[release-announce] octavia 11.0.1 (zed)
no-reply at openstack.org
Thu Jul 20 11:54:19 UTC 2023
We contentedly announce the release of:
octavia 11.0.1: OpenStack Octavia Scalable Load Balancer as a Service
This release is part of the zed stable release series.
The source is available from:
https://opendev.org/openstack/octavia
Download the package from:
https://pypi.org/project/octavia
Please report issues through:
https://storyboard.openstack.org/#!/project/908
For more details, please see below.
11.0.1
^^^^^^
Security Issues
***************
* Filter out private information from the taskflow logs when
"INFO" level messages are enabled and when jobboard is enabled.
Logs might have included TLS certificates and private_key. By
default, in Octavia only WARNING and above messages are enabled in
taskflow and jobboard is disabled.
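The kind of filtering described above, as an added example (not Octavia's or taskflow's own code): a Python logging filter that masks PEM blocks and sensitive keys before a record reaches a handler. The key names, the logger name and the sample key are constructed for illustration.

```python
import io
import logging
import re

# PEM blocks, also when newlines were escaped by repr() of a dict.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)
# Assumed key names; adjust to the parameters your flows carry.
SENSITIVE_KEYS = ("private_key", "certificate", "intermediates", "passphrase")


def scrub(value):
    """Return a copy of value with sensitive keys and PEM blocks masked."""
    if isinstance(value, dict):
        return {k: "***" if k in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        items = [scrub(v) for v in value]
        return items if isinstance(value, list) else tuple(items)
    if isinstance(value, str):
        return PEM_RE.sub(lambda m: "<redacted %s>" % m.group(1), value)
    return value


class RedactSecretsFilter(logging.Filter):
    """Mask secrets in a record's arguments and in its rendered message."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = scrub(record.args)
        elif record.args:
            record.args = tuple(scrub(a) for a in record.args)
        # Render once, scrub the result, and drop the raw arguments.
        record.msg, record.args = scrub(record.getMessage()), None
        return True  # the record is kept; only its content changes


def demo():
    """Log a constructed flow-parameter dict at INFO and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # On the handler: logger-level filters skip records propagated from children.
    handler.addFilter(RedactSecretsFilter())
    log = logging.getLogger("taskflow.demo")  # constructed logger name
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    pem = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----"
    log.info("Flow started with %s", {"tls": {"private_key": pem}, "note": pem})
    log.removeHandler(handler)
    return stream.getvalue()
```

The final string scrub only catches PEM-shaped text; a secret that is not PEM and sits under a key missing from SENSITIVE_KEYS still passes through.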
Bug Fixes
*********
* Added a filter to hide a bogus ComputeWaitTimeoutException
exception when creating an amphora when jobboard is disabled. This
exception is part of the flow when creating a load balancer or an
amphora and should not be shown to the user.
* The parameters of a taskflow Flow were logged in "INFO" level
messages by taskflow; they included TLS-enabled listener and pool
parameters, such as certificates and private_key.
* Fix an authentication error with Barbican when creating a
TERMINATED_HTTPS listener with application credential tokens or
trust IDs.
* Fixed a potential race condition in the member batch update API
call; the load balancers might not have been locked properly.
* Fixed a "corrupted global server state file" error in CentOS 9
Stream when reloading the state of the servers after restarting
haproxy. It also fixed the recovery of the operational state of
the servers in haproxy after its restart.
* Fix a bug where the full graph of a load balancer is created without
listeners if jobboard_enabled=False.
* Fixed a bug that prevented Octavia from creating listeners with
the fully-populated load balancer API in SINGLE topology mode.
* Fixed backwards compatibility issue with the feature that
preserves HAProxy server states between reloads. HAProxy versions 1.5
or below do not support this feature, so Octavia will not
activate it on amphorae with those versions.
* Fixed a bug that didn't set all the active load balancer Health
Monitors ONLINE in populated LB single-create calls.
* Fix a bug that prevented the operating_status of a health-monitor
from being set to ONLINE when IPv6 addresses were enclosed within square
brackets in "controller_ip_port_list".
* Fixed a potential error when plugging a member from a new network
after deleting another member and unplugging its network. Octavia
may have tried to plug the new network to a new interface but with
an already existing name. This fix requires updating the Amphora
image.
* Fix an issue with PING health-monitors on CentOS 8 Stream. Changes
in CentOS and systemd prevent an unprivileged user from sending ping
requests from a network namespace.
* Fixed a bug that didn't set the correct provisioning_status for
unattached pools when creating a fully-populated load balancer.
* Fixed an SELinux issue with TCP-based health-monitors on UDP
pools: some specific monitoring ports were denied by SELinux. The
Amphora image now enables the "keepalived_connect_any" SELinux
boolean that allows connections to any ports.
* When plugging a new member subnet, the amphora sends an IP
advertisement of the newly allocated IP. It allows the servers on
the same L2 network to flush the ARP entries of a previously
allocated IP address.
Changes in octavia 11.0.0..11.0.1
---------------------------------
4d52ce9c Fix TCP HMs on UDP pools with SELinux
2e034c1e Fix hm operating status to ONLINE in single lb call
05b33434 Avoid interface name collisions in the amphora
396785da Fix pool creation with single LB create call
ba0c244d Fix pep8 error
6a380e37 Send IP advertisements when plugging a new member subnet
332d7dee Fix octavia to accept [ipv6]:port
b2437857 Fix ORM caching for with_for_update calls
c87fbc07 Fix grenade job & pin pylint on stable/branches
4022aaf7 Filter out details from taskflow logs with v2+jobboard
0bc7d289 Filter ComputeWaitTimeoutException when jobboard is disabled
8cd697e8 Fix PING health-monitor with recent Centos releases
4e9203ad Fix listener creation with fully-populated API
cfd87ccb Fix full graph loadbalancer creation if jobboard is disabled
572c0dac Add a newline when writing the server state file
fb2e1d2e Handle feature compatibility of HAProxy server-state-file option
48fad7c2 Fix prometheus-proxy service name in Red Hat-based distros
960977cc Fix barbican client with application credentials/trusts
b7fc5b10 Add *.orig to .gitignore
4f2a019d Update TOX_CONSTRAINTS_FILE for stable/zed
d8ec4499 Update .gitreview for stable/zed
Diffstat (except docs and test files)
-------------------------------------
.gitignore | 1 +
.gitreview | 1 +
.../12-enable-prometheus-proxy-systemd | 2 +-
.../amphora-agent/source-repository-amphora-agent | 4 +-
elements/amphora-agent/svc-map | 3 +
.../post-install.d/50-selinux-policies | 3 +
.../post-install.d/20-haproxy-tune-kernel | 8 +++
elements/octavia-lib/source-repository-octavia-lib | 2 +-
octavia/amphorae/backends/agent/api_server/plug.py | 25 +++++--
octavia/amphorae/backends/agent/api_server/util.py | 21 ++++++
.../backends/health_daemon/health_sender.py | 2 +
octavia/amphorae/backends/utils/haproxy_query.py | 2 +-
octavia/certificates/common/auth/barbican_acl.py | 27 ++++----
octavia/common/base_taskflow.py | 44 ++++++++++++
octavia/common/constants.py | 1 +
.../jinja/haproxy/combined_listeners/jinja_cfg.py | 4 +-
.../haproxy/combined_listeners/templates/base.j2 | 2 +
.../combined_listeners/templates/haproxy.cfg.j2 | 2 +-
.../haproxy/combined_listeners/templates/macros.j2 | 4 +-
.../controller/worker/v1/flows/listener_flows.py | 3 +
.../worker/v1/flows/load_balancer_flows.py | 31 +++++----
.../controller/worker/v1/tasks/database_tasks.py | 44 +++++++++++-
octavia/controller/worker/v2/controller_worker.py | 7 +-
.../controller/worker/v2/flows/listener_flows.py | 3 +
.../worker/v2/flows/load_balancer_flows.py | 32 +++++----
.../controller/worker/v2/tasks/database_tasks.py | 45 +++++++++++-
octavia/db/repositories.py | 80 +++++++++++++++-------
octavia/hacking/checks.py | 2 +-
.../backend/agent/api_server/test_server.py | 19 +++--
.../agent/api_server/test_haproxy_compatibility.py | 2 -
.../backends/agent/api_server/test_plug.py | 60 ++++++++++++++--
.../backends/agent/api_server/test_util.py | 35 ++++++++++
.../backends/health_daemon/test_health_sender.py | 18 +++++
.../amphorae/backends/utils/test_haproxy_query.py | 2 +-
.../certificates/common/auth/test_barbican_acl.py | 3 +-
.../haproxy/combined_listeners/test_jinja_cfg.py | 69 +++++++------------
.../sample_configs/sample_configs_combined.py | 5 +-
.../worker/v1/flows/test_load_balancer_flows.py | 7 +-
.../worker/v1/tasks/test_database_tasks.py | 63 +++++++++++++++--
.../worker/v2/flows/test_load_balancer_flows.py | 7 +-
.../worker/v2/tasks/test_database_tasks.py | 56 ++++++++++++++-
.../controller/worker/v2/test_controller_worker.py | 47 +++++++++++++
...on-when-jobboard-disabled-6f1375463f5a71dc.yaml | 7 ++
...mation-from-taskflow-logs-0d8697140423b4d5.yaml | 12 ++++
...tial-tokens-with-barbican-3b7d13283206c124.yaml | 5 ++
...ber-update-race-condition-09b82e2cc3121e03.yaml | 5 ++
...-global-server-state-file-325ab7c62e21ff14.yaml | 7 ++
...dbalancer-creation-if-jobboard-is-disabled.yaml | 5 ++
...opulated-lb-with-listener-92a369ea8d57e8f5.yaml | 5 ++
...y-about-server-state-file-df70e5ac859417e2.yaml | 7 ++
...-online-in-single-lb-call-214a7ca22937a877.yaml | 5 ++
...ress-enclosed-in-brackets-c1cfc4717465ba09.yaml | 6 ++
...twork-interface-collision-939fd32587ea3344.yaml | 8 +++
...-ping-hm-on-centos-stream-6624f19c8da86e22.yaml | 6 ++
...tatus-on-lb-single-create-897070aee0a42da6.yaml | 5 ++
...linux-tcp-hm-on-udp-pools-89c3b8db89e359ba.yaml | 7 ++
...-subnet-ip-advertisements-af2264844079ef6b.yaml | 6 ++
test-requirements.txt | 2 +-
tox.ini | 8 +--
zuul.d/jobs.yaml | 9 +--
62 files changed, 811 insertions(+), 186 deletions(-)
Requirements updates
--------------------
diff --git a/test-requirements.txt b/test-requirements.txt
index 051ebbdf..9fc15cb1 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -11 +11 @@ oslotest>=3.2.0 # Apache-2.0
-pylint>=2.5.3 # GPLv2
+pylint>=2.5.3,<=2.15.10 # GPLv2
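Review bot: the new cap on line 11, pylint>=2.5.3,<=2.15.10, carries no comment explaining why pylint is pinned, so a later requirements sync cannot tell whether the bound is still needed. Add a short comment naming the reason (the change list refers to pinning pylint on stable branches), and confirm that excluding later 2.15.x patch releases is intended; if the aim is to stay on the 2.15 series, <2.16 states that directly.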