Train Series Release Notes


New Features

  • The dns-assignment will reflect the dns-domain defined in the network or sent by user when creating the port using –dns-domain rather than just take the dns-domain defined in the neutron configuration

  • Add use_random_fully setting to allow an operator to disable the iptables random-fully property on an iptable rules.

Known Issues

  • If the use_random_fully setting is disabled, it will prevent random fully from being used and if there’re 2 guests in different networks using the same source_ip and source_port and they try to reach the same dest_ip and dest_port, packets might be dropped in the kernel do to the racy tuple generation . Disabling this setting should only be done if source_port is really important such as in network firewall ACLs and that the source_ip are never repeating within the platform.

Security Issues

  • Fix bug 1939733 by dropping from the dhcp extra option values everything what is after first newline (\n) character before passing them to the dnsmasq.

Bug Fixes

  • 1671448 Access for Neutron quotas now governed using standard configurable RBAC policies: ‘get_quota’, ‘update_quota’, ‘delete_quota’

  • 1926693 The logic to detect the hypervisor hostname, which was introduced by change 69660, has been fixed and now returns the result consistent with libvirt.

  • The new resource_provider_defualt_hypervisor option has been added, to replace the default hypervisor name to locates the root resource provider without giving a complete list of interfaces or bridges in the resource_provider_hypervisors option. This option is located in the [ovs] ini-section for ovs-agent and [sriov_nic] ini-section for sriov-agent.


Other Notes

  • To improve performance of the DHCP agent, it will no longer configure the DHCP server for every port type created in Neutron. For example, for floating IP or router HA interfaces there is no need since a client will not make a DHCP request for them


New Features

  • DVR routers now support flat networks.

Bug Fixes

  • Fixed bug 1876092 which caused DUP ICMP replies on the flat networks used with DVR routers.

  • Fixed MAC learning issue when ovs offload enabled. OVS firewall reduce the usage of normal actions to reduce cpu utilization. This causing flood rule because there is no MAC learning on ingress traffic. While this ok for none offload case, when using ovs offload flood rule is not offloaded. This fix the MAC learning in the offload, so we avoid flood rule. #1897637.


New Features

  • New config option keepalived_use_no_track was added. If keepalived version used on the deployment does not support no_track flag in its config file (e.g. keepalived 1.x), this option should be set to False. Default value of this option is True.


New Features

  • A new configuration option http_retries was added. This option allows configuring the number of times the nova or ironic client should retry on a failed HTTP call.

  • Add new configuration option igmp_snooping_enable. New option is in OVS config section and is used by openvswitch agent. This option is used to enable support for Internet Group Management Protocol (IGMP) in integration bridge.

Bug Fixes

  • 1875981 Neutron now correctly removes associated DNS records when an admin deletes ports, servers or floation IPs.


New Features

  • Adds support for configuring a list of IPv6 addresses for a dhcp-host entry in the dnsmasq DHCP agent driver. For a port with multiple IPv6 fixed-ips in the same subnet a single dhcp-host entry including all the addresses are written to the dnsmasq dhcp-hostsfile.

    Reserving multiple addresses for a host eases problems related to network and chain-booting where each step in the boot process requests an address using different DUID/IAID combinations. With a single address, only one gets the “static” address and the boot process will fail on the following steps. By reserving enough addresses for all the stages of the boot process this problem is resolved. (See bug: #1861032)


    This requires dnsmasq version 2.81 or later. Some distributions may backport this feauture to earlier dnsmasq version as part of the packaging, check the distributions releasenotes.

    Since the new configuration format is invalid in previous versions of dnsmasq this feauture is disabled by default. To enable the feature set the option dnsmasq_enable_addr6_list in DHCP agent configuration to True.

Upgrade Notes

  • SR-IOV agent code no longer supports old kernels (<3.13) for MacVtap ports. This change is not expected to affect existing deployments since most OS distributions already have the relevant kernel patches. In addition, latest major release of all Supported distributions already have a newer kernel.

Deprecation Notes

  • Abstract method plug_new from the neutron.agent.linux.interface.LinuxInterfaceDriver class now accepts an optional parameter link_up. Usage of this method, which takes from 5 to 9 positional arguments, without link_up is now deprecated and will not be possible starting in the W release. Third-party drivers which inherit from this base class should update the implementation of their plug_new method.

Security Issues

  • A change was made to the metadata proxy to not allow a user to override header values, it will now always insert the correct information and remove unnecessary fields before sending requests to the metadata agent. For more information, see bug 1865036.

Bug Fixes

  • Fixed an issue where the client on a dual-stack (IPv4 + IPv6) network failed to get configuration from the dnsmasq DHCP server. See bug: 1876094.

  • Fixed an issue where IP allocation for IPv6 stateless subnets would allocate on invalid subnets when segments are used. Auto-addressing now filters on segment ids when allocating IP addresses. See bugs: #1864225, #1864333, #1865138.

  • Fixes an issue that the OVS firewall driver does not configure security group rules using remote group properly when a corresponding remote group has no port on a local hypervisor. For more information see bugs: 1862703 and 1854131.


Upgrade Notes

  • For users affected by bug 1853840 the hypervisor name now can be set per physical network device in config option resource_provider_hypervisors which is located in the [ovs] ini-section for ovs-agent and [sriov_nic] ini-section for sriov-agent. Hypervisor names default to socket.gethostname() which works out of the box with libvirt even when the config option is set to a non-default value.

Bug Fixes

  • Bug described a flooding issue on the neutron-ovs-agent integration bridge. And bug proposed a solution for it. The accepted egress packets will be taken care in the final egress tables (61 when openflow firewall is not enabled, table 94 otherwise) with direct output flows for unicast traffic with a minimum influence on the existing cloud networking. A new config option explicitly_egress_direct, with default value False, was added for the aim of distinguishing clouds which are running the network node mixed with compute services, upstream neutron CI should be an example. In such situation, this explicitly_egress_direct should be set to False, because there are numerous cases from HA routers which can not be covered, particularly when you have centralized floating IPs running in such mixed hosts. Otherwise, set explicitly_egress_direct to True to avoid the flooding. One more note is if your network nodes are for networing services only, we recommand you disable all the security_group to get a higher performance.

  • Neutron now locates the root resource provider of the resource provider tree it creates by using the hypervisor name instead of the hostname. These are different in rare cases only. The hypervisor name can be set per physical network device in config option resource_provider_hypervisors which is located in the [ovs] ini-section for ovs-agent and [sriov_nic] ini-section for sriov-agent. Hypervisor names default to socket.gethostname() which works out of the box with libvirt even when the config option is set to a non-default value. We believe this change fixes bug 1853840.

  • Owners of security groups now see all security group rules which belong to the security group, even if the rule was created by the admin user. Fixes bug 1824248.

Other Notes

  • When the enable_distributed_routing (DVR) configuration option is set to True and tunneling is enabled, the arp_responder option will be forced to True since it is now required in order for ARP to work properly. For more information, see bug 1774459.


Bug Fixes

  • [bug 1812168] Remove Floating IP DNS record upon associated port deletion.

Other Notes

  • A new config option, radvd_user, was added to l3_agent.ini for the L3 agent. This option defines the username passed to radvd, used to drop “root” privileges and change user ID to username and group ID to the primary group of the user. If no user specified (by default), the user executing the L3 agent will be passed. If “root” specified, because radvd is spawned as root, no “username” parameter will be passed. (For more information see bug 1844688.)


New Features

  • Added support for custom scripts used to kill external processes managed by neutron agents, such as dnsmasq or keepalived. Such custom scripts, if defined, will be used instead default kill command to kill such external processes.

  • Add Support for Smart NIC in ML2/OVS mechanism driver, by extending the Neutron OVS mechanism driver and Neutron OVS Agent to bind the Neutron port for the baremetal host with Smart NIC.

  • The segmentation ID of a provider network can be now modified, even with OVS ports bound. Note that, during this process, the traffic of the bound ports tagged with the former segmentation ID (external VLAN) will be mapped to the new one. This can provoke a traffic disruption while the external network VLAN is migrated to the new tag.

  • The new API extension extraroute-atomic introduces two new member actions on routers to add/remove routes atomically on the server side. The use of these new member actions (PUT /v2.0/routers/ROUTER-ID/add_extraroutes and PUT /v2.0/routers/ROUTER-ID/remove_extraroutes) is always preferred to the old way (PUT /v2.0/routers/ROUTER-ID) when multiple clients edit the extra routes of a router since the old way is prone to race conditions between concurrent clients and therefore to possible lost updates.

  • A new parameter router_factory has been added to neutron.agent.l3.L3AgentExtensionAPI. Developers can register neutron.agent.l3.agent.RouterInfo class and delegate it for RouterInfo creation.

    Extensions can extend RouterInfo itself which correspond to each features (ha, distribtued, ha + distributed).

  • Support for L3 conntrack helpers has been added.

    Users can now configure conntrack helper target rules to be set for a Router. This is accomplished by associating a conntrack_helper sub-resource to a router. To create a conntrack_helper, the user specifies: a router ID, the protocol (TCP or UDP, for example), the port number and the conntrack helper module alias (tftp or ftp, for example). CRUD operations for conntrack_helpers are implemented by a Neutron API extension and a service plugin. Please refer to the Neutron API reference documentation for details. A router can have multiple conntack_helpers.

    The new configuration option [l3-conntrack-helpers]/allowed_conntrack_helpers allow the operator to configure allowed helpers, and the helper protocol constraints.

  • A notifier for the Openstack Baremetal service (ironic) is introduced. When enabled notifications are sent to the Baremetal service on relevant resource events/changes. By default notifications to the Baremetal service is disabled. To enable notifications to the Baremetal service set [ironic]/enable_notifications to True in the Networking service configuration (neutron.conf).

  • Adds support for OVS DPDK port representors, a direct port on a netdev datapath is considered a DPDK representor port.

  • When different subnet pools participate in the same address scope, the constraints disallowing subnets to be allocated from different pools on the same network have been relaxed. As long as subnet pools participate in the same address scope, subnets can now be created from different subnet pools when multiple subnets are created on a network. When address scopes are not used, subnets with the same ip_version on the same network must still be allocated from the same subnet pool. For more information, see bug 1830240.

Upgrade Notes

  • The first address in an IPv6 network is now a valid, usable IP for routers. It had previously been reserved, but now can be assigned to a router so that an IPv6 address ending in “::” could be a valid default route.

  • The gateway_external_network_id config option has been removed. Systems where this option was set will now be able to support multiple external networks for routers.

  • The deprecated L2 population agent_boot_time config option was removed and is no longer needed as of the Stein release.

  • The deprecated of_interface option is removed. Neutron will always use the native driver, which has been the default since Pike (11.0). If old driver ovs-ofctl was used before upgrade, automatically done change to native driver will cause short break of data plane connectivity during neutron-ovs-agent upgrade.

  • Existing IPv6 ICMP security group rules created by using legacy protocol names icmpv6 and icmp will now be returned as ipv6-icmp in an API GET call.

Deprecation Notes

Security Issues

  • The OVS Firewall blocks traffic that does not have either the IPv4 or IPv6 ethertypes at present. This is a behavior change compared to the iptables_hybrid firewall, which only operates on IP packets and thus does not address other ethertypes. There is now a configuration option in the neutron openvswitch agent configuration file for permitted ethertypes and then ensures that the requested ethertypes are permitted on initialization.

Bug Fixes

  • Leverage the coordination lock to the resource processing and notification thread functions to minimize the lock granularity.

  • [bug 1811166] Changes the API behavior to enforce that a router’s administrative state must be down (router.admin_state_up==False ) before modifying its distributed attribute. If the router admin_state_up==True when trying to change the distributed attribute, a BadRequest exception will be thrown.

  • A previous bug fix changed the behaviour of the DHCP agent to use a network’s dns_domain as the search path provided to instances overriding the dns_domain configuration option used by both the DHCP agent and the main server process when generate port DNS assignments. This broke the original design intent of the dns_domain attribute of a network which was for integration with external DNS systems such as Designate rather than for use in Neutron’s internal DNS support. This incorrect change in behaviour has now been reverted - the DHCP agent will only ever use the dns_domain configuration option.

  • Fixes an issue where deletion of a provider network could result in ML2 mechanism drivers not being passed information about the network’s provider fields. The consequences of this depend on the mechanism driver in use, but could result in the event being ignored, leading to an incorrectly configured network. See bug 1841967 for details.

  • When updating the fixed-ips of a port residing on a routed provider network the port update would always fail if host was not set. See bug: 1844124.

  • Security group rule code has been changed to better detect duplicate rules by standardizing on ipv6-icmp as the protocol field value for IPv6 ICMP rules. The legacy names icmpv6 and icmp can still be used in API POST calls, but API GET calls will return ipv6-icmp. Partial fix for bug 1582500.

  • Add a new match rule based on physical VLAN tag for OpenFlow firewall traffic identifying mechanism to the TRANSIENT table. This fixes the distributed router east-west traffic between VLAN type networks. For more information, see bug 1831534.

Other Notes

  • Add log file for neutron-keepalived-state-change daemon.

  • In order to improve heavy load ovs agent restart success rate, instead a retry or fullsync, the native driver of_connect_timeout and of_request_timeout are now set to 300s. The value does not have side effect for the regular pressure ovs agent.

  • A new config option, host_dvr_for_dhcp, was added to neutron.conf for DVR to determine whether to host the DVR local router to the scheduled DHCP node(s).

  • Add a generic coordination lock mechanism for various scenarios. This decorator allows flexible lock name with parameters and names of underlying functions. And in order to achive backward compatibility with python2.7 several functions was copied from the old version of python inspect. Once python2.7 is retired, we can drop such duplication.

  • A new option [ovs] of_inactivity_probe has been added to allow changing the inactivity probe interval when using the OVS ML2 agent with the native OpenFlow driver. Operators can increase this if they are experiencing OpenFlow timeouts. The default value is 10 seconds.