We contentedly announce the release of:

octavia 11.0.1: OpenStack Octavia Scalable Load Balancer as a Service

This release is part of the zed stable release series.

The source is available from:

    https://opendev.org/openstack/octavia

Download the package from:

    https://pypi.org/project/octavia

Please report issues through:

    https://storyboard.openstack.org/#!/project/908

For more details, please see below.

11.0.1
^^^^^^

Security Issues
***************

* Filter out private information from the taskflow logs when "INFO"
  level messages are enabled and when jobboard is enabled. Logs might
  have included TLS certificates and private_key. By default, in
  Octavia only WARNING and above messages are enabled in taskflow and
  jobboard is disabled.

Bug Fixes
*********

* Added a filter to hide a bogus ComputeWaitTimeoutException exception
  when creating an amphora when jobboard is disabled. This exception
  is part of the flow when creating a load balancer or an amphora and
  should not be shown to the user.

* The parameters of a taskflow Flow were logged in "INFO" level
  messages by taskflow; they included the parameters of TLS-enabled
  listeners and pools, such as certificates and private_key.

* Fix an authentication error with Barbican when creating a
  TERMINATED_HTTPS listener with application credential tokens or
  trust IDs.

* Fixed a potential race condition in the member batch update API
  call; the load balancers might not have been locked properly.

* Fixed a "corrupted global server state file" error in Centos 9
  Stream when reloading the state of the servers after restarting
  haproxy. It also fixed the recovery of the operational state of the
  servers in haproxy after its restart.

* Fix a bug where the full graph of a load balancer is created without
  listeners if jobboard_enabled=False.

* Fixed a bug that prevented Octavia from creating listeners with the
  fully-populated load balancer API in SINGLE topology mode.

* Fixed backwards compatibility issue with the feature that preserves
  HAProxy server states between reloads. HAProxy versions 1.5 and
  below do not support this feature, so Octavia will not activate it
  on amphorae with those versions.

* Fixed a bug that didn't set all the active load balancer Health
  Monitors ONLINE in populated LB single-create calls.

* Fix a bug that prevented the operating_status of a health-monitor
  from being set to ONLINE when ipv6 addresses were enclosed within
  square brackets in "controller_ip_port_list".

* Fixed a potential error when plugging a member from a new network
  after deleting another member and unplugging its network. Octavia
  may have tried to plug the new network to a new interface but with
  an already existing name. This fix requires updating the Amphora
  image.

* Fix an issue with PING health-monitors on Centos 8 Stream. Changes
  in Centos and systemd prevent an unprivileged user from sending ping
  requests from a network namespace.

* Fixed a bug that didn't set the correct provisioning_status for
  unattached pools when creating a fully-populated load balancer.

* Fixed an SELinux issue with TCP-based health-monitors on UDP pools;
  some specific monitoring ports were denied by SELinux. The Amphora
  image now enables the "keepalived_connect_any" SELinux boolean that
  allows connections to any ports.

* When plugging a new member subnet, the amphora sends an IP
  advertisement of the newly allocated IP. It allows the servers on
  the same L2 network to flush the ARP entries of a previously
  allocated IP address.
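
The kind of log scrubbing described in the Security Issues note and in the taskflow bug-fix entry above, as an added example; it is not Octavia's code from octavia/common/base_taskflow.py. The key names in SENSITIVE_KEYS, the logger name taskflow.example and the sample store are assumptions constructed for the example.

```python
import io
import logging
import re

# Assumed for this example: which keys count as secret, and the marker text.
SENSITIVE_KEYS = {"private_key", "certificate", "passphrase"}
PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.DOTALL)
REDACTED = "***"


def scrub(value):
    """Return a copy of value with secret fields and PEM blocks replaced."""
    if isinstance(value, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return PEM_BLOCK.sub(REDACTED, value)
    return value


class SecretScrubFilter(logging.Filter):
    """Scrub structured args, then the rendered text, before the handler emits."""

    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = scrub(record.args)
        elif record.args:
            record.args = tuple(scrub(a) for a in record.args)
        # Render once so PEM text that arrives through an object's __str__ is caught.
        record.msg = PEM_BLOCK.sub(REDACTED, record.getMessage())
        record.args = None
        return True


def demo():
    """Log a constructed flow store at INFO; return what the handler wrote."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # Attach to the handler: a filter on a logger is not applied to child loggers.
    handler.addFilter(SecretScrubFilter())
    log = logging.getLogger("taskflow.example")  # hypothetical logger name
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.propagate = False
    pem = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----"  # constructed
    store = {"listener_id": "constructed-id", "tls": {"private_key": pem}}
    log.info("Flow started with store %s", store)   # structured argument
    log.info("Job details: %s", str(store))         # already rendered to text
    log.removeHandler(handler)
    return stream.getvalue()
```

Running the same filter over existing log files is a quick way to check whether INFO-level taskflow output written before the upgrade needs to be rotated or purged.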

Changes in octavia 11.0.0..11.0.1
---------------------------------

4d52ce9c Fix TCP HMs on UDP pools with SELinux
2e034c1e Fix hm operating status to ONLINE in single lb call
05b33434 Avoid interface name collisions in the amphora
396785da Fix pool creation with single LB create call
ba0c244d Fix pep8 error
6a380e37 Send IP advertisements when plugging a new member subnet
332d7dee Fix octavia to accept [ipv6]:port
b2437857 Fix ORM caching for with_for_update calls
c87fbc07 Fix grenade job & pin pylint on stable/branches
4022aaf7 Filter out details from taskflow logs with v2+jobboard
0bc7d289 Filter ComputeWaitTimeoutException when jobboard is disabled
8cd697e8 Fix PING health-monitor with recent Centos releases
4e9203ad Fix listener creation with fully-populated API
cfd87ccb Fix full graph loadbalancer creation if jobboard is disabled
572c0dac Add a newline when writing the server state file
fb2e1d2e Handle feature compatibility of HAProxy server-state-file option
48fad7c2 Fix prometheus-proxy service name in Red Hat-based distros
960977cc Fix barbican client with application credentials/trusts
b7fc5b10 Add *.orig to .gitignore
4f2a019d Update TOX_CONSTRAINTS_FILE for stable/zed
d8ec4499 Update .gitreview for stable/zed

Diffstat (except docs and test files)
-------------------------------------

.gitignore | 1 +
.gitreview | 1 +
.../12-enable-prometheus-proxy-systemd | 2 +-
.../amphora-agent/source-repository-amphora-agent | 4 +-
elements/amphora-agent/svc-map | 3 +
.../post-install.d/50-selinux-policies | 3 +
.../post-install.d/20-haproxy-tune-kernel | 8 +++
elements/octavia-lib/source-repository-octavia-lib | 2 +-
octavia/amphorae/backends/agent/api_server/plug.py | 25 +++++--
octavia/amphorae/backends/agent/api_server/util.py | 21 ++++++
.../backends/health_daemon/health_sender.py | 2 +
octavia/amphorae/backends/utils/haproxy_query.py | 2 +-
octavia/certificates/common/auth/barbican_acl.py | 27 ++++----
octavia/common/base_taskflow.py | 44 ++++++++++++
octavia/common/constants.py | 1 +
.../jinja/haproxy/combined_listeners/jinja_cfg.py | 4 +-
.../haproxy/combined_listeners/templates/base.j2 | 2 +
.../combined_listeners/templates/haproxy.cfg.j2 | 2 +-
.../haproxy/combined_listeners/templates/macros.j2 | 4 +-
.../controller/worker/v1/flows/listener_flows.py | 3 +
.../worker/v1/flows/load_balancer_flows.py | 31 +++++----
.../controller/worker/v1/tasks/database_tasks.py | 44 +++++++++++-
octavia/controller/worker/v2/controller_worker.py | 7 +-
.../controller/worker/v2/flows/listener_flows.py | 3 +
.../worker/v2/flows/load_balancer_flows.py | 32 +++++----
.../controller/worker/v2/tasks/database_tasks.py | 45 +++++++++++-
octavia/db/repositories.py | 80 +++++++++++++++-------
octavia/hacking/checks.py | 2 +-
.../backend/agent/api_server/test_server.py | 19 +++--
.../agent/api_server/test_haproxy_compatibility.py | 2 -
.../backends/agent/api_server/test_plug.py | 60 ++++++++++++++--
.../backends/agent/api_server/test_util.py | 35 ++++++++++
.../backends/health_daemon/test_health_sender.py | 18 +++++
.../amphorae/backends/utils/test_haproxy_query.py | 2 +-
.../certificates/common/auth/test_barbican_acl.py | 3 +-
.../haproxy/combined_listeners/test_jinja_cfg.py | 69 +++++++------------
.../sample_configs/sample_configs_combined.py | 5 +-
.../worker/v1/flows/test_load_balancer_flows.py | 7 +-
.../worker/v1/tasks/test_database_tasks.py | 63 +++++++++++++++--
.../worker/v2/flows/test_load_balancer_flows.py | 7 +-
.../worker/v2/tasks/test_database_tasks.py | 56 ++++++++++++++-
.../controller/worker/v2/test_controller_worker.py | 47 +++++++++++++
...on-when-jobboard-disabled-6f1375463f5a71dc.yaml | 7 ++
...mation-from-taskflow-logs-0d8697140423b4d5.yaml | 12 ++++
...tial-tokens-with-barbican-3b7d13283206c124.yaml | 5 ++
...ber-update-race-condition-09b82e2cc3121e03.yaml | 5 ++
...-global-server-state-file-325ab7c62e21ff14.yaml | 7 ++
...dbalancer-creation-if-jobboard-is-disabled.yaml | 5 ++
...opulated-lb-with-listener-92a369ea8d57e8f5.yaml | 5 ++
...y-about-server-state-file-df70e5ac859417e2.yaml | 7 ++
...-online-in-single-lb-call-214a7ca22937a877.yaml | 5 ++
...ress-enclosed-in-brackets-c1cfc4717465ba09.yaml | 6 ++
...twork-interface-collision-939fd32587ea3344.yaml | 8 +++
...-ping-hm-on-centos-stream-6624f19c8da86e22.yaml | 6 ++
...tatus-on-lb-single-create-897070aee0a42da6.yaml | 5 ++
...linux-tcp-hm-on-udp-pools-89c3b8db89e359ba.yaml | 7 ++
...-subnet-ip-advertisements-af2264844079ef6b.yaml | 6 ++
test-requirements.txt | 2 +-
tox.ini | 8 +--
zuul.d/jobs.yaml | 9 +--
62 files changed, 811 insertions(+), 186 deletions(-)

Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt index 051ebbdf..9fc15cb1 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -11 +11 @@ oslotest>=3.2.0 # Apache-2.0 -pylint>=2.5.3 # GPLv2 +pylint>=2.5.3,<=2.15.10 # GPLv2
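
Review bot: the upper bound added on the pylint line (pylint>=2.5.3,<=2.15.10) has no explanation of why 2.15.10 is the ceiling; the trailing comment on that line records only the licence. A comment line above it saying the cap is a stable-branch pin, as the changelog entry c87fbc07 "Fix grenade job & pin pylint on stable/branches" indicates, would tell a later maintainer that the bound is deliberate and when it can be revisited.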