We are tickled pink to announce the release of:

octavia 3.2.0: OpenStack Octavia Scalable Load Balancer as a Service

This release is part of the rocky stable release series.

The source is available from:

    https://opendev.org/openstack/octavia

Download the package from:

    https://pypi.org/project/octavia

Please report issues through:

    https://storyboard.openstack.org/#!/project/908

For more details, please see below.

3.2.0
^^^^^

Known Issues
************

* When a load balancer with a UDP listener is updated, the listener
  service is restarted, which causes an interruption of the flow of
  traffic during a short period of time. This issue is caused by a
  keepalived bug (https://github.com/acassen/keepalived/issues/1163)
  that was fixed in keepalived 2.0.14, but this package is not yet
  provided by distributions.

Upgrade Notes
*************

* To enable UDP listener monitoring when no pool is attached, the
  amphora image needs to be updated and load balancers with UDP
  listeners need to be failed over to the new image.

Security Issues
***************

* Correctly require two-way certificate authentication to connect to
  the amphora agent API (CVE-2019-17134).

Bug Fixes
*********

* Fixed an issue with the health manager reporting an
  UnboundLocalError if it gets an exception attempting to get a
  database connection.

* Fixes a potential DB deadlock in allocate_and_associate found in
  testing.

* Fixes an issue where, if we were unable to attach the base (VRRP)
  port to an amphora instance, the revert would not clean up the port
  in neutron.

* Add support for monitor_address and monitor_port attributes in UDP
  members. Previously, monitor_address and monitor_port were ignored
  and address and protocol_port attributes were used as monitoring
  address and port.

* Fix operating_status for pools and members that use UDP protocol.
  operating_status values are now consistent with the values of
  non-UDP load balancers.

* Fix a bug that prevented UDP servers from being restored as members
  of a pool after removing a health monitor resource.

* The passphrase for config option 'server_certs_key_passphrase' is
  used as a Fernet key in Octavia and thus must be 32, base64(url)
  compatible, characters long. Octavia will now validate the
  passphrase length and format.

* Adding a member with different IP protocol version than the VIP IP
  protocol version in a UDP load balancer caused a crash in the
  amphora. A validation step in the amphora driver now prevents mixing
  IP protocol versions in UDP load balancers.

Changes in octavia 3.1.1..3.2.0
-------------------------------

624ff08f Fix urgent amphora two-way auth security bug
0dc557cb Fix member API handling of None/null updates
1756b19e Validate server_certs_key_passphrase is 32 chars
e3cc8f8f Work around strptime threading issue
0aace571 Fix base (VRRP) port abandoned on revert
cf0fa1d7 Do not run non-voting jobs in gate
e0913562 Fix l7rule API handling of None updates
6906f9f8 Fix template that generates vrrp check script
3e3a6977 Revert "Use the infra pypi mirror for DIB"
7722133f Add failover logging to show the amphora details.
3e1d0abe only rollback DB when we have a connection to the DB
0f8eabab Fix L7 repository create methods
7486abcc Use the infra pypi mirror for DIB
f58b07fd Add warning log if auth_strategy is not keystone
4074dbd9 elements: add arch property for ``open-vm-tools``
4494c621 worker: Re-add FailoverPreparationForAmphora
14169cbc Prevent UDP LBs to use different IP protocol versions in amphora driver
7a2491ad Fixed down server issue after reloading keepalived
f08e21fd Fixed pool and members status with UDP loadbalancers
b97bfe64 Add support for monitor_{address,port} in UDP members
eb9ebe4c Add octavia-v2-dsvm jobs to the gate queue
af9ecfe0 Update tox.ini for new upper constraints strategy
5bc9a788 Add bindep.txt for Octavia
2f8fcedc Update amphora-agent to report UDP listener health
93123614 Fix auto setup Barbican's ACL in the legacy driver.
ac6ff98d Fix allocate_and_associate DB deadlock
7e865435 Fix for utils LB DM transformation function

Diffstat (except docs and test files)
-------------------------------------

 bindep.txt | 2 +
 elements/amphora-agent/package-installs.yaml | 1 +
 lower-constraints.txt | 2 +-
 .../backends/agent/api_server/keepalivedlvs.py | 7 ++
 .../templates/keepalived_check_script.conf.j2 | 2 +-
 .../backends/health_daemon/health_daemon.py | 12 +-
 .../amphorae/backends/utils/keepalivedlvs_query.py | 64 +++++++++--
 octavia/api/drivers/amphora_driver/driver.py | 26 +++++
 octavia/api/drivers/utils.py | 1 +
 octavia/api/v2/controllers/l7rule.py | 5 +
 octavia/api/v2/controllers/load_balancer.py | 4 +-
 octavia/api/v2/controllers/member.py | 18 +++
 octavia/api/v2/types/member.py | 6 +-
 octavia/certificates/common/local.py | 6 +-
 octavia/certificates/manager/barbican.py | 8 ++
 octavia/certificates/manager/barbican_legacy.py | 28 +++--
 octavia/cmd/agent.py | 3 +-
 octavia/cmd/api.py | 6 +
 octavia/common/base_taskflow.py | 3 +
 octavia/common/constants.py | 2 +
 octavia/common/jinja/lvs/jinja_cfg.py | 4 +-
 octavia/common/jinja/lvs/templates/macros.j2 | 10 +-
 octavia/common/validate.py | 2 +
 octavia/controller/healthmanager/health_manager.py | 4 +-
 octavia/controller/worker/controller_worker.py | 26 ++++-
 octavia/controller/worker/flows/amphora_flows.py | 4 +
 octavia/db/repositories.py | 9 ++
 .../drivers/neutron/allowed_address_pairs.py | 17 +++
 .../backends/health_daemon/test_health_daemon.py | 13 ++-
 .../backends/utils/test_keepalivedlvs_query.py | 89 +++++++++++++--
 .../drivers/amphora_driver/test_amphora_driver.py | 125 ++++++++++++++++++++-
 .../unit/certificates/manager/test_barbican.py | 15 +++
 .../certificates/manager/test_barbican_legacy.py | 16 ++-
 .../unit/common/jinja/lvs/test_lvs_jinja_cfg.py | 56 +++++++++
 .../unit/common/sample_configs/sample_configs.py | 22 +++-
 .../healthmanager/test_health_manager.py | 18 +++
 .../drivers/neutron/test_allowed_address_pairs.py | 37 ++++++
 ...DB-Rollback-no-connection-2664c4f7823ecaec.yaml | 5 +
 ...te_and_associate-deadlock-3ff1464421c1d464.yaml | 4 +
 ...evert-abandoned-vrrp-port-efff14edce62ad75.yaml | 5 +
 .../UDP-listener-health-d8fdf64a32e022d4.yaml | 6 +
 ...client-auth-vulnerability-6803f4bac2508e4c.yaml | 5 +
 ...s-and-port-in-udp-members-ff83395544f228cf.yaml | 6 +
 .../fix-udp-members-status-ef3202849bfda29b.yaml | 6 +
 ...fix-udp-server-status-bug-db4d3e38bcdf0554.yaml | 12 ++
 ...rver_certs_key_passphrase-6a9dfc190c9deba8.yaml | 6 +
 ...ame-ip-protocol-in-udp-lb-2813b545131097ec.yaml | 7 ++
 requirements.txt | 2 +-
 test-requirements.txt | 3 +-
 tox.ini | 11 +-
 zuul.d/projects.yaml | 20 ++--
 58 files changed, 790 insertions(+), 80 deletions(-)

Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt index a067bd05..1f9afe61 100644 --- a/requirements.txt +++ b/requirements.txt @@ -24 +24 @@ oslo.log>=3.36.0 # Apache-2.0 -oslo.messaging>=5.29.0 # Apache-2.0 +oslo.messaging>=6.3.0 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index e28d2d92..2bedb05b 100644 --- a/test-requirements.txt +++ b/test-requirements.txt 
@@ -21 +21,2 @@ tempest>=17.1.0 # Apache-2.0 -sphinx!=1.6.6,!=1.6.7,>=1.6.2 # BSD +sphinx!=1.6.6,!=1.6.7,>=1.6.2,<2.0.0;python_version=='2.7' # BSD +sphinx!=1.6.6,!=1.6.7,>=1.6.2;python_version>='3.4' # BSD
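
Review bot: the new oslo.messaging>=6.3.0 floor in requirements.txt has no matching entry under Upgrade Notes, which only covers the amphora image. Deployments that currently run an oslo.messaging release at or above 5.29.0 but below 6.3.0 will have to upgrade it together with octavia 3.2.0, so a release note saying so, and why the floor moved, would help operators plan. The diffstat lists a one-line change to lower-constraints.txt that is not shown here; confirm it carries the same 6.3.0 value.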
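
Review bot: the <2.0.0 cap on the python_version=='2.7' sphinx line in test-requirements.txt is unexplained. A short trailing comment giving the reason (Sphinx 2.0 dropped Python 2 support) would tell the next maintainer when the split can be collapsed back into one line. The two markers also leave Python 3.0 to 3.3 with no sphinx requirement at all, which is fine if those interpreters are unsupported but is worth stating in the comment.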
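
The server_certs_key_passphrase rule from the Bug Fixes list above, as an added example (not code from Octavia or from this announcement): a pre-upgrade check that reads an octavia.conf-style file and reports why a passphrase would be rejected. The [certificates] section name, the inclusion of '=' in the allowed alphabet, and the sample values are assumptions made for the example.

```python
import base64
import configparser
import re

# Url-safe base64 alphabet; including '=' (padding) is an assumption.
ALLOWED = re.compile(r"[A-Za-z0-9_=-]")
OPTION = "server_certs_key_passphrase"

# Constructed sample files; the [certificates] section name is an assumption.
GOOD_CONF = "[certificates]\n%s = 0123456789abcdefABCDEF-_01234567\n" % OPTION
BAD_SHORT = "[certificates]\n%s = insecure-key\n" % OPTION
BAD_CHARS = "[certificates]\n%s = 0123456789abcdefABCDEF+/01234567\n" % OPTION


def check_passphrase(value):
    """Return a list of problems; an empty list means the value passes."""
    problems = []
    if len(value) != 32:
        problems.append("length is %d, expected 32" % len(value))
    bad = sorted({c for c in value if not ALLOWED.fullmatch(c)})
    if bad:
        problems.append("characters outside url-safe base64: " + "".join(bad))
    return problems


def audit_conf(text, section="certificates"):
    """Check the passphrase found in INI-style config text."""
    # interpolation=None so a '%' in a secret is read literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_option(section, OPTION):
        return ["option not set in this file"]
    return check_passphrase(parser.get(section, OPTION))


def fernet_key_form(passphrase):
    """Url-safe base64 of the 32 passphrase bytes: the 44-character
    shape a Fernet key takes. Call only on values that pass the check."""
    return base64.urlsafe_b64encode(passphrase.encode("ascii"))


if __name__ == "__main__":
    for name, conf in [("good", GOOD_CONF), ("short", BAD_SHORT),
                       ("chars", BAD_CHARS)]:
        print(name, audit_conf(conf) or "ok")
```

The '+' and '/' in the third sample come from the standard base64 alphabet, which is the usual way a key generated with a generic base64 tool fails the url-safe requirement.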