octavia 12.0.0.0rc2__py3-none-any.whl → 13.0.0.0rc1__py3-none-any.whl

octavia/common/jinja/haproxy/combined_listeners/jinja_cfg.py

@@ -23,6 +23,7 @@ from oslo_utils import versionutils
 from octavia.common.config import cfg
 from octavia.common import constants
 from octavia.common import utils as octavia_utils
+from octavia.db import models
 
 PROTOCOL_MAP = {
     constants.PROTOCOL_TCP: 'tcp',
@@ -265,6 +266,8 @@ class JinjaTemplater(object):
         # listeners' connection limits.
         connection_limit_sum = 0
         for listener in listeners:
+            if not listener.enabled:
+                continue
             if listener.protocol in constants.LVS_PROTOCOLS:
                 continue
             if listener.connection_limit and listener.connection_limit > -1:
@@ -298,7 +301,8 @@ class JinjaTemplater(object):
             'vrrp_priority': amphora.vrrp_priority
         }
 
-    def _transform_listener(self, listener, tls_certs, feature_compatibility,
+    def _transform_listener(self, listener: models.Listener, tls_certs,
+                            feature_compatibility,
                             loadbalancer):
         """Transforms a listener into an object that will
 
@@ -363,6 +367,13 @@ class JinjaTemplater(object):
                 ret_value['tls_versions'] = listener.tls_versions
             if listener.alpn_protocols is not None:
                 ret_value['alpn_protocols'] = ",".join(listener.alpn_protocols)
+            if listener.hsts_max_age is not None:
+                hsts_directives = f"max-age={listener.hsts_max_age};"
+                if listener.hsts_include_subdomains:
+                    hsts_directives += " includeSubDomains;"
+                if listener.hsts_preload:
+                    hsts_directives += " preload;"
+                ret_value['hsts_directives'] = hsts_directives
 
         pools = []
         pool_gen = (pool for pool in listener.pools if

octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2

@@ -166,6 +166,9 @@ frontend {{ listener.id }}
     {% if (listener.protocol.lower() ==
        constants.PROTOCOL_TERMINATED_HTTPS.lower()) %}
     redirect scheme https if !{ ssl_fc }
+        {% if listener.hsts_directives is defined %}
+    http-response set-header Strict-Transport-Security "{{ listener.hsts_directives }}"
+        {% endif %}
     {% endif %}
     {{ bind_macro(constants, lib_consts, listener, lb_vip_address)|trim() }}
     {% for add_vip in additional_vips %}
@@ -324,10 +327,10 @@ backend {{ pool.id }}:{{ listener.id }}
         {% if (pool.session_persistence.type ==
                constants.SESSION_PERSISTENCE_SOURCE_IP) %}
             {% if loadbalancer.topology == constants.TOPOLOGY_ACTIVE_STANDBY %}
-    stick-table type ip size {{ pool.stick_size }} peers {{
+    stick-table type ipv6 size {{ pool.stick_size }} peers {{
     "%s_peers"|format(loadbalancer.id.replace("-", ""))|trim() }}
             {% else %}
-    stick-table type ip size {{ pool.stick_size }}
+    stick-table type ipv6 size {{ pool.stick_size }}
             {% endif %}
     stick on src
         {% elif (pool.session_persistence.type ==

octavia/common/jinja/lvs/jinja_cfg.py

@@ -20,6 +20,7 @@ from octavia_lib.common import constants as lib_consts
 from octavia.common.config import cfg
 from octavia.common import constants
 from octavia.common import utils as octavia_utils
+from octavia.db import models
 
 
 CONF = cfg.CONF
@@ -59,7 +60,7 @@ class LvsJinjaTemplater(object):
         self.keepalivedlvs_template = (keepalivedlvs_template or
                                        KEEPALIVED_LVS_TEMPLATE)
 
-    def build_config(self, listener, **kwargs):
+    def build_config(self, listener: models.Listener, **kwargs):
         """Convert a logical configuration to the Keepalived LVS version
 
         :param listener: The listener configuration
@@ -97,7 +98,8 @@ class LvsJinjaTemplater(object):
             constants=constants,
             lib_consts=lib_consts)
 
-    def _transform_loadbalancer(self, loadbalancer, listener):
+    def _transform_loadbalancer(self, loadbalancer: models.LoadBalancer,
+                                listener: models.Listener):
         """Transforms a load balancer into an object that will
 
            be processed by the templating system

octavia/common/keystone.py

@@ -12,6 +12,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from keystoneauth1 import exceptions as ks_exceptions
 from keystoneauth1 import loading as ks_loading
 from keystonemiddleware import auth_token
 from oslo_config import cfg
@@ -32,14 +33,17 @@ class KeystoneSession(object):
         self._auth = None
 
         self.section = section
-        ks_loading.register_auth_conf_options(cfg.CONF, self.section)
-        ks_loading.register_session_conf_options(cfg.CONF, self.section)
 
-    def get_session(self):
+    def get_session(self, auth=None):
         """Initializes a Keystone session.
 
         :return: a Keystone Session object
         """
+        if auth:
+            # Do not use the singleton with custom auth params
+            return ks_loading.load_session_from_conf_options(
+                cfg.CONF, self.section, auth=auth)
+
         if not self._session:
             self._session = ks_loading.load_session_from_conf_options(
                 cfg.CONF, self.section, auth=self.get_auth())
@@ -48,8 +52,57 @@ class KeystoneSession(object):
 
     def get_auth(self):
         if not self._auth:
-            self._auth = ks_loading.load_auth_from_conf_options(
-                cfg.CONF, self.section)
+            try:
+                self._auth = ks_loading.load_auth_from_conf_options(
+                    cfg.CONF, self.section)
+            except ks_exceptions.auth_plugins.MissingRequiredOptions as e:
+                if self.section == constants.SERVICE_AUTH:
+                    raise e
+                # NOTE(gthiemonge): MissingRequiredOptions is raised: there is
+                # one or more missing auth options in the config file. It may
+                # be due to the migration from python-neutronclient to
+                # openstacksdk.
+                # With neutronclient, most of the auth settings were in
+                # [service_auth] with a few overrides in [neutron],
+                # but with openstacksdk, we have all the auth settings in the
+                # [neutron] section. In order to support smooth upgrades, in
+                # case those options are missing, we override the undefined
+                # options with the existing settings from [service_auth].
+
+                # This code should be removed when all the deployment tools set
+                # the correct options in [neutron]
+
+                # The config options are lazily registered/loaded by keystone,
+                # it means that we cannot get/set them before invoking
+                # 'load_auth_from_conf_options' on 'service_auth'.
+                ks_loading.load_auth_from_conf_options(
+                    cfg.CONF, constants.SERVICE_AUTH)
+
+                config = getattr(cfg.CONF, self.section)
+                for opt in config:
+                    # For each option in the [neutron] section, get its setting
+                    # location, if the location is 'opt_default' or
+                    # 'set_default', it means that the option is not configured
+                    # in the config file, it should be replaced with the one
+                    # from [service_auth]
+                    loc = cfg.CONF.get_location(opt, self.section)
+                    if not loc or loc.location in (cfg.Locations.opt_default,
+                                                   cfg.Locations.set_default):
+                        if hasattr(cfg.CONF.service_auth, opt):
+                            cur_value = getattr(config, opt)
+                            value = getattr(cfg.CONF.service_auth, opt)
+                            if value != cur_value:
+                                log_value = (value if opt != "password"
+                                             else "<hidden>")
+                                LOG.debug("Overriding [%s].%s with '%s'",
+                                          self.section, opt, log_value)
+                                cfg.CONF.set_override(opt, value, self.section)
+
+                # Now we can call load_auth_from_conf_options for this specific
+                # service with the newly defined options.
+                self._auth = ks_loading.load_auth_from_conf_options(
+                    cfg.CONF, self.section)
+
         return self._auth
 
     def get_service_user_id(self):

octavia/common/validate.py

@@ -28,11 +28,13 @@ from rfc3986 import validators
 from wsme import types as wtypes
 
 from octavia.common import constants
+from octavia.common import data_models
 from octavia.common import exceptions
 from octavia.common import utils
 from octavia.i18n import _
 
 CONF = cfg.CONF
+_ListenerPUT = 'octavia.api.v2.types.listener.ListenerPUT'
 
 
 def url(url, require_scheme=True):
@@ -531,3 +533,36 @@ def check_alpn_protocols(protocols):
     if invalid_protocols:
         raise exceptions.ValidationException(
             detail=_('Invalid ALPN protocol: ' + ', '.join(invalid_protocols)))
+
+
+def check_hsts_options(listener: dict):
+    if ((listener.get('hsts_include_subdomains') or
+         listener.get('hsts_preload')) and
+            not isinstance(listener.get('hsts_max_age'), int)):
+        raise exceptions.ValidationException(
+            detail=_('HSTS configuration options hsts_include_subdomains and '
+                     'hsts_preload only make sense if hsts_max_age is '
+                     'set as well.'))
+
+    if (isinstance(listener.get('hsts_max_age'), int) and
+            listener['protocol'] != constants.PROTOCOL_TERMINATED_HTTPS):
+        raise exceptions.ValidationException(
+            detail=_('The HSTS feature can only be used for listeners using '
+                     'the TERMINATED_HTTPS protocol.'))
+
+
+def check_hsts_options_put(listener: _ListenerPUT,
+                           db_listener: data_models.Listener):
+    hsts_disabled = all(obj.hsts_max_age in [None, wtypes.Unset] for obj
+                        in (db_listener, listener))
+    if ((listener.hsts_include_subdomains or listener.hsts_preload) and
+            hsts_disabled):
+        raise exceptions.ValidationException(
+            detail=_('Cannot enable hsts_include_subdomains or hsts_preload '
+                     'if hsts_max_age was not set as well.'))
+
+    if (isinstance(listener.hsts_max_age, int) and
+            db_listener.protocol != constants.PROTOCOL_TERMINATED_HTTPS):
+        raise exceptions.ValidationException(
+            detail=_('The HSTS feature can only be used for listeners using '
+                     'the TERMINATED_HTTPS protocol.'))

octavia/compute/drivers/noop_driver/driver.py

@@ -12,6 +12,8 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from collections import namedtuple
+
 from oslo_log import log as logging
 from oslo_utils import uuidutils
 
@@ -23,6 +25,9 @@ from octavia.network import data_models as network_models
 LOG = logging.getLogger(__name__)
 
 
+NoopServerGroup = namedtuple('ServerGroup', ['id'])
+
+
 class NoopManager(object):
     def __init__(self):
         super().__init__()
@@ -76,6 +81,7 @@ class NoopManager(object):
         LOG.debug("Create Server Group %s no-op, name %s, policy %s ",
                   self.__class__.__name__, name, policy)
         self.computeconfig[(name, policy)] = (name, policy, 'create')
+        return NoopServerGroup(id=uuidutils.generate_uuid())
 
     def delete_server_group(self, server_group_id):
         LOG.debug("Delete Server Group %s no-op, id %s ",

octavia/controller/healthmanager/health_manager.py

@@ -23,7 +23,6 @@ from oslo_log import log as logging
 from oslo_utils import excutils
 
 from octavia.common import constants
-from octavia.controller.worker.v1 import controller_worker as cw1
 from octavia.controller.worker.v2 import controller_worker as cw2
 from octavia.db import api as db_api
 from octavia.db import repositories as repo
@@ -58,10 +57,7 @@ def update_stats_on_done(stats, fut):
 
 class HealthManager(object):
     def __init__(self, exit_event):
-        if CONF.api_settings.default_provider_driver == constants.AMPHORAV1:
-            self.cw = cw1.ControllerWorker()
-        else:
-            self.cw = cw2.ControllerWorker()
+        self.cw = cw2.ControllerWorker()
         self.threads = CONF.health_manager.failover_threads
         self.executor = futures.ThreadPoolExecutor(max_workers=self.threads)
         self.amp_repo = repo.AmphoraRepository()
@@ -91,7 +87,8 @@ class HealthManager(object):
             amp_health = None
             lock_session = None
             try:
-                lock_session = db_api.get_session(autocommit=False)
+                lock_session = db_api.get_session()
+                lock_session.begin()
                 amp_health = self.amp_health_repo.get_stale_amphora(
                     lock_session)
                 if amp_health:

octavia/controller/housekeeping/house_keeping.py

@@ -19,8 +19,6 @@ from oslo_config import cfg
 from oslo_log import log as logging
 from sqlalchemy.orm import exc as sqlalchemy_exceptions
 
-from octavia.common import constants
-from octavia.controller.worker.v1 import controller_worker as cw1
 from octavia.controller.worker.v2 import controller_worker as cw2
 from octavia.db import api as db_api
 from octavia.db import repositories as repo
@@ -41,24 +39,26 @@ class DatabaseCleanup(object):
             seconds=CONF.house_keeping.amphora_expiry_age)
 
         session = db_api.get_session()
-        amp_ids = self.amp_repo.get_all_deleted_expiring(session,
-                                                         exp_age=exp_age)
-
-        for amp_id in amp_ids:
-            # If we're here, we already think the amp is expiring according to
-            # the amphora table. Now check it is expired in the health table.
-            # In this way, we ensure that amps aren't deleted unless they are
-            # both expired AND no longer receiving zombie heartbeats.
-            if self.amp_health_repo.check_amphora_health_expired(
-                    session, amp_id, exp_age):
-                LOG.debug('Attempting to purge db record for Amphora ID: %s',
-                          amp_id)
-                self.amp_repo.delete(session, id=amp_id)
-                try:
-                    self.amp_health_repo.delete(session, amphora_id=amp_id)
-                except sqlalchemy_exceptions.NoResultFound:
-                    pass  # Best effort delete, this record might not exist
-                LOG.info('Purged db record for Amphora ID: %s', amp_id)
+        with session.begin():
+            amp_ids = self.amp_repo.get_all_deleted_expiring(session,
+                                                             exp_age=exp_age)
+
+            for amp_id in amp_ids:
+                # If we're here, we already think the amp is expiring according
+                # to the amphora table. Now check it is expired in the health
+                # table.
+                # In this way, we ensure that amps aren't deleted unless they
+                # are both expired AND no longer receiving zombie heartbeats.
+                if self.amp_health_repo.check_amphora_health_expired(
+                        session, amp_id, exp_age):
+                    LOG.debug('Attempting to purge db record for Amphora ID: '
+                              '%s', amp_id)
+                    self.amp_repo.delete(session, id=amp_id)
+                    try:
+                        self.amp_health_repo.delete(session, amphora_id=amp_id)
+                    except sqlalchemy_exceptions.NoResultFound:
+                        pass  # Best effort delete, this record might not exist
+                    LOG.info('Purged db record for Amphora ID: %s', amp_id)
 
     def cleanup_load_balancers(self):
         """Checks the DB for old load balancers and triggers their removal."""
@@ -66,36 +66,35 @@ class DatabaseCleanup(object):
             seconds=CONF.house_keeping.load_balancer_expiry_age)
 
         session = db_api.get_session()
-        lb_ids = self.lb_repo.get_all_deleted_expiring(session,
-                                                       exp_age=exp_age)
+        with session.begin():
+            lb_ids = self.lb_repo.get_all_deleted_expiring(session,
+                                                           exp_age=exp_age)
 
-        for lb_id in lb_ids:
-            LOG.info('Attempting to delete load balancer id : %s', lb_id)
-            self.lb_repo.delete(session, id=lb_id)
-            LOG.info('Deleted load balancer id : %s', lb_id)
+            for lb_id in lb_ids:
+                LOG.info('Attempting to delete load balancer id : %s', lb_id)
+                self.lb_repo.delete(session, id=lb_id)
+                LOG.info('Deleted load balancer id : %s', lb_id)
 
 
 class CertRotation(object):
     def __init__(self):
         self.threads = CONF.house_keeping.cert_rotate_threads
-        if CONF.api_settings.default_provider_driver == constants.AMPHORAV1:
-            self.cw = cw1.ControllerWorker()
-        else:
-            self.cw = cw2.ControllerWorker()
+        self.cw = cw2.ControllerWorker()
 
     def rotate(self):
         """Check the amphora db table for expiring auth certs."""
         amp_repo = repo.AmphoraRepository()
 
         with futures.ThreadPoolExecutor(max_workers=self.threads) as executor:
-            session = db_api.get_session()
             rotation_count = 0
             while True:
-                amp = amp_repo.get_cert_expiring_amphora(session)
-                if not amp:
-                    break
-                rotation_count += 1
-                LOG.debug("Cert expired amphora's id is: %s", amp.id)
-                executor.submit(self.cw.amphora_cert_rotation, amp.id)
+                session = db_api.get_session()
+                with session.begin():
+                    amp = amp_repo.get_cert_expiring_amphora(session)
+                    if not amp:
+                        break
+                    rotation_count += 1
+                    LOG.debug("Cert expired amphora's id is: %s", amp.id)
+                    executor.submit(self.cw.amphora_cert_rotation, amp.id)
             if rotation_count > 0:
                 LOG.info("Rotated certificates for %s amphora", rotation_count)

octavia/controller/worker/amphora_rate_limit.py

@@ -35,10 +35,11 @@ class AmphoraBuildRateLimit(object):
         self.amp_build_req_repo = repo.AmphoraBuildReqRepository()
 
     def add_to_build_request_queue(self, amphora_id, build_priority):
-        self.amp_build_req_repo.add_to_build_queue(
-            db_apis.get_session(),
-            amphora_id=amphora_id,
-            priority=build_priority)
+        with db_apis.session().begin() as session:
+            self.amp_build_req_repo.add_to_build_queue(
+                session,
+                amphora_id=amphora_id,
+                priority=build_priority)
         LOG.debug("Added build request for amphora %s to the queue",
                   amphora_id)
         self.wait_for_build_slot(amphora_id)

octavia/controller/worker/task_utils.py

@@ -48,9 +48,10 @@ class TaskUtils(object):
         LOG.debug('Unmarking health monitoring busy on amphora: %s',
                   amphora_id)
         try:
-            self.amp_health_repo.update(db_apis.get_session(),
-                                        amphora_id=amphora_id,
-                                        busy=False)
+            with db_apis.session().begin() as session:
+                self.amp_health_repo.update(session,
+                                            amphora_id=amphora_id,
+                                            busy=False)
         except Exception as e:
             LOG.debug('Failed to update amphora health record %(amp)s '
                       'due to: %(except)s',
@@ -64,9 +65,10 @@ class TaskUtils(object):
         :param amphora_id: Amphora ID to set the status to ERROR
         """
         try:
-            self.amphora_repo.update(db_apis.get_session(),
-                                     id=amphora_id,
-                                     status=constants.ERROR)
+            with db_apis.session().begin() as session:
+                self.amphora_repo.update(session,
+                                         id=amphora_id,
+                                         status=constants.ERROR)
         except Exception as e:
             LOG.error("Failed to update amphora %(amp)s "
                       "status to ERROR due to: "
@@ -80,9 +82,10 @@ class TaskUtils(object):
         :param health_mon_id: Health Monitor ID to set prov status to ERROR
         """
         try:
-            self.health_mon_repo.update(db_apis.get_session(),
-                                        id=health_mon_id,
-                                        provisioning_status=constants.ERROR)
+            with db_apis.session().begin() as session:
+                self.health_mon_repo.update(
+                    session, id=health_mon_id,
+                    provisioning_status=constants.ERROR)
         except Exception as e:
             LOG.error("Failed to update health monitor %(health)s "
                       "provisioning status to ERROR due to: "
@@ -97,9 +100,10 @@ class TaskUtils(object):
         :param l7policy_id: L7 Policy ID to set provisioning status to ACTIVE
         """
         try:
-            self.l7policy_repo.update(db_apis.get_session(),
-                                      id=l7policy_id,
-                                      provisioning_status=constants.ACTIVE)
+            with db_apis.session().begin() as session:
+                self.l7policy_repo.update(session,
+                                          id=l7policy_id,
+                                          provisioning_status=constants.ACTIVE)
         except Exception as e:
             LOG.error("Failed to update l7policy %(l7p)s "
                       "provisioning status to ACTIVE due to: "
@@ -113,9 +117,10 @@ class TaskUtils(object):
         :param l7policy_id: L7 Policy ID to set provisioning status to ERROR
         """
         try:
-            self.l7policy_repo.update(db_apis.get_session(),
-                                      id=l7policy_id,
-                                      provisioning_status=constants.ERROR)
+            with db_apis.session().begin() as session:
+                self.l7policy_repo.update(session,
+                                          id=l7policy_id,
+                                          provisioning_status=constants.ERROR)
         except Exception as e:
             LOG.error("Failed to update l7policy %(l7p)s "
                       "provisioning status to ERROR due to: "
@@ -129,9 +134,10 @@ class TaskUtils(object):
         :param l7rule_id: L7 Rule ID to set provisioning status to ERROR
         """
         try:
-            self.l7rule_repo.update(db_apis.get_session(),
-                                    id=l7rule_id,
-                                    provisioning_status=constants.ERROR)
+            with db_apis.session().begin() as session:
+                self.l7rule_repo.update(session,
+                                        id=l7rule_id,
+                                        provisioning_status=constants.ERROR)
         except Exception as e:
             LOG.error("Failed to update l7rule %(l7r)s "
                       "provisioning status to ERROR due to: "
@@ -145,9 +151,10 @@ class TaskUtils(object):
         :param listener_id: Listener ID to set provisioning status to ERROR
         """
         try:
-            self.listener_repo.update(db_apis.get_session(),
-                                      id=listener_id,
-                                      provisioning_status=constants.ERROR)
+            with db_apis.session().begin() as session:
+                self.listener_repo.update(session,
+                                          id=listener_id,
+                                          provisioning_status=constants.ERROR)
         except Exception as e:
             LOG.error("Failed to update listener %(list)s "
                       "provisioning status to ERROR due to: "
@@ -162,9 +169,11 @@ class TaskUtils(object):
                                 status to ERROR
         """
         try:
-            self.loadbalancer_repo.update(db_apis.get_session(),
-                                          id=loadbalancer_id,
-                                          provisioning_status=constants.ERROR)
+            with db_apis.session().begin() as session:
+                self.loadbalancer_repo.update(
+                    session,
+                    id=loadbalancer_id,
+                    provisioning_status=constants.ERROR)
         except Exception as e:
             LOG.error("Failed to update load balancer %(lb)s "
                       "provisioning status to ERROR due to: "
@@ -179,9 +188,10 @@ class TaskUtils(object):
                             status to ACTIVE
         """
         try:
-            self.listener_repo.update(db_apis.get_session(),
-                                      id=listener_id,
-                                      provisioning_status=constants.ACTIVE)
+            with db_apis.session().begin() as session:
+                self.listener_repo.update(session,
+                                          id=listener_id,
+                                          provisioning_status=constants.ACTIVE)
         except Exception as e:
             LOG.error("Failed to update listener %(list)s "
                       "provisioning status to ACTIVE due to: "
@@ -195,9 +205,10 @@ class TaskUtils(object):
         :param pool_id: Pool ID to set provisioning status to ACTIVE
         """
         try:
-            self.pool_repo.update(db_apis.get_session(),
-                                  id=pool_id,
-                                  provisioning_status=constants.ACTIVE)
+            with db_apis.session().begin() as session:
+                self.pool_repo.update(session,
+                                      id=pool_id,
+                                      provisioning_status=constants.ACTIVE)
         except Exception as e:
             LOG.error("Failed to update pool %(pool)s provisioning status "
                       "to ACTIVE due to: %(except)s", {'pool': pool_id,
@@ -212,9 +223,11 @@ class TaskUtils(object):
                                 status to ACTIVE
         """
         try:
-            self.loadbalancer_repo.update(db_apis.get_session(),
-                                          id=loadbalancer_id,
-                                          provisioning_status=constants.ACTIVE)
+            with db_apis.session().begin() as session:
+                self.loadbalancer_repo.update(
+                    session,
+                    id=loadbalancer_id,
+                    provisioning_status=constants.ACTIVE)
         except Exception as e:
             LOG.error("Failed to update load balancer %(lb)s "
                       "provisioning status to ACTIVE due to: "
@@ -228,9 +241,10 @@ class TaskUtils(object):
         :param member_id: Member ID to set provisioning status to ERROR
         """
         try:
-            self.member_repo.update(db_apis.get_session(),
-                                    id=member_id,
-                                    provisioning_status=constants.ERROR)
+            with db_apis.session().begin() as session:
+                self.member_repo.update(session,
+                                        id=member_id,
+                                        provisioning_status=constants.ERROR)
         except Exception as e:
             LOG.error("Failed to update member %(member)s "
                       "provisioning status to ERROR due to: "
@@ -244,9 +258,10 @@ class TaskUtils(object):
         :param pool_id: Pool ID to set provisioning status to ERROR
         """
         try:
-            self.pool_repo.update(db_apis.get_session(),
-                                  id=pool_id,
-                                  provisioning_status=constants.ERROR)
+            with db_apis.session().begin() as session:
+                self.pool_repo.update(session,
+                                      id=pool_id,
+                                      provisioning_status=constants.ERROR)
         except Exception as e:
             LOG.error("Failed to update pool %(pool)s "
                       "provisioning status to ERROR due to: "
@@ -258,8 +273,9 @@ class TaskUtils(object):
         :param: loadbalancer_id: Load balancer ID which to get from db
         """
         try:
-            return self.loadbalancer_repo.get(db_apis.get_session(),
-                                              id=loadbalancer_id)
+            with db_apis.session().begin() as session:
+                return self.loadbalancer_repo.get(session,
+                                                  id=loadbalancer_id)
         except Exception as e:
             LOG.error("Failed to get loadbalancer %(loadbalancer)s "
                       "due to: %(except)s",