Current Series Release Notes
OVN support for NAT rules has changed, adding a new column and auto-discovery logic so that the logical router gateway ports used for NAT on a Logical Router are known.
Support for a new service role has been added to the Neutron API policies as part of the Secure-RBAC initiative. This new role is designed for service-to-service communication.
A new OVN driver Northbound DB column has been added to allow configuring the gateway port for a NAT rule. If the OVN backend supports the gateway_port column in the Northbound DB NAT table, the gateway port UUID will be configured for any floating IP to prevent North/South traffic issues. Previously created FIP rules will be updated only once, during the maintenance task, to include the gateway_port reference (if the OVN backend supports it). If all FIP entries are already configured, no maintenance action will be performed.
A new policy rule check rule_default_sg has been added. This rule allows checking whether a security group rule belongs to the project default security group. The administrator can override the rule creation and rule deletion policies, disallowing a non-privileged user from these actions.
A new ovn-cms-options option called enable-chassis-as-extport-host is now recognized by ML2/OVN and is used to identify nodes that are eligible for scheduling OVN’s external ports. This feature is backward compatible: if no nodes carry this new option, the external ports will continue to be scheduled using the enable-chassis-as-gw option as before. This change also limits the number of members of each HA Chassis Group to 5, matching the limit of gateway router port replicas. This is because OVN uses BFD to monitor the connectivity of each member, and an unlimited number of members could put a lot of stress on OVN.
OVN routers now expose the “distributed” flag depending on the configuration option enable_distributed_floating_ip. Because this is a common configuration option, all routers will expose the same value. This value can flap if the Neutron API is restarted and the configuration option changes. NOTE: Once the RFE that allows the distributed flag to be defined per floating IP address is implemented in ML2/OVN, this flag will be useless (no Launchpad bug has been created yet for this RFE; it is only a proposed idea discussed during several PTGs).
The port.status field (“ACTIVE”, “DOWN”) is now set based on the ML2/OVN Logical Switch Port enabled flag. The user can now set port.admin_state_up, which is replicated in the lsp.enabled flag, to enable or disable the port. If the port is disabled, traffic is stopped and port.status is set to “DOWN”.
Added the tags policies for the following resources: network, subnet, port, router, floating IP, network segment, network segment range, security group and security group rule. The policies control the creation, the update and the deletion of the resource tags.
In OVN 22.09 the option localnet_learn_fdb was added, enabling localnet ports to learn MAC addresses and store them in the FDB table. There was no aging mechanism for those MACs until OVN 23.06, where the configuration option fdb_age_threshold was added. This sets the maximum time (in seconds) that learned MACs stay in the FDB table. When the localnet_learn_fdb configuration option is enabled, a proper value for fdb_age_threshold should also be set, to avoid performance/scalability issues due to the table growing too much, especially when provider networks are large. In addition, the configuration option fdb_removal_limit was added to avoid removing a large number of entries at once.
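As an added example (not code from the Neutron project or from this page), a small checker that reads a neutron.conf fragment and flags the pairing the note describes: localnet_learn_fdb enabled without an fdb_age_threshold, or without an fdb_removal_limit. The section placement ([ovn] for localnet_learn_fdb, [ovn_nb_global] for the fdb_* options), the reading of 0 as "disabled", and the sample config are assumptions.

```python
import configparser

# Constructed neutron.conf fragment (not taken from the page). Section
# placement is an assumption: [ovn] for localnet_learn_fdb and
# [ovn_nb_global] for fdb_age_threshold / fdb_removal_limit.
SAMPLE_CONF = """
[ovn]
localnet_learn_fdb = True

[ovn_nb_global]
fdb_removal_limit = 0
"""


def check_fdb_settings(conf_text):
    """Return a list of findings about FDB-learning related options.

    Rule from the release note: when localnet_learn_fdb is enabled, a
    proper fdb_age_threshold should be set so learned MACs age out, and
    fdb_removal_limit should bound how many entries are removed at once.
    A missing option or a value of 0 is treated as "not configured"
    (assumption: 0 disables the mechanism).
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    findings = []

    # fallback= covers both a missing section and a missing option
    learn = cp.getboolean("ovn", "localnet_learn_fdb", fallback=False)
    if not learn:
        return findings  # nothing to check when MAC learning is off

    age = cp.getint("ovn_nb_global", "fdb_age_threshold", fallback=0)
    if age <= 0:
        findings.append(
            "localnet_learn_fdb is enabled but fdb_age_threshold is unset "
            "or 0: learned MACs will never age out of the FDB table")

    limit = cp.getint("ovn_nb_global", "fdb_removal_limit", fallback=0)
    if limit <= 0:
        findings.append(
            "fdb_removal_limit is unset or 0: a large FDB table may be "
            "flushed in a single pass")
    return findings


if __name__ == "__main__":
    for finding in check_fdb_settings(SAMPLE_CONF):
        print("WARNING:", finding)
```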
Starting with OVN version v21.12.0, OVN replies to ARP requests for ports that are in a DOWN status. It does not reply in versions older than v21.12.0. In order to keep the same behavior in Neutron, the default OVN behavior is overridden by Neutron, and Neutron ports will no longer reply to ARP packets if the ports are in a DOWN state. If it is required to reply to ARP for such ports, the config option in the [ovn_nb_global] section can be set to True in the Neutron config. It is set to False by default.
The [agent] veth_mtu parameter of the ML2 OVS mechanism driver configuration has been removed. This parameter has had no effect since the Wallaby release.
The following parameters in the designate section have been removed.
The [DEFAULT] ovs_integration_bridge configuration option, which was deprecated in the ‘Ussuri’ release, as it was a duplicate of
The [DEFAULT] segment_mtu configuration option has been removed. It was replaced by the [DEFAULT] global_physnet_mtu option in the Mitaka release.
The advsvc role used in the Neutron API policies is now deprecated. The new service role should be used for service-to-service communication.
Fixed the scenario where the DHCP agent is deployed in conjunction with the OVN metadata agent in order to serve metadata for baremetal nodes. In this scenario, the DHCP agent would not set the route needed for the OVN metadata agent service resulting in baremetal nodes not being able to query the metadata service. For more information see bug 1982569.
The Neutron API has been changed to validate network MTU minimums. A network’s MTU is now only valid if it is at least the minimum value allowed for the IP version of the associated subnets: 68 for IPv4 and 1280 for IPv6.
This minimum is now enforced in the following ways:
When a subnet is associated with a network, validate that the MTU is large enough for the IP version. Not only would the subnet be unusable if it were allowed, but the Linux kernel can fail when adding addresses and configuring network settings like the MTU.
When a network MTU is changed, validate that the MTU is large enough for all currently associated subnets. Allowing a smaller MTU would render any existing subnets unusable.
See bug 1988069 for more information.
When synchronizing the OVN databases, either when running the migration command or during startup, the code responsible for synchronization will only clean up segment-to-host mappings for hosts with agent_type OVN Controller agent. Before, the synchronization would clean up (delete) segment-to-host mappings for non-OVN hosts. Fixes bug: 2040172.
During the port bulk creation, if an IPAM allocation fails (for example, if the IP address is outside of the subnet CIDR), the other IPAM allocations already created are deleted before raising the exception. Fixes bug 2039550.
In previous versions, an administrator was allowed to update a port’s binding:vnic_type attribute even if the port was bound. This is now blocked, and the update operation of the attribute returns the Conflict (409) response code.
The new value for ‘device_owner’ for OVN loadbalancer health monitor ports (ovn-lb-hm:distributed) is now supported by Neutron, providing a LOCALPORT behavior to these ports. The responsibility to define these ports with the new value instead of the old one (network:distributed) is under the OVN-Octavia Provider driver, which will take care of database conversion for these ports.