[release-announce] octavia 4.1.2 (stein)

no-reply at openstack.org no-reply at openstack.org
Mon Jun 15 19:45:09 UTC 2020


We are tickled pink to announce the release of:

octavia 4.1.2: OpenStack Octavia Scalable Load Balancer as a Service

This release is part of the stein stable release series.

The source is available from:

    https://opendev.org/openstack/octavia

Download the package from:

    https://pypi.org/project/octavia

Please report issues through:

    https://storyboard.openstack.org/#!/project/908

For more details, please see below.

4.1.2
^^^^^


Upgrade Notes
*************

* After this upgrade, users will no longer be able to use network
  resources they cannot see or "show" on load balancers. Operators can
  revert this behavior by setting the "allow_invisible_resource_usage"
  configuration file setting to "True".

* Any amphorae running a py3 based image must be recycled or else
  they will eventually fail on certificate rotation.

* An amphora image update is recommended to pick up a workaround to
  an HAProxy issue where it would fail to reload on configuration
  change should the local peer name start with "-x".


Security Issues
***************

* Previously, if a user knew or could guess the UUID for a network
  resource, they could use that UUID to create load balancer resources
  using that UUID. Now the user must have permission to see or "show"
  the resource before it can be used with a load balancer. This will
  be the new default, but operators can disable this behavior by
  setting the configuration file setting
  "allow_invisible_resource_usage" to "True". This issue falls under
  the "Class C1" security issue as the user would require a valid
  UUID.
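
The visibility check described above, modelled as an added example that is not Octavia's own code: the `Subnet` store, `show_subnet` and `validate_vip_subnet` are hypothetical names, and the sample UUIDs and projects are constructed. Only the setting name "allow_invisible_resource_usage" comes from the release notes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subnet:
    id: str
    project_id: str
    shared: bool = False


# Constructed sample data, not real network records.
SUBNETS = {s.id: s for s in (
    Subnet("11111111-1111-4111-8111-111111111111", "project-a"),
    Subnet("22222222-2222-4222-8222-222222222222", "project-b"),
    Subnet("33333333-3333-4333-8333-333333333333", "project-b", shared=True),
)}


class NotVisible(Exception):
    """The caller may not "show" the requested resource."""


def show_subnet(subnet_id, project_id=None):
    """Hypothetical "show" call.

    project_id=None models a lookup that is not scoped to any user and
    therefore sees every subnet; otherwise only subnets the project
    owns, or shared ones, are visible.
    """
    subnet = SUBNETS.get(subnet_id)
    if subnet is None:
        raise NotVisible(subnet_id)
    if project_id is not None and not (
            subnet.shared or subnet.project_id == project_id):
        # Same error as "does not exist", so the response does not
        # confirm whether a guessed UUID is valid.
        raise NotVisible(subnet_id)
    return subnet


def validate_vip_subnet(subnet_id, user_project,
                        allow_invisible_resource_usage=False):
    """Resolve the subnet a user asked to attach to a load balancer."""
    if allow_invisible_resource_usage:
        # Reverted behaviour: any existing UUID is accepted.
        return show_subnet(subnet_id)
    # New default: the requesting user must be able to "show" it.
    return show_subnet(subnet_id, project_id=user_project)
```

With the default setting, a request from project-a naming project-b's private subnet is rejected exactly like a request for a UUID that does not exist.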


Bug Fixes
*********

* Fixed an issue where, when a load balancer is disabled, the Octavia
  Health Manager keeps failing over the amphorae.

* Add listener and pool protocol validation. The pool and listener
  can't be combined arbitrarily. We need some constraints on the
  protocol side.

* Resolved broken certificate upload on py3 based amphora images. On
  a housekeeping certificate rotation event, the amphora would clear
  out its server certificate and return a 500, putting the amphora in
  ERROR status and breaking further communication. See upgrade notes.

* Fixed an issue where the amphora image create tool would
  check out the master amphora-agent code and master upper constraints.

* Fixes an issue where load balancers with more than one TLS enabled
  listener, using client authentication and/or backend re-encryption,
  may load incorrect certificates for the listener.

* Fix a bug that could interrupt resource creation when performing a
  graceful shutdown of the house keeping service and leave resources
  such as amphorae in a BOOTING status.

* Fixed an issue where load balancers would go into ERROR when
  setting data not visible to providers (e.g. tags).

* Work around an HAProxy issue where it would fail to reload on
  configuration change should the local peer name start with "-x".

* Delay between checks on UDP healthmonitors was using the incorrect
  config value "timeout", when it should have been "delay".

Changes in octavia 4.1.1..4.1.2
-------------------------------

0c1e588d Fix multi-listener LB client auth/re-encryption
07ef9ef8 Fix allow_invisible_resource_usage typo in relnotes
8bd0fbc8 Workaround peer name starting with hyphen
cac753d3 Fix healthmanager not update amphora health when LB disable
e719a472 Validate resource access when creating loadbalancer or member
5f4fd9c5 Fix py3 amphora-agent cert-rotation type bug
80e389ad Correct delay between UDP healthchecks
bdfaba4c Fix load balancer update with provider filtered params
d3df7e43 Fix padding logic for UDP health daemon
aefbef12 Do not install diskimage-builder from Git
ae03653a Pick stale amphora randomly
5dd672c5 Do not run Tempest in octavia-grenade job
922c4987 Remove xenial based jobs from stein gates.
e3a95c9b Remove the barbican "Grant access" from cookbook
372e047a Fix uncaught DB exception when trying to get a spare amphora
24858a5a Use stable upper-constraints.txt in Amphora builds
84020ae6 Fix pep8 failures on stable/stein branch
4ebdce39 Fix multi-listener LB with missing certificate
c09d7299 Fix house keeping graceful shutdown
db75e58e Fix update API when barbican secret is missing
1f37a73e Add listener and pool protocol validation
d0ef7a82 Cap hacking version to <2
9904b26a Accept oslopolicy-policy-generator path arguments


Diffstat (except docs and test files)
-------------------------------------

api-ref/source/parameters.yaml                     |  15 +-
api-ref/source/v2/general.inc                      |  52 +++++++
devstack/plugin.sh                                 |   8 +-
devstack/settings                                  |   3 -
.../amphora-agent/source-repository-amphora-agent  |   4 +-
etc/octavia.conf                                   |  10 ++
.../agent/api_server/certificate_update.py         |   2 +-
.../amphorae/backends/utils/keepalivedlvs_query.py |   2 +-
.../amphorae/drivers/haproxy/rest_api_driver.py    |  98 ++++++++-----
octavia/api/v2/controllers/base.py                 |  12 ++
octavia/api/v2/controllers/l7policy.py             |  26 ++--
octavia/api/v2/controllers/listener.py             |  19 ++-
octavia/api/v2/controllers/load_balancer.py        |  28 ++--
octavia/api/v2/controllers/member.py               |   8 +-
octavia/api/v2/controllers/pool.py                 |   3 +-
octavia/cmd/house_keeping.py                       |  23 ++--
octavia/common/clients.py                          |  28 ++++
octavia/common/config.py                           |   6 +
octavia/common/constants.py                        |   8 ++
.../jinja/haproxy/combined_listeners/jinja_cfg.py  |  77 +++++------
octavia/common/jinja/lvs/templates/macros.j2       |  12 +-
octavia/common/policy.py                           |  13 +-
octavia/common/utils.py                            |   5 +-
octavia/common/validate.py                         |  13 +-
.../healthmanager/health_drivers/update_db.py      |  15 +-
octavia/controller/worker/tasks/database_tasks.py  |  48 ++-----
octavia/controller/worker/tasks/network_tasks.py   |   2 +-
octavia/db/repositories.py                         |  14 +-
octavia/network/base.py                            |   9 +-
octavia/network/drivers/neutron/base.py            |  21 +--
octavia/network/drivers/noop_driver/driver.py      |   6 +-
.../drivers/haproxy/test_rest_api_driver_0_5.py    |  30 ++--
.../drivers/haproxy/test_rest_api_driver_1_0.py    |  31 +++--
.../unit/certificates/generator/test_local.py      |   4 +-
.../haproxy/combined_listeners/test_jinja_cfg.py   |  32 +++--
.../unit/common/jinja/lvs/test_lvs_jinja_cfg.py    |  40 ++----
.../sample_configs/sample_configs_combined.py      |   8 +-
.../healthmanager/health_drivers/test_update_db.py |  22 ++-
.../controller/worker/tasks/test_database_tasks.py |  45 +-----
.../controller/worker/tasks/test_network_tasks.py  |  16 +++
.../unit/network/drivers/neutron/test_base.py      |  67 +++++++++
playbooks/legacy/grenade-devstack-octavia/run.yaml |  11 +-
...a-health-when-LB-disabled-46a4fb295c6d0850.yaml |   6 +
.../add-protocol-validation-0f9129a045e372ce.yaml  |   5 +
.../allow-invisible-subnets-e30b0b5fbd216294.yaml  |  16 +++
...nt-py3-cert-upload-binary-74e0ab35c5a85c68.yaml |  11 ++
...ora-agent-branch-checkout-e2eeb19c6aa09535.yaml |   5 +
...lient-auth-single-process-749af7791454ff03.yaml |   6 +
...ix-house-keeping-shutdown-17b04417a2c4849f.yaml |   6 +
...ix-lb-update-with-no-data-abefe7860b8fb4c7.yaml |   5 +
...ix-peer-name-prefix-hypen-e74a87e9a01b4f4c.yaml |  10 ++
...-based-on-correct-setting-6a60856de2927ccd.yaml |   5 +
test-requirements.txt                              |   2 +-
zuul.d/jobs.yaml                                   |   7 +-
zuul.d/projects.yaml                               |  21 ++-
66 files changed, 1090 insertions(+), 409 deletions(-)


Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt
index 8e0b2e39..14be4f6d 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -4 +4 @@
-hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
+hacking!=0.13.0,<0.14,>=0.12.0,<2 # Apache-2.0
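
Review bot: the `<2` bound appended on the `+hacking` line has no effect, because the same specifier already carries `<0.14`, which is the tighter upper limit. If the intent is only to mirror a cap applied on other branches, a short comment on the line saying so would help; otherwise drop the redundant `<2` so the requirement states a single upper bound.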





