled
  listener, using client authentication and/or backend re-encryption,
  may load incorrect certificates for the listener.

* Fixed a bug that could interrupt resource creation when performing a
  graceful shutdown of the house keeping service and leave resources
  such as amphorae in a BOOTING status.

* Fixed an issue where load balancers would go into ERROR when setting
  data not visible to providers (e.g. tags).

* Worked around an HAProxy issue where it would fail to reload on
  configuration change should the local peer name start with "-x".

* The delay between checks on UDP healthmonitors was using the
  incorrect config value "timeout", when it should have been "delay".

Other Notes
***********

* Amphorae that are booting for a specific loadbalancer will now be
  linked to that loadbalancer immediately upon creation. Previously
  this would not happen until near the end of the process, leaving a
  gap during booting in which it was difficult to understand which
  booting amphora belonged to which loadbalancer. This was especially
  problematic when attempting to troubleshoot loadbalancers that
  entered ERROR status due to boot issues.
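The visibility check described under Security Issues, as an added Python model that is not Octavia's code. The subnet table, tenant names, UUIDs and the functions show_subnet, validate_subnet and try_create are constructed for illustration; only the option name allow_invisible_resource_usage comes from the notes above.

```python
"""Toy model of the 5.0.2 access check. Not Octavia code; every name except
the option allow_invisible_resource_usage is hypothetical."""
from dataclasses import dataclass

class NotVisible(Exception):
    """The caller cannot 'show' the resource (or it does not exist)."""

@dataclass(frozen=True)
class Subnet:
    id: str
    project_id: str
    shared: bool = False

# Constructed sample data: one subnet per tenant plus one shared subnet.
A_SUBNET = "aaaaaaaa-0000-4000-8000-000000000001"
B_SUBNET = "bbbbbbbb-0000-4000-8000-000000000002"
SHARED = "cccccccc-0000-4000-8000-000000000003"
SUBNETS = {s.id: s for s in (
    Subnet(A_SUBNET, "tenant-a"),
    Subnet(B_SUBNET, "tenant-b"),
    Subnet(SHARED, "tenant-b", shared=True),
)}

def show_subnet(subnet_id, project_id=None):
    """Model of a 'show' call. project_id=None is the service account's view;
    otherwise only subnets the project owns or that are shared are visible."""
    subnet = SUBNETS.get(subnet_id)
    visible = subnet is not None and (
        project_id is None or subnet.shared or subnet.project_id == project_id)
    if not visible:
        # Same error for "missing" and "hidden": a guessed UUID is not confirmed.
        raise NotVisible(subnet_id)
    return subnet

def validate_subnet(subnet_id, project_id, allow_invisible_resource_usage=False):
    """Return the subnet if project_id may use it on a load balancer."""
    if allow_invisible_resource_usage:
        # Pre-5.0.2 behaviour per the notes: knowing the UUID is enough.
        return show_subnet(subnet_id)
    # New default: the lookup runs with the requesting project's visibility.
    return show_subnet(subnet_id, project_id)

def try_create(subnet_id, project_id, **opts):
    """Outcome of a load balancer create request that names subnet_id."""
    try:
        validate_subnet(subnet_id, project_id, **opts)
        return "accepted"
    except NotVisible:
        return "rejected"
```

With the default setting, tenant-a is rejected when it names tenant-b's private subnet; setting the option to True restores the old acceptance.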
Changes in octavia 5.0.1..5.0.2
-------------------------------

2a18b6cc Fix neutron subnet lookup ignoring endpoint_type
1a4ccf49 Fix netcat option in udp_check.sh for CentOS/RHEL
cc2c3c48 Fix batch member create for v1 amphora driver
ffeb030e Update the lb_id on an amp earlier if we know it
e358637a Fixed a bug: replace 'startwith' with 'startswith'
b35f77d3 Workaround peer name starting with hyphen
4a95b354 Do not install diskimage-builder from Git
09e863eb Fix getting user neutron client
fb8ec7a3 Fix padding logic for UDP health daemon
43a3897d Fix py3 amphora-agent cert-rotation type bug
17d66e26 Correct delay between UDP healthchecks
734a87b4 Fix healthmanager not update amphora health when LB disable
7fa2f933 Disable catching-non-exception in pylint
1933ede0 Validate resource access when creating loadbalancer or member
26dc84f5 Stop "dnf makecache" in the amphora images
5bdecaaf Pick stale amphora randomly
535dc7c6 Fix load balancer update with provider filtered params
cb55a8cf Remove the barbican "Grant access" from cookbook
b989f941 Add a periodic image build job
0c1cb417 Fix uncaught DB exception when trying to get a spare amphora
b0334859 Use stable upper-constraints.txt in Amphora builds
164aed0e Fix house keeping graceful shutdown
a59e7235 Use LUKS1 for certfs-ramfs for all distributions
84c10796 Fix multi-listener LB client auth/re-encryption
db26a3c9 Revert "Fix gate issue with DIB"
df5db0b0 Fix multi-listener LB with missing certificate
87704d42 Add listener and pool protocol validation
85f7abbb Cap hacking version to <2
343e3d8f Fix update API when barbican secret is missing
b91a6545 Accept oslopolicy-policy-generator path arguments

Diffstat (except docs and test files)
-------------------------------------

.pylintrc | 1 +
api-ref/source/parameters.yaml | 15 +-
api-ref/source/v2/general.inc | 52 +++++++
devstack/plugin.sh | 8 +-
devstack/settings | 3 -
diskimage-create/diskimage-create.sh | 5 +
.../amphora-agent/source-repository-amphora-agent | 4 +-
.../certs-ramfs/static/usr/local/bin/certfs-ramfs | 17 +--
elements/disable-makecache/README.rst | 6 +
.../post-install.d/80-disable-makecache | 18 +++
elements/disable-makecache/svc-map | 2 +
.../pre-install.d/05-rm-pydistutils | 5 -
etc/octavia.conf | 10 ++
.../agent/api_server/certificate_update.py | 2 +-
.../amphorae/backends/utils/keepalivedlvs_query.py | 2 +-
octavia/amphorae/backends/utils/udp_check.sh | 14 +-
.../amphorae/drivers/haproxy/rest_api_driver.py | 98 ++++++++-----
octavia/api/v2/controllers/base.py | 12 ++
octavia/api/v2/controllers/l7policy.py | 26 ++--
octavia/api/v2/controllers/listener.py | 13 +-
octavia/api/v2/controllers/load_balancer.py | 28 ++--
octavia/api/v2/controllers/member.py | 8 +-
octavia/api/v2/controllers/pool.py | 3 +-
octavia/cmd/house_keeping.py | 23 ++--
octavia/common/clients.py | 29 +++-
octavia/common/config.py | 6 +
octavia/common/constants.py | 8 ++
.../jinja/haproxy/combined_listeners/jinja_cfg.py | 77 +++++------
octavia/common/jinja/lvs/templates/macros.j2 | 12 +-
octavia/common/policy.py | 13 +-
octavia/common/utils.py | 5 +-
octavia/common/validate.py | 13 +-
.../healthmanager/health_drivers/update_db.py | 17 ++-
octavia/controller/worker/v1/controller_worker.py | 15 +-
.../controller/worker/v1/flows/amphora_flows.py | 1 +
.../controller/worker/v1/tasks/database_tasks.py | 50 ++-----
.../controller/worker/v1/tasks/network_tasks.py | 2 +-
.../controller/worker/v2/flows/amphora_flows.py | 1 +
.../controller/worker/v2/tasks/database_tasks.py | 35 +----
.../controller/worker/v2/tasks/network_tasks.py | 2 +-
octavia/db/repositories.py | 14 +-
octavia/network/base.py | 9 +-
octavia/network/drivers/neutron/base.py | 21 +--
octavia/network/drivers/noop_driver/driver.py | 6 +-
.../drivers/haproxy/test_rest_api_driver_0_5.py | 30 ++--
.../drivers/haproxy/test_rest_api_driver_1_0.py | 31 +++--
.../haproxy/combined_listeners/test_jinja_cfg.py | 32 +++--
.../unit/common/jinja/lvs/test_lvs_jinja_cfg.py | 40 ++----
.../sample_configs/sample_configs_combined.py | 8 +-
.../healthmanager/health_drivers/test_update_db.py | 22 ++-
.../worker/v1/tasks/test_database_tasks.py | 45 +-----
.../worker/v1/tasks/test_network_tasks.py | 16 +++
.../controller/worker/v1/test_controller_worker.py | 4 +-
.../worker/v2/flows/test_amphora_flows.py | 24 +++-
.../worker/v2/tasks/test_database_tasks.py | 46 +------
.../worker/v2/tasks/test_network_tasks.py | 16 +++
.../unit/network/drivers/neutron/test_base.py | 67 +++++++++
...a-health-when-LB-disabled-46a4fb295c6d0850.yaml | 6 +
.../add-protocol-validation-0f9129a045e372ce.yaml | 5 +
.../allow-invisible-subnets-e30b0b5fbd216294.yaml | 16 +++
...nt-py3-cert-upload-binary-74e0ab35c5a85c68.yaml | 11 ++
...ora-agent-branch-checkout-e2eeb19c6aa09535.yaml | 5 +
...lient-auth-single-process-749af7791454ff03.yaml | 6 +
...ix-house-keeping-shutdown-17b04417a2c4849f.yaml | 6 +
...ix-lb-update-with-no-data-abefe7860b8fb4c7.yaml | 5 +
...ix-peer-name-prefix-hypen-e74a87e9a01b4f4c.yaml | 10 ++
...a-to-loadbalancer-earlier-ab3dddec48b8da96.yaml | 9 ++
...-based-on-correct-setting-6a60856de2927ccd.yaml | 5 +
requirements.txt | 3 +-
test-requirements.txt | 4 +-
zuul.d/jobs.yaml | 14 ++
zuul.d/projects.yaml | 1 +
82 files changed, 1212 insertions(+), 482 deletions(-)

Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt index 239b8f99..c0f90407 100644 --- a/requirements.txt +++ b/requirements.txt @@ -60 +60,2 @@ pyroute2>=0.4.21;sys_platform!='win32' # Apache-2.0 (+ dual licensed GPL2) -gunicorn>=19.9.0 # MIT +gunicorn>=19.9.0,<20.0.0;python_version<'3.0' # MIT +gunicorn>=19.9.0;python_version>='3.0' # MIT diff --git a/test-requirements.txt b/test-requirements.txt index 8e8b4466..18e1edeb 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -4 +4 @@ -hacking>=1.1.0 # Apache-2.0 +hacking>=1.1.0,<2 # Apache-2.0 
@@ -23 +23 @@ sphinx!=1.6.6,!=1.6.7,>=1.6.2,<2.0.0;python_version=='2.7' # BSD -sphinx!=1.6.6,!=1.6.7,>=1.6.2;python_version>='3.4' # BSD +sphinx!=1.6.6,!=1.6.7,!=2.1.0,>=1.6.2;python_version>='3.4' # BSD
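Review bot: the "<20.0.0" cap on the python_version<'3.0' gunicorn line in requirements.txt (hunk @@ -60 +60,2 @@) carries no reason; the trailing comment only records the licence ("# MIT"), and neither the release notes nor the change list above mention gunicorn. Add a short comment or bug reference beside the capped line so the bound can be removed deliberately later. Note also that the python_version>='3.0' line keeps no upper bound, so Python 3 installs still float to new major versions.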
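Review bot: the new upper bound on hacking in test-requirements.txt (hunk @@ -4 +4 @@) is written "<2", while the other caps in these two files use full versions ("<20.0.0" on the gunicorn line, "<2.0.0" on the python_version=='2.7' sphinx line). Write it as "<2.0.0" so the bounds read consistently and are easier to grep for when the caps are revisited.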
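Review bot: the "!=2.1.0" exclusion added to the python_version>='3.4' sphinx line in test-requirements.txt (hunk @@ -23 +23 @@) is not matched by any entry in the change list above, and that line now excludes three versions with no reasons attached. Reference the bug that makes 2.1.0 unusable, in the commit message or as a comment next to the line, so the exclusion can be dropped once it no longer applies.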