Ocata Series Release Notes
- Call dhcp_release6 command line utility when releasing unused IPv6 leases for DHCPv6 stateful subnets. dhcp_release6 first appeared in dnsmasq 2.76.
- Hyper-V Neutron Agent has been fully decomposed from Neutron. Therefore, the neutron.plugins.hyperv.agent.security_groups_driver.HyperVSecurityGroupsDriver firewall driver has been deleted. Update the neutron_hyperv_agent.conf / neutron_ovs_agent.conf files on the Hyper-V nodes to use hyperv.neutron.security_groups_driver.HyperVSecurityGroupsDriver, which is the networking_hyperv security groups driver.
- Middleware was added to parse the X-Forwarded-Proto HTTP header or the Proxy protocol in order to help Neutron respond with the correct URL references when it’s put behind a TLS proxy such as haproxy. This adds http_proxy_to_wsgi middleware to the pipeline. This middleware is disabled by default, but can be enabled via a configuration option in the
- The Linux Bridge agent now supports QoS DSCP marking rules.
- Keepalived VRRP health check functionality to enable verification of connectivity from the “master” router to all gateways. Activation of this feature enables gateway connectivity validation and rescheduling of the “master” router to another node when connectivity is lost. If all routers lose connectivity to the gateways, the election process will be repeated round-robin until one of the routers restores its gateway connection. In the meantime, all of the routers will be reported as “master”.
- Add a new configuration section, [placement], with two new options that allow the segments plugin to use the Compute placement REST API. This API makes it possible to influence node placement of instances based on availability of IPv4 addresses in routed networks. The first option, region_name, indicates the placement region to use. This option is useful if keystone manages more than one region. The second option, endpoint_type, determines the type of a placement endpoint to use. This endpoint will be looked up in the keystone catalog and should be one of
- Designate driver can now use Keystone v3 authentication options. The [designate] section now accepts the auth_type option, as well as other
- Resource tag mechanism now supports subnet, port, subnetpool and router resources.
- A new mechanism has been added to the neutron-netns-cleanup tool that allows killing processes listening on any Unix or network socket within a namespace. The new mechanism will try to kill those processes gracefully using the SIGTERM signal and, if they refuse to die, then the SIGKILL signal will be sent to each remaining process to ensure a proper cleanup.
- The QoS driver architecture has been refactored to overcome several previous limitations. The main one was the coupling of QoS details into the mechanism drivers; the next was the need for configuration knobs to enable each specific notification driver, which will be handled automatically from now on.
- updated_at resource fields now include a timezone indicator at the end. Because this is a change in field format, the old timestamp_core extension has been removed and replaced with a
- Initial support for oslo.privsep has been added. Most external commands are still executed using
- vhost-user reconnect is a mechanism which allows a vhost-user frontend to reconnect to a vhost-user backend in the event the backend terminates either as a result of a graceful shutdown or a crash. This allows a VM utilising a vhost-user interface to reconnect automatically to the backend, e.g. Open vSwitch, without requiring the VM to reboot. In this release, support was added to the neutron Open vSwitch agent and ml2 driver for vhost-user reconnect.
- Absence of dhcp_release6 when DHCPv6 stateful addressing is in use may lead to bug 1521666. Neutron supports dhcp_release6 now, but if the tool is not available this leads to increased log warnings. Read bug report 1622002 for more details.
- In kernels < 3.19, the net.ipv4.ip_nonlocal_bind sysctl option was not isolated to network namespace scope. L3 HA sets this option to zero to avoid sending gratuitous ARPs for IP addresses that were removed while processing. If this happens, then gratuitous ARPs will be sent. It may populate ARP cache tables of peer machines with wrong MAC addresses.
- api-paste.ini configuration file for the paste pipeline was updated to add the
- A version of dnsmasq that includes dhcp_release6 should be installed on systems running the DHCP agent. Failure to do this could cause DHCPv6 stateful addressing to not function properly.
- The rootwrap filters file dhcp.filters must be updated to include dhcp_release6, otherwise trying to run the utility will result in a NoFilterMatched exception.
- The router_id option is deprecated and will be removed in the Newton release.
- dhcp_domain DHCP agent configuration option was deprecated in Liberty cycle, and now is no longer used. The dns_domain option should be used instead.
- On upgrade, IPv6 addresses in DHCP namespaces that have been created dynamically via SLAAC will be removed, and static IPv6 addresses will be added instead.
- The Hyper-V Neutron Agent has been fully decomposed from Neutron. The neutron.plugins.hyperv.agent.security_groups_driver.HyperVSecurityGroupsDriver firewall driver has been deprecated and will be removed in the Ocata release. Update the neutron_hyperv_agent.conf files on the Hyper-V nodes to use hyperv.neutron.security_groups_driver.HyperVSecurityGroupsDriver, which is the networking_hyperv security groups driver.
- Update the neutron_hyperv_agent.conf / neutron_ovs_agent.conf files on the Hyper-V nodes to use hyperv.neutron.security_groups_driver.HyperVSecurityGroupsDriver, which is the networking_hyperv security groups driver.
- A new option ha_keepalived_state_change_server_threads has been added to configure the number of concurrent threads spawned for keepalived server connection requests. Higher values increase the CPU load on the agent nodes. The default value is half of the number of CPUs present on the node. This allows operators to tune the number of threads to suit their environment. With more threads, simultaneous requests for multiple HA routers state change can be handled faster.
- oslo.messaging.notify.drivers entrypoints that were left in tree for backwards compatibility with pre-Icehouse releases have been removed. Those are neutron.openstack.common.notifier.rpc_notifier. Use values provided by oslo.messaging library to configure notification drivers.
- advertise_mtu option is removed. Now Neutron always uses all available means to advertise MTUs to instances (including DHCPv4 and IPv6 RA).
- min_l3_agents_per_router configuration option was deprecated in Newton cycle and removed in Ocata. HA routers no longer require a minimal number of L3 agents to be created, although obviously they require at least two L3 agents to provide HA guarantees. The rationale for the removal of the option is the case a router was created just when an agent was not operational. The creation of the router will now succeed, and when a second agent resumes operation the router will be scheduled to it providing HA.
- After upgrade, a macvtap agent without physical_interface_mappings configured cannot be started. Specify a valid mapping to be able to start and use the macvtap agent.
- timestamp_core extension has been removed and replaced with the standard-attr-timestamp extension. Resources will still have timestamps in the updated_at fields, but timestamps will have time zone info appended to the end to be consistent with other OpenStack projects.
- physical_device_mappings option is deprecated and will be removed in Pike. PCI device validation is done in Nova, controlled via the pci_whitelist configuration option. Therefore it is redundant to validate it in Neutron with
- Neutron controller service currently allows loading service_providers options from some files that are not passed to it via --config-dir or --config-file CLI options. This behaviour is now deprecated and will be disabled in Ocata. Current users are advised to switch to aforementioned CLI options.
- The L3 agent send_arp_for_ha configuration option is deprecated and will be removed in Pike. The functionality will remain, and the agent will send three gratuitous ARPs whenever a new floating IP is configured.
- iptables firewall driver will no longer enable bridge firewalling in next versions of Neutron. If your distribution overrides the default value for any of relevant sysctl settings (net.bridge.bridge-nf-call-iptables) then make sure you set them back to upstream kernel default (1) using /etc/sysctl.conf or /etc/sysctl.d/* configuration files.
- notification_drivers from [qos] section has been deprecated. It will be removed in a future release.
- There is a race condition when adding ports in DHCP namespaces where an IPv6 address could be dynamically created via SLAAC from a Router Advertisement sent from the L3 agent, leading to a failure to start the DHCP agent. This bug has been fixed, but care must be taken on an upgrade dealing with any potentially stale dynamic addresses. For more information, see bug 1627902.
- Versions of keepalived < 1.2.20 don’t send gratuitous ARPs when keepalived process receives a SIGHUP signal. These versions are not packaged in some Linux distributions like Red Hat Enterprise Linux 7, CentOS 7, or Ubuntu Xenial. Not sending gratuitous ARPs may lead to peer ARP cache tables containing wrong entries about floating IP addresses until those entries are invalidated. To fix that scenario, Neutron now sends gratuitous ARPs for all new IP addresses that appear on non-HA interfaces in router namespaces. This behavior simulates behavior of new versions of
- Due to changes in internal L3 logic, a server crash/backend failure during FIP creation may leave dangling ports attached on external networks. These ports can be identified by a device_id parameter. While those ports can also be removed by admins, the neutron-server service will now also trigger periodic (approximately once in 10 minutes) cleanup to address the issue.
- allow_sorting configuration options are now removed. Now, sorting and pagination are always enabled for plugins that support the features.
- vhost-user reconnect requires dpdk 16.07 and qemu 2.7 and openvswitch 2.6 to function. If an older qemu is used, reconnect will not be available but vhost-user will still function.
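
A check for the iptables firewall driver note above (distribution overrides of net.bridge.bridge-nf-call-iptables), added here as an example; it is not part of Neutron or of these release notes. The function names and the sample files are constructed for illustration. With this setting at 0, iptables rules are not applied to bridged traffic.

```shell
#!/bin/sh
# Added example (not Neutron code). Reports sysctl configuration lines that set
# a bridge-netfilter key to anything other than the upstream kernel default (1).

# find_bridge_nf_overrides KEY FILE...
# Prints "file:line:value" for each offending assignment; returns 1 if any
# were found, 0 otherwise. Every assignment is reported, not only the last
# one applied, so each hit can be reviewed.
find_bridge_nf_overrides() {
    bnf_key=$1; shift
    bnf_rc=0
    for bnf_file in "$@"; do
        [ -f "$bnf_file" ] || continue   # skip unmatched globs and missing files
        awk -v key="$bnf_key" '
            BEGIN { alt = key; gsub(/\./, "/", alt); bad = 0 }  # a/b/c form is also valid
            /^[ \t]*[#;]/ { next }                              # comment lines
            {
                line = $0
                sub(/^[ \t]*-?[ \t]*/, "", line)   # "-key = v" means: ignore errors
                eq = index(line, "=")
                if (eq == 0) next
                name = substr(line, 1, eq - 1)
                value = substr(line, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                gsub(/^[ \t]+|[ \t]+$/, "", value)
                if ((name == key || name == alt) && value != "1") {
                    printf "%s:%d:%s\n", FILENAME, FNR, value
                    bad = 1
                }
            }
            END { exit bad }
        ' "$bnf_file" || bnf_rc=1
    done
    return "$bnf_rc"
}

# Constructed sample input: one distribution-style override, one correct file.
demo_bridge_nf() {
    demo_dir=$(mktemp -d)
    printf '# constructed sample\nnet.bridge.bridge-nf-call-iptables = 0\n' > "$demo_dir/99-dist.conf"
    printf 'net.bridge.bridge-nf-call-iptables=1\n' > "$demo_dir/50-ok.conf"
    find_bridge_nf_overrides net.bridge.bridge-nf-call-iptables "$demo_dir"/*.conf
    demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}
```

On a node, pass the real files: find_bridge_nf_overrides net.bridge.bridge-nf-call-iptables /etc/sysctl.conf /etc/sysctl.d/*.conf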