When reloading haproxy, check if a "<service> is not active, cannot
reload." error is triggered by systemd; it means that haproxy crashed
during the reload. When this error is detected, verify if haproxy has
reloaded correctly (check the socket and its uptime).
Related-Bug: #2054666
Change-Id: Ibadf6e529d53fb5a45b73af57243cee5a3f70d9b

Octavia replaces "limit" with None when it is less than 1 (for example
0, -1). However, the further code failed to compare None and int values.
This patch fixes it by validating that limit is None.
Co-Authored-By: Roman Goncharov <gadzhet007@gmail.com>
Closes-Bug: #2060917
Change-Id: I9bb45a1aca6b7b18644752a3dccc3ebfb7c106ef

Result of running

$ pyupgrade --py38-plus $(git ls-files | grep ".py$")

This was inspired by Nova [1]

Fixed PEP8 errors introduced by pyupgrade by running:

$ autopep8 --select=E127,E128,E501 --max-line-length 79 -r \
  --in-place octavia

and manual updates.

[1]: https://review.opendev.org/c/openstack/nova/+/896986
Change-Id: I9399730fed16b85686caa586788a1bc03ebd123a

Add file to the reno documentation build to show release notes for
stable/2024.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2024.1.
Sem-Ver: feature
Change-Id: I744c29c1a03aba952b98a9fa3b6772073fa3805c

When creating a LB + a listener with an allowed_cidr with the
fully-populated API, an issue happened when Octavia validated that the
allowed_cidrs and the VIP ip address have the same IP version. The
vip.ip_address value was not updated in the load balancer object.
Forcing the expiration of the DB object before entering _graph_create
fixes this issue.
Note: there's no change in the tests; the test function for this feature
exists, looks correct, and passes successfully. The bug is only
reproducible in octavia-api.
Closes-Bug: 2057751
Change-Id: Ia106d81c1b2588e5d938d2238c8a2f6660bf5ef1

Ubuntu Focal is no longer part of the tested environments, because a
newer LTS is available now (Jammy).
Change-Id: I7a6df974762abdd94784416609304618ce702b6e

This adds a release note to explain updates made recently in redis
jobboard driver[1][2].
[1] 16f6b2e8f6
[2] bd3ef61a0c
Change-Id: I6c43a0a810f01632696f254a31e9a17c2f2cd73d

This patch adds the initial nftables support in the amphora for SR-IOV
VIPs. Followup patches will add rules to the nftables chain. At this
point in the patch chain, SR-IOV VIPs will not pass any traffic.
Change-Id: Ib2a1c3f49a26690d2e0e9c7330e047748c0b5105

Since 2023.2, we deprecated some settings in the [neutron] section
('endpoint', 'endpoint_type' and 'ca_certificates_file'); they are
respectively replaced by 'endpoint_override', 'valid_interfaces' and
'cafile'. There's some code in Octavia that automatically sets the new
settings if the user still has the old settings (it is required because
keystoneauth uses the CONF objects to establish the sessions).
But some corner cases were not correctly addressed in that patch.
Now Octavia ensures that the override of the parameters is correctly
handled.
Change-Id: Ic37e9f699e32431ae1735ddc9642689967ddc696
Closes-Bug: 2051604

This patch fixes an issue where if the user attempts to use a
certificate that does not have a subject or CN, we would fail to create
a listener using the certificate.
Per the X.509 specification, a blank subject is allowed as long as the
subjectAltName extension is present in the certificate.
Octavia will now check for a valid subjectAltName if the subject CN
cannot be retrieved. If both are missing, an appropriate error is raised
for the user.
Closes-Bug: #2043582
Change-Id: I06911f42b9bf29cf9a5f2e76d8333d8a2f1bc60b
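
The CN-then-subjectAltName fallback described in the commit message above, as an added example that is not Octavia's own code. It assumes the third-party `cryptography` package; `primary_hostname`, `MissingHostname` and `make_cert` are hypothetical names, the certificates are constructed test data, and considering only DNS entries of the SAN is an assumption.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


class MissingHostname(Exception):
    """Hypothetical error: the certificate names no host at all."""


def primary_hostname(cert):
    """Return the subject CN, or the first DNS subjectAltName if there is no CN."""
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if cns:
        return cns[0].value
    try:
        san = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        raise MissingHostname("no subject CN and no subjectAltName") from None
    dns_names = san.get_values_for_type(x509.DNSName)
    if not dns_names:
        raise MissingHostname("subjectAltName holds no DNS name")
    return dns_names[0]


def make_cert(cn=None, sans=()):
    """Constructed sample input: a throwaway certificate signed by its own key."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name(
        [x509.NameAttribute(NameOID.COMMON_NAME, cn)] if cn else [])
    issuer = x509.Name(
        [x509.NameAttribute(NameOID.COMMON_NAME, "constructed test issuer")])
    start = datetime.datetime(2024, 1, 1)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=30)))
    if sans:
        # RFC 5280: with an empty subject the SAN extension must be critical.
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]),
            critical=cn is None)
    return builder.sign(key, hashes.SHA256())
```

A certificate with a CN resolves to that CN, one with a blank subject resolves to its first DNS SAN, and one with neither raises `MissingHostname` instead of failing later with an unrelated error.
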

TLS-HELLO HMs were based on the ssl-hello-chk option of haproxy, which
uses SSLv3 messages. SSLv3 is deprecated and most distributions have
disabled it. Remove this option and rely only on the default checker
when ssl is enabled [0].
[0] https://docs.haproxy.org/2.8/configuration.html#5.2-check
Related-Bug: #2043812
Change-Id: Ia681679e24437832e1e23e7399e1a34da8ab54c5

Using HTTP or HTTPS health-monitor on an ALPN pool failed with SSL
errors.
haproxy doc mentions that when using "check" with ALPN servers, the
check-alpn option must be enabled.
[0] https://docs.haproxy.org/2.8/configuration.html#5.2-check
Closes-Bug: #2043812
Change-Id: I5698558857cbaa585f8a3d7ac37aaa31c0189d46

The taskflow library allows us to customize idle_timeout. This change
makes the option set according to the equivalent option in oslo.db
similarly to the other options such as max_overflow.
Change-Id: I1c50f232c4f0c5c10a3dd5a928466f7ef67a9763

So far, when Octavia was running with noop drivers, there were no
amphora statistics data provided and 404 was returned as the
AmphoraStatistics object was not created, and therefore not found.
This patch adds fake statistics to amphora noop driver.
Closes-Bug: #2030774
Change-Id: Ib65e459bcd10a5ab877c0cf6f234d634d25d1e55

So far, Octavia noop drivers were using real certificate managers, which
have validated the certificates for every certificate required operation,
sometimes without any need.
Octavia should have a Noop Certificate Manager for faster testing
purposes.
This patch adds it.
Closes-Bug: #2034711
Change-Id: I700c65fb17bad28b2b922e03d9c94c4716de9cbe

The Amphora Configure API call failed because a new sqlalchemy
transaction was created but a transaction was already begun.
Remove the nested begin() calls to fix the issue.
Closes-Bug: #2039281
Change-Id: Ie20cce4e8355737711a9def7470550e4e43c0c35

Closes bug: #2038367
Behavior: In the response body of the LB API when creating
a new load balancer, the information about the health
monitor is always null, even though it has been configured.
Reproduce: Using the Octavia API to create a new LB with
all components. You cannot see any information about the
health monitor that will be returned.
Proposed Fix: Modify the assignment to use
`data_model.health_monitor` instead of `pool.healthmonitor`.
Change-Id: Ia914ad89b6fdf3606c3d4bff0a4c425348c15e0c

When 2 amps were down, the failover flow created the first one and
needed to update both amps to configure VRRP, but as the 2nd was missing,
it was set to ERROR. Then the health-manager could not trigger a
failover because amphorae in ERROR are excluded from the automated
failover process.
This commit changes the tasks that must be run on both amphorae during a
failover of one amphora; it doesn't mark the secondary amphora in ERROR
if it is not reachable.
Closes-Bug: #2033734
Change-Id: I4bd027346c61b93b537ab53810c2ecb6160b6be2

In the failover flow, there are multiple tasks for the configuration of
VRRP for the other amphorae of the load balancer, but during outage the
other amps may not be available. To prevent the tasks from attempting
connections to unreachable amphorae, we can detect in the first task
that an amp is unreachable and pass this information to the other tasks.
Those connection attempts could have taken a lot of time, between 15 min
and 40 min depending on the configuration of Octavia and the provider
driver (amphorav1 or amphorav2).
Closes-Bug: #2033894
Change-Id: Ib33a0b8d2875e4ff97c65933fe9360bb06994d32

In case of DB outages when a flow is running, an exception is caught and
the flow is reverted. In most of the flows, the revert function of the
first task (the last to be reverted) unlocks the load balancer by
setting its provisioning status (to ERROR or ACTIVE, depending on the
flow), but it fails if the DB is not reachable, leaving the LB in
a PENDING_* state.
This commit adds tenacity.retry to those functions; Octavia retries
setting the status for ~2h45 (2000 attempts, 1 sec initial delay, 5 sec
max delay).
Closes-Bug: #2036952
Change-Id: I458dd6d6f5383edc24116ea0fa27e3a593044146

The up scripts of the interface files were called only when the
interface moved from down to up, which means that they were not called
during the update of the configuration of an interface. So during an
update, if an ipv6 subnet was plugged while the ipv4 subnet was already
there, the up script that sets the masquerade rules was not called.
It broke connectivity for either ipv4 or ipv6 between the client and the
members in UDP listeners in multivip load balancers.
Closes-Bug: #2037943
Change-Id: Iad78de1764bc3a3f699b5feef9e58999d2efe613