We are tickled pink to announce the release of:

octavia 4.1.2: OpenStack Octavia Scalable Load Balancer as a Service

This release is part of the stein stable release series.

The source is available from:

    https://opendev.org/openstack/octavia

Download the package from:

    https://pypi.org/project/octavia

Please report issues through:

    https://storyboard.openstack.org/#!/project/908

For more details, please see below.

4.1.2
^^^^^

Upgrade Notes
*************

* After this upgrade, users will no longer be able to use network
  resources they cannot see or "show" on load balancers. Operators can
  revert this behavior by setting the "allow_invisible_resource_usage"
  configuration file setting to "True".

* Any amphorae running a py3 based image must be recycled or else they
  will eventually fail on certificate rotation.

* An amphora image update is recommended to pick up a workaround to an
  HAProxy issue where it would fail to reload on configuration change
  should the local peer name start with "-x".

Security Issues
***************

* Previously, if a user knew or could guess the UUID for a network
  resource, they could use that UUID to create load balancer resources.
  Now the user must have permission to see or "show" the resource before
  it can be used with a load balancer. This is the new default, but
  operators can disable this behavior by setting the configuration file
  setting "allow_invisible_resource_usage" to "True". This issue falls
  under the "Class C1" security issue category as the user would require
  a valid UUID.

Bug Fixes
*********

* Fixed an issue where, when a load balancer is disabled, the Octavia
  Health Manager keeps failing over the amphorae.

* Add listener and pool protocol validation. The pool and listener can't
  be combined arbitrarily. We need some constraints on the protocol side.

* Resolved broken certificate upload on py3 based amphora images. On a
  housekeeping certificate rotation event, the amphora would clear out
  its server certificate and return a 500, putting the amphora in ERROR
  status and breaking further communication. See upgrade notes.

* Fixed an issue where the amphora image create tool would check out the
  master amphora-agent code and master upper constraints.

* Fixes an issue where load balancers with more than one TLS enabled
  listener, using client authentication and/or backend re-encryption,
  may load incorrect certificates for the listener.

* Fix a bug that could interrupt resource creation when performing a
  graceful shutdown of the house keeping service and leave resources
  such as amphorae in a BOOTING status.

* Fixed an issue where load balancers would go into ERROR when setting
  data not visible to providers (e.g. tags).

* Worked around an HAProxy issue where it would fail to reload on
  configuration change should the local peer name start with "-x".

* Delay between checks on UDP healthmonitors was using the incorrect
  config value "timeout", when it should have been "delay".

Changes in octavia 4.1.1..4.1.2
-------------------------------

0c1e588d Fix multi-listener LB client auth/re-encryption
07ef9ef8 Fix allow_invisible_resource_usage typo in relnotes
8bd0fbc8 Workaround peer name starting with hyphen
cac753d3 Fix healthmanager not update amphora health when LB disable
e719a472 Validate resource access when creating loadbalancer or member
5f4fd9c5 Fix py3 amphora-agent cert-rotation type bug
80e389ad Correct delay between UDP healthchecks
bdfaba4c Fix load balancer update with provider filtered params
d3df7e43 Fix padding logic for UDP health daemon
aefbef12 Do not install diskimage-builder from Git
ae03653a Pick stale amphora randomly
5dd672c5 Do not run Tempest in octavia-grenade job
922c4987 Remove xenial based jobs from stein gates.
e3a95c9b Remove the barbican "Grant access" from cookbook
372e047a Fix uncaught DB exception when trying to get a spare amphora
24858a5a Use stable upper-constraints.txt in Amphora builds
84020ae6 Fix pep8 failures on stable/stein branch
4ebdce39 Fix multi-listener LB with missing certificate
c09d7299 Fix house keeping graceful shutdown
db75e58e Fix update API when barbican secret is missing
1f37a73e Add listener and pool protocol validation
d0ef7a82 Cap hacking version to <2
9904b26a Accept oslopolicy-policy-generator path arguments

Diffstat (except docs and test files)
-------------------------------------

api-ref/source/parameters.yaml                     |  15 +-
api-ref/source/v2/general.inc                      |  52 +++++++
devstack/plugin.sh                                 |   8 +-
devstack/settings                                  |   3 -
.../amphora-agent/source-repository-amphora-agent  |   4 +-
etc/octavia.conf                                   |  10 ++
.../agent/api_server/certificate_update.py         |   2 +-
.../amphorae/backends/utils/keepalivedlvs_query.py |   2 +-
.../amphorae/drivers/haproxy/rest_api_driver.py    |  98 ++++++++-----
octavia/api/v2/controllers/base.py                 |  12 ++
octavia/api/v2/controllers/l7policy.py             |  26 ++--
octavia/api/v2/controllers/listener.py             |  19 ++-
octavia/api/v2/controllers/load_balancer.py        |  28 ++--
octavia/api/v2/controllers/member.py               |   8 +-
octavia/api/v2/controllers/pool.py                 |   3 +-
octavia/cmd/house_keeping.py                       |  23 ++--
octavia/common/clients.py                          |  28 ++++
octavia/common/config.py                           |   6 +
octavia/common/constants.py                        |   8 ++
.../jinja/haproxy/combined_listeners/jinja_cfg.py  |  77 +++++------
octavia/common/jinja/lvs/templates/macros.j2       |  12 +-
octavia/common/policy.py                           |  13 +-
octavia/common/utils.py                            |   5 +-
octavia/common/validate.py                         |  13 +-
.../healthmanager/health_drivers/update_db.py      |  15 +-
octavia/controller/worker/tasks/database_tasks.py  |  48 ++-----
octavia/controller/worker/tasks/network_tasks.py   |   2 +-
octavia/db/repositories.py                         |  14 +-
octavia/network/base.py                            |   9 +-
octavia/network/drivers/neutron/base.py            |  21 +--
octavia/network/drivers/noop_driver/driver.py      |   6 +-
.../drivers/haproxy/test_rest_api_driver_0_5.py    |  30 ++--
.../drivers/haproxy/test_rest_api_driver_1_0.py    |  31 +++--
.../unit/certificates/generator/test_local.py      |   4 +-
.../haproxy/combined_listeners/test_jinja_cfg.py   |  32 +++--
.../unit/common/jinja/lvs/test_lvs_jinja_cfg.py    |  40 ++----
.../sample_configs/sample_configs_combined.py      |   8 +-
.../healthmanager/health_drivers/test_update_db.py |  22 ++-
.../controller/worker/tasks/test_database_tasks.py |  45 +----
.../controller/worker/tasks/test_network_tasks.py  |  16 +++
.../unit/network/drivers/neutron/test_base.py      |  67 +++++++++
playbooks/legacy/grenade-devstack-octavia/run.yaml |  11 +-
...a-health-when-LB-disabled-46a4fb295c6d0850.yaml |   6 +
.../add-protocol-validation-0f9129a045e372ce.yaml  |   5 +
.../allow-invisible-subnets-e30b0b5fbd216294.yaml  |  16 +++
...nt-py3-cert-upload-binary-74e0ab35c5a85c68.yaml |  11 ++
...ora-agent-branch-checkout-e2eeb19c6aa09535.yaml |   5 +
...lient-auth-single-process-749af7791454ff03.yaml |   6 +
...ix-house-keeping-shutdown-17b04417a2c4849f.yaml |   6 +
...ix-lb-update-with-no-data-abefe7860b8fb4c7.yaml |   5 +
...ix-peer-name-prefix-hypen-e74a87e9a01b4f4c.yaml |  10 ++
...-based-on-correct-setting-6a60856de2927ccd.yaml |   5 +
test-requirements.txt                              |   2 +-
zuul.d/jobs.yaml                                   |   7 +-
zuul.d/projects.yaml                               |  21 ++-
66 files changed, 1090 insertions(+), 409 deletions(-)

Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt
index 8e0b2e39..14be4f6d 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -4 +4 @@
-hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
+hacking!=0.13.0,<0.14,>=0.12.0,<2 # Apache-2.0
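Review bot: the new `<2` bound in `+hacking!=0.13.0,<0.14,>=0.12.0,<2 # Apache-2.0` is redundant, because the `<0.14` that is already in the specifier excludes every 1.x and 2.x release of hacking; the line is harmless as written, but if the intent of "Cap hacking version to <2" is only to keep this branch off hacking 2.x, the `-` line already does that and the change could be dropped, and if the intent is to loosen the old cap, `<0.14` should be removed instead of stacking a second upper bound.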
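To make the Security Issues note above concrete, here is an added illustration (not Octavia's own code, and not how its API controllers are written) of the rule it describes: a UUID supplied for a network resource is only accepted if a client scoped to the requesting user's credentials can "show" that resource, with the "allow_invisible_resource_usage" setting restoring the old accept-any-valid-UUID behaviour. The `FakeUserScopedNetworkClient`, `validate_resource_access` and `InvalidNetworkResource` names, and the sample UUIDs, are constructed for this example; a real deployment would perform the show call through the user's own Neutron client.

```python
"""Illustrative visibility check for network resource UUIDs.

Hypothetical example, not Octavia's implementation: it models the rule
from the 4.1.2 security note (a network resource UUID may only be used
on a load balancer if the caller can "show" that resource) and the
allow_invisible_resource_usage opt-out that restores the old behaviour.
"""
import uuid


class InvalidNetworkResource(Exception):
    """Raised when a caller supplies a UUID it is not allowed to use."""


class FakeUserScopedNetworkClient:
    """Stand-in for a network client scoped to the *requesting* user's token.

    Constructed for this example: `visible` is the set of resource UUIDs
    the user's own credentials can "show". Anything else behaves like a
    resource that does not exist for that user.
    """

    def __init__(self, visible):
        self._visible = set(visible)

    def show(self, resource_type, resource_id):
        if resource_id not in self._visible:
            # A real client raises a not-found error here; a guessed UUID
            # belonging to another project is indistinguishable from a
            # UUID that was never allocated.
            raise LookupError("%s %s not found" % (resource_type, resource_id))
        return {"id": resource_id}


def validate_resource_access(user_client, resource_type, resource_id,
                             allow_invisible_resource_usage=False):
    """Return True if the caller may reference `resource_id`.

    With the default (False) the caller's own client must be able to show
    the resource. With True the pre-4.1.2 behaviour is restored and any
    syntactically valid UUID is accepted without a visibility check.
    """
    try:
        uuid.UUID(str(resource_id))
    except ValueError:
        raise InvalidNetworkResource("%r is not a UUID" % (resource_id,))
    if allow_invisible_resource_usage:
        return True
    try:
        user_client.show(resource_type, resource_id)
    except LookupError:
        # Same outcome as a bad UUID: the caller learns nothing about
        # whether the resource exists in another project.
        raise InvalidNetworkResource(
            "%s %s is not visible to the caller" % (resource_type, resource_id))
    return True


def demo():
    """Run the three cases from the release note and report the outcome."""
    own_subnet = str(uuid.uuid4())            # constructed: visible to user
    other_project_subnet = str(uuid.uuid4())  # constructed: guessed UUID
    client = FakeUserScopedNetworkClient({own_subnet})
    results = {}
    results["own"] = validate_resource_access(client, "subnet", own_subnet)
    try:
        validate_resource_access(client, "subnet", other_project_subnet)
        results["guessed"] = "accepted"
    except InvalidNetworkResource:
        results["guessed"] = "rejected"
    results["guessed_legacy"] = validate_resource_access(
        client, "subnet", other_project_subnet,
        allow_invisible_resource_usage=True)
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is the scope of the client used for the show call: the check only closes the gap if it is made with the requesting user's credentials, since a service-scoped client can see every project's resources and would accept any guessed UUID.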