Queens Series Release Notes
A new configuration option http_retries was added. This option allows configuring the number of times the nova or ironic client should retry on a failed HTTP call.
Add a new configuration option igmp_snooping_enable. The new option is in the OVS config section and is used by the openvswitch agent. It enables support for Internet Group Management Protocol (IGMP) snooping on the integration bridge.
plug_new from the neutron.agent.linux.interface.LinuxInterfaceDriver class now accepts an optional parameter link_up. Usage of this method, which takes from 5 to 9 positional arguments, without link_up is now deprecated and will not be possible starting in the W release. Third-party drivers which inherit from this base class should update the implementation of their
Fix bug 1939733 by dropping from the DHCP extra option values everything after the first newline (\n) character before passing them to dnsmasq.
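The fix above matters because dnsmasq reads its DHCP options file one option per line, so a value that carries a newline would otherwise be written out as additional lines. The following is an added example, not Neutron's own code: it truncates each value at the first newline, exactly as the note describes, and then renders the option lines. The function names and the "tag:...,option:...,value" line format are assumptions made for this illustration.

```python
"""Added example (not Neutron code): truncate DHCP extra option values at the
first newline before rendering them for dnsmasq, as described for bug 1939733."""

from typing import Iterable, Optional, Tuple


def sanitize_extra_dhcp_opt_value(value: Optional[str]) -> str:
    """Return the part of the value before the first '\\n'.

    dnsmasq's options file is newline-delimited, so anything after the first
    newline would land on its own line and be parsed as a separate option.
    The note above says Neutron now drops that tail; this does the same.
    """
    if value is None:
        return ""
    return value.split("\n", 1)[0]


def render_dhcp_opts_line(tag: str, opt_name: str, value: str) -> str:
    """Render one dnsmasq options line (format assumed for this example)."""
    clean = sanitize_extra_dhcp_opt_value(value)
    return f"tag:{tag},option:{opt_name},{clean}"


def render_dhcp_opts_file(tag: str, opts: Iterable[Tuple[str, str]]) -> str:
    """Render the whole options file: one line per (option name, value) pair."""
    return "\n".join(render_dhcp_opts_line(tag, name, value) for name, value in opts) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the second value contains a newline followed by
    # text that must not survive into the rendered file.
    sample_opts = [
        ("dns-server", "10.0.0.2"),
        ("domain-search", "example.test\nthis-tail-is-dropped"),
    ]
    rendered = render_dhcp_opts_file("subnet-0001", sample_opts)
    print(rendered, end="")
    # Every option occupies exactly one line, regardless of the input.
    assert rendered.count("\n") == len(sample_opts)
```

Because the truncation happens on the value, not on the rendered line, the tag and option-name fields can never be displaced by client-controlled data; the count check at the end is the invariant a reviewer would want to see hold.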
A change was made to the metadata proxy so that a user can no longer override header values: it now always inserts the correct information and removes unnecessary fields before sending requests to the metadata agent. For more information, see bug 1865036.
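The following added example (not Neutron's own code) contrasts the two behaviours the note describes: a proxy that merely fills in missing headers, which lets a client pre-set them, and a proxy that discards every client-supplied copy of the headers it owns and always sets them from its own trusted knowledge (the router or network it serves and the peer address of the connection), while also dropping hop-by-hop fields. The header names and function names are assumptions for this illustration, modelled on the X-Neutron-* and X-Forwarded-For headers the metadata path uses.

```python
"""Added example (not Neutron code): building the headers a metadata proxy
sends to the metadata agent, before and after the fix described for bug 1865036."""

from typing import Dict, Mapping, Optional

# Headers whose values the proxy itself is the authority for (assumed names).
PROXY_OWNED_HEADERS = ("x-neutron-router-id", "x-neutron-network-id", "x-forwarded-for")

# Hop-by-hop or otherwise unnecessary fields that should not be forwarded.
DROPPED_HEADERS = ("connection", "keep-alive", "proxy-authorization", "transfer-encoding")


def build_agent_headers_unsafe(client_headers: Mapping[str, str], client_ip: str,
                               router_id: Optional[str], network_id: Optional[str]) -> Dict[str, str]:
    """Pre-fix behaviour: copy everything and only fill in headers that are absent.

    A client that already sends X-Neutron-Router-ID keeps its own value.
    """
    out = dict(client_headers)
    out.setdefault("X-Forwarded-For", client_ip)
    if router_id:
        out.setdefault("X-Neutron-Router-ID", router_id)
    elif network_id:
        out.setdefault("X-Neutron-Network-ID", network_id)
    return out


def build_agent_headers(client_headers: Mapping[str, str], client_ip: str,
                        router_id: Optional[str], network_id: Optional[str]) -> Dict[str, str]:
    """Post-fix behaviour: drop client copies of proxy-owned headers, then set them.

    Matching is case-insensitive because HTTP header names are, so a client
    cannot slip a differently-cased copy past the filter.
    """
    out: Dict[str, str] = {}
    for name, value in client_headers.items():
        lname = name.lower()
        if lname in PROXY_OWNED_HEADERS or lname in DROPPED_HEADERS:
            continue
        out[name] = value
    # Always inserted from trusted sources, never from the request.
    out["X-Forwarded-For"] = client_ip
    if router_id:
        out["X-Neutron-Router-ID"] = router_id
    elif network_id:
        out["X-Neutron-Network-ID"] = network_id
    return out


if __name__ == "__main__":
    # Constructed sample request: the client pre-sets a proxy-owned header.
    incoming = {
        "Host": "169.254.169.254",
        "x-neutron-router-id": "client-supplied-value",
        "Connection": "keep-alive",
    }
    print("unsafe:", build_agent_headers_unsafe(incoming, "10.0.0.5", "router-a", None))
    print("fixed: ", build_agent_headers(incoming, "10.0.0.5", "router-a", None))
```

In the unsafe variant the client-supplied value survives (and, because of the case difference, the proxy even adds a second, differently-cased header); in the fixed variant only the proxy's own router id and the socket-derived client address reach the agent.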
Bug https://bugs.launchpad.net/neutron/+bug/1732067 described a flooding issue on the neutron-ovs-agent integration bridge, and bug https://bugs.launchpad.net/neutron/+bug/1841622 proposed a solution for it. Accepted egress packets are now handled in the final egress tables (table 61 when the OpenFlow firewall is not enabled, table 94 otherwise) with direct output flows for unicast traffic, with minimal influence on existing cloud networking. A new config option, explicitly_egress_direct, with default value False, was added to distinguish clouds that run the network node mixed with compute services; the upstream neutron CI is an example. In such a situation explicitly_egress_direct should be set to False, because there are numerous cases involving HA routers that cannot be covered, particularly when centralized floating IPs run on such mixed hosts. Otherwise, set explicitly_egress_direct to True to avoid the flooding. Note also that if your network nodes are used for networking services only, we recommend disabling all security groups to get higher performance.
Fixed a MAC learning issue when OVS offload is enabled. The OVS firewall reduces the use of NORMAL actions to lower CPU utilization, which causes a flood rule because there is no MAC learning on ingress traffic. While this is acceptable in the non-offload case, with OVS offload the flood rule is not offloaded. This fixes MAC learning in the offload case, so the flood rule is avoided. Bug 1897637.
Fixes an issue that the OVS firewall driver does not configure security group rules using remote group properly when a corresponding remote group has no port on a local hypervisor. For more information see bugs: 1862703 and 1854131.
[bug 1812168] Remove Floating IP DNS record upon associated port deletion.
Owners of security groups now see all security group rules which belong to the security group, even if the rule was created by the admin user. Fixes bug 1824248.
Add a new match rule based on physical VLAN tag for OpenFlow firewall traffic identifying mechanism to the TRANSIENT table. This fixes the distributed router east-west traffic between VLAN type networks. For more information, see bug 1831534.
A new config option, host_dvr_for_dhcp, was added to neutron.conf for DVR to determine whether to host the DVR local router on the scheduled DHCP node(s).
To improve performance of the DHCP agent, it will no longer configure the DHCP server for every port type created in Neutron. For example, for floating IP or router HA interfaces there is no need, since a client will never make a DHCP request for them.
The OVS Firewall currently blocks traffic that has neither the IPv4 nor the IPv6 ethertype. This is a behavior change compared to the iptables_hybrid firewall, which only operates on IP packets and thus does not address other ethertypes. There is now a configuration option in the neutron openvswitch agent configuration file for permitted ethertypes, and the agent ensures that the requested ethertypes are permitted on initialization.
When updating the fixed-ips of a port residing on a routed provider network, the port update would always fail if host was not set. See bug 1844124.
The first address in an IPv6 network is now a valid, usable IP for routers. It had previously been reserved, but now can be assigned to a router so that an IPv6 address ending in “::” could be a valid default route.
In order to improve the ovs agent restart success rate under heavy load, instead of a retry or full sync, the native driver's of_request_timeout is now set to 300s. The value has no side effect for an ovs agent under regular pressure.
A new option [ovs] of_inactivity_probe has been added to allow changing the inactivity probe interval when using the OVS ML2 agent with the native OpenFlow driver. Operators can increase this if they are experiencing OpenFlow timeouts. The default value is 10 seconds.
The neutron-openvswitch-agent can sometimes spend too much time handling a large number of ports, exceeding its timeout value, agent_boot_time, for L2 population. Because of this, some flow update operations will not be triggered, resulting in lost flows during agent restart, especially for host-to-host vxlan tunnel flows, because the original tunnel flows are treated as stale due to their different cookie IDs. The agent's first RPC loop will also run a stale flow clean-up procedure and delete them, leading to a loss of connectivity. Please ensure that all neutron-server and neutron-openvswitch-agent binaries are upgraded for the changes to take effect, after which the L2 population agent_boot_time config option will no longer be used.
Fixes bug 1501206. This ensures that DHCP agent instances running dnsmasq as a DNS server can no longer be exploited as DNS amplifiers when the tenant network is using publicly routed IP addresses by adding an option that will allow them to only serve DNS requests from local networks.
Fixes an issue causing IP allocation on port update to fail when the initial IP allocation was deferred due to lack of binding info. If both the port mac_address and binding info (binding_host_id) were updated in the same request, the fixed_ips field was added to the request internally. The code to complete the deferred allocation failed to execute in that case. (For more information see bug 1811905.)
The neutron-openvswitch-agent was changed to notify the neutron-server in its first RPC loop that it has restarted. This signals neutron-server to provide updated L2 population information to correctly program FDB entries, ensuring connectivity to instances is not interrupted. This fixes the following bugs: 1794991, 1799178, 1813703, 1813714, 1813715.
A new config option bridge_mac_table_size has been added for the Neutron OVS agent. This value will be set on every Open vSwitch bridge managed by the openvswitch-neutron-agent in the other_config:mac-table-size column in ovsdb. The default value for this new option is 50000, which should be enough for most systems. More details about this option can be found in the Open vSwitch documentation. For more information see bug 1775797.
The metering agent iptables driver can now load its interface driver by using a stevedore alias in the metering_agent.ini file. For example, interface_driver = openvswitch instead of interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver.
For Infiniband support, Ironic needs to send the 'client-id' DHCP option as a number in order for IP address assignment to work. This is now supported in Neutron, and can be specified as option number 61 as defined in RFC 4776. For more information see bug 1770932.
In the case when the number of ports to clean up in a single bridge is larger than about 10000, it might require an increase in the ovsdb_timeout config option to some value higher than 600 seconds.
Fixes bug 1763604. Override the default value of the ovsdb_timeout config option in the neutron-ovs-cleanup script. The default value is 10 seconds, but that is not enough for the neutron-ovs-cleanup script when there are many ports to remove from a single bridge, for example 5000. Because of that, the default value for the config option is now overridden to 600 seconds (10 minutes).
In order to reduce the time spent processing security group updates in the L2 agent, conntrack deletion is now performed in a set of worker threads instead of the main agent thread, so it can return to processing other events quickly.
On an upgrade, conntrack entries will now be cleaned up in a worker thread, instead of in the calling thread.
Fixes bug 1745468.
DNS server assignment can now be disabled in replies sent from the DHCP agent.
A new agent_mode (dvr_no_external) for DVR routers has been added to allow the server to configure Floating IPs associated with DVR at the centralized node.
Ports now have a dns_domain attribute. A port's dns_domain attribute has precedence over the network's dns_domain from the point of view of publishing it to the external DNS service.
The DSCP value for outer headers in openvswitch overlay tunnel ports can now be set through a configuration option dscp for both OVS and linuxbridge agents. DSCP can also be inherited from the inner header through a new boolean configuration option dscp_inherit for both openvswitch and linuxbridge. If this option is set to true, then the value of dscp will be ignored.
Allow configuration of the DHCP renewal (T1) and rebinding (T2) timers in neutron-dhcp-agent. Allowing these timers to be set (options 58 and 59 as per RFC 2132) in dnsmasq lets users change other parameters, like MTU, on instances without having to wait for the lease time to expire. The advantage of changing T1 rather than the lease time is that if the DHCP server becomes unreachable within the lease time, instances will not drop their IP addresses, so there is no dataplane disruption.
Tenants who can access shared networks can now create/update ports on a specified subnet instead of the default subnet. This is now the default behavior and can be changed by modifying the policy.json file.
It is now possible to instruct the DHCP agent not to supply any DNS server address to its clients by setting the dns_nameservers attribute for the corresponding subnet to 0.0.0.0 or ::, for IPv4 or IPv6 subnets (respectively).
L2 agents based on _common_agent now have the L2 extension API available. This API can be used by L2 extension drivers to request resources from the L2 agent. It is used, for example, to pass an instance of the QoS extension driver.
A new DVR agent type dvr_no_external has been introduced with this release. This agent type allows the Floating IPs (DNAT/North-South routing) to be centralized while the East/West routing is still distributed.
Implementation of floating IP QoS. A new parameter qos_policy_id was added to the floating IP related API.
Neutron agents now support SSL connections to the OVSDB server. To enable an SSL based connection, use an ssl prefixed URI for the ovsdb_connection setting. When using SSL it is also required to set new ovs group options which include
Support substring matching when filtering ports by IP address.
A new method get_router_info has been added to
A new method ha_state_change has been added to
There can be a mixture of dvr and dvr_no_external agents. But please avoid migrating any VM with a Floating IP between a dvr agent and a dvr_no_external agent. All VM ports with Floating IPs should be migrated to the same agent_mode. This is one of the restrictions.
The functionality when a subnet has its DNS server set to 0.0.0.0 or :: has been changed with this release. The old behaviour was that each DHCP agent would supply only its own IP address as the DNS server to its clients. The new behaviour is that the DHCP agent will not supply any DNS server IP address at all.
A new DVR agent mode of dvr_no_external was added. Changing between this mode and dvr is a disruptive operation to the dataplane.
The web_framework option has been removed. This should have no impact on operators/users since it was just an option used for development of the new web framework.
The tos configuration option in the vxlan group for linuxbridge is deprecated and replaced with the more precise option dscp. The TOS value is made of the DSCP and ECN bits. It is not possible to set the ECN value through the TOS value, and ECN is always inherited from the inner header in case of tunneling.
The ivs interface driver is deprecated in Queens and will be removed in Rocky.
The ovsdb_interface configuration option is now deprecated. In future releases, the value of the option will be ignored and the native driver will be used.
The api-paste entrypoint neutron.api.versions:Versions.factory has been deprecated and will be removed in the Rocky release. Please update your api-paste.ini file to use the one that ships with Queens or update any references to the Versions factory to point to
The ovs_vsctl_timeout option is renamed to ovsdb_timeout to reflect that it's not specific to ovsdb_interface. It is also moved under
Fixes bug 1736674: security group rules are now properly applied by the Linuxbridge L2 agent with the QoS extension driver enabled.
The Openvswitch agent has an extension called fdb that uses the Linux bridge command; this command has been added to the rootwrap openvswitch-plugin.filters file. For more information, see bug 1730407.
Adding security group rules by protocol number is documented, but somehow was broken without being noticed in one of the last couple of releases. This is now fixed. For more information see bug 1716045.
In the security group rules API, API-level validation of port_range values was previously performed only for TCP and UDP. It is now also performed for DCCP, SCTP and UDP-Lite.