126 Commits

Author SHA1 Message Date
Michael Johnson
7b1621789c ACTIVE-ACTIVE: Initial distributor driver
This patch is the initial implementation of a distributor driver for
Octavia Active/Active topology support.

This patch is a decomposition of the following patch:
https://review.openstack.org/#/c/313006

Story: 2001288
Task: 5836

Depends-On: I97b52b80efb33749647229a55147a08afa112dd2
Change-Id: I65e4a533caee692e1c98e8c6586c2e2132f2e34c
Co-Authored-By: Valeria Perelman <perelman@il.ibm.com>
2017-11-22 05:53:48 +00:00
German Eichberger
060fcc1503 Make the event streamer transport URL configurable
This adds a way to configure the event streamer transport URL
so it can post to a different queue, e.g. Neutron's

Change-Id: I69d3d6d30e33878052f2c56b8c79a14cc4ec1b24
2017-10-25 10:52:48 -07:00
Adam Harwell
7bf8804177 Add flag to disable SSHD on the amphora image
Also deprecate the amp_ssh_access_allowed option.

Change-Id: Icb61a65fac57e74235fac904639c411b0fa2b495
2017-08-16 11:18:10 -07:00
Santhosh Fernandes
94a8d5715a Option to enable provisioning status sync with neutron db
In large build situations, nova can be slow to build VMs. This means that the
default 100 second timeout may expire before the final status has been updated
in the neutron database. This patch will emit provisioning status to be synced
with neutron db

Change-Id: If6c0b81630fd1911518792d9947f8622f065ff4e
2017-07-18 12:02:18 +05:30
Michael Johnson
767ef161fb Make developer debugging easier
This patch makes developer debugging of Octavia easier.  It adds
a configuration option that disables the controller worker taskflow
flows from reverting and cleaning up resources.
It also changes the amphora agent to keep a copy of a haproxy
configuration that failed validation.

Change-Id: Iaca070a0ab9589fb25513eb5fad7d1e99974d572
2017-06-28 13:51:03 -07:00
Adam Harwell
38a5563abc Allow operators to disallow creation of TLS Termination listeners
Change-Id: I93fbc26c775d1a7f6c69a0ab0b5f47a573cb125d
2017-06-26 18:47:15 -07:00
Adam Harwell
c764abc355 Allow operators to disable v1 or v2.0 api endpoints
Also, create a section for API settings `api_settings` and move some
related settings there.

This patch also enables the configuration settings to be logged
when the api process is started if debug is True.

Change-Id: I31671789d186c4b8a775cc12a414acd2d439512d
2017-06-26 14:37:27 -07:00
Michael Johnson
335c00ac18 Add RBAC enforcement to quotas v2 API
This patch adds policies and enforcement to the Octavia v2 API for quotas.

Change-Id: I5f2fa38973fce595ea3ec03cdff924336e0e71c8
Partial-Bug: #1690481
2017-06-20 18:52:05 -07:00
Michael Johnson
0ce46fe8d0 Add RBAC enforcement to Octavia v2 API
This patch adds policies and enforcement to the Octavia v2 API for
load balancers and listeners.  Child patches will add the rest of the API.

In this patch I also correct some improper functional tests.

Change-Id: Id8a2d15c117c54bd45fc8bb76bf71aff1b3c8fe9
Closes-Bug: #1690481
2017-06-20 13:43:47 +03:00
Jenkins
e5ac4a0426 Merge "Remove deprecated signing_dir config setting" 2017-06-20 02:01:36 +00:00
Adam Harwell
041d15a4b2 Allow operators to tune VIP creation parameters
Change-Id: Iff46479d530e5e3b09f27fd9d335651521f77a11
2017-06-16 14:44:58 -07:00
Michael Johnson
be27e4f0e8 Remove deprecated signing_dir config setting
keystonemiddleware has deprecated the "signing_dir" configuration
option [1].
This patch also removes reference to it from octavia.

[1] https://review.openstack.org/#/c/391405

Change-Id: Idda46ab1459584eafd58097ec42b9f0fcea41759
2017-06-12 17:04:53 -07:00
Jenkins
3c1b9ae360 Merge "Remove lb_network_name from config (it was bogus)" 2017-06-01 18:14:19 +00:00
Adam Harwell
da81984492 Remove lb_network_name from config (it was bogus)
This option was NEVER read, so there is no point in continuing to allow
it to be configured (it is pointless).

Change-Id: I147abdd8d3d95164168ec606f5b92401cb24d1fe
Closes-Bug: #1691286
2017-05-24 12:41:03 +00:00
Adam Harwell
104149d9d7 Update example config to have more correct keystone_authtoken example
Change-Id: Id00ed2b901ab2e1ab75f7ad3451147786349b6ac
2017-05-17 17:08:13 -07:00
Carlos D. Garza
9bfa58af9f Implement sorting and pagination for octavia
Use glance sorting and pagination from inside the SQLAlchemy query
to handle the sorting and pagination for octavia.

Change-Id: I5489c5c89691b8871e32caf3f85ab1978bc3618c
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Co-Authored-By: Lubosz "diltram" Kosnik <lubosz.kosnik@intel.com>
Closes-Bug: #1596628
Closes-Bug: #1596625
2017-05-05 21:08:46 -07:00
Nir Magnezi
75c1c5f22a Change auth_strategy default to keystone
The current default for auth_strategy is noauth, which is not how it is
expected to be set in production environments.

Note: Functional tests should be good with noauth.

Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: Ifc80fff06a1d793d7cee0b207af10061784e48db
2017-05-01 11:33:37 +09:00
Jenkins
942afaacec Merge "Auto-detect haproxy user_group" 2017-04-23 23:24:29 +00:00
Nir Magnezi
26a55415ab Auto-detect haproxy user_group
As a followup to Id99948aec64656a0532afc68e146f0610bff1378, adding auto
detection to haproxy_amphora.user_group

haproxy is capable[1] of handling a list of configuration files.
This patch leverages that capability by simply providing haproxy with an
additional configuration file, which is baked in the amphora image via a
diskimage-builder element.

The above-mentioned element will specify the following values for user group:
Ubuntu: 'nogroup'
RHEL/CentOS/Fedora: 'haproxy'

The amphora-agent will parse and remove any user_group configuration provided
by Octavia controller worker.
This is in order to maintain amphora-agent backward compatibility to old
Octavia workers, who still provide user_group to the amphora-agent.
Octavia Workers that include this patch will no longer provide user_group
configuration to the amphora-agent.

[1] https://cbonte.github.io/haproxy-dconv/1.7/management.html#3

Related-Bug #1548070

Change-Id: Ia8fede9d7da4709a48661d1fc595a16d04fcbfa9
2017-04-23 18:24:23 +03:00
Adam Harwell
9027154a5a Removing dependency on eventlet and oslo.service
Change-Id: I453e9b86d4edfedd63cc59e47bf745e166ff836f
2017-04-21 07:07:12 +09:00
German Eichberger
e58721c4e0 Adds a new config for soft-anti-affinity
Introduces a new config parameter to specify the anti-affinity
policy.

Bumps nova version.

Closes-Bug: 1677604

Change-Id: I8c50057bd43873182058097e802bc839d1be0554
2017-03-31 14:30:53 -04:00
Aishwarya Thangappa
e94ff2681f Adds a new feature to limit the amphora build rate
This patch limits the number of Amphora build requests handled by the
controller worker at a given time.

Also, the amphora build requests are assigned priorities based on
whether it is a normal loadbalancer create, failover or spares pool
loadbalancer create request. Based on the priority and the order in
which the requests were made if there is an available build slot the
amphora will be built.

Co-Authored-By: Lubosz "diltram" Kosnik <lubosz.kosnik@intel.com>
Change-Id: I967cf0668f82fb3a63e18dc7a457c58b526b7e66
Closes-Bug: #1571802
2017-03-16 16:50:31 +00:00
Jenkins
46252d0f5c Merge "Remove config option "amp_network"" 2017-02-15 01:42:31 +00:00
Jenkins
7c9baeb9d1 Merge "Add option to choose an availability_zone for amps" 2017-02-14 00:23:19 +00:00
Jenkins
bcd6f592d3 Merge "Allow a configuration option for random Amphora name" 2017-02-13 22:39:53 +00:00
Adam Harwell
e713f05b2a Add option to choose an availability_zone for amps
Change-Id: Id91c15da6caa656925184dda43d063aede89989e
2017-02-13 14:01:25 -08:00
johnsom
43949908e1 Remove mention of deprecated verbose option
oslo.log has deprecated the verbose option [1] so we should remove
mention of it as well.

[1] https://review.openstack.org/#/c/206437

Change-Id: I322e7b635f7337a6d399d7728bf55e581160b823
2017-02-13 08:50:55 -08:00
ZhaoBo
dc7c2967aa Remove config option "amp_network"
This option had been deprecated in N release. We could remove it from
master.

Change-Id: Ibd498f32a3c4f34621f3d814f1186a5bf9c5b75e
2017-02-13 09:59:41 +08:00
Adam Harwell
f345b4273b Allow a configuration option for random Amphora name
Also do a minor config file cleanup (looks like a bad previous merge).

Change-Id: I66e71795a4910c91cc2af4107fc60cc5aae72c79
Closes-Bug: #1663037
2017-02-08 16:26:29 -08:00
German Eichberger
bfb8195f16 Fixes misspelled amp_ssh_access_allowed config
The config is misspelled in the sample octavia.conf file
leading to confusion. This fixes that.

Change-Id: I0ed36f3e12a6a9f973918e3d233e54e8834be57f
2017-02-02 11:18:21 -05:00
Nir Magnezi
c00488143d Fix the amphora image support for RH Linux flavors
Not all Linux flavors accept the same type of configuration to manage
NICs. The amphora-agent must be able to distinguish between different
Linux flavors and choose the appropriate type of jinja2 NIC
configuration template for each one, respectively.

Up until now, the amphora-agent had no notion of the operating system
it is running on, therefore it used NIC configuration templates that
only match Debian based Linux flavors (mostly Ubuntu). Making it
unusable for flavors such as RHEL, Fedora and CentOS.

This fix enhances how the amphora-agent is handling NIC hot plugs.
It will use the appropriate jinja2 template by checking the Amphora
distribution name when needed.

Co-Authored-By: Michael Johnson <johnsomor@gmail.com>

Closes-Bug #1548070

Change-Id: Id99948aec64656a0532afc68e146f0610bff1378
2017-01-31 20:05:07 +02:00
He Qing
7468a2a6a4 Remove duplicated config option 'cert_generator'
There are two 'cert_generator' options in config file. Remove one
of them.

Change-Id: I2daec1baf7832b14e6fe38ee73588bd86d55e060
Closes-Bug: #1629162
2017-01-18 19:21:35 +00:00
Jenkins
ae3204986e Merge "Add quota support to Octavia" 2017-01-13 18:11:08 +00:00
Trevor Vardeman
7d933da31e Add quota support to Octavia
Octavia has no quota definitions, but needs them for parity with Neutron LBaaS.
This will provide an endpoint and support for retrieving, updating, and deleting
quotas for projects, as well as adding enforcement of those quotas.

Adds scenario test that simply validates quotas in a lb graph.

Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Co-Authored-By: Phillip Toohill <phillip.toohill@rackspace.com>
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>

Change-Id: Ia1d85dcd931a57a2fa3f6276d3fe6dabfeadd15e
Closes-Bug: #1596652
2017-01-13 02:45:14 +00:00
Nir Magnezi
e75c8ecc09 Adds user_group option under haproxy_amphora
This fix adds the user_group configuration option under the haproxy_amphora
section, which is currently available in the neutron-lbaas code base.

The incentive for the above-mentioned addition is that in CentOS, Fedora and
RHEL based amphora images, the 'nogroup' user group does not exist by default.
Therefore users who wish to use those types of amphora images should have the
option to configure a different user group such as 'haproxy'.

The default value for user group is 'nogroup' so the default behavior
remains intact.

Related-Bug #1548070
Change-Id: Ifac59889fa8120d974840bae2913587292f474c1
2017-01-09 19:11:25 +00:00
ZhaoBo
8eddb0fd22 Fix multi-typo error in Octavia
This patch fixes some typos in Octavia.

Change-Id: I2699f85f07e3207a0438b8127e9992c553fa40fc
2017-01-05 11:56:20 +08:00
Adam Harwell
e51a073614 oslo_messaging_rabbit settings are deprecated
Use [DEFAULT]/transport_url instead.

Change-Id: I6b8a44958570c970b6ce1a48e5d7c09cb2ec3c43
2016-12-19 16:23:40 -08:00
Jenkins
4f0571f64e Merge "Add keystone authentication of token" 2016-12-13 13:45:28 +00:00
Dustin Lundquist
6ce85349c9 Enable IPv6 load balancer networks
This patch addresses several places where IPv6 and IPv6 link-local
addresses were not considered for communication between amphora and the
controller worker.

In the devstack plugin we permit both IPv4 and IPv6 for health
monitoring and the amphora REST API.

In the amphora's UDP health sender we parse the IP port string in a
manner which permits IPv6 addresses by splitting on the last colon
rather than every colon.

In the controller REST API driver we append an interface scope if using
IPv6 link-local addresses. This interface can be specified by an
operator if they are using an interface other than o-hm0; this is only
required if using IPv6 link-local addresses.

Change-Id: I9d07bec4ac105e8876fadb72a83a590ffd4d2e66
2016-11-23 12:03:42 -08:00
Jenkins
8fef2f04a7 Merge "Run amphora agent with gunicorn" 2016-11-23 17:05:19 +00:00
Brandon Logan
1ace351fd8 Add keystone authentication of token
Closes-Bug: #1532075
Change-Id: Id45a0babc8e128d02bf648fedb7b66099bc3c7ae
Co-Authored-By: Lubosz "diltram" Kosnik <lubosz.kosnik@intel.com>
Depends-On: Id0deee2714040d271f43a537c27f410e2f4e3ef2
2016-11-22 12:57:07 -06:00
Jenkins
7f13dbc917 Merge "Backend Keystone authentication" 2016-11-18 13:57:44 +00:00
Lubosz "diltram" Kosnik
076e016bb2 Backend Keystone authentication
Change methods used in backend to authenticate with keystone.
Use autodetection mechanism for API version and refactor config
options specified in Octavia.

Change-Id: Id0deee2714040d271f43a537c27f410e2f4e3ef2
Closes-Bug: #1620668
Closes-Bug: #1618691
2016-11-17 11:03:40 -06:00
Michael Johnson
c4408c4c78 Adds support for systemd amphora images
This patch enables auto-detection of the init system used in the
amphora image and adds support for systemd amphora.
This patch allows Ubuntu xenial amphora images to work.
It also merges two functional test files into one file to reduce
code duplication.

This is a scenario gate fix.

Change-Id: I5fec1680bd47719ae9f2fcb6abaaba8a78e2ae8b
Closes-Bug: #1640866
2016-11-16 00:42:37 +00:00
Adam Harwell
48a1e7cbe9 Run amphora agent with gunicorn
Flask's default runner (werkzeug) is plagued with bugs.
If we use gunicorn instead, we should have many less problems!

Depends-On: I211dc771aa95147c0f1d9e6ac1a65a7e164b33c2
Change-Id: I59897167f9285bf013f8a155dd2ea4f799ac1d3f
2016-10-26 17:42:49 +02:00
zhangyanxian
7feb462ea3 Fix typos in amphora_flows.py & octavia.conf
trivial fix

Change-Id: I8417740f03e4003714a5bbd9cde7ba520c5e36c1
2016-09-23 00:36:34 +00:00
Michael Johnson
d7d062a47a Option to restrict amp glance image owner
This patch adds an optional configuration setting that allows an
operator to restrict the amphora glance image selection to a specific
owner id.  This is a recommended security setting for clouds that
allow user uploadable images.

Change-Id: I73347b5b3e868d13974cd6ca6bada9cdf75773fe
Closes-Bug: #1620629
2016-09-15 19:46:46 +00:00
Paul Glass
e291a88210 Stop using bandit-baseline
bandit-baseline finds *new* issues introduced in a commit, by comparing
results between two git commits. If the git repository has uncommitted
changes, bandit-baseline refuses to run.

This switches over to using plain bandit instead of bandit-baseline,
and resolves or stifles existing bandit errors so we have a clean run.
These updates apply to bandit running as part of `tox -e pep8` or `tox
-e bandit`.

* Have bandit runs from tox ignore the octavia/tests directory
* Resolve several instances of `B701 jinja2_autoescape_false`
* Stifle several instances of `B303 md5`
* Resolve two instances of `B104 hardcoded_bind_all_interfaces`
* Stifle one instance of `B104 hardcoded_bind_all_interfaces` (see
https://bugs.launchpad.net/octavia/+bug/1489963)

Closes-Bug: #1621251
Related-Bug: #1489963

Change-Id: Iad3cbe5762949a6311bdd361b1f12c5a24c40633
2016-09-09 14:50:20 +00:00
Jenkins
de6bfc1629 Merge "Condense amphora-agent-ubuntu in to amphora-agent" 2016-08-23 04:47:21 +00:00
Michael Johnson
7ba33e6ee4 Fixes failover flow with namespace driver
This patch updates the haproxy service scripts to handle the case
where the network interfaces have not yet been plugged.  This can
occur in a failover situation.
This patch also makes sure we don't move the management lan interface
into the network namespace.

Closes-Bug: #1509706
Closes-Bug: #1577963
Change-Id: I04d267bd3cdedca11f0350c5255086233cba14ec
2016-08-19 17:48:46 +00:00