Pike Series Release Notes
The first address in an IPv6 network is now a valid, usable IP for routers. It had previously been reserved, but now can be assigned to a router so that an IPv6 address ending in “::” could be a valid default route.
In order to improve the OVS agent restart success rate under heavy load, instead of a retry or fullsync, the native driver of_request_timeout are now set to 300s. The value does not have a side effect for an OVS agent under regular load.
A new option [ovs] of_inactivity_probe has been added to allow changing the inactivity probe interval when using the OVS ML2 agent with the native OpenFlow driver. Operators can increase this if they are experiencing OpenFlow timeouts. The default value is 10 seconds.
The neutron-openvswitch-agent can sometimes spend too much time handling a large number of ports, exceeding its timeout value, agent_boot_time, for L2 population. Because of this, some flow update operations will not be triggered, resulting in lost flows during agent restart, especially for host-to-host vxlan tunnel flows, causing the original tunnel flows to be treated as stale due to the different cookie IDs. The agent’s first RPC loop will also do a stale flow clean-up procedure and delete them, leading to a loss of connectivity. Please ensure that all neutron-server and neutron-openvswitch-agent binaries are upgraded for the changes to take effect, after which the L2 population agent_boot_time config option will no longer be used.
Fixes bug 1501206. This ensures that DHCP agent instances running dnsmasq as a DNS server can no longer be exploited as DNS amplifiers when the tenant network is using publicly routed IP addresses by adding an option that will allow them to only serve DNS requests from local networks.
Fixes an issue causing IP allocation on port update to fail when the initial IP allocation was deferred due to lack of binding info. If both the port mac_address and binding info (binding_host_id) were updated in the same request, the fixed_ips field was added to the request internally. The code to complete the deferred allocation failed to execute in that case. (For more information see bug 1811905.)
The neutron-openvswitch-agent was changed to notify the neutron-server in its first RPC loop that it has restarted. This signals neutron-server to provide updated L2 population information to correctly program FDB entries, ensuring connectivity to instances is not interrupted. This fixes the following bugs: 1794991, 1799178, 1813703, 1813714, 1813715.
The metering agent iptables driver can now load its interface driver by using a stevedore alias in the metering_agent.ini file. For example, interface_driver = openvswitch instead of interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
A new config option bridge_mac_table_size has been added for Neutron OVS agent. This value will be set on every Open vSwitch bridge managed by the openvswitch-neutron-agent in other_config:mac-table-size column in ovsdb. Default value for this new option is set to 50000 and it should be enough for most systems. More details about this option can be found in Open vSwitch documentation. For more information see bug 1775797.
For Infiniband support, Ironic needs to send the ‘client-id’ DHCP option as a number in order for IP address assignment to work. This is now supported in Neutron, and can be specified as option number 61 as defined in RFC 4776. For more information see bug 1770932
L2 agents based on _common_agent now have the L2 extension API available. This API can be used by L2 extension drivers to request resources from the L2 agent. It is used, for example, to pass an instance of the QoS extension driver.
Fixes bug 1736674, security group rules are now properly applied by Linuxbridge L2 agent with QoS extension driver enabled.
Adding security group rules by protocol number is documented, but somehow was broken without being noticed in one of the last couple of releases. This is now fixed. For more information see bug 1716045.
The Openvswitch agent has an extension called fdb that uses the Linux bridge command has been added to the rootwrap openvswitch-plugin.filters file. For more information, see bug: 1730407
A new agent_mode (dvr_no_external) for DVR routers has been added to allow the server to configure Floating IPs associated with DVR at the centralized node.
The openvswitch L2 agent now supports bi-directional bandwidth limiting.
The QoS service plugin now supports a new attribute in qos_bandwidth_limit_rule. This new parameter is called direction and allows specifying the direction of traffic for which the limit should be applied.
Ports now have a dns_domain attribute. A port’s dns_domain attribute has precedence over the network’s dns_domain from the point of view of publishing it to the external DNS service.
Allow configuring the router service plugin without the dvr API extension loaded and exposed. To achieve that, set the new
net-mtu-writable extension API definition has been added. The new extension indicates that the network mtu attribute is writeable. Plugins supporting the new extension are expected to also support net-mtu. The first plugin that gets support for the new extension is
data_plane_status attribute to port resources to represent the status of the underlying data plane. This attribute is to be managed by entities outside of the Networking service, while the status attribute is managed by the Networking service. Both status attributes are independent from one another. Third parties can report via Neutron API issues in the underlying data plane affecting connectivity from/to Neutron ports. Attribute can take values DOWN, and is readable by users and writable by admins and users granted the
[ml2] extension_drivers config option to load the extension driver.
The resource tag mechanism is refactored so that the tag support for new resources can be supported easily. The resources with tag support are network, subnet, port, subnetpool, trunk, floatingip, policy, security_group, and router.
Neutron API can now be managed by a mod_wsgi compatible web server (e.g.
Add ‘default’ behaviour to QoS policies. Neutron now supports having a default QoS policy in a project, assigned automatically to all new networks created.
Some scenario tests require advanced Glance images (for example, CentOS) in order to pass. They are now skipped by default. If you need to execute those tests, please configure tempest.conf to use an advanced image, and set True. The first scenario test case that requires the new option set to execute is
The Neutron API now supports conditional updates to resources with the ‘revision_number’ attribute by setting the desired revision number in an HTTP If-Match header. This allows clients to ensure that a resource hasn’t been modified since it was retrieved by the client. Support for conditional updates on the server can be checked for by looking for the ‘revision-if-match’ extension in the supported extensions.
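An added example (not Neutron's code and not part of the original notes) of a client using the conditional update described above so that a read-modify-write of a port's security groups cannot silently overwrite a concurrent change. FakePortStore is a constructed in-memory stand-in for the server; the If-Match value format revision_number=<n> and the 412 status on a mismatch are assumptions of this sketch.

```python
import re

class FakePortStore:
    """Constructed stand-in for the server side of a conditional update."""
    def __init__(self):
        # Constructed sample resource, not real deployment data.
        self.ports = {"p1": {"revision_number": 4, "security_groups": ["sg-web"]}}

    def get(self, port_id):
        return dict(self.ports[port_id])

    def put(self, port_id, body, headers):
        port = self.ports[port_id]
        match = headers.get("If-Match")
        if match is not None:
            # Assumed header value format: revision_number=<n>
            m = re.fullmatch(r"revision_number=(\d+)", match.strip())
            if m is None:
                return 400, None
            if int(m.group(1)) != port["revision_number"]:
                return 412, None  # resource changed since the client read it
        port.update(body)
        port["revision_number"] += 1
        return 200, dict(port)

def add_security_group(store, port_id, sg, max_attempts=3, before_write=None):
    """Read-modify-write that retries instead of clobbering a concurrent change."""
    for attempt in range(1, max_attempts + 1):
        port = store.get(port_id)
        groups = sorted(set(port["security_groups"]) | {sg})
        if before_write:
            before_write(attempt)  # hook used to simulate a concurrent writer
        status, updated = store.put(
            port_id, {"security_groups": groups},
            {"If-Match": "revision_number=%d" % port["revision_number"]})
        if status == 200:
            return updated, attempt
        if status != 412:
            raise RuntimeError("unexpected status %d" % status)
        # 412: our copy is stale, so re-read and recompute on the next pass.
    raise RuntimeError("gave up after %d conflicting updates" % max_attempts)
```

Without the If-Match header, the first write in a race like this would replace the other writer's security group list with one computed from stale data.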
A new DVR agent type dvr_no_external has been introduced with this release. This agent type allows the Floating IPs (DNAT/North-South routing) to be centralized while the East/West routing is still distributed.
Proactively create DVR floating IP namespace on all compute nodes when a gateway is configured.
Floating IPs associated with an unbound port with DVR routers will not be distributed, but will be centralized and implemented in the SNAT namespace of the Network node or dvr_snat node. Floating IPs associated with allowed_address_pair port IP and are bound to multiple active VMs with DVR routers will be implemented in the SNAT namespace in the Network node or dvr_snat node. This will address VRRP use cases. More information about this is captured in bug 1583694.
Resource tag mechanism now supports subnet, port, subnetpool and router resources.
Implements a new extension, quota_details which extends existing quota API to show detailed information for a specified tenant. The new API shows details such as
Linuxbridge L2 agent supports ingress bandwidth limit. The linuxbridge L2 agent now supports bi-directional bandwidth limiting.
UDP ports used by VXLAN in the LinuxBridge agent can be configured now with the VXLAN.udp_srcport_min, VXLAN.udp_srcport_max and VXLAN.udp_dstport config options. To use the IANA assigned port number, set VXLAN.udp_dstport to 4789. The default is not changed from the Linux kernel default 8472.
The metering agent driver can now be specified with a stevedore alias in the metering_agent.ini file. For example, driver = iptables instead of driver = neutron.services.metering.iptables.iptables_driver:IptablesMeteringDriver.
network_link_prefix configuration option is introduced that allows altering the domain returned in the URLs included in the API responses. It behaves the same way as the glance_link_prefix options do for Nova and Glance.
openvswitch mechanism driver now supports hardware offload via SR-IOV. It allows binding direct (SR-IOV) ports. Using openvswitch 2.8.0 and ‘Linux Kernel’ 4.8 allows controlling the SR-IOV VF via the OpenFlow control plane and gaining accelerated ‘Open vSwitch’.
Network QoS policies are now supported for network:router_gateway ports. Neutron QoS policies set on an external network now apply to external router ports (DVR or not).
New API to get details of supported rule types. The QoS service plugin can now expose details about supported QoS rule types in Neutron deployment. The new API call is allowed only for users with admin privileges.
In order to reduce metadata proxy memory footprint, haproxy is now used as a replacement for
Subport segmentation details can now accept inherit as segmentation type during a trunk creation/update request. The trunk plugin will determine the segmentation type and ID and replace them with those of the network to which the port is connected. Only single-segment VLAN networks are set to have expected and correct results at this point.
Enable creation of VXLANs with different multicast addresses in linuxbridge agent allocated by VNI-address mappings. A new config option
There can be a mixture of dvr_no_external agents. But please avoid any VM with Floating IP migration between a dvr agent and a dvr_no_external agent. All VM ports with Floating IPs should be migrated to the same agent_mode. This would be one of the restrictions.
Creating DVR floating IP namespace on all nodes proactively might consume public IP Address, but by using subnet service-types as explained in the networking guide consumers can use the private IPs for floating IP agent gateway ports and need not consume any public IP addresses.
While the bound port Floating IPs are distributed, the unbound port Floating IPs are centralized.
neutron.conf file if your setup doesn’t support DVR. This will make Neutron stop advertising support for the dvr API extension via its
Default quotas were bumped for the following resources: networks (from 10 to 100), subnets (from 10 to 100), ports (from 50 to 500). If you want to stick to old values, consider explicitly setting them in the
neutron-server was using configuration values for oslo.db that were different from library defaults. Specifically, it used the following values when they were not overridden in configuration files: pool_timeout = 10. In this release, neutron-server instead relies on default values defined by the library itself. If you rely on old default values, you may need to adjust your configuration files to explicitly set the new values.
A new DVR agent mode of dvr_no_external was added. Changing between this mode and dvr is a disruptive operation to the dataplane.
send_arp_for_ha configuration option is removed. Neutron now always sends three gratuitous ARP requests on address assigned to a port.
max_fixed_ips_per_port configuration option was deprecated in the Newton cycle and removed in Pike.
prevent_arp_spoofing option has been removed and the default behavior is to always prevent ARP spoofing unless port security is disabled on the port (or network).
haproxy was not used before by neutron-dhcp-agent, rootwrap filters for both agents have to be copied over when upgrading.
To upgrade to the haproxy based metadata proxy, neutron-dhcp-agent have to be restarted. On startup, old proxy processes will be detected and replaced with
After upgrade, a macvtap agent without physical_interface_mappings configured can not be started. Specify a valid mapping to be able to start and use the macvtap agent.
Users can use ‘tagging’ extension instead of the ‘tag’ extension and ‘tag-ext’ extension. Those extensions are now deprecated and will be removed in the Queens release.
gateway_external_network_id L3 agent option is deprecated and will be removed in next releases, with external_network_bridge that it depends on.
Now that rootwrap daemon mode is supported for XenServer, the neutron-rootwrap-xen-dom0 script is deprecated and will be removed in a next release.
The of_interface Open vSwitch agent configuration option is deprecated and will be removed in the future. After option removal, the current default driver (native) will be the only supported of_interface driver.
nova_metadata_ip option is deprecated and will be removed in Queens. It is deprecated in favor of the new nova_metadata_host option because it reflects better that the option accepts an IP address and also a DNS name.
The web_framework option has been deprecated and will be removed during Queens. This option was just added to make the transition to pecan easier so there is no reason operators should be using the non-default option anyway.
Allows the unbound port Floating IPs to be configured properly with DVR routers irrespective of its device_owner.
Changing MTU configuration options (path_mtu) and restarting neutron-server no longer affects existing networks’ MTUs. Nevertheless, new networks will use new option values for MTU calculation. To reflect configuration changes for existing networks, one may use the new net-mtu-writable API extension to update the mtu attribute for those networks.
Example configuration of multicast_ranges in ml2_conf.ini under the multicast_ranges = 18.104.22.168:10:90,22.214.171.124:100:900. For VNI between 10 and 90, the multicast address 126.96.36.199.10 will be used, and for 100 through 900 188.8.131.52 will be used. Other VNI values will get standard vxlan_group address. For more info see RFE https://bugs.launchpad.net/neutron/+bug/1579068