Workaround peer name starting with hyphen
The base64_sha_string method is used to set a base64-encoded peer name in HAProxy. There are cases where the peer name can start with an hypen which is troublesome when used in HAProxy CLI. Specifically, HAProxy fails to reload when local peer name starts with '-x' [1]. When this is the case, an amphora goes to provisioning status ERROR and later is scheduled for failover by the Octavia Health Manager service. A new amphora UUUID is assigned and base64 encoded, hopefully not starting with '-x' again. However, this is far from being ideal -- we incur in a dataplane disruption (single topology) or reduce HA capabilities (active-standby topology) for some time. Four possible options: a) add prefix to peer name b) change b64encode altchars c) quote peer name in haproxy CLI command d) substitute first character if hyphen Option a) and b) are not backward compatible with running amphorae. Peer names of existing amphorae that do not start with hypen but contain hyphen at any other position would get different peer names. Option c) would nonetheless still require an amphora image update to add quotes in the HAProxy init service file. Continuing to generate peer names with hyphens at begininng of the string is avoidable and recommended. Option d), while also requiring an amphora image update, it would get rid of hyphens in begining of the peer names. It is also backward compatible with all running amphorae, except for those starting with hyphen but are broken anyways. This patch takes option d). It substitutes hyphen with 'x' character. [1] https://github.com/haproxy/haproxy/issues/644 Task: 39850 Story: 2007714 Change-Id: Ib0fc26877710dea423a5ebcf1f71077665404377 (cherry picked from commitacc38391de
) (cherry picked from commitdf36c2c8ca
) (cherry picked from commite0b53b2cc7
)
This commit is contained in:
parent
174a34c74b
commit
8bd0fbc8ba
|
@ -20,6 +20,7 @@
|
||||||
|
|
||||||
import base64
|
import base64
|
||||||
import hashlib
|
import hashlib
|
||||||
|
import re
|
||||||
import socket
|
import socket
|
||||||
|
|
||||||
import netaddr
|
import netaddr
|
||||||
|
@ -45,7 +46,9 @@ def base64_sha1_string(string_to_hash):
|
||||||
# break backwards compatibility with existing loadbalancers.
|
# break backwards compatibility with existing loadbalancers.
|
||||||
hash_str = hashlib.sha1(string_to_hash.encode('utf-8')).digest() # nosec
|
hash_str = hashlib.sha1(string_to_hash.encode('utf-8')).digest() # nosec
|
||||||
b64_str = base64.b64encode(hash_str, str.encode('_-', 'ascii'))
|
b64_str = base64.b64encode(hash_str, str.encode('_-', 'ascii'))
|
||||||
return b64_str.decode('UTF-8')
|
b64_sha1 = b64_str.decode('UTF-8')
|
||||||
|
# https://github.com/haproxy/haproxy/issues/644
|
||||||
|
return re.sub(r"^-", "x", b64_sha1)
|
||||||
|
|
||||||
|
|
||||||
def get_network_driver():
|
def get_network_driver():
|
||||||
|
|
|
@ -60,3 +60,18 @@ class TestConfig(base.TestCase):
|
||||||
utils.ip_netmask_to_cidr('10.0.0.1', '255.255.240.0'))
|
utils.ip_netmask_to_cidr('10.0.0.1', '255.255.240.0'))
|
||||||
self.assertEqual('10.0.0.0/30', utils.ip_netmask_to_cidr(
|
self.assertEqual('10.0.0.0/30', utils.ip_netmask_to_cidr(
|
||||||
'10.0.0.1', '255.255.255.252'))
|
'10.0.0.1', '255.255.255.252'))
|
||||||
|
|
||||||
|
def test_base64_sha1_string(self):
|
||||||
|
str_to_sha1 = [
|
||||||
|
# no special cases str (no altchars)
|
||||||
|
('77e7d60d-e137-4246-8a84-a25db33571cd',
|
||||||
|
'iVZVQ5AKmk2Ae0uGLP0Ue4OseRM='),
|
||||||
|
# backward compat amphorae with - in str[1:]
|
||||||
|
('9c6e5f27-a0da-4ceb-afe5-5a81230be42e',
|
||||||
|
'NjrNgt3Egl-H5ScbYM5ChtUH3M8='),
|
||||||
|
# sha1 would start with -, now replaced with x
|
||||||
|
('4db4a3cf-9fef-4057-b1fd-b2afbf7a8a0f',
|
||||||
|
'xxqntK8jJ_gE3QEmh-D1-XgCW_E=')
|
||||||
|
]
|
||||||
|
for str, sha1 in str_to_sha1:
|
||||||
|
self.assertEqual(sha1, utils.base64_sha1_string(str))
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
An amphora image update is recommended to pick up a workaround to an
|
||||||
|
HAProxy issue where it would fail to reload on configuration change should
|
||||||
|
the local peer name start with "-x".
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Workaround an HAProxy issue where it would fail to reload on configuration
|
||||||
|
change should the local peer name start with "-x".
|
Loading…
Reference in New Issue