Oslo.policy is moving away from using json format policy files.
This patch updates the Octavia documentation, policy configuration file, and
legacy admin-or-owner policy file to be in yaml format.
Octavia will continue to honor and support the json format file as long
as oslo.policy does, but this patch will encourage new deployments
to use the yaml format.
The base64_sha_string method is used to set a base64-encoded peer name
in HAProxy. There are cases where the peer name can start with
an hypen which is troublesome when used in HAProxy CLI. Specifically,
HAProxy fails to reload when local peer name starts with '-x' . When
this is the case, an amphora goes to provisioning status ERROR and later
is scheduled for failover by the Octavia Health Manager service. A new
amphora UUUID is assigned and base64 encoded, hopefully not starting
with '-x' again. However, this is far from being ideal -- we incur in a
dataplane disruption (single topology) or reduce HA capabilities
(active-standby topology) for some time.
Four possible options:
a) add prefix to peer name
b) change b64encode altchars
c) quote peer name in haproxy CLI command
d) substitute first character if hyphen
Option a) and b) are not backward compatible with running amphorae. Peer
names of existing amphorae that do not start with hypen but contain
hyphen at any other position would get different peer names.
Option c) would nonetheless still require an amphora image update to add
quotes in the HAProxy init service file. Continuing to generate peer
names with hyphens at begininng of the string is avoidable and
Option d), while also requiring an amphora image update, it would get
rid of hyphens in begining of the peer names. It is also backward
compatible with all running amphorae, except for those starting with
hyphen but are broken anyways.
This patch takes option d). It substitutes hyphen with 'x' character.
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems
Update Sphinx version as well.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
Disable openstackdocs_auto_name to use 'project' variable as name.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
There are cases where DIB can fail to create an image but devstack
does not abort. This leads the gate job to run all the way down to
starting the tempest test before the job will fail out.
This adds a simple check for the image file and will abort early
if the image is not present.
E741 ambiguous variable name 'l'
Change 'l' to another variable in affected code.
Also had to set the latex_engine to 'xelatex' in doc/source/conf.py
in order to get past an openstackdocstheme change the broke the pdf
Add new configuration option "tls_cipher_blacklist" to octavia.conf.
Blacklisted ciphers are blocked from being used in listeners, pools, or
default cipher strings.
These classes were deprecated in Stein and marked for removal in Ussuri.
By removing these classes, we fix pep8 issues (catching-non-exception)
we started seeing at the gate with the release of astroid 2.4.0.
Now that we are running the Victoria tests that include a
voting py38, we can now add the Python 3.8 metadata to the
package information to reflect that support.
Signed-off-by: Sean McGinnis <email@example.com>
Add file to the reno documentation build to show release notes for
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
When disable a loadbalancer have listener, the Heath Manager not update
amphora heath make it keep failover after heartbeat_timeout end time
In the section about creating a key pair for the amphora instance, there
were a few small typos. This change fixes those.
Signed-off-by: Raimund Hook <firstname.lastname@example.org>
* Make sure the user has access to the subnet in the request for
creating or updating pool member.
* Make sure the user has access to port or subnet or network for
creating load balancer
The python 3.8 unit test jobs are failing on a
mock.Mock(spec=secrets.Secret) call. Since this is legacy code and
we don't really need to be testing python-barbicanclient code here,
I'm removing the spec= for these tests to stop artificial failures
when running unit tests on python 3.8.
This patch adds a test skip for two tests that are impacted by the
recent sqlalchemy 1.3.16 release.
With this release, a patch, changes the default commit behavior
of a transaction. With this change we are seeing that the load
balancer created in the tree-create test disappears from the
transaction context during the test and the pool create call will
throw a foreign key error as the load balancer is not in the database.
It's not clear if this is purely a sqlalchemy, pysqlite, or sqlite3
bug at this time.
Given the requirements are already in freeze for the Ussuri release,
we are opting to disable the tests (we know only sqlite is impacted),
instead of attempt to blacklist 1.3.16 in requirements.
 9ebbf8614a (diff-e9762e21a27d8e6c44db6f9dd4edc694R455)
This patch introduces 2 macros in lvs.
1. Support HTTP GET, allow users create HTTP healthmonitor for udp pool.
2. Support TCP check, allow users create TCP healthmonitor for udp pool.
Co-Authored-By: Adam Harwell <email@example.com>
The devstack plugin code was sourcing a file that was
enabling bash errexit, which was then inheriting it in
later operations that could cause the shell to exit
Change both scripts to 'set +e' near exit so sourcing
them doesn't have issues.
Flask's stream always returns bytes, file write always takes string.
This causes py3 amps to return 500 on cert rotation AND wipe out the
certificate, so the amphora are no longer controllable and go to ERROR
state. Anyone running py3 amps prior to this patch will experience
amphorae breaking on a timer due to housekeeping cert rotation!
Template was using timeout value instead of delay value.
Also clean up redundant values in the templates (things like retry and
delay_before_retry only need to be specified once at the top level).