Rocky Series Release Notes

13.0.7-119

新機能

  • A new configuration option http_retries was added. This option allows configuring the number of times the nova or ironic client should retry on a failed HTTP call.

  • Add new configuration option igmp_snooping_enable. New option is in OVS config section and is used by openvswitch agent. This option is used to enable support for Internet Group Management Protocol (IGMP) in integration bridge.

  • New config option keepalived_use_no_track was added. If keepalived version used on the deployment does not support no_track flag in its config file (e.g. keepalived 1.x), this option should be set to False. Default value of this option is True.

廃止予定の機能

  • Abstract method plug_new from the neutron.agent.linux.interface.LinuxInterfaceDriver class now accepts an optional parameter link_up. Usage of this method, which takes from 5 to 9 positional arguments, without link_up is now deprecated and will not be possible starting in the W release. Third-party drivers which inherit from this base class should update the implementation of their plug_new method.

Security Issues

  • Fix bug 1939733 by dropping from the dhcp extra option values everything what is after first newline (\n) character before passing them to the dnsmasq.

  • A change was made to the metadata proxy to not allow a user to override header values, it will now always insert the correct information and remove unnecessary fields before sending requests to the metadata agent. For more information, see bug 1865036.

バグ修正

  • Bug https://bugs.launchpad.net/neutron/+bug/1732067 described a flooding issue on the neutron-ovs-agent integration bridge. And bug https://bugs.launchpad.net/neutron/+bug/1841622 proposed a solution for it. The accepted egress packets will be taken care in the final egress tables (61 when openflow firewall is not enabled, table 94 otherwise) with direct output flows for unicast traffic with a minimum influence on the existing cloud networking. A new config option explicitly_egress_direct, with default value False, was added for the aim of distinguishing clouds which are running the network node mixed with compute services, upstream neutron CI should be an example. In such situation, this explicitly_egress_direct should be set to False, because there are numerous cases from HA routers which can not be covered, particularly when you have centralized floating IPs running in such mixed hosts. Otherwise, set explicitly_egress_direct to True to avoid the flooding. One more note is if your network nodes are for networing services only, we recommand you disable all the security_group to get a higher performance.

  • Fixed MAC learning issue when ovs offload enabled. OVS firewall reduce the usage of normal actions to reduce cpu utilization. This causing flood rule because there is no MAC learning on ingress traffic. While this ok for none offload case, when using ovs offload flood rule is not offloaded. This fix the MAC learning in the offload, so we avoid flood rule. #1897637.

  • Add a new match rule based on physical VLAN tag for OpenFlow firewall traffic identifying mechanism to the TRANSIENT table. This fixes the distributed router east-west traffic between VLAN type networks. For more information, see bug 1831534.

その他の注意点

  • To improve performance of the DHCP agent, it will no longer configure the DHCP server for every port type created in Neutron. For example, for floating IP or router HA interfaces there is no need since a client will not make a DHCP request for them

13.0.7

バグ修正

  • Fixes an issue that the OVS firewall driver does not configure security group rules using remote group properly when a corresponding remote group has no port on a local hypervisor. For more information see bugs: 1862703 and 1854131.

  • [bug 1812168] Remove Floating IP DNS record upon associated port deletion.

  • Owners of security groups now see all security group rules which belong to the security group, even if the rule was created by the admin user. Fixes bug 1824248.

その他の注意点

  • A new config option, host_dvr_for_dhcp, was added to neutron.conf for DVR to determine whether to host the DVR local router to the scheduled DHCP node(s).

13.0.6

その他の注意点

  • A new config option, radvd_user, was added to l3_agent.ini for the L3 agent. This option defines the username passed to radvd, used to drop "root" privileges and change user ID to username and group ID to the primary group of the user. If no user specified (by default), the user executing the L3 agent will be passed. If "root" specified, because radvd is spawned as root, no "username" parameter will be passed. (For more information see bug 1844688.)

13.0.5

Security Issues

  • The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6 ethertypes at present. This is a behavior change compared to the iptables_hybrid firewall, which only operates on IP packets and thus does not address other ethertypes. There is now a configuration option in the neutron openvswitch agent configuration file for permitted ethertypes and then ensures that the requested ethertypes are permitted on initialization.

バグ修正

  • Fixes an issue where deletion of a provider network could result in ML2 mechanism drivers not being passed information about the network's provider fields. The consequences of this depend on the mechanism driver in use, but could result in the event being ignored, leading to an incorrectly configured network. See bug 1841967 for details.

  • When updating the fixed-ips of a port residing on a routed provider network the port update would always fail if host was not set. See bug: 1844124.

13.0.4

アップグレード時の注意

  • The first address in an IPv6 network is now a valid, usable IP for routers. It had previously been reserved, but now can be assigned to a router so that an IPv6 address ending in "::" could be a valid default route.

  • During the dependency resolution procedure, the code that loads service plugins was refactored to not raise an exception if one plugin is configured multiple times, with the last one taking effect. This is a change from the previous behavior.

バグ修正

その他の注意点

  • In order to improve heavy load ovs agent restart success rate, instead a retry or fullsync, the native driver of_connect_timeout and of_request_timeout are now set to 300s. The value does not have side effect for the regular pressure ovs agent.

  • If an instance port is under a dvr router, and the port already has binding port forwarding(s). Neutron will no longer allow binding a floating IP to that port again, because dvr floating IP traffic rules will break the existing port forwarding functionality.

  • A new option [ovs] of_inactivity_probe has been added to allow changing the inactivity probe interval when using the OVS ML2 agent with the native OpenFlow driver. Operators can increase this if they are experiencing OpenFlow timeouts. The default value is 10 seconds.

  • Neutron now supports having service plugins require other plugin(s) as dependencies. For example, the port_forwarding service plugin requires the router service plugin to achieve full functionality. A new list, required_service_plugins, was added to each service plugin so the required dependencies of each service plugin can be initialized. If one service plugin requires another, but the requirement is not set in the config file, neutron will now initialize it to the plugin directory.

13.0.3

Critical Issues

  • The neutron-openvswitch-agent can sometimes spend too much time handling a large number of ports, exceeding its timeout value, agent_boot_time, for L2 population. Because of this, some flow update operations will not be triggerred, resulting in lost flows during agent restart, especially for host-to-host vxlan tunnel flows, causing the original tunnel flows to be treated as stale due to the different cookie IDs. The agent's first RPC loop will also do a stale flow clean-up procedure and delete them, leading to a loss of connectivity. Please ensure that all neutron-server and neutron-openvswitch-agent binaries are upgraded for the changes to take effect, after which the L2 population agent_boot_time config option will no longer be used.

バグ修正

  • Fixes bug 1501206. This ensures that DHCP agent instances running dnsmasq as a DNS server can no longer be exploited as DNS amplifiers when the tenant network is using publicly routed IP addresses by adding an option that will allow them to only serve DNS requests from local networks.

  • Fixes an issue causing IP allocation on port update to fail when the initial IP allocation was deferred due to lack of binding info. If both the port mac_address and binding info (binding_host_id) were updated in the same request, the fixed_ips field was added to the request internally. The code to complete the deferred allocation failed to execute in that case. (For more information see bug 1811905.)

  • The neutron-openvswitch-agent was changed to notify the neutron-server in its first RPC loop that it has restarted. This signals neutron-server to provide updated L2 population information to correctly program FDB entries, ensuring connectivity to instances is not interrupted. This fixes the following bugs: 1794991, 1799178, 1813703, 1813714, 1813715.

13.0.1

バグ修正

  • Add resource_type into log object query to distinguish between security group and firewall group log objects. For more information see bug 1787119.

13.0.0

Prelude

In order to reduce the time spent processing security group updates in the L2 agent, conntrack deletion is now performed in a set of worker threads instead of the main agent thread, so it can return to processing other events quickly.

Support multiple bindings for compute owned ports.

Added support for floating IPs port forwarding.

Perform validation on filter parameters on listing resources.

新機能

  • In order to better support instance migration, multiple port bindings can be associated to compute owned ports.

    • Create, update, list, show and activate operations are supported for port bindings by the ReST API.

    • A compute owned port can have one active binding and many inactive bindings.

    • There can be only one binding (active or inactive) per compute host.

    • When the activate operation is executed, a previously inactive binding is made active. The previously active binding becomes inactive.

    • As a consequence of the multiple port bindings implementation, the port_binding relationship in the SQLAlchemy Port object has been renamed port_bindings. Similarly, the binding attribute of the Port OVO has been renamed bindings.

  • Added new unknown state for HA routers. Sometimes l3 agents may not be able to update health status to Neutron server due to communication issues. During that time the server may not know whether HA routers hosted by that agent are active or standby.

  • Add attribute port_details to floating IP. The value of this attribute contains information of the associated port.

  • Add support for setting the segment_id for an existing subnet. This enables users to convert a non-routed network with no subnet/segment association to a routed one. It is only possible to do this migration if both of the following conditions are met - the current segment_id is None and the network contains a single segment and subnet.

  • Introduces extension parent resources owner check in neutron.policy.OwnerCheck. It can be used by registering an extension parent resource and service plugin which introduced the corresponding parent resource into EXT_PARENT_RESOURCE_MAPPING located in neutron.common.constants. And introduces a new policy role admin_or_ext_parent_owner into policy.json for this function.

  • Support for floating IPs port forwarding has been added.

    • Users can now forward the traffic from a TCP/UDP/other protocol port of a floating IP address to a TCP/UDP/other protocol port associated to one of the fixed IP addresses of a Neutron port.

    • This is accomplished by associating port_forwarding sub-resources to floating IPs.

    • To create a port_forwarding, the user specifies: a floating IP ID, the floating IP's external_port number, the Neutron port ID internal_port_id, an internal_ip_address (one of the Neutron port's fixed IPs), the internal_port number and the protocol to be used (TCP or UDP for example).

    • CRUD operations for port_forwardings are implemented by a Neutron API extension and a service plugin. Please refer to the Neutron API reference documentation for details.

    • A user cannot create port_forwardings for a floating IP that is already associated with a Neutron port.

    • A floating IP can have many port_forwardings.

    • Port forwardings can only be created for floating IPs that are managed by centralized routers in the network node: legacy, HA, DVR+HA.

  • A new config option bridge_mac_table_size has been added for Neutron OVS agent. This value will be set on every Open vSwitch bridge managed by the openvswitch-neutron-agent in other_config:mac-table-size column in ovsdb. Default value for this new option is set to 50000 and it should be enough for most systems. More details about this option can be found in Open vSwitch documentation For more information see bug 1775797.

  • Adds api extenstion port-mac-address-regenerate. When passing 'null' (None) as the mac_address on port update a converter will generate a new mac address that will be assigned to the port. RFE: #1768690.

  • Adds host routes for subnets on the same network when using routed networks. Static routes will be configured for subnets associated with other segments on the same network. This ensures that traffic within an L3 routed network stays within the network even when the default route is on a different interface.

  • Support port filtering on security group IDs. The feature can be used if 'port-security-group-filtering' extension is available.

  • Add support for filtering attributes with value as empty string. A shim extension is added to indicate if this feature is supported.

  • Starting from this release, neutron server will perform validation on filter parameters on list requests. Neutron will return a 400 response if the request contains invalid filter parameters. The list of valid parameters is documented in the neutron API reference.

    Add an API extension filter-validation to indicate this new API behavior. This extension can be disabled by operators via a config option.

既知の問題

  • In the case when the number of ports to clean up in a single bridge is larger than about 10000, it might require an increase in the ovsdb_timeout config option to some value higher than 600 seconds.

アップグレード時の注意

  • On an upgrade, conntrack entries will now be cleaned-up in a worker thread, instead of in the calling thread.

  • Prior to the upgrade, if a request contains an unknown or unsupported parameter, the server will silently ignore the invalid input. After the upgrade, the server will return a 400 Bad Request response instead.

    API users might observe that requests that received a successful response now receive a failure response. If they encounter such experience, they are suggested to confirm if the API extension filter-validation is present and validate filter parameters in their requests.

    Operators can disable this feature if they want to maintain backward-compatibility. If they choose to do that, the API extension filter-validation will not be present and the API behavior is unchanged.

バグ修正

  • Fix an issue that standard attributes, such as created_at, updated_at and revision_number, are not rendered in the response of segment resource.

  • Previously a network's dns_domain attribute was ignored by the DHCP agent. With this release, OpenStack deployments using Neutron's DHCP agent will be able to specify a per network dns_domain and have instances configure that domain in their dns resolver configuration files (Linux's /etc/resolv.conf) to allow for local partial DNS lookups. The per-network dns_domain value will override the DHCP agent's default dns_domain configuration value. Note that it's also possible to update a network's dns_domain, and that new value will be propogated to new instances or when instances renew their DHCP lease. However, existing leases will live on with the old dns_domain value.

  • For Infiniband support, Ironic needs to send the 'client-id' DHCP option as a number in order for IP address assignment to work. This is now supported in Neutron, and can be specified as option number 61 as defined in RFC 4776. For more information see bug 1770932

  • Fixes bug 1763604. Override default value of ovsdb_timeout config option in neutron-ovs-cleanup script. The default value is 10 seconds, but that is not enough for the neutron-ovs-cleanup script when there are many ports to remove from a single bridge, for example, 5000. Because of that, we now override the default value for the config option to be 600 seconds (10 minutes).

その他の注意点

  • The deprecated IVSInterfaceDriver class has been removed from the code base. This means neither the ivs nor the neutron.agent.linux.interface.IVSInterfaceDriver can any longer be used as a value for the interface_driver config option in neutron.conf.

  • The metering agent iptables driver can now load its interface driver by using a stevedore alias in the metering_agent.ini file. For example, interface_driver = openvswitch instead of interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver

  • Each plugin can decide if it wants to support filter validation by setting __filter_validation_support to True or False. If this field is not set, the default value is False. Right now, the ML2 plugin and all the in-tree service plugins support filter validation. Out-of-tree plugins will have filter validation disabled by default but they can turn it on if they choose to. For filter validation to be supported, the core plugin and all the services plugins in a deployment must support it.