This patch is the initial implementation of a distributor driver for
Octavia Active/Active topology support.
This patch is a decomposition of the following patch:
https://review.openstack.org/#/c/313006
Story: 2001288
Task: 5836
Depends-On: I97b52b80efb33749647229a55147a08afa112dd2
Change-Id: I65e4a533caee692e1c98e8c6586c2e2132f2e34c
Co-Authored-By: Valeria Perelman <perelman@il.ibm.com>
This adds a way to configure the event streamer transport URL
so it can post to a different queue, e.g. Neutron's
Change-Id: I69d3d6d30e33878052f2c56b8c79a14cc4ec1b24
In large build situations, nova can be slow to build VMs; this means that the
default 100 second timeout may expire before the final status has been updated
in the neutron database. This patch will emit provisioning status to be in sync
with the neutron db
Change-Id: If6c0b81630fd1911518792d9947f8622f065ff4e
This patch makes developer debugging of Octavia easier. It adds
a configuration option that disables the controller worker taskflow
flows from reverting and cleaning up resources.
It also changes the amphora agent to keep a copy of a haproxy
configuration that failed validation.
Change-Id: Iaca070a0ab9589fb25513eb5fad7d1e99974d572
Also, create a section for API settings `api_settings` and move some
related settings there.
This patch also enables the configuration settings to be logged
when the api process is started if debug is True.
Change-Id: I31671789d186c4b8a775cc12a414acd2d439512d
This patch adds policies and enforcement to the Octavia v2 API for
load balancers and listeners. Child patches will add the rest of the API.
In this patch I also correct some improper functional tests.
Change-Id: Id8a2d15c117c54bd45fc8bb76bf71aff1b3c8fe9
Closes-Bug: #1690481
keystonemiddleware has deprecated the "signing_dir" configuration
option [1].
This patch also removes reference to it from octavia.
[1] https://review.openstack.org/#/c/391405
Change-Id: Idda46ab1459584eafd58097ec42b9f0fcea41759
This option was NEVER read, so there is no point in continuing to allow
it to be configured (it is pointless).
Change-Id: I147abdd8d3d95164168ec606f5b92401cb24d1fe
Closes-Bug: #1691286
Use glance sorting and pagination from inside the SQLAlchemy query
to handle the sorting and pagination for octavia.
Change-Id: I5489c5c89691b8871e32caf3f85ab1978bc3618c
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Co-Authored-By: Lubosz "diltram" Kosnik <lubosz.kosnik@intel.com>
Closes-Bug: #1596628
Closes-Bug: #1596625
The current default for auth_strategy is noauth, which is not how it is
expected to be set in production environments.
Note: Functional tests should be good with noauth.
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: Ifc80fff06a1d793d7cee0b207af10061784e48db
As a followup to Id99948aec64656a0532afc68e146f0610bff1378, adding auto
detection to haproxy_amphora.user_group
haproxy is capable[1] of handling a list of configuration files.
This patch leverages that capability by simply providing haproxy with an
additional configuration file, which is baked in the amphora image via a
diskimage-builder element.
The above-mentioned element will specify the following values for user group:
Ubuntu: 'nogroup'
RHEL/CentOS/Fedora: 'haproxy'
The amphora-agent will parse and remove any user_group configuration provided
by Octavia controller worker.
This is in order to maintain amphora-agent backward compatibility to old
Octavia workers, who still provide user_group to the amphora-agent.
Octavia Workers that include this patch will no longer provide user_group
configuration to the amphora-agent.
[1] https://cbonte.github.io/haproxy-dconv/1.7/management.html#3
Related-Bug #1548070
Change-Id: Ia8fede9d7da4709a48661d1fc595a16d04fcbfa9
Introduces a new config parameter to specify the anti-affinity
policy.
Bumps nova version.
Closes-Bug: 1677604
Change-Id: I8c50057bd43873182058097e802bc839d1be0554
This patch limits the number of Amphora build requests handled by the
controller worker at a given time.
Also, the amphora build requests are assigned priorities based on
whether it is a normal loadbalancer create, failover or spares pool
loadbalancer create request. Based on the priority and the order in
which the requests were made if there is an available build slot the
amphora will be built.
Co-Authored-By: Lubosz "diltram" Kosnik <lubosz.kosnik@intel.com>
Change-Id: I967cf0668f82fb3a63e18dc7a457c58b526b7e66
Closes-Bug: #1571802
oslo.log has deprecated the verbose option [1] so we should remove
mention of it as well.
[1] https://review.openstack.org/#/c/206437
Change-Id: I322e7b635f7337a6d399d7728bf55e581160b823
Not all Linux flavors accept the same type of configuration to manage
NICs. The amphora-agent must be able to distinguish between different
Linux flavors and choose the appropriate type of jinja2 NIC
configuration template for each one, respectively.
Up until now, the amphora-agent had no notion of the operating system
it is running on, therefore it used NIC configuration templates that
only match Debian based Linux flavors (mostly Ubuntu), making it
unusable for flavors such as RHEL, Fedora and CentOS.
This fix enhances how the amphora-agent is handling NIC hot plugs.
It will use the appropriate jinja2 template by checking the Amphora
distribution name when needed.
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Closes-Bug #1548070
Change-Id: Id99948aec64656a0532afc68e146f0610bff1378
Octavia has no quota definitions, but needs them for parity with Neutron LBaaS.
This will provide an endpoint and support for retrieving, updating, and deleting
quotas for projects, as well as adding enforcement of those quotas.
Adds scenario test that simply validates quotas in a lb graph.
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Co-Authored-By: Phillip Toohill <phillip.toohill@rackspace.com>
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Change-Id: Ia1d85dcd931a57a2fa3f6276d3fe6dabfeadd15e
Closes-Bug: #1596652
This fix adds the user_group configuration option under the haproxy_amphora
section, which is currently available in the neutron-lbaas code base.
The incentive for the above-mentioned addition is that in CentOS, Fedora and
RHEL based amphora images, the 'nogroup' user group does not exist by default.
Therefore users who wish to use those types of amphora images should have the
option to configure a different user group such as 'haproxy'.
The default value for user group is 'nogroup' so the default behavior
remains intact.
Related-Bug #1548070
Change-Id: Ifac59889fa8120d974840bae2913587292f474c1
This patch addresses several places where IPv6 and IPv6 link-local
addresses were not considered for communication between amphora and the
controller worker.
In the devstack plugin we permit both IPv4 and IPv6 for health
monitoring and the amphora REST API.
In the amphora's UDP health sender we parse the IP port string in a
manner which permits IPv6 addresses by splitting on the last colon
rather than every colon.
In the controller REST API driver we append an interface scope if using
IPv6 link-local addresses. This interface can be specified by an
operator if they are using an interface other than o-hm0; this only is
required if using IPv6 link-local addresses.
Change-Id: I9d07bec4ac105e8876fadb72a83a590ffd4d2e66
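The last-colon parsing and link-local scoping described in the commit message above, as an added example that is not code from the Octavia patch. Function names are hypothetical, `o-hm0` is the default interface the message names, and the addresses are constructed sample values.

```python
import ipaddress

# Assumption: "o-hm0" is the default interface named in the commit message;
# every function and parameter name below is hypothetical.
DEFAULT_LL_INTERFACE = "o-hm0"


def naive_split(endpoint):
    """The 'every colon' behaviour: fine for IPv4, wrong for IPv6."""
    parts = endpoint.split(":")
    return parts[0], parts[1]


def split_host_port(endpoint):
    """Split 'host:port' on the LAST colon so IPv6 literals survive."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not host:
        raise ValueError("expected host:port, got %r" % endpoint)
    # Also accept the bracketed form, e.g. "[fe80::1]:5555".
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    ip = ipaddress.ip_address(host)  # raises ValueError on a non-address
    port_num = int(port)             # raises ValueError on a non-number
    if not 0 < port_num < 65536:
        raise ValueError("port out of range: %d" % port_num)
    return ip, port_num


def scoped_host(ip, interface=DEFAULT_LL_INTERFACE):
    """Return the address text, with an interface scope if link-local IPv6.

    A link-local address is ambiguous on a multi-homed host, so the
    outgoing interface has to be named. Bracketing and URL encoding are
    left to the HTTP client layer and are not shown here.
    """
    if ip.version == 6 and ip.is_link_local:
        return "%s%%%s" % (ip, interface)
    return str(ip)


if __name__ == "__main__":
    # Constructed sample endpoints (documentation / link-local ranges).
    for sample in ("192.0.2.10:5555", "fe80::f816:3eff:fe00:1:5555",
                   "[2001:db8::1]:5555"):
        ip, port = split_host_port(sample)
        print(sample, "->", scoped_host(ip), port, "| naive:",
              naive_split(sample))
```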
Change methods used in backend to authenticate with keystone.
Use autodetection mechanism for API version and refactor config
options specified in Octavia.
Change-Id: Id0deee2714040d271f43a537c27f410e2f4e3ef2
Closes-Bug: #1620668
Closes-Bug: #1618691
This patch enables auto-detection of the init system used in the
amphora image and adds support for systemd amphora.
This patch allows Ubuntu xenial amphora images to work.
It also merges two functional test files into one file to reduce
code duplication.
This is a scenario gate fix.
Change-Id: I5fec1680bd47719ae9f2fcb6abaaba8a78e2ae8b
Closes-Bug: #1640866
Flask's default runner (werkzeug) is plagued with bugs.
If we use gunicorn instead, we should have many fewer problems!
Depends-On: I211dc771aa95147c0f1d9e6ac1a65a7e164b33c2
Change-Id: I59897167f9285bf013f8a155dd2ea4f799ac1d3f
This patch adds an optional configuration setting that allows an
operator to restrict the amphora glance image selection to a specific
owner id. This is a recommended security setting for clouds that
allow user uploadable images.
Change-Id: I73347b5b3e868d13974cd6ca6bada9cdf75773fe
Closes-Bug: #1620629
bandit-baseline finds *new* issues introduced in a commit, by comparing
results between two git commits. If the git repository has uncommitted
changes, bandit-baseline refuses to run.
This switches over to using plain bandit instead of bandit-baseline,
and resolves or stifles existing bandit errors so we have a clean run.
These updates apply to bandit running as part of `tox -e pep8` or `tox
-e bandit`.
* Have bandit runs from tox ignore the octavia/tests directory
* Resolve several instances of `B701 jinja2_autoescape_false`
* Stifle several instances of `B303 md5`
* Resolve two instances of `B104 hardcoded_bind_all_interfaces`
* Stifle one instance of `B104 hardcoded_bind_all_interfaces` (see
https://bugs.launchpad.net/octavia/+bug/1489963)
Closes-Bug: #1621251
Related-Bug: #1489963
Change-Id: Iad3cbe5762949a6311bdd361b1f12c5a24c40633
This patch updates the haproxy service scripts to handle the case
where the network interfaces have not yet been plugged. This can
occur in a failover situation.
This patch also makes sure we don't move the management lan interface
into the network namespace.
Closes-Bug: #1509706
Closes-Bug: #1577963
Change-Id: I04d267bd3cdedca11f0350c5255086233cba14ec