We are happy to announce the release of: octavia 3.2.1: OpenStack Octavia Scalable Load Balancer as a Service This release is part of the rocky stable release series. The source is available from: https://opendev.org/openstack/octavia Download the package from: https://pypi.org/project/octavia Please report issues through: https://storyboard.openstack.org/#!/project/908 For more details, please see below. 3.2.1 ^^^^^ Upgrade Notes ************* * A new amphora image is required to fix the potential certs-ramfs race condition. Security Issues *************** * A race condition between the certs-ramfs and the amphora agent may lead to tenant TLS content being stored on the amphora filesystem instead of in the encrypted RAM filesystem. Bug Fixes ********* * Fixed a potential race condition with the certs-ramfs and amphora agent services. * Fixes an issue in the selection of vip-subnet-id on multi-subnet networks by checking the IP availability of the subnets, ensuring enough IPs are available for loadbalancer when creating loadbalancer specifying vip-network-id. * Fix a bug that could interrupt resource creation when performing a graceful shutdown of the controller worker and leave resources in a PENDING_CREATE/PENDING_UPDATE/PENDING_DELETE provisioning status. If the duration of an Octavia flow is greater than the 'graceful_shutdown_timeout' configuration value, stopping the Octavia worker can still interrupt the creation of resources. Changes in octavia 3.2.0..3.2.1 ------------------------------- 6fe5df6f Fix controller worker graceful shutdown d4842728 Fix a potential race condition with certs-ramfs d5aba906 ipvsadm '--exact' arg to ensure outputs are ints f68460dd Fix issues with unavailable secrets 8faa4220 loadbalancer vip-network-id IP availability check 08916abd Improve the error message for bad pkcs12 bundles Diffstat (except docs and test files) ------------------------------------- devstack/plugin.sh | 5 ++ .../amphora-agent.conf | 2 +- .../amphora-agent.init | 2 +- .../amphora-agent.service | 3 +- .../init-scripts/systemd/certs-ramfs.service | 1 + etc/octavia.conf | 3 + .../amphorae/backends/utils/keepalivedlvs_query.py | 3 +- octavia/api/drivers/utils.py | 35 +++++---- octavia/api/v2/controllers/listener.py | 5 +- octavia/api/v2/controllers/load_balancer.py | 33 ++++++--- octavia/certificates/common/pkcs12.py | 6 +- octavia/certificates/manager/barbican.py | 2 + octavia/common/exceptions.py | 7 ++ octavia/common/tls_utils/cert_parser.py | 43 ++++++++--- octavia/common/utils.py | 7 ++ octavia/controller/queue/consumer.py | 10 +-- octavia/network/base.py | 9 +++ octavia/network/data_models.py | 14 ++++ octavia/network/drivers/neutron/base.py | 3 + octavia/network/drivers/neutron/utils.py | 9 +++ octavia/network/drivers/noop_driver/driver.py | 18 +++++ .../unit/certificates/manager/test_barbican.py | 18 +++++ .../unit/common/tls_utils/test_cert_parser.py | 34 +++++++++ .../unit/network/drivers/neutron/test_base.py | 15 ++++ .../unit/network/drivers/neutron/test_utils.py | 16 +++++ .../fix-certs-ramfs-race-561f355d13fc6d14.yaml | 14 ++++ ...p-network-ip-availability-2e924f32abf01052.yaml | 7 ++ ...-worker-graceful-shutdown-c44b6797637aa1b3.yaml | 9 +++ tox.ini | 3 +- 35 files changed, 453 insertions(+), 52 deletions(-)