This patch refactors the failover flows to improve the performance
and reliability of failovers in Octavia.
Specific improvements are:
* More tasks and flows will retry when other OpenStack services are
failing.
* Failover can now succeed even when all of the amphora are missing
for a given load balancer.
* It will check and repair the load balancer VIP should the VIP
port(s) become corrupted in neutron.
* It will clean up extra resources that may be associated with a
load balancer in the event of a cloud service failure.
This patch also removes some dead code.
Change-Id: I04cb2f1f10ec566298834f81df0cf8b100ca916c
Story: 2003084
Task: 23166
Story: 2004440
Task: 28108
Recent additions to the Octavia API did not update the Octavia API
CADF audit map. This patch corrects that by adding the new API
paths.
Change-Id: I22107317837e68e54a29f8a4051c464120b29809
There was a bug in the CADF audit map file for the "failover" action.
This patch corrects the audit map file to handle "failover" correctly
and stop keystonemiddleware from raising an exception.
Change-Id: If3954ba34740e26937dba10bdd8061acde758c88
Story: 2007831
Task: 40116
Assertions were using the same expressions on both sides: optionals and
lb_listener are both parameters to the API (and the lb_listener dict
contains all optionals items).
Those assertions should compare the parameters to the API results.
Change-Id: I6f372a3f82fdf4f41e661e640e4a983cf484ed6d
The octavia scenario test failed when we ran it in an OpenStack env
with TLS enabled. So we need to add the verify for the session.
Story: 2007662
Task: 39754
Closes-Bug: #1877818
Change-Id: Ie71db27dc383c93496c1dfd69f486a4fd02b597e
In line with devstack patch [1], switch invocations to find uwsgi in the
path.
[1] https://review.opendev.org/#/c/577779/
Change-Id: I5e6aee49f434820881051874c9ad2628b4fcada7
This patch changes 'defiend' to 'defined'
in the explanatory notes in octavia/
tests/functional/db/test_repositories.py
Change-Id: Ibb7f0f416a013b98edf72a5803aada71015cfade
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py36 and later, we can use the
standard lib unittest.mock module instead.
Also added and enabled a hacking check that would have caught this.
Change-Id: Idb10f84fd32c50db24f844352cb85de452181439
In https://review.opendev.org/#/c/613709/ octavia was
changed to use octavia-lib for a lot of API driver-related
code and deprecation warnings put in place. Now that
we're in Victoria remove all the deprecation shims and
use octavia-lib exclusively.
Change-Id: If92988150479a7daf465af5f8df22818664a0fce
Oslo.policy is moving away from using json format policy files[1].
This patch updates the Octavia documentation, policy configuration file, and
legacy admin-or-owner policy file to be in yaml format.
Octavia will continue to honor and support the json format file as long
as oslo.policy does, but this patch will encourage new deployments
to use the yaml format.
[1] https://docs.openstack.org/oslo.policy/latest/admin/policy-json-file.html
Change-Id: I925cc05981e677c0552b18f845fdbc512d2af22c
We missed updating the provider driver feature matrix for a few
new Octavia features. This patch updates the matrix.
Change-Id: I328830df19fb8df6ea93cee2ad2f0dbda03279a1
A previous patch[1] missed batch_member_update when adding database
repository "get" method retries for new object creation actions.
This patch fixes batch member create to retry the database get call
when new members are being created via batch member update.
This issue only impacts the v1 amphora driver as the v2 driver
does not need to get these objects from the database.
Story: 2007581
Task: 39503
[1] 48e85569f7
Change-Id: Ia3476ab7b24dc3fd6e29ff2abe6eb6bacd9908ed
Add field tls_versions to pools for restricting TLS versions used.
This is a colon-separated string of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
Add default_pool_tls_versions in octavia.conf
Note: TLSv1.3 connections will use haproxy's default ciphers
instead of the listener's tls_ciphers field
Change-Id: I480b7fb9756d98ba9dbcdfd1d4b193ce6868e291
Story: 2006733
Task: 37173
Depends-On: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
Add field tls_versions to listeners for restricting TLS versions used.
This is a list of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
Add default_listener_tls_versions in octavia.conf.
Note that at this time TLS 1.3 ciphersuites are not implemented,
so any TLS 1.3 connections will use haproxy's default ciphers
instead of what's specified by tls_ciphers.
Change-Id: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
Story: 2006733
Task: 37170
Task: 37169
Python versions supported by OpenStack change over time, and for minor
versions of Python 3 it is tedious to keep this file updated.
Since this does not impact zuul jobs in any way, nor prevent local
tests against py37, it should be safe to simply make this more easily
compatible for users that don't care about the specific Python versions
and just need basic tests to run.
The *only* thing this does is change the default versions tested if none
are explicitly provided with `-e`.
Change-Id: I2372178351e961eeed5a819f39e75d54ba148798
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
Fixes failing unit tests in
octavia.tests.unit.certificates.manager.test_barbican_legacy.TestBarbicanManager
for Python 3.8
Some of the tests fail setting up a mock.Mock(spec=secrets.Secret)
because a ValueError exception is raised unexpectedly.
The reason is that test_get_cert_no_registration_raise_on_secret_access_failure
patches the `payload` property of barbicanclient.v1.secrets.Secret to
raise a ValueError.
When a subsequent test tries to set up a mock.Mock(spec=secrets.Secret)
in Python 3.8 the Mock class will try to look at the properties of the spec
class and accessing `payload` doesn't behave normally anymore: it raises
ValueError now.
Fixed by using a different approach of mocking `payload` in
test_get_cert_no_registration_raise_on_secret_access_failure
so that it does not influence subsequent tests.
Change-Id: Ic534a4715c85c2216c7251209507acf74a999153
Story: 2007490
Task: 39212
The base64_sha_string method is used to set a base64-encoded peer name
in HAProxy. There are cases where the peer name can start with
a hyphen which is troublesome when used in HAProxy CLI. Specifically,
HAProxy fails to reload when local peer name starts with '-x' [1]. When
this is the case, an amphora goes to provisioning status ERROR and later
is scheduled for failover by the Octavia Health Manager service. A new
amphora UUID is assigned and base64 encoded, hopefully not starting
with '-x' again. However, this is far from being ideal -- we incur a
dataplane disruption (single topology) or reduce HA capabilities
(active-standby topology) for some time.
Four possible options:
a) add prefix to peer name
b) change b64encode altchars
c) quote peer name in haproxy CLI command
d) substitute first character if hyphen
Option a) and b) are not backward compatible with running amphorae. Peer
names of existing amphorae that do not start with hyphen but contain
hyphen at any other position would get different peer names.
Option c) would nonetheless still require an amphora image update to add
quotes in the HAProxy init service file. Continuing to generate peer
names with hyphens at beginning of the string is avoidable and
recommended.
Option d), while also requiring an amphora image update, would get
rid of hyphens in beginning of the peer names. It is also backward
compatible with all running amphorae, except for those starting with
hyphen but are broken anyways.
This patch takes option d). It substitutes hyphen with 'x' character.
[1] https://github.com/haproxy/haproxy/issues/644
Task: 39850
Story: 2007714
Change-Id: Ib0fc26877710dea423a5ebcf1f71077665404377
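The compatibility argument behind option d) compared with option b), as an added example that is not the patch's or Octavia's own code. It assumes the peer name is the base64 encoding of a SHA-1 digest with `_` and `-` as the alternative characters (the commit message does not state the hash or the alphabet); the function names and sample IDs are constructed for illustration.

```python
import base64
import hashlib
import re

# Assumption, not stated in the commit message: SHA-1 digest of the ID,
# base64-encoded with '_' and '-' replacing '+' and '/'.
ALTCHARS = b"_-"


def peer_name_before(name: str, altchars: bytes = ALTCHARS) -> str:
    """Peer name without the fix: the first character may be '-'."""
    digest = hashlib.sha1(name.encode("utf-8")).digest()  # stable ID, not security
    return base64.b64encode(digest, altchars).decode("utf-8")


def peer_name_option_d(name: str) -> str:
    """Option d): replace a leading hyphen with 'x', leave the rest untouched."""
    return re.sub(r"^-", "x", peer_name_before(name))


def peer_name_option_b(name: str) -> str:
    """Option b): a different alphabet, so a '-' at any position changes."""
    return peer_name_before(name, altchars=b"_.")


def compare(names):
    """Count how many already-deployed peer names each option would change."""
    stats = {"total": 0, "leading_hyphen": 0, "changed_by_d": 0, "changed_by_b": 0}
    for name in names:
        old = peer_name_before(name)
        stats["total"] += 1
        stats["leading_hyphen"] += int(old.startswith("-"))
        stats["changed_by_d"] += int(peer_name_option_d(name) != old)
        stats["changed_by_b"] += int(peer_name_option_b(name) != old)
    return stats


# Constructed sample IDs standing in for amphora UUIDs.
SAMPLE_IDS = [f"constructed-amphora-{i:04d}" for i in range(2000)]

if __name__ == "__main__":
    # changed_by_d equals leading_hyphen: only the already-broken names move.
    print(compare(SAMPLE_IDS))
```
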
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems
Update Sphinx version as well.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
Disable openstackdocs_auto_name to use 'project' variable as name.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: I87889f73207ecd940963fbe601ccbb79863b96ac
Use token and endpoint URL to initialize neutron client for the
request user.
Story: 2007619
Task: 39641
Change-Id: I05a541a77f254a77ad5036e1062b61c8ce93b754