Ocata Series Release Notes¶
A new config option
bridge_mac_table_sizehas been added for Neutron OVS agent. This value will be set on every Open vSwitch bridge managed by the openvswitch-neutron-agent in
other_config:mac-table-sizecolumn in ovsdb. Default value for this new option is set to 50000 and it should be enough for most systems. More details about this option can be found in Open vSwitch documentation For more information see bug 1775797.
The neutron-openvswitch-agent can sometimes spend too much time handling a large number of ports, exceeding its timeout value,
agent_boot_time, for L2 population. Because of this, some flow update operations will not be triggerred, resulting in lost flows during agent restart, especially for host-to-host vxlan tunnel flows, causing the original tunnel flows to be treated as stale due to the different cookie IDs. The agent’s first RPC loop will also do a stale flow clean-up procedure and delete them, leading to a loss of connectivity. Please ensure that all neutron-server and neutron-openvswitch-agent binaries are upgraded for the changes to take effect, after which the L2 population
agent_boot_timeconfig option will no longer be used.
The neutron-openvswitch-agent was changed to notify the neutron-server in its first RPC loop that it has restarted. This signals neutron-server to provide updated L2 population information to correctly program FDB entries, ensuring connectivity to instances is not interrupted. This fixes the following bugs: 1794991, 1799178, 1813703, 1813714, 1813715.
In order to improve heavy load ovs agent restart success rate, instead a retry or fullsync, the native driver
of_request_timeoutare now set to 300s. The value does not have side effect for the regular pressure ovs agent.
L2 agents based on
_common_agenthave now the L2 extension API available. This API can be used by L2 extension drivers to request resources from the L2 agent. It is used, for example, to pass an instance of the
QoS extension driver.
Fixes bug 1736674, security group rules are now properly applied by
Linuxbridge L2 agentwith
QoS extension driverenabled.
Adding security group rules by protocol number is documented, but somehow was broken without being noticed in one of the last couple of releases. This is now fixed. For more information see bug 1716045.
Some scenario tests require advanced
Glanceimages (for example,
CentOS) in order to pass. They are now skipped by default. If you need to execute those tests, please configure
tempest.confto use an advanced image, and set
True. The first scenario test case that requires the new option set to execute is
Hyper-V Neutron Agent has been fully decomposed from Neutron. Therefore, the neutron.plugins.hyperv.agent.security_groups_driver.HyperVSecurityGroupsDriver firewall driver has been deleted. Update the neutron_hyperv_agent.conf / neutron_ovs_agent.conf files on the Hyper-V nodes to use hyperv.neutron.security_groups_driver.HyperVSecurityGroupsDriver, which is the networking_hyperv security groups driver.
Middleware was added to parse the
X-Forwarded-ProtoHTTP header or the Proxy protocol in order to help Neutron respond with the correct URL references when it’s put behind a TLS proxy such as
haproxy. This adds
http_proxy_to_wsgimiddleware to the pipeline. This middleware is disabled by default, but can be enabled via a configuration option in the
The Linux Bridge agent now supports QoS DSCP marking rules.
Keepalived VRRP health check functionality to enable verification of connectivity from the “master” router to all gateways. Activation of this feature enables gateway connectivity validation and rescheduling of the “master” router to another node when connectivity is lost. If all routers lose connectivity to the gateways, the election process will be repeated round-robin until one of the routers restores its gateway connection. In the mean time, all of the routers will be reported as “master”.
Add a new configuration section,
[placement], with two new options that allow to make
segmentsplugin to use the
Computeplacement ReST API. This API allows to influence node placement of instances based on availability of IPv4 addresses in routed networks. The first option, region_name, indicates the placement region to use. This option is useful if keystone manages more than one region. The second option, endpoint_type, determines the type of a placement endpoint to use. This endpoint will be looked up in the keystone catalog and should be one of
Designate driver can now use Keystone v3 authentication options. “The
[designate]section now accepts the
auth_typeoption, as well as other
Resource tag mechanism now supports subnet, port, subnetpool and router resources.
A new mechanism has been added to the
neutron-netns-cleanuptool that allows to kill processes listening on any
Unixor network socket within a namespace. The new mechanism will try to kill those processes gracefully using the
SIGTERMsignal and, if they refuse to die, then the
SIGKILLsignal will be sent to each remaining process to ensure a proper cleanup.
The QoS driver architecture has been refactored to overcome several previous limitations, the main one was the coupling of QoS details into the mechanism drivers, and the next one was the need of configuration knobs to enable each specific notification driver, that will be handled automatically from now on.
updated_atresource fields now include a timezone indicator at the end. Because this is a change in field format, the old
timestamp_coreextension has been removed and replaced with a
Initial support for
oslo.privsephas been added. Most external commands are still executed using
vhost-user reconnect is a mechanism which allows a vhost-user frontend to reconnect to a vhost-user backend in the event the backend terminates either as a result of a graceful shutdown or a crash. This allows a VM utilising a vhost-user interface to reconnect automatically to the backend e.g. Open vSwitch without requiring the VM to reboot. In this release, support was added to the neutron Open vSwitch agent and
ml2driver for vhost-user reconnect.
In kernels < 3.19
net.ipv4.ip_nonlocal_bindsysctl option was not isolated to network namespace scope. L3 HA sets this option to zero to avoid sending gratuitous ARPs for IP addresses that were removed while processing. If this happens, then gratuitous ARPs will be sent. It may populate ARP cache tables of peer machines with wrong MAC addresses.
api-paste.iniconfiguration file for the paste pipeline was updated to add the
dhcp_domainDHCP agent configuration option was deprecated in Liberty cycle, and now is no longer used. The
dns_domainoption should be used instead.
On upgrade, IPv6 addresses in DHCP namespaces that have been created dynamically via SLAAC will be removed, and static IPv6 addresses will be added instead.
Update the neutron_hyperv_agent.conf / neutron_ovs_agent.conf files on the Hyper-V nodes to use hyperv.neutron.security_groups_driver.HyperVSecurityGroupsDriver, which is the networking_hyperv security groups driver.
A new option
ha_keepalived_state_change_server_threadshas been added to configure the number of concurrent threads spawned for keepalived server connection requests. Higher values increase the CPU load on the agent nodes. The default value is half of the number of CPUs present on the node. This allows operators to tune the number of threads to suit their environment. With more threads, simultaneous requests for multiple HA routers state change can be handled faster.
oslo.messaging.notify.driversentrypoints that were left in tree for backwards compatibility with pre-Icehouse releases have been removed. Those are
neutron.openstack.common.notifier.rpc_notifier. Use values provided by
oslo.messaginglibrary to configure notification drivers.
advertise_mtuoption is removed. Now Neutron always uses all available means to advertise MTUs to instances (including DHCPv4 and IPv6 RA).
min_l3_agents_per_routerconfiguration option was deprecated in Newton cycle and removed in Ocata. HA routers no longer require a minimal number of L3 agents to be created, although obviously they require at least two L3 agents to provide HA guarantees. The rationale for the removal of the option is the case a router was created just when an agent was not operational. The creation of the router will now succeed, and when a second agent resumes operation the router will be scheduled to it providing HA.
After upgrade, a macvtap agent without physical_interface_mappings configured can not be started. Specify a valid mapping to be able to start and use the macvtap agent.
timestamp_coreextension has been removed and replaced with the
standard-attr-timestampextension. Resources will still have timestamps in the
updated_atfields, but timestamps will have time zone info appended to the end to be consistent with other OpenStack projects.
The L3 agent
send_arp_for_ha configurationoption is deprecated and will be removed in Pike. The functionality will remain, and the agent will send three gratuitious ARPs whenever a new floating IP is configured.
iptablesfirewall driver will no longer enable bridge firewalling in next versions of Neutron. If your distribution overrides the default value for any of relevant sysctl settings (
net.bridge.bridge-nf-call-iptables) then make sure you set them back to upstream kernel default (
1) using /etc/sysctl.conf or /etc/sysctl.d/* configuration files.
notification_drivers from [qos] section has been deprecated. It will be removed in a future release.
There is a race condition when adding ports in DHCP namespaces where an IPv6 address could be dynamically created via SLAAC from a Router Advertisement sent from the L3 agent, leading to a failure to start the DHCP agent. This bug has been fixed, but care must be taken on an upgrade dealing with any potentially stale dynamic addresses. For more information, see bug 1627902.
keepalived< 1.2.20 don’t send gratuitous ARPs when keepalived process receives a
SIGHUPsignal. These versions are not packaged in some Linux distributions like Red Hat Enterprise Linux 7, CentOS 7, or Ubuntu Xenial. Not sending gratuitous ARPs may lead to peer ARP cache tables containing wrong entries about floating IP addresses until those entries are invalidated. To fix that scenario, Neutron now sends gratuitous ARPs for all new IP addresses that appear on non-HA interfaces in router namespaces. This behavior simulates behavior of new versions of
Due to changes in internal L3 logic, a server crash/backend failure during FIP creation may leave dangling ports attached on external networks. These ports can be identified by a
device_idparameter. While those ports can also be removed by admins, the
neutron-serverservice will now also trigger periodic (approximately once in 10 minutes) cleanup to address the issue.
allow_sortingconfiguration options are now removed. Now, sorting and pagination are always enabled for plugins that support the features.
vhost-user reconnect requires dpdk 16.07 and qemu 2.7 and openvswitch 2.6 to function. if an older qemu is used, reconnect will not be available but vhost-user will still function.