[release-announce] octavia 5.0.2 (train)

no-reply at openstack.org
Mon Jun 29 12:11:24 UTC 2020


We joyfully announce the release of:

octavia 5.0.2: OpenStack Octavia Scalable Load Balancer as a Service

This release is part of the train stable release series.

The source is available from:

    https://opendev.org/openstack/octavia

Download the package from:

    https://pypi.org/project/octavia

Please report issues through:

    https://storyboard.openstack.org/#!/project/908

For more details, please see below.

5.0.2
^^^^^


Upgrade Notes
*************

* After this upgrade, users will no longer be able to use network
  resources they cannot see or "show" on load balancers. Operators can
  revert this behavior by setting the "allow_invisible_resource_usage"
  configuration file setting to "True".

* Any amphorae running a py3 based image must be recycled or else
  they will eventually fail on certificate rotation.

* An amphora image update is recommended to pick up a workaround to
  an HAProxy issue where it would fail to reload on configuration
  change should the local peer name start with "-x".


Security Issues
***************

* Previously, if a user knew or could guess the UUID for a network
  resource, they could use that UUID to create load balancer resources
  using that UUID. Now the user must have permission to see or "show"
  the resource before it can be used with a load balancer. This will
  be the new default, but operators can disable this behavior by
  setting the configuration file setting
  "allow_invisible_resource_usage" to "True". This issue falls under
  the "Class C1" security issue as the user would require a valid
  UUID.
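
The check described above, as an added example: a simplified, constructed model that is not Octavia's own code. Only the "allow_invisible_resource_usage" name comes from this announcement; FakeNetworkService, resolve_vip_subnet and try_create are hypothetical, and visibility is reduced to project ownership.

```python
"""Constructed model of the visibility check in the Security Issues note."""


class NotVisible(Exception):
    """The caller's own credentials cannot 'show' the resource."""


class FakeNetworkService:
    """Hypothetical stand-in for the network service: subnet UUID -> owner."""

    def __init__(self, subnets):
        self._subnets = subnets

    def show_subnet(self, subnet_id, project_id=None):
        # project_id=None models a service account that can see every subnet.
        owner = self._subnets.get(subnet_id)
        if owner is None or (project_id is not None and owner != project_id):
            # Same error for "missing" and "hidden": no existence oracle.
            raise NotVisible(subnet_id)
        return {"id": subnet_id, "project_id": owner}


def resolve_vip_subnet(net, subnet_id, user_project,
                       allow_invisible_resource_usage=False):
    """Return the subnet for a new load balancer, or raise NotVisible."""
    if allow_invisible_resource_usage:
        # Previous behaviour: lookup is not scoped, so any valid UUID works.
        return net.show_subnet(subnet_id)
    # New default: the lookup is scoped to the requesting user's project.
    return net.show_subnet(subnet_id, project_id=user_project)


def try_create(net, subnet_id, user_project, **kwargs):
    """Return 'ACCEPTED' or 'REJECTED' for a load balancer create request."""
    try:
        resolve_vip_subnet(net, subnet_id, user_project, **kwargs)
        return "ACCEPTED"
    except NotVisible:
        return "REJECTED"


# Constructed sample data: one subnet owned by project "tenant-a".
SUBNET_A = "00000000-0000-0000-0000-000000000001"
NET = FakeNetworkService({SUBNET_A: "tenant-a"})

if __name__ == "__main__":
    print(try_create(NET, SUBNET_A, "tenant-a"))
    print(try_create(NET, SUBNET_A, "tenant-b"))
    print(try_create(NET, SUBNET_A, "tenant-b",
                     allow_invisible_resource_usage=True))
```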


Bug Fixes
*********

* Fixed an issue where, when a loadbalancer is disabled, the Octavia
  Health Manager keeps failing over the amphorae.

* Add listener and pool protocol validation. The pool and listener
  can't be combined arbitrarily. We need some constraints on the
  protocol side.

* Resolved broken certificate upload on py3 based amphora images. On
  a housekeeping certificate rotation event, the amphora would clear
  out its server certificate and return a 500, putting the amphora in
  ERROR status and breaking further communication. See upgrade notes.

* Fixed an issue where the amphora image create tool would
  check out the master amphora-agent code and master upper constraints.

* Fixes an issue where load balancers with more than one TLS enabled
  listener, using client authentication and/or backend re-encryption,
  may load incorrect certificates for the listener.

* Fix a bug that could interrupt resource creation when performing a
  graceful shutdown of the house keeping service and leave resources
  such as amphorae in a BOOTING status.

* Fixed an issue where load balancers would go into ERROR when
  setting data not visible to providers (e.g. tags).

* Work around an HAProxy issue where it would fail to reload on
  configuration change should the local peer name start with "-x".

* Delay between checks on UDP healthmonitors was using the incorrect
  config value "timeout", when it should have been "delay".


Other Notes
***********

* Amphorae that are booting for a specific loadbalancer will now be
  linked to that loadbalancer immediately upon creation. Previously
  this would not happen until near the end of the process, leaving a
  gap during booting during which it was difficult to understand which
  booting amphora belonged to which loadbalancer. This was especially
  problematic when attempting to troubleshoot loadbalancers that
  entered ERROR status due to boot issues.

Changes in octavia 5.0.1..5.0.2
-------------------------------

2a18b6cc Fix neutron subnet lookup ignoring endpoint_type
1a4ccf49 Fix netcat option in udp_check.sh for CentOS/RHEL
cc2c3c48 Fix batch member create for v1 amphora driver
ffeb030e Update the lb_id on an amp earlier if we know it
e358637a Fixed a bug: replace 'startwith' with 'startswith'
b35f77d3 Workaround peer name starting with hyphen
4a95b354 Do not install diskimage-builder from Git
09e863eb Fix getting user neutron client
fb8ec7a3 Fix padding logic for UDP health daemon
43a3897d Fix py3 amphora-agent cert-rotation type bug
17d66e26 Correct delay between UDP healthchecks
734a87b4 Fix healthmanager not update amphora health when LB disable
7fa2f933 Disable catching-non-exception in pylint
1933ede0 Validate resource access when creating loadbalancer or member
26dc84f5 Stop "dnf makecache" in the amphora images
5bdecaaf Pick stale amphora randomly
535dc7c6 Fix load balancer update with provider filtered params
cb55a8cf Remove the barbican "Grant access" from cookbook
b989f941 Add a periodic image build job
0c1cb417 Fix uncaught DB exception when trying to get a spare amphora
b0334859 Use stable upper-constraints.txt in Amphora builds
164aed0e Fix house keeping graceful shutdown
a59e7235 Use LUKS1 for certfs-ramfs for all distributions
84c10796 Fix multi-listener LB client auth/re-encryption
db26a3c9 Revert "Fix gate issue with DIB"
df5db0b0 Fix multi-listener LB with missing certificate
87704d42 Add listener and pool protocol validation
85f7abbb Cap hacking version to <2
343e3d8f Fix update API when barbican secret is missing
b91a6545 Accept oslopolicy-policy-generator path arguments


Diffstat (except docs and test files)
-------------------------------------

.pylintrc                                          |   1 +
api-ref/source/parameters.yaml                     |  15 +-
api-ref/source/v2/general.inc                      |  52 +++++++
devstack/plugin.sh                                 |   8 +-
devstack/settings                                  |   3 -
diskimage-create/diskimage-create.sh               |   5 +
.../amphora-agent/source-repository-amphora-agent  |   4 +-
.../certs-ramfs/static/usr/local/bin/certfs-ramfs  |  17 +--
elements/disable-makecache/README.rst              |   6 +
.../post-install.d/80-disable-makecache            |  18 +++
elements/disable-makecache/svc-map                 |   2 +
.../pre-install.d/05-rm-pydistutils                |   5 -
etc/octavia.conf                                   |  10 ++
.../agent/api_server/certificate_update.py         |   2 +-
.../amphorae/backends/utils/keepalivedlvs_query.py |   2 +-
octavia/amphorae/backends/utils/udp_check.sh       |  14 +-
.../amphorae/drivers/haproxy/rest_api_driver.py    |  98 ++++++++-----
octavia/api/v2/controllers/base.py                 |  12 ++
octavia/api/v2/controllers/l7policy.py             |  26 ++--
octavia/api/v2/controllers/listener.py             |  13 +-
octavia/api/v2/controllers/load_balancer.py        |  28 ++--
octavia/api/v2/controllers/member.py               |   8 +-
octavia/api/v2/controllers/pool.py                 |   3 +-
octavia/cmd/house_keeping.py                       |  23 ++--
octavia/common/clients.py                          |  29 +++-
octavia/common/config.py                           |   6 +
octavia/common/constants.py                        |   8 ++
.../jinja/haproxy/combined_listeners/jinja_cfg.py  |  77 +++++------
octavia/common/jinja/lvs/templates/macros.j2       |  12 +-
octavia/common/policy.py                           |  13 +-
octavia/common/utils.py                            |   5 +-
octavia/common/validate.py                         |  13 +-
.../healthmanager/health_drivers/update_db.py      |  17 ++-
octavia/controller/worker/v1/controller_worker.py  |  15 +-
.../controller/worker/v1/flows/amphora_flows.py    |   1 +
.../controller/worker/v1/tasks/database_tasks.py   |  50 ++-----
.../controller/worker/v1/tasks/network_tasks.py    |   2 +-
.../controller/worker/v2/flows/amphora_flows.py    |   1 +
.../controller/worker/v2/tasks/database_tasks.py   |  35 +----
.../controller/worker/v2/tasks/network_tasks.py    |   2 +-
octavia/db/repositories.py                         |  14 +-
octavia/network/base.py                            |   9 +-
octavia/network/drivers/neutron/base.py            |  21 +--
octavia/network/drivers/noop_driver/driver.py      |   6 +-
.../drivers/haproxy/test_rest_api_driver_0_5.py    |  30 ++--
.../drivers/haproxy/test_rest_api_driver_1_0.py    |  31 +++--
.../haproxy/combined_listeners/test_jinja_cfg.py   |  32 +++--
.../unit/common/jinja/lvs/test_lvs_jinja_cfg.py    |  40 ++----
.../sample_configs/sample_configs_combined.py      |   8 +-
.../healthmanager/health_drivers/test_update_db.py |  22 ++-
.../worker/v1/tasks/test_database_tasks.py         |  45 +-----
.../worker/v1/tasks/test_network_tasks.py          |  16 +++
.../controller/worker/v1/test_controller_worker.py |   4 +-
.../worker/v2/flows/test_amphora_flows.py          |  24 +++-
.../worker/v2/tasks/test_database_tasks.py         |  46 +------
.../worker/v2/tasks/test_network_tasks.py          |  16 +++
.../unit/network/drivers/neutron/test_base.py      |  67 +++++++++
...a-health-when-LB-disabled-46a4fb295c6d0850.yaml |   6 +
.../add-protocol-validation-0f9129a045e372ce.yaml  |   5 +
.../allow-invisible-subnets-e30b0b5fbd216294.yaml  |  16 +++
...nt-py3-cert-upload-binary-74e0ab35c5a85c68.yaml |  11 ++
...ora-agent-branch-checkout-e2eeb19c6aa09535.yaml |   5 +
...lient-auth-single-process-749af7791454ff03.yaml |   6 +
...ix-house-keeping-shutdown-17b04417a2c4849f.yaml |   6 +
...ix-lb-update-with-no-data-abefe7860b8fb4c7.yaml |   5 +
...ix-peer-name-prefix-hypen-e74a87e9a01b4f4c.yaml |  10 ++
...a-to-loadbalancer-earlier-ab3dddec48b8da96.yaml |   9 ++
...-based-on-correct-setting-6a60856de2927ccd.yaml |   5 +
requirements.txt                                   |   3 +-
test-requirements.txt                              |   4 +-
zuul.d/jobs.yaml                                   |  14 ++
zuul.d/projects.yaml                               |   1 +
82 files changed, 1212 insertions(+), 482 deletions(-)


Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt
index 239b8f99..c0f90407 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -60 +60,2 @@ pyroute2>=0.4.21;sys_platform!='win32' # Apache-2.0 (+ dual licensed GPL2)
-gunicorn>=19.9.0 # MIT
+gunicorn>=19.9.0,<20.0.0;python_version<'3.0' # MIT
+gunicorn>=19.9.0;python_version>='3.0' # MIT
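Review bot: the `python_version>='3.0'` line leaves gunicorn open-ended above 19.9.0 while the `python_version<'3.0'` line stops at `<20.0.0`, and the trailing comment on both lines is only the license. Add a short comment on the capped line saying why 20.x is excluded for Python 2, so the marker split can be removed cleanly once the Python 2 line is no longer needed.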
diff --git a/test-requirements.txt b/test-requirements.txt
index 8e8b4466..18e1edeb 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -4 +4 @@
-hacking>=1.1.0 # Apache-2.0
+hacking>=1.1.0,<2 # Apache-2.0
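Review bot: the new cap on the `hacking` line is written `<2`, while the other upper bound visible in this file uses the full form (`<2.0.0` on the sphinx line for Python 2.7). Consider `hacking>=1.1.0,<2.0.0` so the caps in this file read the same way.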
@@ -23 +23 @@ sphinx!=1.6.6,!=1.6.7,>=1.6.2,<2.0.0;python_version=='2.7'  # BSD
-sphinx!=1.6.6,!=1.6.7,>=1.6.2;python_version>='3.4'  # BSD
+sphinx!=1.6.6,!=1.6.7,!=2.1.0,>=1.6.2;python_version>='3.4'  # BSD
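Review bot: the `!=2.1.0` exclusion on the `python_version>='3.4'` sphinx line is added with no note of what breaks with that release; the trailing comment is only `# BSD`. The line now carries three single-version exclusions, so a brief comment or bug reference for 2.1.0 would let a later cleanup tell which of them are still needed.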





