Queens Series Release Notes


New Features

  • A new configuration option http_retries was added. This option allows configuring the number of times the nova or ironic client should retry on a failed HTTP call.

  • Add new configuration option igmp_snooping_enable. New option is in OVS config section and is used by openvswitch agent. This option is used to enable support for Internet Group Management Protocol (IGMP) in integration bridge.

Deprecation Notes

  • Abstract method plug_new from the neutron.agent.linux.interface.LinuxInterfaceDriver class now accepts an optional parameter link_up. Usage of this method, which takes from 5 to 9 positional arguments, without link_up is now deprecated and will not be possible starting in the W release. Third-party drivers which inherit from this base class should update the implementation of their plug_new method.

Security Issues

  • Fix bug 1939733 by dropping from the dhcp extra option values everything what is after first newline (\n) character before passing them to the dnsmasq.

  • A change was made to the metadata proxy to not allow a user to override header values, it will now always insert the correct information and remove unnecessary fields before sending requests to the metadata agent. For more information, see bug 1865036.

Bug Fixes

  • Bug https://bugs.launchpad.net/neutron/+bug/1732067 described a flooding issue on the neutron-ovs-agent integration bridge. And bug https://bugs.launchpad.net/neutron/+bug/1841622 proposed a solution for it. The accepted egress packets will be taken care in the final egress tables (61 when openflow firewall is not enabled, table 94 otherwise) with direct output flows for unicast traffic with a minimum influence on the existing cloud networking. A new config option explicitly_egress_direct, with default value False, was added for the aim of distinguishing clouds which are running the network node mixed with compute services, upstream neutron CI should be an example. In such situation, this explicitly_egress_direct should be set to False, because there are numerous cases from HA routers which can not be covered, particularly when you have centralized floating IPs running in such mixed hosts. Otherwise, set explicitly_egress_direct to True to avoid the flooding. One more note is if your network nodes are for networing services only, we recommand you disable all the security_group to get a higher performance.

  • Fixed MAC learning issue when ovs offload enabled. OVS firewall reduce the usage of normal actions to reduce cpu utilization. This causing flood rule because there is no MAC learning on ingress traffic. While this ok for none offload case, when using ovs offload flood rule is not offloaded. This fix the MAC learning in the offload, so we avoid flood rule. #1897637.

  • Fixes an issue that the OVS firewall driver does not configure security group rules using remote group properly when a corresponding remote group has no port on a local hypervisor. For more information see bugs: 1862703 and 1854131.

  • [bug 1812168] Remove Floating IP DNS record upon associated port deletion.

  • Owners of security groups now see all security group rules which belong to the security group, even if the rule was created by the admin user. Fixes bug 1824248.

  • Add a new match rule based on physical VLAN tag for OpenFlow firewall traffic identifying mechanism to the TRANSIENT table. This fixes the distributed router east-west traffic between VLAN type networks. For more information, see bug 1831534.

Other Notes

  • A new config option, host_dvr_for_dhcp, was added to neutron.conf for DVR to determine whether to host the DVR local router to the scheduled DHCP node(s).

  • To improve performance of the DHCP agent, it will no longer configure the DHCP server for every port type created in Neutron. For example, for floating IP or router HA interfaces there is no need since a client will not make a DHCP request for them


Security Issues

  • The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6 ethertypes at present. This is a behavior change compared to the iptables_hybrid firewall, which only operates on IP packets and thus does not address other ethertypes. There is now a configuration option in the neutron openvswitch agent configuration file for permitted ethertypes and then ensures that the requested ethertypes are permitted on initialization.

Bug Fixes

  • When updating the fixed-ips of a port residing on a routed provider network the port update would always fail if host was not set. See bug: 1844124.


Upgrade Notes

  • The first address in an IPv6 network is now a valid, usable IP for routers. It had previously been reserved, but now can be assigned to a router so that an IPv6 address ending in “::” could be a valid default route.

Other Notes

  • In order to improve heavy load ovs agent restart success rate, instead a retry or fullsync, the native driver of_connect_timeout and of_request_timeout are now set to 300s. The value does not have side effect for the regular pressure ovs agent.

  • A new option [ovs] of_inactivity_probe has been added to allow changing the inactivity probe interval when using the OVS ML2 agent with the native OpenFlow driver. Operators can increase this if they are experiencing OpenFlow timeouts. The default value is 10 seconds.


Critical Issues

  • The neutron-openvswitch-agent can sometimes spend too much time handling a large number of ports, exceeding its timeout value, agent_boot_time, for L2 population. Because of this, some flow update operations will not be triggerred, resulting in lost flows during agent restart, especially for host-to-host vxlan tunnel flows, causing the original tunnel flows to be treated as stale due to the different cookie IDs. The agent’s first RPC loop will also do a stale flow clean-up procedure and delete them, leading to a loss of connectivity. Please ensure that all neutron-server and neutron-openvswitch-agent binaries are upgraded for the changes to take effect, after which the L2 population agent_boot_time config option will no longer be used.

Bug Fixes

  • Fixes bug 1501206. This ensures that DHCP agent instances running dnsmasq as a DNS server can no longer be exploited as DNS amplifiers when the tenant network is using publicly routed IP addresses by adding an option that will allow them to only serve DNS requests from local networks.

  • Fixes an issue causing IP allocation on port update to fail when the initial IP allocation was deferred due to lack of binding info. If both the port mac_address and binding info (binding_host_id) were updated in the same request, the fixed_ips field was added to the request internally. The code to complete the deferred allocation failed to execute in that case. (For more information see bug 1811905.)

  • The neutron-openvswitch-agent was changed to notify the neutron-server in its first RPC loop that it has restarted. This signals neutron-server to provide updated L2 population information to correctly program FDB entries, ensuring connectivity to instances is not interrupted. This fixes the following bugs: 1794991, 1799178, 1813703, 1813714, 1813715.


New Features

  • A new config option bridge_mac_table_size has been added for Neutron OVS agent. This value will be set on every Open vSwitch bridge managed by the openvswitch-neutron-agent in other_config:mac-table-size column in ovsdb. Default value for this new option is set to 50000 and it should be enough for most systems. More details about this option can be found in Open vSwitch documentation For more information see bug 1775797.

Other Notes

  • The metering agent iptables driver can now load its interface driver by using a stevedore alias in the metering_agent.ini file. For example, interface_driver = openvswitch instead of interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver


Bug Fixes

  • For Infiniband support, Ironic needs to send the ‘client-id’ DHCP option as a number in order for IP address assignment to work. This is now supported in Neutron, and can be specified as option number 61 as defined in RFC 4776. For more information see bug 1770932


Known Issues

  • In the case when the number of ports to clean up in a single bridge is larger than about 10000, it might require an increase in the ovsdb_timeout config option to some value higher than 600 seconds.

Bug Fixes

  • Fixes bug 1763604. Override default value of ovsdb_timeout config option in neutron-ovs-cleanup script. The default value is 10 seconds, but that is not enough for the neutron-ovs-cleanup script when there are many ports to remove from a single bridge, for example, 5000. Because of that, we now override the default value for the config option to be 600 seconds (10 minutes).



In order to reduce the time spent processing security group updates in the L2 agent, conntrack deletion is now performed in a set of worker threads instead of the main agent thread, so it can return to processing other events quickly.

Upgrade Notes

  • On an upgrade, conntrack entries will now be cleaned-up in a worker thread, instead of in the calling thread.

Bug Fixes



DNS server assignment can now be disabled in replies sent from the DHCP agent.

A new agent_mode(dvr_no_external) for DVR routers has been added to allow the server to configure Floating IPs associated with DVR at the centralized node.

New Features

  • Ports have now a dns_domain attribute. A port’s dns_domain attribute has precedence over the network’s dns_domain from the point of view of publishing it to the external DNS service.

  • The DSCP value for outer headers in openvswitch overlay tunnel ports can now be set through a configuration option dscp for both OVS and linuxbridge agents.

  • DSCP can also be inherited from the inner header through a new boolean configuration option dscp_inherit for both openvswitch and linuxbridge. If this option is set to true, then the value of dscp will be ignored.

  • Allow configuration of DHCP renewal (T1) and rebinding (T2) timers in neutron-dhcp-agent. By allowing these timers to be set (options 58 and 59 as per RFC2132) in dnsmasq it allows users to change other parameters, like MTU, on instances without having to wait for the lease time to expire. The advantage of changing T1 over the lease time is that if the DHCP server becomes unreachable within the lease time, instances will not drop their IP addresses and it will not cause a dataplane disruption.

  • Tenants who can access shared networks, can now create/update ports on a specified subnet instead of the default subnet. This is now the default behavior and can be changed by modifying policy.json file.

  • It is now possible to instruct the DHCP agent not to supply any DNS server address to their clients by setting the dns_nameservers attribute for the corresponding subnet to or ::, for IPv4 or IPv6 subnets (respectively).

  • L2 agents based on ML2 _common_agent have now the L2 extension API available. This API can be used by L2 extension drivers to request resources from the L2 agent. It is used, for example, to pass an instance of the IptablesManager to the Linuxbridge L2 agent QoS extension driver.

  • A new DVR agent type dvr_no_external has been introduced with this release. This agent type allows the Floating IPs (DNAT/North-South routing) to be centralized while the East/West routing is still distributed.

  • Implementation of floating IP QoS. A new parameter qos_policy_id was added to floating IP related API.

  • Neutron agents now support SSL connections to OVSDB server. To enable an SSL based connection, use an ssl prefixed URI for the ovsdb_connection setting. When using SSL it is also required to set new ovs group options which include ssl_key_file, ssl_cert_file, and ssl_ca_cert_file.

  • Support substring matching when filtering ports by IP address.

  • A new method get_router_info has been added to L3AgentExtensionAPI.

  • A new method ha_state_change has been added to L3AgentExtensionsManager.

Known Issues

  • There can be a mixture of dvr agents and dvr_no_external agents. But please avoid any VM with Floating IP migration between a dvr agent and a dvr_no_external agent. All VM ports with Floating IPs should be migrated to same agent_mode. This would be one of the restrictions.

Upgrade Notes

  • The functionality when a subnet has its DNS server set to or :: has been changed with this release. The old behaviour was that each DHCP agent would supply only its own IP address as the DNS server to its clients. The new behaviour is that the DHCP agent will not supply any DNS server IP address at all.

  • A new DVR agent mode of dvr_no_external was added. Changing between this mode and dvr is a disruptive operation to the dataplane.

  • The web_framework option has been removed. This should have no impact on operators/users since it was just an option used for development of the new web framework.

Deprecation Notes

  • the tos configuration option in vxlan group for linuxbridge is deprecated and replaced with the more precise option dscp. The TOS value is made of DSCP and ECN bits. It is not possible to set the ECN value through the TOS value, and ECN is always inherited from the inner in case of tunneling.

  • The ivs interface driver is deprecated in Queens and will be removed in Rocky.

  • The ovsdb_interface configuration option is now deprecated. In future releases, the value of the option will be ignored. The native driver will then be used.

  • The api-paste entrypoint neutron.api.versions:Versions.factory has been deprecated and will be removed in the Rocky release. Please update your api-paste.ini file to use the one that ships with Queens or update any references to the Versions factory to point to neutron.pecan_wsgi.app:versions_factory instead.

  • The ovs_vsctl_timeout option is renamed into ovsdb_timeout to reflect that it’s not specific to vsctl implementation of ovsdb_interface. It is also moved under [OVS] section.

Bug Fixes

  • Fixes bug 1736674, security group rules are now properly applied by Linuxbridge L2 agent with QoS extension driver enabled.

  • The Openvswitch agent has an extension called fdb that uses the Linux bridge command. The bridge command has been added to the rootwrap openvswitch-plugin.filters file. For more information, see bug: 1730407

  • Adding security group rules by protocol number is documented, but somehow was broken without being noticed in one of the last couple of releases. This is now fixed. For more information see bug 1716045.

  • In security group rules API, API level validation for port_range values has been performed only against TCP and UDP. Now it is performed against DCCP, SCTP and UDP-Lite, too.