Rocky Series Release Notes¶
13.0.7-119¶
新機能¶
A new configuration option
http_retries
was added. This option allows configuring the number of times the nova or ironic client should retry on a failed HTTP call.
Add new configuration option
igmp_snooping_enable
. New option is inOVS
config section and is used by openvswitch agent. This option is used to enable support for Internet Group Management Protocol (IGMP) in integration bridge.
New config option
keepalived_use_no_track
was added. If keepalived version used on the deployment does not supportno_track
flag in its config file (e.g. keepalived 1.x), this option should be set toFalse
. Default value of this option isTrue
.
廃止予定の機能¶
Abstract method
plug_new
from the neutron.agent.linux.interface.LinuxInterfaceDriver class now accepts an optional parameterlink_up
. Usage of this method, which takes from 5 to 9 positional arguments, withoutlink_up
is now deprecated and will not be possible starting in the W release. Third-party drivers which inherit from this base class should update the implementation of theirplug_new
method.
Security Issues¶
Fix bug 1939733 by dropping from the dhcp extra option values everything what is after first newline (
\n
) character before passing them to the dnsmasq.
A change was made to the metadata proxy to not allow a user to override header values, it will now always insert the correct information and remove unnecessary fields before sending requests to the metadata agent. For more information, see bug 1865036.
バグ修正¶
Bug https://bugs.launchpad.net/neutron/+bug/1732067 described a flooding issue on the neutron-ovs-agent integration bridge. And bug https://bugs.launchpad.net/neutron/+bug/1841622 proposed a solution for it. The accepted egress packets will be taken care in the final egress tables (61 when openflow firewall is not enabled, table 94 otherwise) with direct output flows for unicast traffic with a minimum influence on the existing cloud networking. A new config option
explicitly_egress_direct
, with default value False, was added for the aim of distinguishing clouds which are running the network node mixed with compute services, upstream neutron CI should be an example. In such situation, thisexplicitly_egress_direct
should be set to False, because there are numerous cases from HA routers which can not be covered, particularly when you have centralized floating IPs running in such mixed hosts. Otherwise, setexplicitly_egress_direct
to True to avoid the flooding. One more note is if your network nodes are for networing services only, we recommand you disable all the security_group to get a higher performance.
Fixed MAC learning issue when ovs offload enabled. OVS firewall reduce the usage of normal actions to reduce cpu utilization. This causing flood rule because there is no MAC learning on ingress traffic. While this ok for none offload case, when using ovs offload flood rule is not offloaded. This fix the MAC learning in the offload, so we avoid flood rule. #1897637.
Add a new match rule based on physical VLAN tag for OpenFlow firewall traffic identifying mechanism to the TRANSIENT table. This fixes the distributed router east-west traffic between VLAN type networks. For more information, see bug 1831534.
その他の注意点¶
To improve performance of the DHCP agent, it will no longer configure the DHCP server for every port type created in Neutron. For example, for floating IP or router HA interfaces there is no need since a client will not make a DHCP request for them
13.0.7¶
バグ修正¶
Add sort-keys validation logic to method
get_sorts
inneutron.api.api_common
. See the link below for more: https://bugs.launchpad.net/neutron/+bug/1659175
Fixes an issue that the OVS firewall driver does not configure security group rules using remote group properly when a corresponding remote group has no port on a local hypervisor. For more information see bugs: 1862703 and 1854131.
[bug 1812168] Remove Floating IP DNS record upon associated port deletion.
Owners of security groups now see all security group rules which belong to the security group, even if the rule was created by the admin user. Fixes bug 1824248.
その他の注意点¶
A new config option,
host_dvr_for_dhcp
, was added to neutron.conf for DVR to determine whether to host the DVR local router to the scheduled DHCP node(s).
13.0.6¶
その他の注意点¶
A new config option,
radvd_user
, was added to l3_agent.ini for the L3 agent. This option defines the username passed to radvd, used to drop "root" privileges and change user ID to username and group ID to the primary group of the user. If no user specified (by default), the user executing the L3 agent will be passed. If "root" specified, because radvd is spawned as root, no "username" parameter will be passed. (For more information see bug 1844688.)
13.0.5¶
Security Issues¶
The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6 ethertypes at present. This is a behavior change compared to the iptables_hybrid firewall, which only operates on IP packets and thus does not address other ethertypes. There is now a configuration option in the neutron openvswitch agent configuration file for permitted ethertypes and then ensures that the requested ethertypes are permitted on initialization.
バグ修正¶
Fixes an issue where deletion of a provider network could result in ML2 mechanism drivers not being passed information about the network's provider fields. The consequences of this depend on the mechanism driver in use, but could result in the event being ignored, leading to an incorrectly configured network. See bug 1841967 for details.
When updating the fixed-ips of a port residing on a routed provider network the port update would always fail if host was not set. See bug: 1844124.
13.0.4¶
アップグレード時の注意¶
The first address in an IPv6 network is now a valid, usable IP for routers. It had previously been reserved, but now can be assigned to a router so that an IPv6 address ending in "::" could be a valid default route.
During the dependency resolution procedure, the code that loads service plugins was refactored to not raise an exception if one plugin is configured multiple times, with the last one taking effect. This is a change from the previous behavior.
バグ修正¶
Adds the
router
service plugin to theport_forwarding
service plugin required list. For more info see https://bugs.launchpad.net/neutron/+bug/1809238
その他の注意点¶
In order to improve heavy load ovs agent restart success rate, instead a retry or fullsync, the native driver
of_connect_timeout
andof_request_timeout
are now set to 300s. The value does not have side effect for the regular pressure ovs agent.
If an instance port is under a dvr router, and the port already has binding port forwarding(s). Neutron will no longer allow binding a floating IP to that port again, because dvr floating IP traffic rules will break the existing port forwarding functionality.
A new option
[ovs] of_inactivity_probe
has been added to allow changing the inactivity probe interval when using the OVS ML2 agent with the native OpenFlow driver. Operators can increase this if they are experiencing OpenFlow timeouts. The default value is 10 seconds.
Neutron now supports having service plugins require other plugin(s) as dependencies. For example, the
port_forwarding
service plugin requires therouter
service plugin to achieve full functionality. A new list,required_service_plugins
, was added to each service plugin so the required dependencies of each service plugin can be initialized. If one service plugin requires another, but the requirement is not set in the config file, neutron will now initialize it to the plugin directory.
13.0.3¶
Critical Issues¶
The neutron-openvswitch-agent can sometimes spend too much time handling a large number of ports, exceeding its timeout value,
agent_boot_time
, for L2 population. Because of this, some flow update operations will not be triggerred, resulting in lost flows during agent restart, especially for host-to-host vxlan tunnel flows, causing the original tunnel flows to be treated as stale due to the different cookie IDs. The agent's first RPC loop will also do a stale flow clean-up procedure and delete them, leading to a loss of connectivity. Please ensure that all neutron-server and neutron-openvswitch-agent binaries are upgraded for the changes to take effect, after which the L2 populationagent_boot_time
config option will no longer be used.
バグ修正¶
Fixes bug 1501206. This ensures that DHCP agent instances running dnsmasq as a DNS server can no longer be exploited as DNS amplifiers when the tenant network is using publicly routed IP addresses by adding an option that will allow them to only serve DNS requests from local networks.
Fixes an issue causing IP allocation on port update to fail when the initial IP allocation was deferred due to lack of binding info. If both the port mac_address and binding info (binding_host_id) were updated in the same request, the fixed_ips field was added to the request internally. The code to complete the deferred allocation failed to execute in that case. (For more information see bug 1811905.)
The neutron-openvswitch-agent was changed to notify the neutron-server in its first RPC loop that it has restarted. This signals neutron-server to provide updated L2 population information to correctly program FDB entries, ensuring connectivity to instances is not interrupted. This fixes the following bugs: 1794991, 1799178, 1813703, 1813714, 1813715.
13.0.1¶
バグ修正¶
Add
resource_type
into log object query to distinguish between security group and firewall group log objects. For more information see bug 1787119.
13.0.0¶
Prelude¶
In order to reduce the time spent processing security group updates in the L2 agent, conntrack deletion is now performed in a set of worker threads instead of the main agent thread, so it can return to processing other events quickly.
Support multiple bindings for compute owned ports.
Added support for floating IPs port forwarding.
Perform validation on filter parameters on listing resources.
新機能¶
In order to better support instance migration, multiple port bindings can be associated to compute owned ports.
Create, update, list, show and activate operations are supported for port bindings by the ReST API.
A compute owned port can have one active binding and many inactive bindings.
There can be only one binding (active or inactive) per compute host.
When the
activate
operation is executed, a previously inactive binding is made active. The previously active binding becomes inactive.As a consequence of the multiple port bindings implementation, the
port_binding
relationship in the SQLAlchemyPort
object has been renamedport_bindings
. Similarly, thebinding
attribute of thePort
OVO has been renamedbindings
.
Added new
unknown
state for HA routers. Sometimes l3 agents may not be able to update health status to Neutron server due to communication issues. During that time the server may not know whether HA routers hosted by that agent are active or standby.
Add attribute
port_details
to floating IP. The value of this attribute contains information of the associated port.
Add support for setting the
segment_id
for an existing subnet. This enables users to convert a non-routed network with no subnet/segment association to a routed one. It is only possible to do this migration if both of the following conditions are met - the currentsegment_id
isNone
and the network contains a single segment and subnet.
Introduces extension parent resources owner check in
neutron.policy.OwnerCheck
. It can be used by registering an extension parent resource and service plugin which introduced the corresponding parent resource intoEXT_PARENT_RESOURCE_MAPPING
located inneutron.common.constants
. And introduces a new policy roleadmin_or_ext_parent_owner
intopolicy.json
for this function.
Support for floating IPs port forwarding has been added.
Users can now forward the traffic from a TCP/UDP/other protocol port of a floating IP address to a TCP/UDP/other protocol port associated to one of the fixed IP addresses of a Neutron port.
This is accomplished by associating
port_forwarding
sub-resources to floating IPs.To create a
port_forwarding
, the user specifies: a floating IP ID, the floating IP'sexternal_port
number, the Neutron port IDinternal_port_id
, aninternal_ip_address
(one of the Neutron port's fixed IPs), theinternal_port
number and theprotocol
to be used (TCP or UDP for example).CRUD operations for
port_forwardings
are implemented by a Neutron API extension and a service plugin. Please refer to the Neutron API reference documentation for details.A user cannot create
port_forwardings
for a floating IP that is already associated with a Neutron port.A floating IP can have many
port_forwardings
.Port forwardings can only be created for floating IPs that are managed by centralized routers in the network node: legacy, HA, DVR+HA.
A new config option
bridge_mac_table_size
has been added for Neutron OVS agent. This value will be set on every Open vSwitch bridge managed by the openvswitch-neutron-agent inother_config:mac-table-size
column in ovsdb. Default value for this new option is set to 50000 and it should be enough for most systems. More details about this option can be found in Open vSwitch documentation For more information see bug 1775797.
Adds api extenstion
port-mac-address-regenerate
. When passing'null'
(None
) as themac_address
on port update a converter will generate a new mac address that will be assigned to the port. RFE: #1768690.
Adds host routes for subnets on the same network when using routed networks. Static routes will be configured for subnets associated with other segments on the same network. This ensures that traffic within an L3 routed network stays within the network even when the default route is on a different interface.
Support port filtering on security group IDs. The feature can be used if 'port-security-group-filtering' extension is available.
Add support for filtering attributes with value as empty string. A shim extension is added to indicate if this feature is supported.
Starting from this release, neutron server will perform validation on filter parameters on list requests. Neutron will return a 400 response if the request contains invalid filter parameters. The list of valid parameters is documented in the neutron API reference.
Add an API extension
filter-validation
to indicate this new API behavior. This extension can be disabled by operators via a config option.
既知の問題¶
In the case when the number of ports to clean up in a single bridge is larger than about 10000, it might require an increase in the
ovsdb_timeout
config option to some value higher than 600 seconds.
アップグレード時の注意¶
On an upgrade, conntrack entries will now be cleaned-up in a worker thread, instead of in the calling thread.
Prior to the upgrade, if a request contains an unknown or unsupported parameter, the server will silently ignore the invalid input. After the upgrade, the server will return a 400 Bad Request response instead.
API users might observe that requests that received a successful response now receive a failure response. If they encounter such experience, they are suggested to confirm if the API extension
filter-validation
is present and validate filter parameters in their requests.Operators can disable this feature if they want to maintain backward-compatibility. If they choose to do that, the API extension
filter-validation
will not be present and the API behavior is unchanged.
バグ修正¶
Fixes bug 1745468.
Fixes bug 1682145.
Fix an issue that standard attributes, such as
created_at
,updated_at
andrevision_number
, are not rendered in the response of segment resource.
Previously a network's
dns_domain
attribute was ignored by the DHCP agent. With this release, OpenStack deployments using Neutron's DHCP agent will be able to specify a per networkdns_domain
and have instances configure that domain in their dns resolver configuration files (Linux's /etc/resolv.conf) to allow for local partial DNS lookups. The per-networkdns_domain
value will override the DHCP agent's defaultdns_domain
configuration value. Note that it's also possible to update a network'sdns_domain
, and that new value will be propogated to new instances or when instances renew their DHCP lease. However, existing leases will live on with the olddns_domain
value.
For Infiniband support, Ironic needs to send the 'client-id' DHCP option as a number in order for IP address assignment to work. This is now supported in Neutron, and can be specified as option number 61 as defined in RFC 4776. For more information see bug 1770932
Fixes bug 1763604. Override default value of
ovsdb_timeout
config option inneutron-ovs-cleanup
script. The default value is 10 seconds, but that is not enough for theneutron-ovs-cleanup
script when there are many ports to remove from a single bridge, for example, 5000. Because of that, we now override the default value for the config option to be 600 seconds (10 minutes).
その他の注意点¶
The deprecated
IVSInterfaceDriver
class has been removed from the code base. This means neither theivs
nor theneutron.agent.linux.interface.IVSInterfaceDriver
can any longer be used as a value for theinterface_driver
config option inneutron.conf
.
The metering agent iptables driver can now load its interface driver by using a stevedore alias in the
metering_agent.ini
file. For example,interface_driver = openvswitch
instead ofinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
Each plugin can decide if it wants to support filter validation by setting
__filter_validation_support
to True or False. If this field is not set, the default value is False. Right now, the ML2 plugin and all the in-tree service plugins support filter validation. Out-of-tree plugins will have filter validation disabled by default but they can turn it on if they choose to. For filter validation to be supported, the core plugin and all the services plugins in a deployment must support it.