Commit Graph

3232 Commits (8394633635af1045131b1ba5eeeafea8aa98416b)

Author SHA1 Message Date
Michael Johnson 8394633635 Prioritize policy validation
This patch makes sure that we validate RBAC compliance before
other validation tasks.

Change-Id: I670087163b265e7098af35063572d6aa9d068bb9
2020-06-19 14:18:40 -07:00
Gregory Thiemonge 3ee9bc0d65 Fix listener API's test_create* assertions
Assertions were using the same expressions on both side: optionals and
lb_listener are both parameters to the API (and the lb_listener dict
contains all optionals items).
Those assertions should compare the parameters to the API results.

Change-Id: I6f372a3f82fdf4f41e661e640e4a983cf484ed6d
2020-06-18 14:17:33 +02:00
ramboman f26ab8b97b add the verify for the session
We run the octavia scenario test failed when the OpenStack env
enable TLS. So we need add the verify for the session.

Story: 2007662
Task:  39754
Closes-Bug: #1877818
Change-Id: Ie71db27dc383c93496c1dfd69f486a4fd02b597e
2020-06-17 09:05:24 +00:00
Carlos Goncalves e5951ced5f Use uwsgi binary from path
In-line with devstack patch [1], switch invocations to find uwsgi in the


Change-Id: I5e6aee49f434820881051874c9ad2628b4fcada7
2020-06-17 10:59:29 +02:00
Zuul 24acbe099b Merge "Improve terminology in an old spec file" 2020-06-16 03:37:01 +00:00
Zuul 6418ae00c9 Merge "Fix netcat option in for CentOS/RHEL" 2020-06-11 23:24:53 +00:00
Zuul 0a697a352c Merge "Switch oslo.policy over to yaml" 2020-06-11 22:11:11 +00:00
Zuul 18918267e3 Merge "Fix batch member create for v1 amphora driver" 2020-06-11 22:06:04 +00:00
Zuul 647fae2822 Merge "Fix some typos in the explanatory notes" 2020-06-11 22:02:49 +00:00
Zuul b6e0221ca8 Merge "Remove all deprecated driver code that moved to octavia-lib" 2020-06-11 22:02:48 +00:00
Michael Johnson 958c3a18bd Improve terminology in an old spec file
Change-Id: I20bd0070c7eb24e981becbd24e8a98ca5eaff929
2020-06-11 07:37:51 -07:00
zhaoleilc 76616f35e7 Fix some typos in the explanatory notes
This patch changes 'defiend' to 'defined'
in the explanatory notes in octavia/

Change-Id: Ibb7f0f416a013b98edf72a5803aada71015cfade
2020-06-11 14:53:39 +08:00
Zuul aee9cd6fe4 Merge "Use unittest.mock instead of mock" 2020-06-11 03:16:30 +00:00
Hervé Beraud 6cce3a72ae Use unittest.mock instead of mock
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py36 and later, we can use the
standard lib unittest.mock module instead.

Also added and enabled a hacking check that would have caught this.

Change-Id: Idb10f84fd32c50db24f844352cb85de452181439
2020-06-09 11:25:00 -04:00
Zuul be2acaeb36 Merge "Fix test_barbican_legacy for Python 3.8" 2020-06-09 12:18:23 +00:00
Brian Haley de69b2c7ff Remove all deprecated driver code that moved to octavia-lib
In octavia was
changed to use octavia-lib for a lot of API driver-related
code and deprecation warnings put in place. Now that
we're in Victoria remove all the deprecation shims and
use octavia-lib exclusively.

Change-Id: If92988150479a7daf465af5f8df22818664a0fce
2020-06-08 14:41:00 -04:00
Michael Johnson fafabad042 Switch oslo.policy over to yaml
Oslo.policy is moving away from using json format policy files[1].

This patch updates the Octavia documentation, policy configuration file, and
legacy admin-or-owner policy file to be in yaml format.

Octavia will continue to honor and support the json format file as long
as oslo.policy does, but this patch will encourage new deployments
to use the yaml format.


Change-Id: I925cc05981e677c0552b18f845fdbc512d2af22c
2020-06-08 08:54:07 -07:00
Zuul c9e9fd9335 Merge "Change default tox envs from python37 to python3" 2020-06-08 06:45:25 +00:00
Zuul 409b89f141 Merge "Update the feature matrix for new features" 2020-06-08 05:20:17 +00:00
Zuul daa28ffe21 Merge "Fixed typo in upgrade section" 2020-06-08 05:17:48 +00:00
Ross Martyn 611880cd15 Fixed typo in upgrade section
Change-Id: I9e7052bfbb990d526893e641236cbdb6e6203d67
2020-06-06 09:38:02 +01:00
Michael Johnson c2ff9bce99 Update the feature matrix for new features
We missed updating the provider driver feature matrix for a few
new Octavia features. This patch updates the matrix.

Change-Id: I328830df19fb8df6ea93cee2ad2f0dbda03279a1
2020-06-05 12:39:15 -07:00
Michael Johnson 630a4e6a3c Fix batch member create for v1 amphora driver
A previous patch[1] missed batch_member_update when adding database
repository "get" method retries for new object creation actions.
This patch fixes batch member create to retry the database get call
when new members are being created via batch member update.
This issue only impacts the v1 amphora driver as the v2 driver
does not need to get these objects from the database.

Story: 2007581
Task: 39503

[1] 48e85569f7

Change-Id: Ia3476ab7b24dc3fd6e29ff2abe6eb6bacd9908ed
2020-06-05 09:08:48 -07:00
Zuul 3980c90403 Merge "Remove Babel requirement" 2020-06-05 11:33:24 +00:00
Zuul e8db961ba4 Merge "Update cirros image to cirros-0.5.1-x86_64" 2020-06-05 11:33:22 +00:00
Zuul 0321c28588 Merge "Add TLS version configuration for pools" 2020-06-04 07:04:51 +00:00
Zuul 16b96baff9 Merge "Add TLS version configuration for listeners" 2020-06-04 06:27:40 +00:00
Dawson Coleman 9a6da86481 Add TLS version configuration for pools
Add field tls_versions to pools for restricing TLS versions used.
This is a colon-separated string of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

Add default_pool_tls_versions in octavia.conf

Note: TLSv1.3 connections will use haproxy's default ciphers
instead of the listener's tls_ciphers field

Change-Id: I480b7fb9756d98ba9dbcdfd1d4b193ce6868e291
Story: 2006733
Task: 37173
Depends-On: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
2020-06-03 21:58:47 +00:00
Dawson Coleman 6aad5d8b9f Add TLS version configuration for listeners
Add field tls_versions to listeners for restricting TLS versions used.
This is a list of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

Add default_listener_tls_versions in octavia.conf.

Note that at this time TLS 1.3 ciphersuites are not impelemented,
so any TLS 1.3 connections will use haproxy's default ciphers
instead of what's specified by tls_ciphers.

Change-Id: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
Story: 2006733
Task: 37170
Task: 37169
2020-06-03 14:57:47 -07:00
Sean McGinnis 0deff25667 Change default tox envs from python37 to python3
Python versions supported by OpenStack change over time, and for minor
versions of Python 3 it is tedious to keep this file updated.

Since this does not impact zuul jobs in any way, nor prevent local
tests against py37, it should be safe to simply make this more easily
compatible for users that don't care about the specific Python versions
and just need basic tests to run.

The *only* thing this does is changes the default versions tested if none
are explicitly provided with `-e`.

Change-Id: I2372178351e961eeed5a819f39e75d54ba148798
Signed-off-by: Sean McGinnis <>
2020-06-03 07:28:27 -07:00
Zuul 2c7c7747b7 Merge "Workaround peer name starting with hyphen" 2020-05-31 14:55:45 +00:00
Zuul 8a38c1a82b Merge "Fixed a bug: replace 'startwith' with 'startswith'" 2020-05-30 11:36:57 +00:00
Bodo Petermann a84bf7d843 Fix test_barbican_legacy for Python 3.8
Fixes failing unit tests in
for Python 3.8

Some of the tests fail setting up a mock.Mock(spec=secrets.Secret)
because a ValueError exception is raised unexpectedly.

The reason is that test_get_cert_no_registration_raise_on_secret_access_failure
patches the `payload` property of barbicanclient.v1.secrets.Secret to
raise a ValueError.
When a subsequent test tries to set up a mock.Mock(spec=secrets.Secret)
in Python 3.8 the Mock class will try to look at the properties of the spec
class and accessing `payload` doesn't behave normally anymore: it raises
ValueError now.

Fixed by using a different approach of mocking `payload` in
so that it does not influence subsequent tests.

Change-Id: Ic534a4715c85c2216c7251209507acf74a999153
Story: 2007490
Task: 39212
2020-05-29 16:58:33 +02:00
Zuul 7e851d3f6e Merge "Fix the grenade plugin to also upgrade octavia-lib" 2020-05-29 13:48:39 +00:00
chimeng 7c96e455a9 Fixed a bug: replace 'startwith' with 'startswith'
story: 2007734
Change-Id: I6543fe5caf539c9b1167a7c58984b3474879e1de
2020-05-29 17:08:25 +08:00
Carlos Goncalves acc38391de Workaround peer name starting with hyphen
The base64_sha_string method is used to set a base64-encoded peer name
in HAProxy. There are cases where the peer name can start with
an hypen which is troublesome when used in HAProxy CLI. Specifically,
HAProxy fails to reload when local peer name starts with '-x' [1]. When
this is the case, an amphora goes to provisioning status ERROR and later
is scheduled for failover by the Octavia Health Manager service. A new
amphora UUUID is assigned and base64 encoded, hopefully not starting
with '-x' again. However, this is far from being ideal -- we incur in a
dataplane disruption (single topology) or reduce HA capabilities
(active-standby topology) for some time.

Four possible options:

a) add prefix to peer name
b) change b64encode altchars
c) quote peer name in haproxy CLI command
d) substitute first character if hyphen

Option a) and b) are not backward compatible with running amphorae. Peer
names of existing amphorae that do not start with hypen but contain
hyphen at any other position would get different peer names.

Option c) would nonetheless still require an amphora image update to add
quotes in the HAProxy init service file. Continuing to generate peer
names with hyphens at begininng of the string is avoidable and

Option d), while also requiring an amphora image update, it would get
rid of hyphens in begining of the peer names. It is also backward
compatible with all running amphorae, except for those starting with
hyphen but are broken anyways.

This patch takes option d). It substitutes hyphen with 'x' character.


Task: 39850
Story: 2007714

Change-Id: Ib0fc26877710dea423a5ebcf1f71077665404377
2020-05-26 12:51:57 +02:00
Zuul 8ef7d60c91 Merge "Switch to newer openstackdocstheme and reno versions" 2020-05-24 03:00:05 +00:00
Carlos Goncalves 59831f46f7 Fix the grenade plugin to also upgrade octavia-lib
Upgrade octavia-lib in target environment to make sure we are testing
the latest code.

Change-Id: I8003de0f71a5dee7438ab2f6a2c497386018c1ac
2020-05-22 19:46:31 +02:00
Zuul 04ea9bf4dd Merge "Make sure devstack aborts if DIB fails" 2020-05-21 22:41:47 +00:00
Andreas Jaeger acb4d7b4e1 Switch to newer openstackdocstheme and reno versions
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems

Update Sphinx version as well.

Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.

Disable openstackdocs_auto_name to use 'project' variable as name.

Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.

openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.

See also

Change-Id: I87889f73207ecd940963fbe601ccbb79863b96ac
2020-05-21 13:06:24 +02:00
Lingxian Kong b54f373cac Fix getting user neutron client
Use token and endpoint URL to initialize neutron client for the
request user.

Story: 2007619
Task:  39641

Change-Id: I05a541a77f254a77ad5036e1062b61c8ce93b754
2020-05-20 10:22:53 +00:00
Michael Johnson d0f0233061 Make sure devstack aborts if DIB fails
There are cases where DIB can fail to create an image but devstack
does not abort. This leads the gate job to run all the way down to
starting the tempest test before the job will fail out.
This adds a simple check for the image file and will abort early
if the image is not present.

Change-Id: I7ebf4137feb04827490dffc0dac3d6e4c8888075
2020-05-19 16:26:57 +00:00
Zuul bcef33a3ff Merge "Add TLS cipher blacklist to octavia.conf" 2020-05-19 15:54:33 +00:00
Gregory Thiemonge 6354f92ecc Fix netcat option in for CentOS/RHEL
-w (timeout) option doesn't do anything in nmap-ncat (default netcat in
CentOS/RHEL) for UDP datagrams, and nmap-ncat has a default idle timeout
set to 2 seconds.
We can get the same behavior as netcap-openbsd (Debian/Ubuntu) by
setting that idle timeout (-i) option to 1 second.

This commit detects the flavor of the netcat binary (nmap vs other) and
uses it to adapt the parameters.

Story: 2007688
Task: 39800

Change-Id: I0100aaa428477f011bd39a90dd4ec98199b4bebc
2020-05-19 13:55:08 +02:00
Brian Haley 9a1d6d3585 Fix E741 pep8 errors
E741 ambiguous variable name 'l'

Change 'l' to another variable in affected code.

Also had to set the latex_engine to 'xelatex' in doc/source/
in order to get past an openstackdocstheme change the broke the pdf
doc build.

Change-Id: Idd176e40ccf2a79832a5c99140bd30e5e1f9c0d8
2020-05-15 10:58:22 -04:00
Zuul 5ec5fb73f8 Merge "Migrate grenade job to native Zuul v3" 2020-05-08 23:48:56 +00:00
Zuul 837b7bf940 Merge "Add py38 package metadata" 2020-05-06 20:46:39 +00:00
Carlos Goncalves 8b8965bd7b Migrate grenade job to native Zuul v3
This patch also switches the job back to voting.

Change-Id: Iedc1d5c5b603753b171fe17816b4d9c3aff1a16c
2020-05-04 14:01:40 +02:00
Dawson Coleman 85f5b8181b Add TLS cipher blacklist to octavia.conf
Add new configuration option "tls_cipher_blacklist" to octavia.conf.
Blacklisted ciphers are blocked from being used in listeners, pools, or
default cipher strings.

Change-Id: I44fd4da1b47faee9cc01b9426898a28b6f13f223
Story: 2006627
Task: 37168
2020-05-03 16:56:40 -05:00
Zuul 07a93de755 Merge "Fix healthmanager not update amphora health when LB disable" 2020-04-28 18:03:00 +00:00