We are psyched to announce the release of:

octavia 13.0.1

This release is part of the bobcat release series.

The source is available from:

    https://opendev.org/openstack/octavia

Download the package from:

    https://pypi.org/project/octavia

Please report issues through:

    https://storyboard.openstack.org/#!/project/908

For more details, please see below.

13.0.1
^^^^^^

Bug Fixes
*********

* Fixed an error when updating a UDP Health Monitor with an empty
  "delay" parameter.

* Fixed an issue where a neutron port may get abandoned when a failover
  reverts. The issue was logged with "Failed to delete port",
  "Resources may still be in use for a port intended for amphora", and
  "Search for a port named octavia-lb-vrrp-<uuid>".

* Fixed an issue when the "limit" parameter in a request is less than
  or equal to 0. It now returns resources according to
  pagination_max_limit as expected, instead of an error.

* Fixed an issue when using certificates with a blank subject or
  missing CN.

* Fixed wrong endpoint information in the neutron client configuration.

* Remove the record in the amphora_health table on revert. This is
  necessary because the record in the amphora table for the
  corresponding amphora is also deleted. It avoids false positive
  reactions of the failover threshold due to orphan records in the
  amphora_health table.

* Fixed a bug that prevented the amphora from being updated by the
  Amphora Configure API call. The API call was successful but the
  internal flow for updating it failed.

* Fixed a potential AttributeError during listener update when a
  security group rule had no protocol defined (i.e. it was null).

* Fixed a potential issue when deleting a load balancer with an amphora
  that was not fully created. The deletion may have failed when
  deallocating the VIP port, leaving the load balancer in ERROR state.

* Added a validation step in the batch member API request that checks
  if a member is included multiple times in the list of updated
  members. This additional check prevents the load balancer from being
  stuck in PENDING_UPDATE. Duplicate members in the batch member flow
  triggered an exception in Taskflow. The API now returns 400
  (ValidationException) if a member is already present in the body of
  the request.

* Fixed an issue when filtering resources with a boolean attribute in
  the GET calls in the Octavia API.

* Fixed a bug when creating a load balancer and a listener with
  "allowed_cidrs" with the fully-populated load balancer API. The call
  was rejected because Octavia could not validate that the IP addresses
  of the "allowed_cidrs" have the same family as the VIP address.

* Fixed an issue with SINGLE topology load balancers with UDP
  listeners. The Amphora now sends a Gratuitous ARP packet when a UDP
  pool is added, which makes the VIP address more quickly reachable
  after a failover or when reusing a previously allocated IP address.

* Bug fix: The response body of the LB API, when creating a new load
  balancer, now correctly includes information about the health
  monitor. Previously, this information was consistently null, despite
  configuring a health monitor.

* Fixed a bug with HTTP/HTTPS health-monitors on pools with ALPN
  protocols in the amphora-driver. The healthchecks sent by haproxy
  were flagged as bad requests by the backend servers. Updated the
  haproxy configuration to use ALPN for the healthchecks too.

* Fixed an issue with load balancers stuck in a "PENDING_*" state
  during database outages. Now when a task fails in Octavia, it retries
  to update the "provisioning_status" of the load balancer until the
  database is back (or it gives up after a really long timeout - around
  2h45).

* Fixed load balancers stuck in PENDING_DELETE if the TLS storage is
  unavailable or returns an error.

* Fixed an issue when using UDP listeners in dual-stack (IPv4 and IPv6)
  load balancers. Some masquerade rules needed by UDP were not
  correctly set on the member interfaces.

* Fixed a bug when the deprecated settings ("endpoint",
  "endpoint_type", "ca_certificates_file") are used in the "[neutron]"
  section of the configuration file. The connection to the neutron
  service may have used some settings from the "[service_auth]" section
  or used undefined settings.

* Fixed a race condition in the members batch update API call. The data
  passed to the Octavia worker service may have been incorrect when
  quickly sending successive API calls. The load balancer was then
  stuck in PENDING_UPDATE provisioning_status.

* Fixed a too long timeout when attempting to start the VRRP service in
  an unreachable amphora during a failover. A specific shorter timeout
  should be used during the failovers.

* Fixed TLS-HELLO health-monitors in the amphora-driver.

* Fixed verification of certificates signed by a private CA when using
  Neutron endpoints.

* Fixed an error on revert of the PlugVIPAmphora task when db_lb is not
  defined and get_subnet raises a NotFound error. It could happen when
  Amphora creation failed by timeout and the VIP network was removed
  before it. As a result, the revert failed with an exception.

* Reduce the duration of the failovers of ACTIVE_STANDBY load
  balancers. Many updates of an unreachable amphora may have been
  attempted during a failover. Now if an amphora is not reachable at
  the first update, the other updates are skipped.

* Reduce the duration of the failovers of ACTIVE_STANDBY load balancers
  when both amphorae are unreachable.

* Fixed a bug with the *nopreempt* option in keepalived. The option
  didn't work properly because the default role of the *MASTER* amphora
  was set. Removing the default roles from the configuration files
  fixed that issue. Now after a failover, the newly created amphora
  doesn't preempt the *MASTER* role from the other amphora.

Other Notes
***********

* A noop certificate manager was added. Now any Octavia certificate
  operations using noop drivers will be faster (as they won't be
  validated).

Changes in octavia 13.0.0..13.0.1
---------------------------------

3142d13ab Cleanup duplicate DB sessions for quotas
37e6e6395 Fix amphora image builds to use DIB bindep
c972ff9b8 Fix port abandonment on failover flow revert
5a23a8eca Fixed VRRP nopreempt option
2bae2e287 Fix test_prometheus_proxy.test_main
3497e769a Fix incorrect filtering when using bool attrs
ce0066f03 Handle undefined protocol field in security group rules correctly
35817025b Update stable/2023.2 to use 2023.2 tests
f1ea5ed2c Fix verification of certificates signed by a private CA
6987845c8 Fix missing GARP with UDP listeners on SINGLE LB
ceb55b567 Remove amphora_health record on revert CreateAmphoraInDB
649f8967b Do not fail on revert PlugVIPAmphora due undefined db_lb
b4adc98f6 Use cryptography to load PKCS12 certificates
09ea1e991 Fix loadbalancer stuck in cascade delete
70ecbcc8b Add check for duplicate members in batch update
80bbf2e56 Removing tips jobs on stable/2023.2
dbe59b8b4 When we failed to load pkcs12 cert print warning
f548fa53a Fix DB deadlock in quotas
2f170b79a Fix health monitor information retrieval in API response
1f38d29b2 Fix incorrect masquerade rules in multivip LBs
a9a3c64ee Fix neutron setting overrides
a1d422fe7 Fix fully-populated API with allowed_cidrs
b509b0795 Handle empty delay on update healthmonitor
06142805e Fix negative or 0 limit parameter in pagination
56cd4d3a9 Pin pylint (<=3.0.4)
33627fbb4 Fix error when deleting LB with broken amp
c664c865b fix: specify endpoint info. for neutron client
acf4a3064 fix pep8 use-yield-from rule
d0725c084 Fix issue with certificates with no subject or CN
421c7fdce Stable-only: Cap hacking to < 6.1.0
0f9bc3b8c Fix TLS-HELLO healthmonitors in the amphora-driver
7c468ca4c Fix health-monitors with ALPN members
281379c6d Remove publish-openstack-octavia-amphora-image jobs
be828d7cf Remove slqalchemy-tips job
88d7315a6 Add Noop Certificate Manager
7c67c1023 Fix Amphora Configure API call
ef4b4d500 Retry to set loadbalancer prov status on failures
562243153 Fix amphorae in ERROR during the failover
6fdc2079d Reduce duration of failovers with amphora in ERROR
54eb1624f Fix timeout duration in start_vrrp_service during failovers
a04e0f520 [stable/2023.2] Remove octavia-grenade-skip-level job
8a5bed4ce Fix race condition in members batch update API call
4f827c4a7 Fix remaining usage of [neutron] endpoint_type
f5d56c0fd Update TOX_CONSTRAINTS_FILE for stable/2023.2
853d0f69e Update .gitreview for stable/2023.2

Diffstat (except docs and test files)
-------------------------------------

 .gitreview | 1 +
 .../amphora-agent/source-repository-amphora-agent | 4 +-
 elements/octavia-lib/source-repository-octavia-lib | 2 +-
 .../backends/agent/api_server/keepalivedlvs.py | 9 +
 .../amphorae/backends/agent/api_server/osutils.py | 3 +-
 octavia/amphorae/backends/agent/api_server/util.py | 37 ++-
 octavia/amphorae/backends/utils/interface.py | 9 +-
 octavia/amphorae/drivers/driver_base.py | 16 ++
 .../amphorae/drivers/haproxy/rest_api_driver.py | 21 +-
 .../amphorae/drivers/keepalived/jinja/jinja_cfg.py | 1 -
 .../jinja/templates/keepalived_base.template | 1 -
 .../drivers/keepalived/vrrp_rest_driver.py | 3 +-
 octavia/amphorae/drivers/noop_driver/driver.py | 3 +
 octavia/api/common/pagination.py | 2 +-
 octavia/api/v2/controllers/health_monitor.py | 5 +-
 octavia/api/v2/controllers/l7policy.py | 1 -
 octavia/api/v2/controllers/l7rule.py | 1 -
 octavia/api/v2/controllers/listener.py | 1 -
 octavia/api/v2/controllers/load_balancer.py | 20 +-
 octavia/api/v2/controllers/member.py | 23 +-
 octavia/api/v2/controllers/pool.py | 13 +-
 octavia/api/v2/types/pool.py | 2 +-
 octavia/certificates/common/pkcs12.py | 18 +-
 octavia/certificates/manager/barbican.py | 40 ++--
 octavia/certificates/manager/castellan_mgr.py | 19 +-
 octavia/certificates/manager/noop.py | 106 +++++++++
 octavia/common/clients.py | 26 ++-
 octavia/common/config.py | 26 ++-
 octavia/common/constants.py | 4 +
 octavia/common/exceptions.py | 6 +
 .../haproxy/combined_listeners/templates/macros.j2 | 12 +-
 octavia/common/keystone.py | 14 +-
 octavia/common/tls_utils/cert_parser.py | 32 ++-
 octavia/controller/worker/task_utils.py | 34 ++-
 octavia/controller/worker/v2/controller_worker.py | 4 +-
 .../controller/worker/v2/flows/amphora_flows.py | 51 ++++-
 octavia/controller/worker/v2/flows/flow_utils.py | 10 +-
 .../worker/v2/flows/load_balancer_flows.py | 20 +-
 .../worker/v2/tasks/amphora_driver_tasks.py | 137 +++++++++--
 .../controller/worker/v2/tasks/database_tasks.py | 83 +++----
 .../controller/worker/v2/tasks/lifecycle_tasks.py | 136 +++++++----
 .../controller/worker/v2/tasks/network_tasks.py | 25 +-
 octavia/db/base_models.py | 20 +-
 octavia/db/repositories.py | 67 +++---
 .../drivers/neutron/allowed_address_pairs.py | 18 +-
 octavia/network/drivers/noop_driver/driver.py | 3 +-
 .../backends/agent/api_server/test_util.py | 90 +++++++-
 .../unit/amphorae/backends/utils/test_interface.py | 4 +-
 .../drivers/haproxy/test_rest_api_driver.py | 6 +-
 .../drivers/keepalived/jinja/test_jinja_cfg.py | 4 -
 .../drivers/keepalived/test_vrrp_rest_driver.py | 17 ++
 .../unit/certificates/manager/test_barbican.py | 6 +-
 .../haproxy/combined_listeners/test_jinja_cfg.py | 33 ++-
 .../unit/controller/worker/test_task_utils.py | 60 ++++-
 .../worker/v2/flows/test_amphora_flows.py | 33 ++-
 .../worker/v2/flows/test_load_balancer_flows.py | 15 +-
 .../worker/v2/tasks/test_amphora_driver_tasks.py | 251 +++++++++++++++++++--
 .../worker/v2/tasks/test_database_tasks.py | 34 ++-
 .../worker/v2/tasks/test_database_tasks_quota.py | 38 ++--
 .../worker/v2/tasks/test_network_tasks.py | 59 ++++-
 .../controller/worker/v2/test_controller_worker.py | 57 ++++-
 .../drivers/neutron/test_allowed_address_pairs.py | 25 +-
 playbooks/image-build/run.yaml | 51 +----
 ...itor-update-without-delay-c56240e59e15483f.yaml | 4 +
 ...failover-revert-port-leak-d9879523506c6ff3.yaml | 7 +
 ...nation-less-or-equal-zero-93a33f1318ea34e5.yaml | 6 +
 ...andle-blank-cert-subjects-b660d403ce56b0b8.yaml | 4 +
 ...ron-client-interface-info-06faaaad92886b8c.yaml | 4 +
 .../add-noop-cert-manager-7018d3933a0ce9c6.yaml | 4 +
 ...lth_row_on_amphora_revert-082f94459ecacaa2.yaml | 7 +
 ...x-amphora-update-api-call-d90853d7f75304a4.yaml | 6 +
 ...up-rule-has-protocol-none-9b7217c5477d01b6.yaml | 5 +
 ...on-delete-with-broken-amp-10d7f4e85754d7ee.yaml | 6 +
 ...e-members-in-batch-update-610ffbbf949927d0.yaml | 10 +
 ...g-with-boolean-attributes-15df51820753a900.yaml | 5 +
 ...ulated-with-allowed-cidrs-ad04ccf02bf9cbbc.yaml | 7 +
 ...ix-garp-for-udp-listeners-6bf2ec8d491d1e1b.yaml | 7 +
 ...retrieval-in-api-response-d3b2e02a3a966f60.yaml | 7 +
 ...thmonitor-with-alpn-pools-82249b2b9a025068.yaml | 7 +
 ...-in-PENDING-on-DB-failure-1ffea71a86cd4ea9.yaml | 7 +
 ...dbalancer-stuck-on-delete-da5950cf87fc8507.yaml | 5 +
 ...de-rules-in-dualstack-lbs-94f97606c5804b36.yaml | 6 +
 .../fix-neutron-overrides-710ed047ebf0c45c.yaml | 8 +
 ...ition-member-batch-update-1aed0e06004c5dad.yaml | 7 +
 ...eout-dict-when-start-vrrp-278d4837702bd247.yaml | 6 +
 ...-tls-hello-healthmonitors-a4b98a80f6de8394.yaml | 4 +
 ...te-ca-signed-certificates-b9386a0d92627b03.yaml | 5 +
 ..._db_lb_on_plug_vip_revert-5c24af124498b246.yaml | 7 +
 .../reduce-duration-failover-636032433984d911.yaml | 7 +
 ...-standby-amphora-in-error-3c1d75bc7d9b169f.yaml | 5 +
 ...ault-role-from-keepalived-c879bad3a42a6b4a.yaml | 8 +
 requirements.txt | 1 -
 setup.cfg | 1 +
 test-requirements.txt | 4 +-
 tox.ini | 8 +-
 zuul.d/jobs.yaml | 152 +++++++------
zuul.d/projects.yaml | 45 ++-- 111 files changed, 2266 insertions(+), 639 deletions(-) Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt index e20ed6e15..0905f0305 100644 --- a/requirements.txt +++ b/requirements.txt @@ -41 +40,0 @@ python-cinderclient>=3.3.0 # Apache-2.0 -pyOpenSSL>=19.1.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index 051ebbdf3..c1936926e 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -4 +4 @@ -hacking>=3.0 # Apache-2.0 +hacking<6.1.0 # Apache-2.0 @@ -11 +11 @@ oslotest>=3.2.0 # Apache-2.0 -pylint>=2.5.3 # GPLv2 +pylint>=2.5.3,<=3.0.4 # GPLv2
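Review bot: dropping `pyOpenSSL>=19.1.0` from requirements.txt is only safe if no module still imports OpenSSL at runtime, and the hunk alone cannot show that. The commit list ("Use cryptography to load PKCS12 certificates") and the diffstat entry for octavia/certificates/common/pkcs12.py are consistent with the removal, but the other certificate modules touched in this range (barbican.py, castellan_mgr.py, cert_parser.py) should be checked for leftover imports, and the dependency removal deserves its own line in the release notes since packagers of a stable point release will not expect it.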
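Review bot: in the first test-requirements.txt hunk, replacing `hacking>=3.0` with `hacking<6.1.0` loses the lower bound, so a resolver is free to pick a release older than 3.0. Keep both bounds, for example `hacking>=3.0,<6.1.0`, the same way the pylint line in the following hunk keeps `>=2.5.3` when it adds its cap.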
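Review bot: the `pylint>=2.5.3,<=3.0.4` cap in the second test-requirements.txt hunk carries no explanation of why 3.0.4 is the ceiling or when it can be lifted. Add a short comment or bug reference on that line so the pin does not outlive its reason on stable/2023.2.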
participants (1)
-
no-reply@openstack.org