Train Series Release Notes

18.0.0.0b1-125

New Features

  • Octavia requires SSL certificates for communication with the amphora. This adds the automatic creation of self signed certificates for this purpose. It uses different certificate authorities for amphora and control plane thus insuring maximum security.

  • Octavia is creating vms, securitygroups, and other things in its project. In most cases the default quotas are not big enough. This will adjust them to (configurable) reasonable values.

  • Now you can set up octavia_management_net_subnet_gateway variable to create the management subnet with default gateway set. By default the subnet created without gateway.

  • The service setup in keystone for octavia will now be executed through delegation to the octavia_service_setup_host which, by default, is localhost (the deploy host). Deployers can opt to rather change this to the utility container by implementing the following override in user_variables.yml.

    octavia_service_setup_host: "{{ groups['utility_all'][0] }}"
    
  • The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the octavia_install_method variable to distro.

  • Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in octavia.

  • Now you can use cinder-volume with Octavia. To enable the feature set octavia_cinder_enabled to True. Also you may need to override the default settings:

    octavia_octavia_conf_overrides:
      cinder:
        volume_type: 'my-volume-type'
        volume_size: 32
    

Deprecation Notes

  • The variable octavia_requires_pip_packages is no longer required and has therefore been removed.

  • The variable octavia_image_downloader has been removed. The image download now uses the same host designated by the octavia_service_setup_host for the image download.

  • The variable octavia_ansible_endpoint_type has been removed. The endpoint used for ansible tasks has been hard set to the ‘admin’ endpoint as is commonly used across all OSA roles.

  • The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment. - octavia_oslomsg_rpc_servers replaces octavia_rabbitmq_servers - octavia_oslomsg_rpc_port replaces octavia_rabbitmq_port - octavia_oslomsg_rpc_use_ssl replaces octavia_rabbitmq_use_ssl - octavia_oslomsg_rpc_userid replaces octavia_rabbitmq_userid - octavia_oslomsg_rpc_vhost replaces octavia_rabbitmq_vhost - octavia_oslomsg_notify_servers replaces octavia_rabbitmq_telemetry_servers - octavia_oslomsg_notify_port replaces octavia_rabbitmq_telemetry_port - octavia_oslomsg_notify_use_ssl replaces octavia_rabbitmq_telemetry_use_ssl - octavia_oslomsg_notify_userid replaces octavia_rabbitmq_telemetry_userid - octavia_oslomsg_notify_vhost replaces octavia_rabbitmq_telemetry_vhost - octavia_oslomsg_notify_password replaces octavia_rabbitmq_telemetry_password

Security Issues

  • It is recommended that the certificate generation is always reviewed by security professionals since algorithms and key-lengths considered secure change all the time.

  • Avoid setting the quotas too high for your cloud since this can impact the performance of other servcies and lead to a potential Denial-of-Service attack if Loadbalancer quotas are not set properly or RBAC is not properly set up.

Bug Fixes

  • The quota for security group rules was erroneously set to 100 with the aim to have 100 security group rules per security group instead of to 100*#security group rules. This patch fixes this discrepancy.

18.0.0.0b1

New Features

  • This consolidates the amphora image tasks in a common file and adds a way to download an amphora image from an artefact storage over http(s). With the Octavia team providing test images the tests were modified to not build images any longer but download them.

Security Issues

  • It is commonly considered bad practice to downlaod random images from the Internet expecially the test images the Octavia team provides which could potentially include unpatched operating system packages - so for any production deploy adjust the download url to an artifact storage your organization controls. The system also does not authenticate the image (e.g. with an md5) so should only be used on networks your organization controls.

17.0.0.0b2

New Features

  • A typical OSA install will put the neutron and octavia queues on different vhosts thus preventing the event streamer from working While octavia is streaming to its own queue the consumer on the neutron side listens to the neutron queue. With a recent octavia enhancement a separate queue for the event streamer can be configured. This patch will set up the event streamer to post into the neutron queue using neutron’s credentials. Thus reaching the consumer on the neutron-lbaas side and allowing for streaming.

Security Issues

  • Since we use neutron’s credentials to access the queue, security conscious people might want to set up an extra user for octavia on the neutron queue restricted to the topics octavia posts to.

17.0.0.0b1

New Features

  • Adds a new flag to enable Octavia V2 API (disabled by default) to facilitate to run Octavia stand alone (without Neutron)

  • Adds a new flag to toggle Octavia V1 API (the API needed to run in conjunction with Neutron) and enables it by default.

16.0.0.0rc1

New Features

  • The octavia-api service has moved to run as a uWSGI application. You can set the max number of WSGI processes, the number of processes, threads, and buffer size utilizing the octavia_wsgi_processes_max, octavia_wsgi_processes, octavia_wsgi_threads, and octavia_wsgi_buffer_size. Additionally, you can override any settings in the uWSGI ini configuration file using the octavia_api_uwsgi_ini_overrides setting. The uWSGI application will listen on the address specified by octavia_uwsgi_bind_address which defaults to 0.0.0.0.

16.0.0.0b3

New Features

  • Adds a way for the system to automatically create the Octavia management network if octavia_service_net_setup is enabled (DEFAULT). Additional parameters can control the setup.

  • Adds support for glance-image-id and automatic uploading of the image if octavia_amp_image_upload_enabled is True (Default is False). This is mostly tp work around the limitations of Ansible’s OpenStack support and should not be used in prodcution settings. Instead refer to the documentation to upload images yourself.

Deprecation Notes

  • Remove octavia_rpc_backend option due to deprecation of rpc_backend option in oslo.messaging.

16.0.0.0b2

New Features

  • Simplifies configuration of lbaas-mgmt network.

  • Adds iptables rules to block taffic from the octavia managment network to the octavia container for both ipv4 and ipv6.

  • New variables have been added to allow a deployer to customize a octavia systemd unit file to their liking.

  • The task dropping the octavia systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_octavia role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the octavia_*_init_overrides variables which use the config_template task to change template defaults.

  • Deployers may provide a list of custom haproxy template files to copy from the deployment host through the octavia_user_haproxy_templates variable and configure Octavia to make use of a custom haproxy template file with with octavia_haproxy_amphora_template variable.

Upgrade Notes

  • For the os_octavia role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the octavia_*_init_overrides variables which use the config_template task to change template defaults.

16.0.0.0b1

Deprecation Notes

  • The octavia_keystone_auth_plugin variable has been deprecated. octavia_keystone_auth_type should be used instead to configure authentication type.