Open Stack

We are tickled pink to announce the release of:

octavia 3.2.0: OpenStack Octavia Scalable Load Balancer as a Service

This release is part of the rocky stable release series.

The source is available from:

    https://opendev.org/openstack/octavia

Download the package from:

    https://pypi.org/project/octavia

Please report issues through:

    https://storyboard.openstack.org/#!/project/908

For more details, please see below.

3.2.0
^^^^^


Known Issues
************

* When a load balancer with a UDP listener is updated, the listener
  service is restarted, which causes an interruption of the flow of
  traffic during a short period of time. This issue is caused by a
  keepalived bug (https://github.com/acassen/keepalived/issues/1163)
  that was fixed in keepalived 2.0.14, but this package is not yet
  provided by distributions.


Upgrade Notes
*************

* To enable UDP listener monitoring when no pool is attached, the
  amphora image needs to be updated and load balancers with UDP
  listeners need to be failed over to the new image.


Security Issues
***************

* Correctly require two-way certificate authentication to connect to
  the amphora agent API (CVE-2019-17134).


Bug Fixes
*********

* Fixed an issue with the health manager reporting an
  UnboundLocalError if it gets an exception attempting to get a
  database connection.

* Fixes a potential DB deadlock in allocate_and_associate found in
  testing.

* Fixes an issue where, if we were unable to attach the base (VRRP)
  port to an amphora instance, the revert would not clean up the port
  in neutron.

* Add support for monitor_address and monitor_port attributes in UDP
  members. Previously, monitor_address and monitor_port were ignored
  and address and protocol_port attributes were used as monitoring
  address and port.

* Fix operating_status for pools and members that use UDP protocol.
  operating_status values are now consistant with the values of non-
  UDP load balancers.

* Fix a bug that prevented UDP servers to be restored as members of
  a pool after removing a health monitor resource.

* The passphrase for config option 'server_certs_key_passphrase' is
  used as a Fernet key in Octavia and thus must be 32, base64(url)
  compatible, characters long. Octavia will now validate the
  passphrase length and format.

* Adding a member with different IP protocol version than the VIP IP
  protocol version in a UDP load balancer caused a crash in the
  amphora. A validation step in the amphora driver now prevents mixing
  IP protocol versions in UDP load balancers.

Changes in octavia 3.1.1..3.2.0
-------------------------------

624ff08f Fix urgent amphora two-way auth security bug
0dc557cb Fix member API handling of None/null updates
1756b19e Validate server_certs_key_passphrase is 32 chars
e3cc8f8f Work around strptime threading issue
0aace571 Fix base (VRRP) port abandoned on revert
cf0fa1d7 Do not run non-voting jobs in gate
e0913562 Fix l7rule API handling of None updates
6906f9f8 Fix template that generates vrrp check script
3e3a6977 Revert "Use the infra pypi mirror for DIB"
7722133f Add failover logging to show the amphora details.
3e1d0abe only rollback DB when we have a connection to the DB
0f8eabab Fix L7 repository create methods
7486abcc Use the infra pypi mirror for DIB
f58b07fd Add warning log if auth_strategy is not keystone
4074dbd9 elements: add arch property for ``open-vm-tools``
4494c621 worker: Re-add FailoverPreparationForAmphora
14169cbc Prevent UDP LBs to use different IP protocol versions in amphora driver
7a2491ad Fixed down server issue after reloading keepalived
f08e21fd Fixed pool and members status with UDP loadbalancers
b97bfe64 Add support for monitor_{address,port} in UDP members
eb9ebe4c Add octavia-v2-dsvm jobs to the gate queue
af9ecfe0 Update tox.ini for new upper constraints strategy
5bc9a788 Add bindep.txt for Octavia
2f8fcedc Update amphora-agent to report UDP listener health
93123614 Fix auto setup Barbican's ACL in the legacy driver.
ac6ff98d Fix allocate_and_associate DB deadlock
7e865435 Fix for utils LB DM transformation function


Diffstat (except docs and test files)
-------------------------------------

bindep.txt                                         |   2 +
elements/amphora-agent/package-installs.yaml       |   1 +
lower-constraints.txt                              |   2 +-
.../backends/agent/api_server/keepalivedlvs.py     |   7 ++
.../templates/keepalived_check_script.conf.j2      |   2 +-
.../backends/health_daemon/health_daemon.py        |  12 +-
.../amphorae/backends/utils/keepalivedlvs_query.py |  64 +++++++++--
octavia/api/drivers/amphora_driver/driver.py       |  26 +++++
octavia/api/drivers/utils.py                       |   1 +
octavia/api/v2/controllers/l7rule.py               |   5 +
octavia/api/v2/controllers/load_balancer.py        |   4 +-
octavia/api/v2/controllers/member.py               |  18 +++
octavia/api/v2/types/member.py                     |   6 +-
octavia/certificates/common/local.py               |   6 +-
octavia/certificates/manager/barbican.py           |   8 ++
octavia/certificates/manager/barbican_legacy.py    |  28 +++--
octavia/cmd/agent.py                               |   3 +-
octavia/cmd/api.py                                 |   6 +
octavia/common/base_taskflow.py                    |   3 +
octavia/common/constants.py                        |   2 +
octavia/common/jinja/lvs/jinja_cfg.py              |   4 +-
octavia/common/jinja/lvs/templates/macros.j2       |  10 +-
octavia/common/validate.py                         |   2 +
octavia/controller/healthmanager/health_manager.py |   4 +-
octavia/controller/worker/controller_worker.py     |  26 ++++-
octavia/controller/worker/flows/amphora_flows.py   |   4 +
octavia/db/repositories.py                         |   9 ++
.../drivers/neutron/allowed_address_pairs.py       |  17 +++
.../backends/health_daemon/test_health_daemon.py   |  13 ++-
.../backends/utils/test_keepalivedlvs_query.py     |  89 +++++++++++++--
.../drivers/amphora_driver/test_amphora_driver.py  | 125 ++++++++++++++++++++-
.../unit/certificates/manager/test_barbican.py     |  15 +++
.../certificates/manager/test_barbican_legacy.py   |  16 ++-
.../unit/common/jinja/lvs/test_lvs_jinja_cfg.py    |  56 +++++++++
.../unit/common/sample_configs/sample_configs.py   |  22 +++-
.../healthmanager/test_health_manager.py           |  18 +++
.../drivers/neutron/test_allowed_address_pairs.py  |  37 ++++++
...DB-Rollback-no-connection-2664c4f7823ecaec.yaml |   5 +
...te_and_associate-deadlock-3ff1464421c1d464.yaml |   4 +
...evert-abandoned-vrrp-port-efff14edce62ad75.yaml |   5 +
.../UDP-listener-health-d8fdf64a32e022d4.yaml      |   6 +
...client-auth-vulnerability-6803f4bac2508e4c.yaml |   5 +
...s-and-port-in-udp-members-ff83395544f228cf.yaml |   6 +
.../fix-udp-members-status-ef3202849bfda29b.yaml   |   6 +
...fix-udp-server-status-bug-db4d3e38bcdf0554.yaml |  12 ++
...rver_certs_key_passphrase-6a9dfc190c9deba8.yaml |   6 +
...ame-ip-protocol-in-udp-lb-2813b545131097ec.yaml |   7 ++
requirements.txt                                   |   2 +-
test-requirements.txt                              |   3 +-
tox.ini                                            |  11 +-
zuul.d/projects.yaml                               |  20 ++--
58 files changed, 790 insertions(+), 80 deletions(-)


Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt
index a067bd05..1f9afe61 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -24 +24 @@ oslo.log>=3.36.0 # Apache-2.0
-oslo.messaging>=5.29.0 # Apache-2.0
+oslo.messaging>=6.3.0 # Apache-2.0
diff --git a/test-requirements.txt b/test-requirements.txt
index e28d2d92..2bedb05b 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -21 +21,2 @@ tempest>=17.1.0 # Apache-2.0
-sphinx!=1.6.6,!=1.6.7,>=1.6.2 # BSD
+sphinx!=1.6.6,!=1.6.7,>=1.6.2,<2.0.0;python_version=='2.7' # BSD
+sphinx!=1.6.6,!=1.6.7,>=1.6.2;python_version>='3.4' # BSD