Pike Series Release Notes
11.0.8-45
Upgrade Notes
The first address in an IPv6 network is now a valid, usable IP for routers. It had previously been reserved, but now can be assigned to a router so that an IPv6 address ending in “::” could be a valid default route.
Other Notes
In order to improve the OVS agent restart success rate under heavy load, instead of a retry or full sync, the native driver of_connect_timeout and of_request_timeout are now set to 300s. These values have no side effects for an OVS agent under regular load.
A new option [ovs] of_inactivity_probe has been added to allow changing the inactivity probe interval when using the OVS ML2 agent with the native OpenFlow driver. Operators can increase this if they are experiencing OpenFlow timeouts. The default value is 10 seconds.
11.0.7
Critical Issues
The neutron-openvswitch-agent can sometimes spend too much time handling a large number of ports, exceeding its timeout value, agent_boot_time, for L2 population. Because of this, some flow update operations will not be triggered, resulting in lost flows during agent restart, especially for host-to-host vxlan tunnel flows, causing the original tunnel flows to be treated as stale due to the different cookie IDs. The agent’s first RPC loop will also do a stale flow clean-up procedure and delete them, leading to a loss of connectivity. Please ensure that all neutron-server and neutron-openvswitch-agent binaries are upgraded for the changes to take effect, after which the L2 population agent_boot_time config option will no longer be used.
Bug Fixes
Fixes bug 1501206. This ensures that DHCP agent instances running dnsmasq as a DNS server can no longer be exploited as DNS amplifiers when the tenant network is using publicly routed IP addresses by adding an option that will allow them to only serve DNS requests from local networks.
Fixes an issue causing IP allocation on port update to fail when the initial IP allocation was deferred due to lack of binding info. If both the port mac_address and binding info (binding_host_id) were updated in the same request, the fixed_ips field was added to the request internally. The code to complete the deferred allocation failed to execute in that case. (For more information see bug 1811905.)
The neutron-openvswitch-agent was changed to notify the neutron-server in its first RPC loop that it has restarted. This signals neutron-server to provide updated L2 population information to correctly program FDB entries, ensuring connectivity to instances is not interrupted. This fixes the following bugs: 1794991, 1799178, 1813703, 1813714, 1813715.
Other Notes
The metering agent iptables driver can now load its interface driver by using a stevedore alias in the metering_agent.ini file. For example, interface_driver = openvswitch instead of interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver.
11.0.6
New Features
A new config option bridge_mac_table_size has been added for Neutron OVS agent. This value will be set on every Open vSwitch bridge managed by the openvswitch-neutron-agent in other_config:mac-table-size column in ovsdb. Default value for this new option is set to 50000 and it should be enough for most systems. More details about this option can be found in Open vSwitch documentation. For more information see bug 1775797.
11.0.5
Bug Fixes
For Infiniband support, Ironic needs to send the ‘client-id’ DHCP option as a number in order for IP address assignment to work. This is now supported in Neutron, and can be specified as option number 61 as defined in RFC 4776. For more information see bug 1770932.
11.0.3
New Features
L2 agents based on ML2 _common_agent now have the L2 extension API available. This API can be used by L2 extension drivers to request resources from the L2 agent. It is used, for example, to pass an instance of the IptablesManager to the Linuxbridge L2 agent QoS extension driver.
Bug Fixes
Fixes bug 1736674, security group rules are now properly applied by Linuxbridge L2 agent with QoS extension driver enabled.
Adding security group rules by protocol number is documented, but somehow was broken without being noticed in one of the last couple of releases. This is now fixed. For more information see bug 1716045.
11.0.2
Bug Fixes
The Openvswitch agent has an extension called fdb that uses the Linux bridge command. The bridge command has been added to the rootwrap openvswitch-plugin.filters file. For more information, see bug: 1730407
11.0.0
Prelude
A new agent_mode (dvr_no_external) for DVR routers has been added to allow the server to configure Floating IPs associated with DVR at the centralized node.
New Features
The openvswitch L2 agent now supports bi-directional bandwidth limiting.
The QoS service plugin now supports a new attribute in qos_bandwidth_limit_rule. This new parameter is called direction and allows specifying the direction of traffic for which the limit should be applied.
Ports now have a dns_domain attribute. A port’s dns_domain attribute has precedence over the network’s dns_domain from the point of view of publishing it to the external DNS service.
Allow configuring the router service plugin without the dvr API extension loaded and exposed. To achieve that, set the new enable_dvr option to False in the neutron.conf file.
The new net-mtu-writable extension API definition has been added. The new extension indicates that the network mtu attribute is writeable. Plugins supporting the new extension are expected to also support net-mtu. The first plugin that gets support for the new extension is ml2.
Add data_plane_status attribute to port resources to represent the status of the underlying data plane. This attribute is to be managed by entities outside of the Networking service, while the status attribute is managed by the Networking service. Both status attributes are independent from one another. Third parties can report via Neutron API issues in the underlying data plane affecting connectivity from/to Neutron ports. Attribute can take values None (default), ACTIVE or DOWN, and is readable by users and writable by admins and users granted the data-plane-integrator role. Append data_plane_status to [ml2] extension_drivers config option to load the extension driver.
The resource tag mechanism is refactored so that the tag support for new resources can be supported easily. The resources with tag support are network, subnet, port, subnetpool, trunk, floatingip, policy, security_group, and router.
Neutron API can now be managed by a mod_wsgi compatible web server (e.g. apache2 (httpd), nginx, etc.)
Add ‘default’ behaviour to QoS policies. Neutron now supports having a default QoS policy in a project, assigned automatically to all new networks created.
Some scenario tests require advanced Glance images (for example, Ubuntu or CentOS) in order to pass. They are now skipped by default. If you need to execute those tests, please configure tempest.conf to use an advanced image, and set image_is_advanced in neutron_plugin_options section of tempest.conf file to True. The first scenario test case that requires the new option set to execute is test_trunk.
The Neutron API now supports conditional updates to resources with the ‘revision_number’ attribute by setting the desired revision number in an HTTP If-Match header. This allows clients to ensure that a resource hasn’t been modified since it was retrieved by the client. Support for conditional updates on the server can be checked for by looking for the ‘revision-if-match’ extension in the supported extensions.
A new DVR agent type dvr_no_external has been introduced with this release. This agent type allows the Floating IPs (DNAT/North-South routing) to be centralized while the East/West routing is still distributed.
Proactively create DVR floating IP namespace on all compute nodes when a gateway is configured.
Floating IPs associated with an unbound port with DVR routers will not be distributed, but will be centralized and implemented in the SNAT namespace of the Network node or dvr_snat node. Floating IPs that are associated with an allowed_address_pair port IP and are bound to multiple active VMs with DVR routers will be implemented in the SNAT namespace in the Network node or dvr_snat node. This will address VRRP use cases. More information about this is captured in bug 1583694.
Resource tag mechanism now supports subnet, port, subnetpool and router resources.
Implements a new extension, quota_details, which extends the existing quota API to show detailed information for a specified tenant. The new API shows details such as limits, used, reserved.
Linuxbridge L2 agent supports ingress bandwidth limit. The linuxbridge L2 agent now supports bi-directional bandwidth limiting.
UDP ports used by VXLAN in the LinuxBridge agent can be configured now with the VXLAN.udp_srcport_min, VXLAN.udp_srcport_max and VXLAN.udp_dstport config options. To use the IANA assigned port number, set VXLAN.udp_dstport to 4789. The default is not changed from the Linux kernel default 8472.
The metering agent driver can now be specified with a stevedore alias in the metering_agent.ini file. For example, driver = iptables instead of driver = neutron.services.metering.iptables.iptables_driver:IptablesMeteringDriver.
A new network_link_prefix configuration option is introduced that allows altering the domain returned in the URLs included in the API responses. It behaves the same way as the compute_link_prefix and glance_link_prefix options do for Nova and Glance.
The openvswitch mechanism driver now supports hardware offload via SR-IOV. It allows binding direct (SR-IOV) ports. Using openvswitch 2.8.0 and ‘Linux Kernel’ 4.8 allows controlling the SR-IOV VF via the OpenFlow control plane and gaining accelerated ‘Open vSwitch’.
Network QoS policies are now supported for network:router_gateway ports. Neutron QoS policies set on an external network now apply to external router ports (DVR or not).
New API to get details of supported rule types. The QoS service plugin can now expose details about supported QoS rule types in Neutron deployment. The new API call is allowed only for users with admin privileges.
In order to reduce metadata proxy memory footprint, haproxy is now used as a replacement for neutron-ns-metadata-proxy Python implementation.
Subport segmentation details can now accept inherit as segmentation type during a trunk creation/update request. The trunk plugin will determine the segmentation type and ID and replace them with those of the network to which the port is connected. Only single-segment VLAN networks are set to have expected and correct results at this point.
Enable creation of VXLANs with different multicast addresses in linuxbridge agent allocated by VNI-address mappings. A new config option multicast_ranges was introduced.
Known Issues
There can be a mixture of dvr agents and dvr_no_external agents. But please avoid any VM with Floating IP migration between a dvr agent and a dvr_no_external agent. All VM ports with Floating IPs should be migrated to same agent_mode. This would be one of the restrictions.
Creating DVR floating IP namespace on all nodes proactively might consume public IP Address, but by using subnet service-types as explained in the networking guide consumers can use the private IPs for floating IP agent gateway ports and need not consume any public IP addresses.
While the bound port Floating IPs are distributed, the unbound port Floating IPs are centralized.
Upgrade Notes
Consider setting enable_dvr to False in neutron.conf file if your setup doesn’t support DVR. This will make Neutron stop advertising support for the dvr API extension via its /v2.0/extensions API endpoint.
Default quotas were bumped for the following resources: networks (from 10 to 100), subnets (from 10 to 100), ports (from 50 to 500). If you want to stick to old values, consider explicitly setting them in the neutron.conf file.
Previously, neutron-server was using configuration values for oslo.db that were different from library defaults. Specifically, it used the following values when they were not overridden in configuration files: max_pool_size = 10, max_overflow = 20, pool_timeout = 10. In this release, neutron-server instead relies on default values defined by the library itself. If you rely on old default values, you may need to adjust your configuration files to explicitly set the new values.
A new DVR agent mode of dvr_no_external was added. Changing between this mode and dvr is a disruptive operation to the dataplane.
The send_arp_for_ha configuration option is removed. Neutron now always sends three gratuitous ARP requests on address assigned to a port.
The max_fixed_ips_per_port configuration option was deprecated in the Newton cycle and removed in Pike.
The deprecated prevent_arp_spoofing option has been removed and the default behavior is to always prevent ARP spoofing unless port security is disabled on the port (or network).
Since haproxy was not used before by neutron-l3-agent and neutron-dhcp-agent, rootwrap filters for both agents have to be copied over when upgrading.
To upgrade to the haproxy based metadata proxy, neutron-l3-agent and neutron-dhcp-agent have to be restarted. On startup, old proxy processes will be detected and replaced with haproxy.
After upgrade, a macvtap agent without physical_interface_mappings configured can not be started. Specify a valid mapping to be able to start and use the macvtap agent.
Deprecation Notes
Users can use ‘tagging’ extension instead of the ‘tag’ extension and ‘tag-ext’ extension. Those extensions are now deprecated and will be removed in the Queens release.
The gateway_external_network_id L3 agent option is deprecated and will be removed in next releases, with external_network_bridge that it depends on.
Now that rootwrap daemon mode is supported for XenServer, the neutron-rootwrap-xen-dom0 script is deprecated and will be removed in a next release.
The of_interface Open vSwitch agent configuration option is deprecated and will be removed in the future. After option removal, the current default driver (native) will be the only supported of_interface driver.
The nova_metadata_ip option is deprecated and will be removed in Queens. It is deprecated in favor of the new nova_metadata_host option because it reflects better that the option accepts an IP address and also a DNS name.
The web_framework option has been deprecated and will be removed during Queens. This option was just added to make the transition to pecan easier so there is no reason operators should be using the non-default option anyway.
Bug Fixes
Allows the unbound port Floating IPs to be configured properly with DVR routers irrespective of its device_owner.
Other Notes
Changing MTU configuration options (global_physnet_mtu, physical_network_mtus, and path_mtu) and restarting neutron-server no longer affects existing networks’ MTUs. Nevertheless, new networks will use new option values for MTU calculation. To reflect configuration changes for existing networks, one may use the new net-mtu-writable API extension to update mtu attribute for those networks.
Example configuration of multicast_ranges in ml2_conf.ini under the [vxlan] config section: multicast_ranges = 224.0.0.10:10:90,225.0.0.15:100:900. For VNI between 10 and 90, the multicast address 224.0.0.10 will be used, and for 100 through 900 225.0.0.15 will be used. Other VNI values will get standard vxlan_group address. For more info see RFE https://bugs.launchpad.net/neutron/+bug/1579068
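An added example (not part of the release notes and not Neutron's own code): parsing and validating a multicast_ranges value, then resolving a VNI to its multicast group with the vxlan_group fallback described above. It assumes IPv4 groups and inclusive VNI bounds; the function names, the rejection of overlapping ranges, and the fallback address 239.1.1.1 are choices of this example.

```python
import ipaddress

MAX_VNI = 2**24 - 1  # VXLAN network identifiers are 24 bits wide


def parse_multicast_ranges(value):
    """Parse 'group:vni_min:vni_max,...' into validated (group, lo, hi) tuples."""
    ranges = []
    for item in filter(None, (part.strip() for part in value.split(","))):
        try:
            group_text, lo_text, hi_text = item.split(":")
            group = ipaddress.IPv4Address(group_text)
            lo, hi = int(lo_text), int(hi_text)
        except ValueError as exc:  # wrong field count, bad address, bad integer
            raise ValueError(f"malformed entry {item!r}") from exc
        if not group.is_multicast:
            raise ValueError(f"{group} is not a multicast address")
        if not 1 <= lo <= hi <= MAX_VNI:
            raise ValueError(f"invalid VNI range in {item!r}")
        # Example's choice: refuse ambiguous configs instead of first-match-wins.
        if any(lo <= o_hi and o_lo <= hi for _, o_lo, o_hi in ranges):
            raise ValueError(f"{item!r} overlaps an earlier range")
        ranges.append((group, lo, hi))
    return ranges


def group_for_vni(vni, ranges, vxlan_group):
    """Return the mapped group for a VNI, or the vxlan_group fallback."""
    for group, lo, hi in ranges:
        if lo <= vni <= hi:  # bounds assumed inclusive
            return str(group)
    return vxlan_group


if __name__ == "__main__":
    # Value taken from the release note; the fallback group is constructed.
    ranges = parse_multicast_ranges("224.0.0.10:10:90,225.0.0.15:100:900")
    for vni in (10, 90, 95, 500, 901):
        print(vni, group_for_vni(vni, ranges, "239.1.1.1"))
```

A five-octet address such as 224.0.0.0.10 is rejected by the parser as a malformed entry instead of being silently mapped.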