Queens Series Release Notes¶
12.1.1-142¶
New Features¶
A new configuration option
http_retries
was added. This option allows configuring the number of times the nova or ironic client should retry on a failed HTTP call.
Add new configuration option
igmp_snooping_enable
. New option is inOVS
config section and is used by openvswitch agent. This option is used to enable support for Internet Group Management Protocol (IGMP) in integration bridge.
Deprecation Notes¶
Abstract method
plug_new
from the neutron.agent.linux.interface.LinuxInterfaceDriver class now accepts an optional parameterlink_up
. Usage of this method, which takes from 5 to 9 positional arguments, withoutlink_up
is now deprecated and will not be possible starting in the W release. Third-party drivers which inherit from this base class should update the implementation of theirplug_new
method.
Security Issues¶
Fix bug 1939733 by dropping from the dhcp extra option values everything what is after first newline (
\n
) character before passing them to the dnsmasq.
A change was made to the metadata proxy to not allow a user to override header values, it will now always insert the correct information and remove unnecessary fields before sending requests to the metadata agent. For more information, see bug 1865036.
Bug Fixes¶
Bug https://bugs.launchpad.net/neutron/+bug/1732067 described a flooding issue on the neutron-ovs-agent integration bridge. And bug https://bugs.launchpad.net/neutron/+bug/1841622 proposed a solution for it. The accepted egress packets will be taken care in the final egress tables (61 when openflow firewall is not enabled, table 94 otherwise) with direct output flows for unicast traffic with a minimum influence on the existing cloud networking. A new config option
explicitly_egress_direct
, with default value False, was added for the aim of distinguishing clouds which are running the network node mixed with compute services, upstream neutron CI should be an example. In such situation, thisexplicitly_egress_direct
should be set to False, because there are numerous cases from HA routers which can not be covered, particularly when you have centralized floating IPs running in such mixed hosts. Otherwise, setexplicitly_egress_direct
to True to avoid the flooding. One more note is if your network nodes are for networing services only, we recommand you disable all the security_group to get a higher performance.
Fixed MAC learning issue when ovs offload enabled. OVS firewall reduce the usage of normal actions to reduce cpu utilization. This causing flood rule because there is no MAC learning on ingress traffic. While this ok for none offload case, when using ovs offload flood rule is not offloaded. This fix the MAC learning in the offload, so we avoid flood rule. #1897637.
Fixes an issue that the OVS firewall driver does not configure security group rules using remote group properly when a corresponding remote group has no port on a local hypervisor. For more information see bugs: 1862703 and 1854131.
[bug 1812168] Remove Floating IP DNS record upon associated port deletion.
Owners of security groups now see all security group rules which belong to the security group, even if the rule was created by the admin user. Fixes bug 1824248.
Add a new match rule based on physical VLAN tag for OpenFlow firewall traffic identifying mechanism to the TRANSIENT table. This fixes the distributed router east-west traffic between VLAN type networks. For more information, see bug 1831534.
Other Notes¶
A new config option,
host_dvr_for_dhcp
, was added to neutron.conf for DVR to determine whether to host the DVR local router to the scheduled DHCP node(s).
To improve performance of the DHCP agent, it will no longer configure the DHCP server for every port type created in Neutron. For example, for floating IP or router HA interfaces there is no need since a client will not make a DHCP request for them
12.1.1¶
Security Issues¶
The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6 ethertypes at present. This is a behavior change compared to the iptables_hybrid firewall, which only operates on IP packets and thus does not address other ethertypes. There is now a configuration option in the neutron openvswitch agent configuration file for permitted ethertypes and then ensures that the requested ethertypes are permitted on initialization.
Bug Fixes¶
When updating the fixed-ips of a port residing on a routed provider network the port update would always fail if host was not set. See bug: 1844124.
12.1.0¶
Upgrade Notes¶
The first address in an IPv6 network is now a valid, usable IP for routers. It had previously been reserved, but now can be assigned to a router so that an IPv6 address ending in “::” could be a valid default route.
Other Notes¶
In order to improve heavy load ovs agent restart success rate, instead a retry or fullsync, the native driver
of_connect_timeout
andof_request_timeout
are now set to 300s. The value does not have side effect for the regular pressure ovs agent.
A new option
[ovs] of_inactivity_probe
has been added to allow changing the inactivity probe interval when using the OVS ML2 agent with the native OpenFlow driver. Operators can increase this if they are experiencing OpenFlow timeouts. The default value is 10 seconds.
12.0.6¶
Critical Issues¶
The neutron-openvswitch-agent can sometimes spend too much time handling a large number of ports, exceeding its timeout value,
agent_boot_time
, for L2 population. Because of this, some flow update operations will not be triggerred, resulting in lost flows during agent restart, especially for host-to-host vxlan tunnel flows, causing the original tunnel flows to be treated as stale due to the different cookie IDs. The agent’s first RPC loop will also do a stale flow clean-up procedure and delete them, leading to a loss of connectivity. Please ensure that all neutron-server and neutron-openvswitch-agent binaries are upgraded for the changes to take effect, after which the L2 populationagent_boot_time
config option will no longer be used.
Bug Fixes¶
Fixes bug 1501206. This ensures that DHCP agent instances running dnsmasq as a DNS server can no longer be exploited as DNS amplifiers when the tenant network is using publicly routed IP addresses by adding an option that will allow them to only serve DNS requests from local networks.
Fixes an issue causing IP allocation on port update to fail when the initial IP allocation was deferred due to lack of binding info. If both the port mac_address and binding info (binding_host_id) were updated in the same request, the fixed_ips field was added to the request internally. The code to complete the deferred allocation failed to execute in that case. (For more information see bug 1811905.)
The neutron-openvswitch-agent was changed to notify the neutron-server in its first RPC loop that it has restarted. This signals neutron-server to provide updated L2 population information to correctly program FDB entries, ensuring connectivity to instances is not interrupted. This fixes the following bugs: 1794991, 1799178, 1813703, 1813714, 1813715.
12.0.4¶
New Features¶
A new config option
bridge_mac_table_size
has been added for Neutron OVS agent. This value will be set on every Open vSwitch bridge managed by the openvswitch-neutron-agent inother_config:mac-table-size
column in ovsdb. Default value for this new option is set to 50000 and it should be enough for most systems. More details about this option can be found in Open vSwitch documentation For more information see bug 1775797.
Other Notes¶
The metering agent iptables driver can now load its interface driver by using a stevedore alias in the
metering_agent.ini
file. For example,interface_driver = openvswitch
instead ofinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
12.0.3¶
Bug Fixes¶
For Infiniband support, Ironic needs to send the ‘client-id’ DHCP option as a number in order for IP address assignment to work. This is now supported in Neutron, and can be specified as option number 61 as defined in RFC 4776. For more information see bug 1770932
12.0.2¶
Known Issues¶
In the case when the number of ports to clean up in a single bridge is larger than about 10000, it might require an increase in the
ovsdb_timeout
config option to some value higher than 600 seconds.
Bug Fixes¶
Fixes bug 1763604. Override default value of
ovsdb_timeout
config option inneutron-ovs-cleanup
script. The default value is 10 seconds, but that is not enough for theneutron-ovs-cleanup
script when there are many ports to remove from a single bridge, for example, 5000. Because of that, we now override the default value for the config option to be 600 seconds (10 minutes).
12.0.1¶
Prelude¶
In order to reduce the time spent processing security group updates in the L2 agent, conntrack deletion is now performed in a set of worker threads instead of the main agent thread, so it can return to processing other events quickly.
Upgrade Notes¶
On an upgrade, conntrack entries will now be cleaned-up in a worker thread, instead of in the calling thread.
Bug Fixes¶
Fixes bug 1745468.
12.0.0¶
Prelude¶
DNS server assignment can now be disabled in replies sent from the DHCP agent.
A new agent_mode(dvr_no_external
) for DVR routers has been added to allow the server to configure Floating IPs associated with DVR at the centralized node.
New Features¶
Ports have now a
dns_domain
attribute. A port’sdns_domain
attribute has precedence over the network’sdns_domain
from the point of view of publishing it to the external DNS service.
The DSCP value for outer headers in openvswitch overlay tunnel ports can now be set through a configuration option
dscp
for both OVS and linuxbridge agents.
DSCP can also be inherited from the inner header through a new boolean configuration option
dscp_inherit
for both openvswitch and linuxbridge. If this option is set to true, then the value ofdscp
will be ignored.
Allow configuration of DHCP renewal (T1) and rebinding (T2) timers in
neutron-dhcp-agent
. By allowing these timers to be set (options 58 and 59 as per RFC2132) indnsmasq
it allows users to change other parameters, like MTU, on instances without having to wait for the lease time to expire. The advantage of changing T1 over the lease time is that if the DHCP server becomes unreachable within the lease time, instances will not drop their IP addresses and it will not cause a dataplane disruption.
Tenants who can access shared networks, can now create/update ports on a specified subnet instead of the default subnet. This is now the default behavior and can be changed by modifying policy.json file.
It is now possible to instruct the DHCP agent not to supply any DNS server address to their clients by setting the
dns_nameservers
attribute for the corresponding subnet to0.0.0.0
or::
, for IPv4 or IPv6 subnets (respectively).
L2 agents based on
ML2
_common_agent
have now the L2 extension API available. This API can be used by L2 extension drivers to request resources from the L2 agent. It is used, for example, to pass an instance of theIptablesManager
to theLinuxbridge
L2 agentQoS extension driver
.
A new DVR agent type
dvr_no_external
has been introduced with this release. This agent type allows the Floating IPs (DNAT/North-South routing) to be centralized while the East/West routing is still distributed.
Implementation of floating IP QoS. A new parameter
qos_policy_id
was added to floating IP related API.
Neutron agents now support SSL connections to OVSDB server. To enable an SSL based connection, use an
ssl
prefixed URI for theovsdb_connection
setting. When using SSL it is also required to set newovs
group options which includessl_key_file
,ssl_cert_file
, andssl_ca_cert_file
.
Support substring matching when filtering ports by IP address.
A new method
get_router_info
has been added toL3AgentExtensionAPI
.
A new method
ha_state_change
has been added toL3AgentExtensionsManager
.
Known Issues¶
There can be a mixture of
dvr
agents anddvr_no_external
agents. But please avoid any VM with Floating IP migration between advr
agent and advr_no_external
agent. All VM ports with Floating IPs should be migrated to same agent_mode. This would be one of the restrictions.
Upgrade Notes¶
The functionality when a subnet has its DNS server set to
0.0.0.0
or::
has been changed with this release. The old behaviour was that each DHCP agent would supply only its own IP address as the DNS server to its clients. The new behaviour is that the DHCP agent will not supply any DNS server IP address at all.
A new DVR agent mode of
dvr_no_external
was added. Changing between this mode anddvr
is a disruptive operation to the dataplane.
The web_framework option has been removed. This should have no impact on operators/users since it was just an option used for development of the new web framework.
Deprecation Notes¶
the
tos
configuration option in VXLAN group for linuxbridge is deprecated and replaced with the more precise optiondscp
. The TOS value is made of DSCP and ECN bits. It is not possible to set the ECN value through the TOS value, and ECN is always inherited from the inner in case of tunnelling.
The
ivs
interface driver is deprecated in Queens and will be removed in Rocky.
The
ovsdb_interface
configuration option is now deprecated. In future releases, the value of the option will be ignored. Thenative
driver will then be used.
The api-paste entrypoint
neutron.api.versions:Versions.factory
has been deprecated and will be removed in the Rocky release. Please update your api-paste.ini file to use the one that ships with Queens or update any references to the Versions factory to point toneutron.pecan_wsgi.app:versions_factory
instead.
The
ovs_vsctl_timeout
option is renamed intoovsdb_timeout
to reflect that it’s not specific tovsctl
implementation ofovsdb_interface
. It is also moved under[OVS]
section.
Bug Fixes¶
Fixes bug 1736674, security group rules are now properly applied by
Linuxbridge L2 agent
withQoS extension driver
enabled.
The Openvswitch agent has an extension called
fdb
that uses the Linuxbridge
command. Thebridge
command has been added to the rootwrap openvswitch-plugin.filters file. For more information, see bug: 1730407
Adding security group rules by protocol number is documented, but somehow was broken without being noticed in one of the last couple of releases. This is now fixed. For more information see bug 1716045.
In security group rules API, API level validation for port_range values has been performed only against TCP and UDP. Now it is performed against DCCP, SCTP and UDP-Lite, too.