We exuberantly announce the release of: octavia 12.0.1: OpenStack Octavia Scalable Load Balancer as a Service This release is part of the antelope release series. The source is available from: https://opendev.org/openstack/octavia Download the package from: https://pypi.org/project/octavia Please report issues through: https://storyboard.openstack.org/#!/project/908 For more details, please see below. 12.0.1 ^^^^^^ Upgrade Notes ************* * A patch that fixes an issue making the VIP port unreachable because of missing IP rules requires an update of the Amphora image. Bug Fixes ********* * Fixed error on update UDP Health Monitor with empty "delay" parameter * Fix the issue, when "limit" parameter in request less or equal 0. Now it returns resources according pagination_max_limit as expected, instead of error. * Fixed an issue when deleting the last listener from a load balancer may trigger a failover. * Fixed an issue when using certificates with a blank subject or missing CN. * The validation for the allowed_cidr parameter only took into account the IP version of the primary VIP. CIDRs which only matched the version of an additonal VIP were rejected. This if fixed and CIDRs are now matched against the IP version of all VIPs. * Fixed a bug in amphorav1, the subnet of a member that was being deleted was not immediately unplugged from the amphora, but only during the next update of the members. * Fixed an issue when adding or deleting a member, Octavia might have reconfigured the management port of the amphora by adding or removing additional subnets. Octavia no longer updates the management port during those tasks. * Fixed a potential race condition in the member batch update API call, the load balancers might not have been locked properly. * Fixed a bug in the amphora-agent, an exception was triggered when a LB with both IPv4 and IPv6 VIPs and with a UDP pool had only IPv4 members or only IPv6 members. * Fixed a potential issue when deleting a load balancer with an amphora that was not fully created, the deletion may have failed when deallocating the VIP port, leaving the load balancer in ERROR state. * Added a validation step in the batch member API request that checks if a member is included multiple times in the list of updated members, this additional check prevents the load balancer from being stuck in PENDING_UPDATE. Duplicate members in the batch member flow triggered an exception in Taskflow. The API now returns 400 (ValidationException) if a member is already present in the body of the request. * Fixed a bug when creating a load balancer and a listener with "allowed_cidrs" with the fully-populated load balancer API, the call was rejected because Octavia could not validate that the IP addresses of the "allowed_cidrs" have the same family as the VIP address. * Fixed the global number of concurrent connections in haproxy when disabling listeners. The connection-limit of disabled listeners was used to compute this value, disabled listeners are now skipped. * Bug fix: The response body of the LB API, when creating a new load balancer, now correctly includes information about the health monitor. Previously, this information was consistently null, despite configuring a health monitor. * Fixed a bug that didn't set all the active load balancer Health Monitors ONLINE in populated LB single-create calls. * Fixed a bug with HTTP/HTTPS health-monitors on pools with ALPN protocols in the amphora-driver. The healthchecks sent by haproxy were flagged as bad requests by the backend servers. Updated haproxy configuration to use ALPN for the heathchecks too. * Fixed a bug that could have made the VIP port unreachable because of the removal of some IP rules in the Amphora. It could have been triggered only when sending a request from a subnet that is not the VIP subnet but that is plugged as a member subnet. * Fix a bug that prevented the operating_status of a health-monitor to be set to ONLINE when ipv6 addresses were enclosed within square brackets in "controller_ip_port_list". * Fixed the issue with session persistence based on source IP not working for IPv6 load balancers. Session persistence now functions properly for IPv4, IPv6 and dual-stack load balancers. * Fixed an issue with load balancers stuck in a "PENDING_*" state during database outages. Now when a task fails in Octavia, it retries to update the "provisioning_status" of the load balancer until the database is back (or it gives up after a really long timeout - around 2h45) * Fixed an issue when using UDP listeners in dual-stack (IPv4 and IPv6) load balancers, some masquerade rules needed by UDP were not correctly set on the member interfaces. * Fixed a potential error when plugging a member from a new network after deleting another member and unplugging its network. Octavia may have tried to plug the new network to a new interface but with an already existing name. This fix requires to update the Amphora image. * Fixed a bug in octavia-status which reported an incorrect status for the *amphorav2* driver when using the default *amphora* alias. * Fixed a bug that didn't set the correct provisioning_status for unattached pools when creating a fully-populated load balancer. * Fixed a race condition in the members batch update API call, the data passed to the Octavia worker service may have been incorrect when quickly sending successive API calls. Then the load balancer was stuck in PENDING_UPDATE provisioning_status. * Fixed an SELinux issues with TCP-based health-monitor on UDP pools, some specific monitoring ports were denied by SELinux. The Amphora image now enables the "keepalived_connect_any" SELinux boolean that allows connections to any ports. * Fixed a too long timeout when attempting to start the VRRP service in an unreachable amphora during a failover. A specific shorter timeout should be used during the failovers. * Fixed TLS-HELLO health-monitors in the amphora-driver. * Fixed a bug with the status of the members of UDP pools in load balancer with IPv4 and IPv6 VIPs. Some members may have been incorrectly reported as DOWN by the Amphora. * Fixed the format of log messages related to quota decrement errors. They displayed unhelpful information, they now report the correct resource type for which the error occurs. * Fix the issue where nf_conntrack* opts values are lost after rebooting the Amphora VM. more details Story 2010795 * When plugging a new member subnet, the amphora sends an IP advertisement of the newly allocated IP. It allows the servers on the same L2 network to flush the ARP entries of a previously allocated IP address. * Reduce the duration of the failovers of ACTIVE_STANDBY load balancers. Many updates of an unreachable amphora may have been attempted during a failover, now if an amphora is not reachable at the first update, the other updates are skipped. * Reduce the duration of the failovers of ACTIVE_STANDBY load balancers when both amphorae are unreachable. Other Notes *********** * Noop certificate manager was added. Now any Octavia certificate operations using noop drivers will be faster (as they won't be validated). Changes in octavia 12.0.0..12.0.1 --------------------------------- f7abb00f Add check for duplicate members in batch update 540e3d34 Fix example policy file system-reader role 3cf3288c Remove grenade jobs [stable/2023.1] ab60d73b Removing tips jobs on stable/2023.1 cb79e7d7 Remove publish-openstack-octavia-amphora-image jobs 0ad935c7 When we failed to load pkcs12 cert print warning f12ddce8 Fix health monitor information retrieval in API response 5704cd97 Fix incorrect masquerade rules in multivip LBs 762b6875 Fix error when deleting LB with broken amp 5d207b15 Fix UDP pool's member status in LB with additional VIPs 19d9b66f Fix error in agent-agent with empty UDP pools in IPv4+IPv6 LBs c863723b Fix IPv6 session persistence failed bd9d474b Fix haproxy global maxconn with disabled listeners f65068f4 Fix quota error messages d943336c Fix fully-populated API with allowed_cidrs cfcc630d Fix negative or 0 limit parameter in pagination 1c7ceff9 Handle empty delay on update healthmonitor 6246cecd Fix the issue of losing nf_conntrace* values after a reboot. d6f32b19 Pin pylint (<=3.0.4) b3cd58c3 Don't update the management port when calculating delta [v1] be0c75c0 Don't update the management port when calculating delta 20a7a26c Fix issue with certificates with no subject or CN 7d9f2914 Stable-only: Cap hacking to < 6.1.0 353cafd8 Fix TLS-HELLO healthmonitors in the amphora-driver 121e0533 Fix health-monitors with ALPN members ec36152a Add Noop Certificate Manager 10cfd8c7 Fix amphorae in ERROR during the failover 97b1b838 Reduce duration of failovers with amphora in ERROR 57833dbd Retry to set loadbalancer prov status on failures 5c98d901 Fix timeout duration in start_vrrp_service during failovers 64d9bdb9 Fix race condition in members batch update API call 80c35d25 Fix incorrect removal of IP rules in the amphora e6e9f285 Fix octavia-status with amphorav2 81a39625 Fix upgrade check not working 7a2c472e Fix create_server_group in compute noop 8b196bb3 Fix amphorav1 member deletion bug c0ceebeb Fix TCP HMs on UDP pools with SELinux f19352ef Fix hm operating status to ONLINE in single lb call 1b17529b Avoid interface name collisions in the amphora 920dbfa5 Splitting scenario jobs in 2 abeaa550 Fix octavia-amphora-image-build periodic job 1f2aaaa7 Fix pool creation with single LB create call c940f7a0 Fix pep8 error f03a2df9 Send IP advertisements when plugging a new member subnet 5783c676 allowed_cidr validation for additional_vips e7f4b1b4 Fix failover when the last listener is deleted 487938f2 Add octavia-grenade-slurp CI job 11064a25 Fix ORM caching for with_for_update calls 4bbe88ee Fix octavia to accept [ipv6]:port 78dfb08f Purge some dev tools from the amphora image Diffstat (except docs and test files) ------------------------------------- elements/amphora-agent/package-installs.yaml | 25 ++ .../post-install.d/50-selinux-policies | 3 + etc/policy/keystone_default_roles-policy.yaml | 2 +- .../amphorae/backends/agent/api_server/osutils.py | 1 + octavia/amphorae/backends/agent/api_server/plug.py | 26 ++- .../api_server/templates/amphora-netns.systemd.j2 | 4 +- octavia/amphorae/backends/agent/api_server/util.py | 21 ++ .../backends/health_daemon/health_daemon.py | 12 +- .../backends/health_daemon/health_sender.py | 2 + octavia/amphorae/backends/utils/interface.py | 25 +- octavia/amphorae/backends/utils/interface_file.py | 9 +- .../amphorae/backends/utils/keepalivedlvs_query.py | 17 +- octavia/amphorae/drivers/driver_base.py | 16 ++ .../amphorae/drivers/haproxy/rest_api_driver.py | 21 +- .../drivers/keepalived/vrrp_rest_driver.py | 3 +- octavia/amphorae/drivers/noop_driver/driver.py | 3 + octavia/api/common/pagination.py | 2 +- octavia/api/v2/controllers/health_monitor.py | 4 +- octavia/api/v2/controllers/listener.py | 33 ++- octavia/api/v2/controllers/load_balancer.py | 7 + octavia/api/v2/controllers/member.py | 20 +- octavia/api/v2/types/pool.py | 2 +- octavia/certificates/manager/barbican.py | 5 +- octavia/certificates/manager/noop.py | 106 +++++++++ octavia/cmd/status.py | 5 +- octavia/common/config.py | 13 +- octavia/common/constants.py | 7 + octavia/common/exceptions.py | 6 + .../jinja/haproxy/combined_listeners/jinja_cfg.py | 2 + .../haproxy/combined_listeners/templates/macros.j2 | 16 +- octavia/common/tls_utils/cert_parser.py | 26 ++- octavia/compute/drivers/noop_driver/driver.py | 6 + octavia/controller/worker/task_utils.py | 34 ++- .../controller/worker/v1/flows/amphora_flows.py | 51 ++++- .../controller/worker/v1/flows/listener_flows.py | 3 + .../worker/v1/flows/load_balancer_flows.py | 42 ++-- .../worker/v1/tasks/amphora_driver_tasks.py | 129 +++++++++-- .../controller/worker/v1/tasks/database_tasks.py | 44 +++- .../controller/worker/v1/tasks/lifecycle_tasks.py | 109 ++++++--- .../controller/worker/v1/tasks/network_tasks.py | 27 ++- .../controller/worker/v2/flows/amphora_flows.py | 51 ++++- .../controller/worker/v2/flows/listener_flows.py | 3 + .../worker/v2/flows/load_balancer_flows.py | 43 ++-- .../worker/v2/tasks/amphora_driver_tasks.py | 125 ++++++++-- .../controller/worker/v2/tasks/database_tasks.py | 45 +++- .../controller/worker/v2/tasks/lifecycle_tasks.py | 136 +++++++---- .../controller/worker/v2/tasks/network_tasks.py | 23 +- octavia/db/repositories.py | 96 +++++--- octavia/hacking/checks.py | 2 +- .../drivers/neutron/allowed_address_pairs.py | 32 ++- .../backend/agent/api_server/test_server.py | 19 +- .../backends/agent/api_server/test_osutils.py | 2 +- .../backends/agent/api_server/test_plug.py | 60 ++++- .../backends/agent/api_server/test_util.py | 35 +++ .../backends/health_daemon/test_health_daemon.py | 8 + .../backends/health_daemon/test_health_sender.py | 18 ++ .../unit/amphorae/backends/utils/test_interface.py | 85 ++++++- .../amphorae/backends/utils/test_interface_file.py | 2 + .../backends/utils/test_keepalivedlvs_query.py | 134 ++++++++++- .../drivers/haproxy/test_rest_api_driver.py | 6 +- .../drivers/keepalived/test_vrrp_rest_driver.py | 17 ++ .../haproxy/combined_listeners/test_jinja_cfg.py | 57 +++-- .../unit/controller/worker/test_task_utils.py | 58 ++++- .../worker/v1/flows/test_amphora_flows.py | 33 ++- .../worker/v1/flows/test_load_balancer_flows.py | 27 ++- .../worker/v1/tasks/test_amphora_driver_tasks.py | 240 +++++++++++++++++++- .../worker/v1/tasks/test_database_tasks.py | 71 +++++- .../worker/v1/tasks/test_network_tasks.py | 30 +-- .../worker/v2/flows/test_amphora_flows.py | 33 ++- .../worker/v2/flows/test_load_balancer_flows.py | 16 +- .../worker/v2/tasks/test_amphora_driver_tasks.py | 251 +++++++++++++++++++-- .../worker/v2/tasks/test_database_tasks.py | 58 ++++- .../worker/v2/tasks/test_network_tasks.py | 11 - .../drivers/neutron/test_allowed_address_pairs.py | 57 ++++- ...itor-update-without-delay-c56240e59e15483f.yaml | 4 + ...nation-less-or-equal-zero-93a33f1318ea34e5.yaml | 6 + ...r-delete-causing-failover-251efdb79af24c0a.yaml | 5 + ...andle-blank-cert-subjects-b660d403ce56b0b8.yaml | 4 + .../add-noop-cert-manager-7018d3933a0ce9c6.yaml | 4 + ...ation-for-additional_vips-175c32824cc7ee95.yaml | 7 + ...x-amphorav1-subnet-member-9921d1ba387ff975.yaml | 6 + ...ad-management-port-update-3fa157f74ee8c7b2.yaml | 7 + ...ber-update-race-condition-09b82e2cc3121e03.yaml | 5 + ...t-udp-pools-dual-stack-lb-b298ded551ac97e1.yaml | 6 + ...on-delete-with-broken-amp-10d7f4e85754d7ee.yaml | 6 + ...e-members-in-batch-update-610ffbbf949927d0.yaml | 10 + ...ulated-with-allowed-cidrs-ad04ccf02bf9cbbc.yaml | 7 + ...n-with-disabled-listeners-fa89f762a94b8fe9.yaml | 6 + ...retrieval-in-api-response-d3b2e02a3a966f60.yaml | 7 + ...-online-in-single-lb-call-214a7ca22937a877.yaml | 5 + ...thmonitor-with-alpn-pools-82249b2b9a025068.yaml | 7 + .../fix-ip-rules-in-amphora-b74b7b616752c13b.yaml | 11 + ...ress-enclosed-in-brackets-c1cfc4717465ba09.yaml | 6 + ...ssion-persistence-failure-d649656a44fc3bbb.yaml | 6 + ...-in-PENDING-on-DB-failure-1ffea71a86cd4ea9.yaml | 7 + ...de-rules-in-dualstack-lbs-94f97606c5804b36.yaml | 6 + ...twork-interface-collision-939fd32587ea3344.yaml | 8 + ...-octavia-status-amphorav2-038fe77a2189b99f.yaml | 5 + ...tatus-on-lb-single-create-897070aee0a42da6.yaml | 5 + ...ition-member-batch-update-1aed0e06004c5dad.yaml | 7 + ...linux-tcp-hm-on-udp-pools-89c3b8db89e359ba.yaml | 7 + ...eout-dict-when-start-vrrp-278d4837702bd247.yaml | 6 + ...-tls-hello-healthmonitors-a4b98a80f6de8394.yaml | 4 + ...atus-with-additional-vips-7511690a0c112b44.yaml | 6 + ...ixed-quota-error-messages-fe3ae81a43f93a17.yaml | 6 + ...-ipvs-before-setting-opts-c5b2f0871bc38c27.yaml | 5 + ...-subnet-ip-advertisements-af2264844079ef6b.yaml | 6 + .../reduce-duration-failover-636032433984d911.yaml | 7 + ...-standby-amphora-in-error-3c1d75bc7d9b169f.yaml | 5 + setup.cfg | 1 + test-requirements.txt | 4 +- zuul.d/jobs.yaml | 117 ++++++---- zuul.d/projects.yaml | 26 +-- 124 files changed, 3087 insertions(+), 547 deletions(-) Requirements updates -------------------- diff --git a/test-requirements.txt b/test-requirements.txt index 051ebbdf..c1936926 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -4 +4 @@ -hacking>=3.0 # Apache-2.0 +hacking<6.1.0 # Apache-2.0 @@ -11 +11 @@ oslotest>=3.2.0 # Apache-2.0 -pylint>=2.5.3 # GPLv2 +pylint>=2.5.3,<=3.0.4 # GPLv2