Queens Series Release Notes

12.0.6-11

Other Notes

  • To improve the restart success rate of the OVS agent under heavy load, rather than relying on a retry or a full sync, the native driver options of_connect_timeout and of_request_timeout are now set to 300s. These values have no side effect on an OVS agent under regular load.

12.0.6

Critical Issues

  • The neutron-openvswitch-agent can sometimes spend too much time handling a large number of ports, exceeding its timeout value, agent_boot_time, for L2 population. Because of this, some flow update operations will not be triggered, resulting in lost flows during agent restart, especially for host-to-host vxlan tunnel flows, causing the original tunnel flows to be treated as stale due to the different cookie IDs. The agent’s first RPC loop will also do a stale flow clean-up procedure and delete them, leading to a loss of connectivity. Please ensure that all neutron-server and neutron-openvswitch-agent binaries are upgraded for the changes to take effect, after which the L2 population agent_boot_time config option will no longer be used.

Bug Fixes

  • Previously a network’s dns_domain attribute was ignored by the DHCP agent. With this release, OpenStack deployments using Neutron’s DHCP agent will be able to specify a per-network dns_domain and have instances configure that domain in their DNS resolver configuration files (Linux’s /etc/resolv.conf) to allow for local partial DNS lookups. The per-network dns_domain value will override the DHCP agent’s default dns_domain configuration value. Note that it’s also possible to update a network’s dns_domain, and that new value will be propagated to new instances or when instances renew their DHCP lease. However, existing leases will live on with the old dns_domain value.
  • Fixes bug 1501206. DHCP agent instances running dnsmasq as a DNS server can no longer be exploited as DNS amplifiers when the tenant network is using publicly routed IP addresses: an option has been added that allows them to serve DNS requests only from local networks.
  • Fixes an issue causing IP allocation on port update to fail when the initial IP allocation was deferred due to lack of binding info. If both the port mac_address and binding info (binding_host_id) were updated in the same request, the fixed_ips field was added to the request internally. The code to complete the deferred allocation failed to execute in that case. (For more information see bug 1811905.)
  • The neutron-openvswitch-agent was changed to notify the neutron-server in its first RPC loop that it has restarted. This signals neutron-server to provide updated L2 population information to correctly program FDB entries, ensuring connectivity to instances is not interrupted. This fixes the following bugs: 1794991, 1799178, 1813703, 1813714, 1813715.

12.0.4

New Features

  • A new config option bridge_mac_table_size has been added for the Neutron OVS agent. This value will be set on every Open vSwitch bridge managed by the openvswitch-neutron-agent in the other_config:mac-table-size column in ovsdb. The default value for this new option is 50000, which should be enough for most systems. More details about this option can be found in the Open vSwitch documentation. For more information see bug 1775797.

Other Notes

  • The metering agent iptables driver can now load its interface driver by using a stevedore alias in the metering_agent.ini file. For example, interface_driver = openvswitch instead of interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver.

12.0.3

Bug Fixes

  • For Infiniband support, Ironic needs to send the ‘client-id’ DHCP option as a number in order for IP address assignment to work. This is now supported in Neutron, and can be specified as option number 61 as defined in RFC 4776. For more information see bug 1770932.

12.0.2

Known Issues

  • In the case when the number of ports to clean up in a single bridge is larger than about 10000, it might require an increase in the ovsdb_timeout config option to some value higher than 600 seconds.

Bug Fixes

  • Fixes bug 1763604. Override default value of ovsdb_timeout config option in neutron-ovs-cleanup script. The default value is 10 seconds, but that is not enough for the neutron-ovs-cleanup script when there are many ports to remove from a single bridge, for example, 5000. Because of that, we now override the default value for the config option to be 600 seconds (10 minutes).

12.0.1

Prelude

In order to reduce the time spent processing security group updates in the L2 agent, conntrack deletion is now performed in a set of worker threads instead of the main agent thread, so it can return to processing other events quickly.

Upgrade Notes

  • On an upgrade, conntrack entries will now be cleaned up in a worker thread, instead of in the calling thread.

Bug Fixes

12.0.0

Prelude

DNS server assignment can now be disabled in replies sent from the DHCP agent.

A new agent_mode (dvr_no_external) for DVR routers has been added to allow the server to configure Floating IPs associated with DVR at the centralized node.

New Features

  • Ports now have a dns_domain attribute. A port’s dns_domain attribute has precedence over the network’s dns_domain from the point of view of publishing it to the external DNS service.
  • The DSCP value for outer headers in openvswitch overlay tunnel ports can now be set through a configuration option dscp for both OVS and linuxbridge agents.
  • DSCP can also be inherited from the inner header through a new boolean configuration option dscp_inherit for both openvswitch and linuxbridge. If this option is set to true, then the value of dscp will be ignored.
  • Allow configuration of DHCP renewal (T1) and rebinding (T2) timers in neutron-dhcp-agent. Setting these timers (options 58 and 59 as per RFC2132) in dnsmasq lets users change other parameters, like MTU, on instances without having to wait for the lease time to expire. The advantage of changing T1 over the lease time is that if the DHCP server becomes unreachable within the lease time, instances will not drop their IP addresses and it will not cause a dataplane disruption.
  • Tenants who can access shared networks can now create/update ports on a specified subnet instead of the default subnet. This is now the default behavior and can be changed by modifying the policy.json file.
  • It is now possible to instruct the DHCP agent not to supply any DNS server address to its clients by setting the dns_nameservers attribute for the corresponding subnet to 0.0.0.0 or ::, for IPv4 or IPv6 subnets (respectively).
  • L2 agents based on ML2 _common_agent now have the L2 extension API available. This API can be used by L2 extension drivers to request resources from the L2 agent. It is used, for example, to pass an instance of the IptablesManager to the Linuxbridge L2 agent QoS extension driver.
  • A new DVR agent type dvr_no_external has been introduced with this release. This agent type allows the Floating IPs (DNAT/North-South routing) to be centralized while the East/West routing is still distributed.
  • Implementation of floating IP QoS. A new parameter qos_policy_id was added to floating IP related API.
  • Neutron agents now support SSL connections to OVSDB server. To enable an SSL based connection, use an ssl prefixed URI for the ovsdb_connection setting. When using SSL it is also required to set new ovs group options which include ssl_key_file, ssl_cert_file, and ssl_ca_cert_file.
  • Support substring matching when filtering ports by IP address.
  • A new method get_router_info has been added to L3AgentExtensionAPI.
  • A new method ha_state_change has been added to L3AgentExtensionsManager.

Known Issues

  • A deployment can contain a mixture of dvr agents and dvr_no_external agents. However, avoid migrating any VM that has a Floating IP between a dvr agent and a dvr_no_external agent. All VM ports with Floating IPs should be migrated to agents with the same agent_mode. This is one of the restrictions.

Upgrade Notes

  • The functionality when a subnet has its DNS server set to 0.0.0.0 or :: has been changed with this release. The old behaviour was that each DHCP agent would supply only its own IP address as the DNS server to its clients. The new behaviour is that the DHCP agent will not supply any DNS server IP address at all.
  • A new DVR agent mode of dvr_no_external was added. Changing between this mode and dvr is a disruptive operation to the dataplane.
  • The web_framework option has been removed. This should have no impact on operators/users since it was just an option used for development of the new web framework.

Deprecation Notes

  • The tos configuration option in the vxlan group for linuxbridge is deprecated and replaced with the more precise option dscp. The TOS value is made of DSCP and ECN bits. It is not possible to set the ECN value through the TOS value, and ECN is always inherited from the inner header in case of tunneling.
  • The ivs interface driver is deprecated in Queens and will be removed in Rocky.
  • The ovsdb_interface configuration option is now deprecated. In future releases, the value of the option will be ignored. The native driver will then be used.
  • The api-paste entrypoint neutron.api.versions:Versions.factory has been deprecated and will be removed in the Rocky release. Please update your api-paste.ini file to use the one that ships with Queens or update any references to the Versions factory to point to neutron.pecan_wsgi.app:versions_factory instead.
  • The ovs_vsctl_timeout option is renamed to ovsdb_timeout to reflect that it’s not specific to the vsctl implementation of ovsdb_interface. It is also moved under the [OVS] section.
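
An added example, not part of the release notes or of Neutron's own code: a Python audit of an agent .ini file for the options these notes deprecate or retire (ovs_vsctl_timeout, ovsdb_interface, agent_boot_time, tos in the vxlan group) and for the three ssl_* options that an ssl: ovsdb_connection URI requires. The function name, the sample file contents, and the lookup of ovsdb_connection in the [OVS] group are assumptions made for illustration.

```python
import configparser

# Options these release notes deprecate, rename or retire.
DEPRECATED = {
    "ovs_vsctl_timeout": "renamed to ovsdb_timeout under [OVS]",
    "ovsdb_interface": "deprecated, the native driver will be used",
    "agent_boot_time": "no longer used once 12.0.6 is deployed",
}
SSL_REQUIRED = ("ssl_key_file", "ssl_cert_file", "ssl_ca_cert_file")

def audit_agent_config(text):
    """Return sorted findings for the text of one agent .ini file."""
    # Keep [DEFAULT] an ordinary section so it is not merged into others.
    cp = configparser.ConfigParser(default_section="__unused__",
                                   interpolation=None, strict=False)
    cp.read_string(text)
    groups = {}  # group names compared case-insensitively: [OVS] == [ovs]
    for name in cp.sections():
        groups.setdefault(name.lower(), {}).update(cp[name])
    findings = []
    for group, opts in groups.items():
        for opt, why in DEPRECATED.items():
            if opt in opts:
                findings.append(f"[{group}] {opt}: {why}")
    if "tos" in groups.get("vxlan", {}):
        findings.append("[vxlan] tos: deprecated, replaced by dscp")
    ovs = groups.get("ovs", {})  # assumption: ovsdb_connection is in [OVS]
    conn = ovs.get("ovsdb_connection", "")
    if conn.startswith("ssl:"):
        for opt in SSL_REQUIRED:
            if not ovs.get(opt, "").strip():
                findings.append(f"[ovs] {opt}: required with an ssl: URI")
    elif conn:
        findings.append("[ovs] ovsdb_connection: not an ssl: URI")
    return sorted(findings)

# Constructed sample input; the address and paths are placeholders.
SAMPLE = """\
[DEFAULT]
ovs_vsctl_timeout = 10
[OVS]
ovsdb_connection = ssl:127.0.0.1:6640
ssl_key_file = /etc/neutron/ovsdb-client.key
ssl_cert_file = /etc/neutron/ovsdb-client.crt
[vxlan]
tos = 8
"""
if __name__ == "__main__":
    print("\n".join(audit_agent_config(SAMPLE)))
```

On the constructed sample it reports the renamed timeout option, the missing ssl_ca_cert_file, and the deprecated tos setting.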

Bug Fixes

  • Fixes bug 1736674: security group rules are now properly applied by the Linuxbridge L2 agent when the QoS extension driver is enabled.
  • The Openvswitch agent has an extension called fdb that uses the Linux bridge command. The bridge command has been added to the rootwrap openvswitch-plugin.filters file. For more information, see bug 1730407.
  • Adding security group rules by protocol number is documented, but somehow was broken without being noticed in one of the last couple of releases. This is now fixed. For more information see bug 1716045.
  • In the security group rules API, API-level validation of port_range values was previously performed only for TCP and UDP. It is now also performed for DCCP, SCTP and UDP-Lite.

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.