Commit Graph

3199 Commits (fafabad0422462e713da84b2467ba791b6af83dc)

Author SHA1 Message Date
Michael Johnson fafabad042 Switch oslo.policy over to yaml
Oslo.policy is moving away from using json format policy files[1].

This patch updates the Octavia documentation, policy configuration file, and
legacy admin-or-owner policy file to be in yaml format.

Octavia will continue to honor and support the json format file as long
as oslo.policy does, but this patch will encourage new deployments
to use the yaml format.


Change-Id: I925cc05981e677c0552b18f845fdbc512d2af22c
2020-06-08 08:54:07 -07:00
Zuul 2c7c7747b7 Merge "Workaround peer name starting with hyphen" 2020-05-31 14:55:45 +00:00
Zuul 8a38c1a82b Merge "Fixed a bug: replace 'startwith' with 'startswith'" 2020-05-30 11:36:57 +00:00
Zuul 7e851d3f6e Merge "Fix the grenade plugin to also upgrade octavia-lib" 2020-05-29 13:48:39 +00:00
chimeng 7c96e455a9 Fixed a bug: replace 'startwith' with 'startswith'
story: 2007734
Change-Id: I6543fe5caf539c9b1167a7c58984b3474879e1de
2020-05-29 17:08:25 +08:00
Carlos Goncalves acc38391de Workaround peer name starting with hyphen
The base64_sha_string method is used to set a base64-encoded peer name
in HAProxy. There are cases where the peer name can start with
an hypen which is troublesome when used in HAProxy CLI. Specifically,
HAProxy fails to reload when local peer name starts with '-x' [1]. When
this is the case, an amphora goes to provisioning status ERROR and later
is scheduled for failover by the Octavia Health Manager service. A new
amphora UUUID is assigned and base64 encoded, hopefully not starting
with '-x' again. However, this is far from being ideal -- we incur in a
dataplane disruption (single topology) or reduce HA capabilities
(active-standby topology) for some time.

Four possible options:

a) add prefix to peer name
b) change b64encode altchars
c) quote peer name in haproxy CLI command
d) substitute first character if hyphen

Option a) and b) are not backward compatible with running amphorae. Peer
names of existing amphorae that do not start with hypen but contain
hyphen at any other position would get different peer names.

Option c) would nonetheless still require an amphora image update to add
quotes in the HAProxy init service file. Continuing to generate peer
names with hyphens at begininng of the string is avoidable and

Option d), while also requiring an amphora image update, it would get
rid of hyphens in begining of the peer names. It is also backward
compatible with all running amphorae, except for those starting with
hyphen but are broken anyways.

This patch takes option d). It substitutes hyphen with 'x' character.


Task: 39850
Story: 2007714

Change-Id: Ib0fc26877710dea423a5ebcf1f71077665404377
2020-05-26 12:51:57 +02:00
Zuul 8ef7d60c91 Merge "Switch to newer openstackdocstheme and reno versions" 2020-05-24 03:00:05 +00:00
Carlos Goncalves 59831f46f7 Fix the grenade plugin to also upgrade octavia-lib
Upgrade octavia-lib in target environment to make sure we are testing
the latest code.

Change-Id: I8003de0f71a5dee7438ab2f6a2c497386018c1ac
2020-05-22 19:46:31 +02:00
Zuul 04ea9bf4dd Merge "Make sure devstack aborts if DIB fails" 2020-05-21 22:41:47 +00:00
Andreas Jaeger acb4d7b4e1 Switch to newer openstackdocstheme and reno versions
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems

Update Sphinx version as well.

Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.

Disable openstackdocs_auto_name to use 'project' variable as name.

Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.

openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.

See also

Change-Id: I87889f73207ecd940963fbe601ccbb79863b96ac
2020-05-21 13:06:24 +02:00
Lingxian Kong b54f373cac Fix getting user neutron client
Use token and endpoint URL to initialize neutron client for the
request user.

Story: 2007619
Task:  39641

Change-Id: I05a541a77f254a77ad5036e1062b61c8ce93b754
2020-05-20 10:22:53 +00:00
Michael Johnson d0f0233061 Make sure devstack aborts if DIB fails
There are cases where DIB can fail to create an image but devstack
does not abort. This leads the gate job to run all the way down to
starting the tempest test before the job will fail out.
This adds a simple check for the image file and will abort early
if the image is not present.

Change-Id: I7ebf4137feb04827490dffc0dac3d6e4c8888075
2020-05-19 16:26:57 +00:00
Zuul bcef33a3ff Merge "Add TLS cipher blacklist to octavia.conf" 2020-05-19 15:54:33 +00:00
Brian Haley 9a1d6d3585 Fix E741 pep8 errors
E741 ambiguous variable name 'l'

Change 'l' to another variable in affected code.

Also had to set the latex_engine to 'xelatex' in doc/source/
in order to get past an openstackdocstheme change the broke the pdf
doc build.

Change-Id: Idd176e40ccf2a79832a5c99140bd30e5e1f9c0d8
2020-05-15 10:58:22 -04:00
Zuul 5ec5fb73f8 Merge "Migrate grenade job to native Zuul v3" 2020-05-08 23:48:56 +00:00
Zuul 837b7bf940 Merge "Add py38 package metadata" 2020-05-06 20:46:39 +00:00
Carlos Goncalves 8b8965bd7b Migrate grenade job to native Zuul v3
This patch also switches the job back to voting.

Change-Id: Iedc1d5c5b603753b171fe17816b4d9c3aff1a16c
2020-05-04 14:01:40 +02:00
Dawson Coleman 85f5b8181b Add TLS cipher blacklist to octavia.conf
Add new configuration option "tls_cipher_blacklist" to octavia.conf.
Blacklisted ciphers are blocked from being used in listeners, pools, or
default cipher strings.

Change-Id: I44fd4da1b47faee9cc01b9426898a28b6f13f223
Story: 2006627
Task: 37168
2020-05-03 16:56:40 -05:00
Zuul 07a93de755 Merge "Fix healthmanager not update amphora health when LB disable" 2020-04-28 18:03:00 +00:00
Carlos Goncalves 0056b5175f Remove deprecated exception classes
These classes were deprecated in Stein and marked for removal in Ussuri.
By removing these classes, we fix pep8 issues (catching-non-exception)
we started seeing at the gate with the release of astroid 2.4.0.

Change-Id: I66b2d0687f4edfbcbff99c29c9c5d539e4e7ea7f
2020-04-27 19:22:06 +00:00
Sean McGinnis 526b15841f
Add py38 package metadata
Now that we are running the Victoria tests that include a
voting py38, we can now add the Python 3.8 metadata to the
package information to reflect that support.

Change-Id: I3c1e65466fa22747e66b25ea09dd518fcc311723
Signed-off-by: Sean McGinnis <>
2020-04-24 08:22:38 -05:00
Zuul c037a9b374 Merge "Add Python3 master unit tests" 2020-04-24 09:52:53 +00:00
Zuul a570d92e04 Merge "Update master for stable/ussuri" 2020-04-24 07:58:30 +00:00
Zuul 8ceb7efecf Merge "Fix Octavia unit tests for python 3.8" 2020-04-24 00:28:50 +00:00
Sean McGinnis 707c70d912 Add Python3 master unit tests
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for victoria.

See also the PTI in governance [1].


Change-Id: I7465f908f4f632d7615df52f1c34f30fee0b0b9f
2020-04-23 20:46:13 +00:00
Sean McGinnis a5806960b9 Update master for stable/ussuri
Add file to the reno documentation build to show release notes for

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on

Change-Id: I49c63fb53c425a980b7f657acbf25a56688ab9c9
Sem-Ver: feature
2020-04-23 15:45:08 -05:00
Zuul 0f0e594e17 Merge "Small fix of wording in Ubuntu install doc" 2020-04-23 18:30:56 +00:00
archiephan fe771a456d Fix healthmanager not update amphora health when LB disable
When disable a loadbalancer have listener, the Heath Manager not update
amphora heath make it keep failover after heartbeat_timeout end time

Story: 2007587
Task: 39521

Change-Id: Ia6d3f40ae1b9b352492162513c9262748ee67e6f
2020-04-23 17:38:41 +07:00
Raimund Hook 908abe6e09 Small fix of wording in Ubuntu install doc
In the section about creating a key pair for the amphora instance, there
were a few small typos. This change fixes those.


Change-Id: Ic6af32cc566abb6931ef61c979407780121e4bb6
Signed-off-by: Raimund Hook <>
2020-04-22 14:42:18 +01:00
Lingxian Kong a33d42fa59 Validate resource access when creating loadbalancer or member
* Make sure the user has access to the subnet in the request for
  creating or updating pool member.
* Make sure the user has access to port or subnet or network for
  creating load balancer

Story: 2007531
Task: 39339

Change-Id: I479019a911b5a1acfc1951d1cbbc2a351089cb4d
2020-04-22 16:19:38 +12:00
Michael Johnson 5ee26a2035 Fix Octavia unit tests for python 3.8
The python 3.8 unit test jobs are failing on a
mock.Mock(spec=secrets.Secret) call. Since this is legacy code and
we don't really need to be testing python-barbicanclient code here,
I'm removing the spec= for these tests to stop artificial failures
when running unit tests on python 3.8.

Change-Id: I9132e2d05bf67ddff4f2d7879d799c8dd25bd3c7
2020-04-20 10:57:21 -07:00
Zuul 9d50c7918f Merge "Healthmanager opts aren't CLI-related" 2020-04-19 15:23:12 +00:00
Zuul 1b52ccd20f Merge "Support HTTP and TCP checks in UDP healthmonitor" 2020-04-17 23:11:06 +00:00
Zuul 36daa28df2 Merge "Fix py3 amphora-agent cert-rotation type bug" 2020-04-17 22:54:46 +00:00
Zuul 0f52069be8 Merge "Don't inherit enforcing bash errexit in devstack plugin" 2020-04-17 04:52:57 +00:00
Zuul 0ccb997793 Merge "Run taskflow jobboard conductor conditionally" 2020-04-16 11:41:24 +00:00
Zuul d9e029960d Merge "Correct delay between UDP healthchecks" 2020-04-16 00:18:29 +00:00
Adam Harwell f4057134a8 Healthmanager opts aren't CLI-related
This impacts local testing and is just a weird bug to have in general...

Change-Id: Ie1b53f5175bf3c827090650d0229579b0a33e7f2
2020-04-15 20:10:06 +00:00
Michael Johnson ccd6c3875e Disable two tests due to sqlalchemy/sqlite bug
This patch adds a test skip for two tests that are impacted by the
recent sqlalchemy 1.3.16 release.
With this release, a patch[1], changes the default commit behavior
of a transaction. With this change we are seeing that the load
balancer created in the tree-create test disappears from the
transaction context during the test and the pool create call will
throw a foreign key error as the load balancer is not in the database.

It's not clear if this is purely a sqlalchemy, pysqlite, or sqlite3
bug at this time.
Given the requirements are already in freeze for the Ussuri release,
we are opting to disable the tests (we know only sqlite is impacted),
instead of attempt to blacklist 1.3.16 in requirements.

[1] 9ebbf8614a (diff-e9762e21a27d8e6c44db6f9dd4edc694R455)

Change-Id: I7910ebe4cff692bab67349bbf3e4ee4e24b5fa7a
2020-04-15 10:08:00 -07:00
ZhaoBo 6e61991833 Support HTTP and TCP checks in UDP healthmonitor
This patch introduces 2 macros in lvs.

1. Support HTTP GET, allow users create HTTP healthmonitor for udp pool.
2. Support TCP check, allow users create TCP healthmonitor for udp pool.

Co-Authored-By: Adam Harwell <>
Change-Id: I61c7d8d4df54710a92b8c055be84bba29bf3d7e6
Story: 2003200
Task: 23356
Story: 2003199
Task: 23355
2020-04-15 16:18:35 +00:00
Ann Taraday fb70e3b3c1 Run taskflow jobboard conductor conditionally
Run taskflow jobboard conductor only if amphorav2 provider is

Fixes devstack conditions for amphorav2 provider.

Change-Id: I49b587cf748996658859667485400307205d209b
2020-04-15 20:11:07 +04:00
Brian Haley 1c639f01a0 Don't inherit enforcing bash errexit in devstack plugin
The devstack plugin code was sourcing a file that was
enabling bash errexit, which was then inheriting it in
later operations that could cause the shell to exit

Change both scripts to 'set +e' near exit so sourcing
them doesn't have issues.

Change-Id: I16513b0066c05cd6fc606da341df636094010a34
2020-04-15 10:10:34 -04:00
Adam Harwell 96a4482dff Fix py3 amphora-agent cert-rotation type bug
Flask's stream always returns bytes, file write always takes string.
This causes py3 amps to return 500 on cert rotation AND wipe out the
certificate, so the amphora are no longer controllable and go to ERROR
state. Anyone running py3 amps prior to this patch will experience
amphorae breaking on a timer due to housekeeping cert rotation!

Change-Id: I831b0b48d719397c14d80f8ebcbad997c50c7795
2020-04-14 06:48:43 -07:00
OpenStack Proposal Bot c9e1551550 Imported Translations from Zanata
For more information about this automatic import see:

Change-Id: Ifbaac9d41080210124e15476df392622b94b5b2e
2020-04-11 08:32:07 +00:00
Zuul 771a5d87f4 Merge "Fix amphora image build jobs" 2020-04-10 13:28:50 +00:00
Zuul 4f16f0aeb6 Merge "Add listener allowed_cidrs to the feature matrix" 2020-04-10 11:19:24 +00:00
Adam Harwell 4b2a38d93c Correct delay between UDP healthchecks
Template was using timeout value instead of delay value.
Also clean up redundant values in the templates (things like retry and
delay_before_retry only need to be specified once at the top level).

Change-Id: I376917e40eb7a92f7f03e691ed9a0c23fd2ce8f8
2020-04-09 18:47:11 -07:00
Zuul ee30c1f7c9 Merge "Add availability-zone to loadbalancer object docs" 2020-04-09 13:04:27 +00:00
Zuul 73fbc05386 Merge "Jobboard based controller" 2020-04-09 00:10:44 +00:00
Adam Harwell 4f4804259f Add availability-zone to loadbalancer object docs
Change-Id: I8626c0338d4ad7d11bf5d56b022136cb4513d37e
2020-04-08 16:24:11 -07:00