From 7e8ece9474d0fec92c216ab26e5b143c68479f29 Mon Sep 17 00:00:00 2001
From: Nir Magnezi
Date: Thu, 13 Dec 2018 11:34:40 +0200
Subject: [PATCH] Stop Logging Amphora Cert

Stop logging amphora cert for tasks:
octavia-failover-amphora-flow- \
octavia-create-amp-for-lb-subflow-octavia-generate-serverpem
And:
octavia-create-amp-for-lb-subflow-octavia-update-cert-expiration

This patch adds more exclusions to taskflow DynamicLoggingListener, which
logs task results when running in debug mode.

Failing Over a loadbalancer (SINGLE):
Before: http://paste.openstack.org/show/C0ghBQCXBv6YXqR4YRUY/
After: http://paste.openstack.org/show/S4bezDTre4KU4oeQDrsF/

Failing Over a loadbalancer (ACTIVE_STANDBY):
Before: http://paste.openstack.org/show/u9aQGvE64evYuYbcWvF4/
After: http://paste.openstack.org/show/BlJEqGYpHaZYu3LBww3g/

While writing this patch, I also tested for:
1. loadbalancer create with SINGLE topology.
2. loadbalancer create with ACTIVE_STANDBY topology.
3. loadbalancer amphora failover with SINGLE topology.
4. loadbalancer amphora failover with ACTIVE_STANDBY topology.
I didn't notice any cert prints for those cases.

I was not able to trigger the above-mentioned
octavia-update-cert-expiration, but we have a clear indication for it in a
log screenshot that I attached to the StoryBoard.

Story: 2004606
Task: 28503
Change-Id: I136081045787c1bbe3ee846d5845a34201c57864
---
 octavia/controller/worker/controller_worker.py | 7 ++++++-
 .../notes/stop-logging-amphora-cert-2e188675699d60d5.yaml | 7 +++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/stop-logging-amphora-cert-2e188675699d60d5.yaml

diff --git a/octavia/controller/worker/controller_worker.py b/octavia/controller/worker/controller_worker.py
index 56b82b2f4c..962e0af393 100644
--- a/octavia/controller/worker/controller_worker.py
+++ b/octavia/controller/worker/controller_worker.py
@@ -80,7 +80,12 @@ class ControllerWorker(base_taskflow.BaseTaskFlowEngine): constants.ROLE_MASTER + '-' + constants.CREATE_AMP_FOR_LB_SUBFLOW + '-' + constants.GENERATE_SERVER_PEM, - constants.GENERATE_SERVER_PEM_TASK) + constants.GENERATE_SERVER_PEM_TASK, + constants.FAILOVER_AMPHORA_FLOW + '-' + + constants.CREATE_AMP_FOR_LB_SUBFLOW + '-' + + constants.GENERATE_SERVER_PEM, + constants.CREATE_AMP_FOR_LB_SUBFLOW + '-' + + constants.UPDATE_CERT_EXPIRATION) super(ControllerWorker, self).__init__() diff --git a/releasenotes/notes/stop-logging-amphora-cert-2e188675699d60d5.yaml b/releasenotes/notes/stop-logging-amphora-cert-2e188675699d60d5.yaml new file mode 100644 index 0000000000..f1c42f010e --- /dev/null +++ b/releasenotes/notes/stop-logging-amphora-cert-2e188675699d60d5.yaml @@ -0,0 +1,7 @@ +--- +security: + - | + Fixed a debug level logging of Amphora certificates for flows + such as 'octavia-create-amp-for-lb-subflow-octavia-generate-serverpem' + (triggered with loadbalancer failover) and + 'octavia-create-amp-for-lb-subflow-octavia-update-cert-expiration'.
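Review bot: In the controller_worker.py hunk, the new `constants.CREATE_AMP_FOR_LB_SUBFLOW + '-' + constants.UPDATE_CERT_EXPIRATION` entry has no flow or role prefix, while the GENERATE_SERVER_PEM entries around it are listed once per enclosing flow (the `constants.ROLE_MASTER + '-' + ...` context line and the added `constants.FAILOVER_AMPHORA_FLOW + '-' + ...` entry). If the update-cert-expiration task also runs under a role or failover prefix, those names are not in the tuple and the result could still reach the debug log. The commit message says this task could not be triggered, so the entry is unverified. Please confirm which full task names the task actually runs under and add the prefixed variants if they exist. Because each exclusion is a full name assembled by string concatenation, any new flow that wraps this subflow will need its own entry, and the diffstat shows no test change. A unit test that asserts the exclusion tuple contains every generate-serverpem and update-cert-expiration task name would catch a future omission.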
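Review bot: In the release note hunk, the first task name is given as 'octavia-create-amp-for-lb-subflow-octavia-generate-serverpem' "(triggered with loadbalancer failover)", but the exclusion added in the code is the `constants.FAILOVER_AMPHORA_FLOW`-prefixed name, which the commit message writes as octavia-failover-amphora-flow-octavia-create-amp-for-lb-subflow-octavia-generate-serverpem. An operator searching existing logs for the string in the note would match, but the note should quote the full name so it agrees with the code. Since this is filed under `security:`, it would also help to state that the exposure only occurs when the worker runs with debug logging enabled, and to tell operators to review and restrict or purge debug logs written before the fix, because those still contain the certificate data. "Fixed a debug level logging of Amphora certificates" would read better as "Amphora certificates are no longer written to the debug log".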