Current Series Release Notes
23.0.0.0rc1-98
Prelude
OVN changed its support for NAT rules, adding a new column and auto-discovery logic so that the logical router gateway ports used for NAT on a Logical Router are known.
New Features
Support for the new ‘service’ role has been added to the Neutron API policies as part of the Secure-RBAC initiative. This new role is designed to be used for service-to-service communication.
A new OVN driver Northbound DB column has been added to allow configuring the gateway port for a NAT rule. If the OVN backend supports the gateway_port column in the Northbound DB NAT table, the gateway port UUID is set on every floating IP NAT rule to prevent North/South traffic issues. Previously created FIP rules will be updated only once, during the maintenance task, to include the gateway_port reference (if the OVN backend supports it). If all FIP entries are already configured, no maintenance action is performed.
A new policy rule check, rule_default_sg, has been added. This rule checks whether a security group rule belongs to the project’s default security group. The administrator can override the rule creation and rule deletion policies, disallowing a non-privileged user from these actions.
A new ovn-cms-options option called enable-chassis-as-extport-host is now recognized by ML2/OVN and is used to identify nodes that are eligible for scheduling OVN’s external ports. This feature is backward compatible: if no node carries this new option, external ports continue to be scheduled using the enable-chassis-as-gw option as before. This change also limits the number of members of each HA Chassis Group to 5, matching the limit of gateway router port replicas. This is because OVN uses BFD to monitor the connectivity of each member, and an unlimited number of members could put a lot of stress on OVN.
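The candidate selection described above, written out as an added example (this is not Neutron’s or OVN’s own scheduling code): nodes carrying enable-chassis-as-extport-host are preferred, the gateway chassis are the fallback when no node has the new option, and the result is capped at 5 members. The chassis inventory and the ovn-cms-options strings are constructed sample input, not rows read from the OVN Southbound database.

```python
"""Added example, not Neutron's own code: picking the chassis eligible to host
OVN external ports, following the behaviour described in the release note."""

# Upper bound on HA Chassis Group members, matching the limit of gateway
# router port replicas mentioned in the note.
MAX_HA_CHASSIS_GROUP_MEMBERS = 5

# ovn-cms-options values named in the note.
OPT_EXTPORT_HOST = "enable-chassis-as-extport-host"
OPT_GATEWAY = "enable-chassis-as-gw"


def parse_cms_options(cms_options):
    """Split an ovn-cms-options string ("a,b,c") into a set of option names."""
    return {opt.strip() for opt in (cms_options or "").split(",") if opt.strip()}


def select_extport_chassis(chassis):
    """Return the names of chassis eligible to host OVN external ports.

    ``chassis`` is a list of dicts with keys ``name`` and ``cms_options``
    (the ovn-cms-options string). These dicts are a constructed stand-in for
    the chassis inventory, not OVN SB database rows.

    Nodes flagged with enable-chassis-as-extport-host win; when no node carries
    that option, fall back to the gateway chassis, as before. The result is
    capped at MAX_HA_CHASSIS_GROUP_MEMBERS and keeps input order so the choice
    is deterministic.
    """
    extport_hosts = [c["name"] for c in chassis
                     if OPT_EXTPORT_HOST in parse_cms_options(c["cms_options"])]
    if extport_hosts:
        candidates = extport_hosts
    else:
        candidates = [c["name"] for c in chassis
                      if OPT_GATEWAY in parse_cms_options(c["cms_options"])]
    return candidates[:MAX_HA_CHASSIS_GROUP_MEMBERS]


# Constructed sample inventory: a plain compute node, two gateway chassis and
# two nodes dedicated to external ports (one of them also a gateway).
SAMPLE_CHASSIS = [
    {"name": "compute-1", "cms_options": ""},
    {"name": "gw-1", "cms_options": "enable-chassis-as-gw"},
    {"name": "gw-2", "cms_options": "enable-chassis-as-gw"},
    {"name": "ext-1", "cms_options": "enable-chassis-as-gw,enable-chassis-as-extport-host"},
    {"name": "ext-2", "cms_options": "enable-chassis-as-extport-host"},
]


def legacy_inventory():
    """Same inventory with the new option absent everywhere (pre-upgrade nodes)."""
    return [c for c in SAMPLE_CHASSIS if OPT_EXTPORT_HOST not in c["cms_options"]]


if __name__ == "__main__":
    print("with extport hosts:", select_extport_chassis(SAMPLE_CHASSIS))
    print("legacy fallback:   ", select_extport_chassis(legacy_inventory()))
```

With the sample inventory only ext-1 and ext-2 are returned; with the legacy inventory the gateway chassis gw-1 and gw-2 are used instead, and an inventory with more than five gateway chassis is cut to five.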
OVN routers now expose the “distributed” flag depending on the configuration option enable_distributed_floating_ip. Because this is a common configuration option, all routers will expose the same value. This value can flap if the Neutron API is restarted and the configuration option changes. NOTE: Once the RFE that allows us to define the distributed flag per floating IP address is implemented in ML2/OVN, this flag will be useless (no Launchpad bug has been created yet for this RFE; it is only a proposed idea discussed during several PTGs).
The Neutron port.status field (“ACTIVE”, “DOWN”) is now set based on the ML2/OVN Logical Switch Port up and enabled flags. The user can now set port.admin_state_up, which is replicated in the lsp.enabled flag, to enable or disable the port. If the port is disabled, the traffic is stopped and port.status is set to “DOWN”.
Added the tags policies for the following resources: network, subnet, port, router, floating IP, network segment, network segment range, security group and security group rule. The policies control the creation, the update and the deletion of the resource tags.
In OVN 22.09 the option localnet_learn_fdb was added, enabling localnet ports to learn MAC addresses and store them in the FDB table. There was no aging mechanism for those MACs until OVN 23.06, where the configuration option fdb_age_threshold was added. This sets the maximum time (in seconds) the learned MACs stay in the FDB table. When the localnet_learn_fdb configuration option is enabled, a proper value for fdb_age_threshold should also be set, to avoid performance/scalability issues due to the table growing too much, especially when provider networks are large. In addition, the configuration option fdb_removal_limit was added to avoid removing a large number of entries at once.
Upgrade Notes
Starting with OVN version v21.12.0, OVN replies to ARP requests for ports that are in a DOWN status. It does not reply in versions older than v21.12.0. In order to keep the same behavior in Neutron, the default OVN behavior is overridden by Neutron and Neutron ports will no longer reply to ARP packets if the ports are in a DOWN state. If replying to ARP for such ports is required, the config option ignore_lsp_down in the [ovn_nb_global] section can be set to True in the Neutron config. It is set to False by default.
The [agent] veth_mtu parameter of the ML2 OVS mechanism driver configuration has been removed. This parameter has had no effect since the Wallaby release.
The following parameters in the designate section have been removed: admin_username, admin_password, admin_tenant_id, admin_tenant_name, admin_auth_url.
The [DEFAULT] ovs_integration_bridge configuration option has been removed. It was deprecated in the ‘Ussuri’ release, as it was a duplicate of [OVS] integration_bridge.
The [DEFAULT] segment_mtu configuration option has been removed. It was replaced by the [DEFAULT] global_physnet_mtu option in the Mitaka release.
Deprecation Notes
The old role advsvc used in the Neutron API policies is now deprecated. The new service role should be used for service-to-service communication.
Bug Fixes
Fixed the scenario where the DHCP agent is deployed in conjunction with the OVN metadata agent in order to serve metadata for baremetal nodes. In this scenario, the DHCP agent would not set the route needed for the OVN metadata agent service resulting in baremetal nodes not being able to query the metadata service. For more information see bug 1982569.
The Neutron API has been changed to validate network MTU minimums. A network’s MTU is now only valid if it is at least the minimum value allowed for the IP version of the associated subnets: 68 for IPv4 and 1280 for IPv6.
This minimum is now enforced in the following ways:
When a subnet is associated with a network, validate the MTU is large enough for the IP version. Not only would the subnet be unusable if it was allowed, but the Linux kernel can fail adding addresses and configuring network settings like the MTU.
When a network MTU is changed, validate the MTU is large enough for any currently associated subnets. Allowing a smaller MTU would render any existing subnets unusable.
See bug 1988069 for more information.
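Both enforcement points, as an added example that is not Neutron’s own validation code: one check runs when a subnet is associated with a network, the other when a network’s MTU is updated while subnets exist. The minimums (68 for IPv4, 1280 for IPv6) are those stated in the note; the subnet dicts are constructed sample input rather than Neutron database objects, and MTUConflict stands in for whatever error the API returns.

```python
"""Added example, not Neutron's own code: minimum-MTU validation per IP version
at the two enforcement points described in the release note."""

# Minimum MTU per IP version, as stated in the note.
MIN_MTU = {4: 68, 6: 1280}


class MTUConflict(ValueError):
    """Stand-in for the API error raised when an MTU is too small."""


def required_mtu(ip_versions):
    """Smallest MTU that satisfies every IP version given (0 when there are none)."""
    return max((MIN_MTU[v] for v in ip_versions), default=0)


def mtu_violations(mtu, subnets):
    """IP versions among ``subnets`` (dicts with key ``ip_version``) whose
    minimum ``mtu`` does not meet. Empty list means the MTU is acceptable."""
    return sorted({s["ip_version"] for s in subnets
                   if mtu < MIN_MTU[s["ip_version"]]})


def validate_subnet_association(network_mtu, ip_version):
    """Enforcement point 1: a subnet is being associated with a network.

    Reject the association if the network MTU is too small for the subnet's
    IP version; otherwise the subnet would be unusable and the kernel could
    fail to configure addresses on ports."""
    if network_mtu < MIN_MTU[ip_version]:
        raise MTUConflict(f"network MTU {network_mtu} is below the IPv{ip_version} "
                          f"minimum of {MIN_MTU[ip_version]}")
    return True


def validate_network_mtu_update(new_mtu, subnets):
    """Enforcement point 2: the network MTU is being changed.

    Reject the update if any currently associated subnet would become
    unusable under the new value."""
    bad = mtu_violations(new_mtu, subnets)
    if bad:
        raise MTUConflict(f"MTU {new_mtu} is below the minimum required by existing "
                          f"IPv{'/IPv'.join(map(str, bad))} subnets "
                          f"({required_mtu(s['ip_version'] for s in subnets)})")
    return True


if __name__ == "__main__":
    # Constructed sample: a dual-stack network being shrunk below the IPv6 minimum.
    subnets = [{"ip_version": 4}, {"ip_version": 6}]
    print("required:", required_mtu(s["ip_version"] for s in subnets))
    for mtu in (1500, 1000, 60):
        try:
            validate_network_mtu_update(mtu, subnets)
            print(mtu, "ok")
        except MTUConflict as exc:
            print(mtu, "rejected:", exc)
```

For a dual-stack network the required minimum is 1280, so an update to 1000 is rejected because of the IPv6 subnet and an update to 60 is rejected because of both; a network with no subnets accepts any value, since the subnet-association check will catch a too-small MTU later.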
When synchronizing the OVN databases, either when running the migration command or during startup, the code responsible for synchronization will only clean up segment-to-host mappings for hosts with agent_type “OVN Controller agent”. Before, the synchronization would clean up (delete) segment-to-host mappings for non-OVN hosts. Fixes bug: 2040172.
During the port bulk creation, if an IPAM allocation fails (for example, if the IP address is outside of the subnet CIDR), the other IPAM allocations already created are deleted before raising the exception. Fixes bug 2039550.
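The all-or-nothing allocation pattern the fix describes, as an added example that is not Neutron’s IPAM code: earlier allocations made in the same bulk call are released before the failure propagates, so a bad address in one port request leaves no orphaned allocations behind. ToySubnet is a constructed stand-in for an IPAM subnet, and the sample addresses are made up.

```python
"""Added example, not Neutron's own code: rolling back partial IP allocations
when one allocation in a port bulk create fails."""
import ipaddress


class IPAllocationFailure(Exception):
    """Raised when a requested address cannot be allocated on its subnet."""


class ToySubnet:
    """Constructed stand-in for an IPAM subnet: a CIDR plus the allocated set."""

    def __init__(self, cidr):
        self.network = ipaddress.ip_network(cidr)
        self.allocated = set()

    def allocate(self, address):
        ip = ipaddress.ip_address(address)
        if ip not in self.network:
            raise IPAllocationFailure(f"{ip} is outside subnet {self.network}")
        if ip in self.allocated:
            raise IPAllocationFailure(f"{ip} is already allocated in {self.network}")
        self.allocated.add(ip)
        return ip

    def deallocate(self, ip):
        self.allocated.discard(ip)

    def allocated_addresses(self):
        return [str(ip) for ip in sorted(self.allocated)]


def bulk_allocate(subnet, requested):
    """Allocate every address in ``requested`` for a bulk port create.

    If any allocation fails, release the ones already made by this call
    (in reverse order) and re-raise, so the subnet is left exactly as it was."""
    done = []
    try:
        for addr in requested:
            done.append(subnet.allocate(addr))
    except IPAllocationFailure:
        for ip in reversed(done):
            subnet.deallocate(ip)
        raise
    return done


def demo():
    """Run one failing and one succeeding bulk allocation on constructed data.

    Returns (failed_ok, state_after_failure, ok, state_after_success)."""
    subnet = ToySubnet("10.0.0.0/24")
    subnet.allocate("10.0.0.1")  # pre-existing allocation that must survive

    # Third address is outside the subnet CIDR, the case named in the note.
    try:
        bulk_allocate(subnet, ["10.0.0.10", "10.0.0.11", "192.168.1.5"])
        failed_ok = True
    except IPAllocationFailure:
        failed_ok = False
    state_after_failure = subnet.allocated_addresses()

    bulk_allocate(subnet, ["10.0.0.10", "10.0.0.11"])
    state_after_success = subnet.allocated_addresses()
    return failed_ok, state_after_failure, True, state_after_success


if __name__ == "__main__":
    print(demo())
```

After the failing call only the pre-existing 10.0.0.1 remains allocated; without the rollback, 10.0.0.10 and 10.0.0.11 would have stayed reserved with no port owning them.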
In previous versions, an administrator was allowed to update a port’s binding:vnic_type attribute even if the port was bound. This is now blocked, and the update operation of the attribute returns the Conflict (409) response code.
Other Notes
The new value for ‘device_owner’ for OVN loadbalancer health monitor ports (ovn-lb-hm:distributed) is now supported by Neutron, providing a LOCALPORT behavior to these ports. The responsibility to define these ports with the new value instead of the old one (network:distributed) is under the OVN-Octavia Provider driver, which will take care of database conversion for these ports.