Ussuri Series Release Notes


New Features

  • The dns-assignment will reflect the dns-domain defined in the network or sent by user when creating the port using –dns-domain rather than just take the dns-domain defined in the neutron configuration

  • Add support for deleting ML2/OVN agents. Previously, deleting an agent would return a Bad Request error. In addition to deleting the agent, this change also drastically improves the scalability of the ML2/OVN agent handling code.

  • Add use_random_fully setting to allow an operator to disable the iptables random-fully property on an iptable rules.

Known Issues

  • If the use_random_fully setting is disabled, it will prevent random fully from being used and if there’re 2 guests in different networks using the same source_ip and source_port and they try to reach the same dest_ip and dest_port, packets might be dropped in the kernel do to the racy tuple generation . Disabling this setting should only be done if source_port is really important such as in network firewall ACLs and that the source_ip are never repeating within the platform.

Bug Fixes

  • 1671448 Access for Neutron quotas now governed using standard configurable RBAC policies: ‘get_quota’, ‘update_quota’, ‘delete_quota’

  • Enforce policy for ‘qos_policy_id’ attribute of Floating IP so only authorized users can set/unset it. For more info see bug LP#1957175.

  • Changes the API behaviour while using OVN driver to enforce that it’s not possible to delete all the IPs from a router port. For more info see bug LP#1948457

  • For IPv4 subnets when dns_nameservers is not set in the subnet, servers defined in ‘ovn/dns_servers’ config option or system’s resolv.conf are used, but for IPv6 subnets these are not used. The same will now be used for IPv6 subnets too. Additionally dns servers added in ‘ovn/dns_servers’ config option or system’s resolv.conf will be filtered as per the subnet’s IP version. For more info see the bug report 1951816.

  • Fix an issue in the OVN driver where network metadata could become unavailable if the metadata port was ever deleted, even if accidental. To re-create the port, a user can now disable, then enable, DHCP for one of the subnets associated with the network using the Neutron API. This will try and create the port, similar to what happens in the DHCP agent for ML2/OVS. For more information, see bug 2015377.

Other Notes

  • Added the missing extension uplink-status-propagation to the ML2/OVN mechanism driver. This extension is used by the ML2/SR-IOV mechanism driver, that could be loaded with ML2/OVN. Now it is possible to create ports with the “uplink-status-propagation” flag defined.

  • OVN mechanism driver allows only to have one physical network per bridge.


Security Issues

  • Fix bug 1939733 by dropping from the dhcp extra option values everything what is after first newline (\n) character before passing them to the dnsmasq.


Bug Fixes

  • 1926693 The logic to detect the hypervisor hostname, which was introduced by change 69660, has been fixed and now returns the result consistent with libvirt.

  • The new resource_provider_defualt_hypervisor option has been added, to replace the default hypervisor name to locates the root resource provider without giving a complete list of interfaces or bridges in the resource_provider_hypervisors option. This option is located in the [ovs] ini-section for ovs-agent and [sriov_nic] ini-section for sriov-agent.


Other Notes

  • To improve performance of the DHCP agent, it will no longer configure the DHCP server for every port type created in Neutron. For example, for floating IP or router HA interfaces there is no need since a client will not make a DHCP request for them

  • The OVN Metadata Agent now creates the network namespaces including the Neutron network UUID in its name. Previously, the OVN datapath UUID was used and it was not obvious for operators and during debugging to figure out which namespace corresponded to what Neutron network.


Bug Fixes

  • Fixes a configuration problem in the OVN driver that prevented external IGMP queries from reaching the Virtual Machines. See bug 1918108 for details.


Known Issues

  • Even with the “igmp_snooping_enable” configuration option stating that traffic would not be flooded to unregistered VMs when this option was enabled, the ML2/OVN driver didn’t follow that behavior. This has now been fixed and ML2/OVN will no longer flood traffic to unregistered VMs when this configuration option is set to True.

Bug Fixes

  • Fixed MAC learning issue when ovs offload enabled. OVS firewall reduce the usage of normal actions to reduce cpu utilization. This causing flood rule because there is no MAC learning on ingress traffic. While this ok for none offload case, when using ovs offload flood rule is not offloaded. This fix the MAC learning in the offload, so we avoid flood rule. #1897637.


New Features

  • New config option keepalived_use_no_track was added. If keepalived version used on the deployment does not support no_track flag in its config file (e.g. keepalived 1.x), this option should be set to False. Default value of this option is True.


New Features

  • A new configuration option http_retries was added. This option allows configuring the number of times the nova or ironic client should retry on a failed HTTP call.

  • DVR routers now support flat networks.

  • Added support for router availability zones in OVN. The OVN driver can now read from the router’s availability_zone_hints field and schedule router ports accordingly with the given availability zones.

Deprecation Notes

  • Abstract method plug_new from the neutron.agent.linux.interface.LinuxInterfaceDriver class now accepts an optional parameter link_up. Usage of this method, which takes from 5 to 9 positional arguments, without link_up is now deprecated and will not be possible starting in the W release. Third-party drivers which inherit from this base class should update the implementation of their plug_new method.

Bug Fixes

  • 1875981 Neutron now correctly removes associated DNS records when an admin deletes ports, servers or floation IPs.

  • Fixed bug 1876092 which caused DUP ICMP replies on the flat networks used with DVR routers.

  • Fixed an issue where the client on a dual-stack (IPv4 + IPv6) network failed to get configuration from the dnsmasq DHCP server. See bug: 1876094.



The 16.0.0 release includes many bug fixes and new features.

The most important improvements worth mentioning are:

  • Python 2 is no longer supported by Neutron, Python 3.6 and 3.7 are.

  • Address scopes and subnetpools can now be shared with other tenants using the Role Based Access Control (RBAC) mechanism.

  • Security groups can now be set as stateful. Conntrack will not be used for any rules from such a group. This is currently supported only by the iptables and iptables_hybrid drivers.

  • Neutron API now allows tagging resources directly in the POST request.

  • IGMP snooping (multicast) can now be enabled in the OVS and OVN drivers.

  • A list of IPv6 addresses for a dhcp-host entry in the dnsmasq DHCP agent driver can be configured. This solves problems with failing boot process when only one IP address is available. See #1861032) for details about the issue.

  • The networking-ovn mechanism driver has been merged into the neutron repository and is now an in-tree driver for ML2.

Added support to create stateless security groups.

New Features

  • Address scope is now supported via the network RBAC mechanism. Please refer to the admin guide for further details.

  • Add a new field description to the PortForwarding resource.

  • Add new configuration option igmp_snooping_enable. New option is in OVS config section and is used by openvswitch agent. This option is used to enable support for Internet Group Management Protocol (IGMP) in integration bridge.

  • Subnetpool is now supported via the network RBAC mechanism. Please refer to the admin guide for further details.

  • By default the dnsmasq agent is restarted for every port created, deleted or updated. When there are many port changes on the same network it can and will take a very long time for all of the port changes to be realised. This enhancement adds in a new configuration variable that will enable bulk updates. This means that the dnsmasq will only be restarted once in a period and not N times. The new option ‘bulk_reload_interval’ indicates how often the agent should be reloaded. The default value is 0 which means that the original functionality is the default.

  • Adds support for configuring a list of IPv6 addresses for a dhcp-host entry in the dnsmasq DHCP agent driver. For a port with multiple IPv6 fixed-ips in the same subnet a single dhcp-host entry including all the addresses are written to the dnsmasq dhcp-hostsfile.

    Reserving multiple addresses for a host eases problems related to network and chain-booting where each step in the boot process requests an address using different DUID/IAID combinations. With a single address, only one gets the “static” address and the boot process will fail on the following steps. By reserving enough addresses for all the stages of the boot process this problem is resolved. (See bug: #1861032)


    This requires dnsmasq version 2.81 or later. Some distributions may backport this feauture to earlier dnsmasq version as part of the packaging, check the distributions releasenotes.

    Since the new configuration format is invalid in previous versions of dnsmasq this feauture is disabled by default. To enable the feature set the option dnsmasq_enable_addr6_list in DHCP agent configuration to True.

  • The OVN driver now makes uses of the “external” ports concept that was introduced by Core OVN. For example, with this work a VM with a SR-IOV port attached (VNIC type “direct” and no “switchdev” capability) will now be translated into an “external” port which is able reply to packets (e.g DHCP) from another host that were bypassed in the hypervisor before. Note that, for this first interaction all external ports will belong to the same HA group and will be scheduled onto the same node.

  • A new configuration option, cleanup_on_shutdown, was added to the L3 agent. If set to True the L3 agent will explicitly delete all routers on shutdown. For L3 HA routers it includes a graceful shutdown of keepalived and the state change monitor, which will allow a faster failover in certain conditions. The default value of cleanup_on_shutdown is False to maintain backward compatibility. Setting to True could affect the data plane when stopping or restarting the L3 agent.

  • Adds support for IGMP snooping (Multicast) in the OVN driver. Defaults to False. IGMP snooping requires OVN version 2.12 or above.

  • Added support for a new stateful-security-group api extension that implements stateless security groups for the iptables drivers.

  • The subnet-dns-publish-fixed-ip extension adds a new attribute to the definition of the subnet resource. When set to true it will allow publishing DNS records for fixed IPs from that subnet independent of the restrictions described in the DNS integration with an external service documentation.

  • The tag_ports_during_bulk_creation ML2 plugin extension has been implemented to support tagging ports during bulk creation. As a side effect, this extension also allows tagging ports during non-bulk creation.

Upgrade Notes

  • Python 2.7 support has been dropped. The minimum version of Python now supported by Neutron is Python 3.6.

  • For users affected by bug 1853840 the hypervisor name now can be set per physical network device in config option resource_provider_hypervisors which is located in the [ovs] ini-section for ovs-agent and [sriov_nic] ini-section for sriov-agent. Hypervisor names default to socket.gethostname() which works out of the box with libvirt even when the config option is set to a non-default value.

  • The network mtu attribute is set to be non-nullable. If the mtu is empty(create before Pike version), it is set to the default value of 1500.

  • Config option agent_type, which has been deprecated since Mitaka, is now removed. Agents should now use hardcoded values for agent type.

  • A security group rule added for the entire port range, for example, TCP ports 1-65535, is not optimal for backends that implement the rule. Rules like this will now automatically be converted to apply to the procotol itself, in other words, all TCP - the port ranges will be ignored. See bug 1848213 for more details.

  • SR-IOV agent code no longer supports old kernels (<3.13) for MacVtap ports. This change is not expected to affect existing deployments since most OS distributions already have the relevant kernel patches. In addition, latest major release of all Supported distributions already have a newer kernel.

  • Currently existing security groups will all be set to stateful during the alembic migration.

Deprecation Notes

  • Deprecate ovs_integration_bridge. This configuration option is a duplicate of OVS:integration_bridge. Currently both options must be the same to avoid configuration clashes. Previously used in the DHCP agent. It will be removed in next releases.

  • Function neutron.plugins.ml2.db.get_binding_levels was deprecated in favor of neutron.plugins.ml2.db.get_binding_level_objs and now is removed.

Security Issues

  • A change was made to the metadata proxy to not allow a user to override header values, it will now always insert the correct information and remove unnecessary fields before sending requests to the metadata agent. For more information, see bug 1865036.

  • The stateless security group feature does not work with OVS nor OVN driver as the driver is not aware of the stateful attribute in the security group. If stateful attribute is provided with a False value then the attribute value is ignored and the security group would behave as stateful.

Bug Fixes

  • Bug described a flooding issue on the neutron-ovs-agent integration bridge. And bug proposed a solution for it. The accepted egress packets will be taken care in the final egress tables (61 when openflow firewall is not enabled, table 94 otherwise) with direct output flows for unicast traffic with a minimum influence on the existing cloud networking. A new config option explicitly_egress_direct, with default value False, was added for the aim of distinguishing clouds which are running the network node mixed with compute services, upstream neutron CI should be an example. In such situation, this explicitly_egress_direct should be set to False, because there are numerous cases from HA routers which can not be covered, particularly when you have centralized floating IPs running in such mixed hosts. Otherwise, set explicitly_egress_direct to True to avoid the flooding. One more note is if your network nodes are for networing services only, we recommand you disable all the security_group to get a higher performance.

  • When listing ports using the openstack port list --mac-address A:B:C:D:E:F command we might not return any result when trying to list ports by MAC address if the cases differ. This fix makes the search based on MAC address case insensitive. For more information see bug 1843428.

  • Fixed an issue where IP allocation for IPv6 stateless subnets would allocate on invalid subnets when segments are used. Auto-addressing now filters on segment ids when allocating IP addresses. See bugs: #1864225, #1864333, #1865138.

  • Fixes an issue that the OVS firewall driver does not configure security group rules using remote group properly when a corresponding remote group has no port on a local hypervisor. For more information see bugs: 1862703 and 1854131.

  • When updating the fixed-ips of a port residing on a routed provider network the port update would always fail if host was not set. See bug: 1844124.

  • Neutron now locates the root resource provider of the resource provider tree it creates by using the hypervisor name instead of the hostname. These are different in rare cases only. The hypervisor name can be set per physical network device in config option resource_provider_hypervisors which is located in the [ovs] ini-section for ovs-agent and [sriov_nic] ini-section for sriov-agent. Hypervisor names default to socket.gethostname() which works out of the box with libvirt even when the config option is set to a non-default value. We believe this change fixes bug 1853840.

  • Neutron currently does not fully respect the network-auto-schedule configuration option. If the network-auto-schedule option is set to False, the network - a) Is still scheduled on the DHCP agent when it is created b) Is scheduled on a new DHCP agent if the old DHCP mapping is removed by the user/admin. It is especially necessary where the Network Backends provide DHCP directly. This has been fixed now and if the network-auto-schedule is set to False in the config file, networks would not be automatically scheduled to the DHCP Agents. If mapping/scheduling is required, it can be done manually or by setting the network-auto-schedule to True.

  • Owners of security groups now see all security group rules which belong to the security group, even if the rule was created by the admin user. Fixes bug 1824248.

Other Notes

  • Added QoS support for direct ports in neutron. The support requires Open vSwitch 2.11.0 or newer and is based on Linux kernel 5.4.0 or newer. [bug 1843165].

  • When the enable_distributed_routing (DVR) configuration option is set to True and tunneling is enabled, the arp_responder option will be forced to True since it is now required in order for ARP to work properly. For more information, see bug 1774459.

  • A new config option, radvd_user, was added to l3_agent.ini for the L3 agent. This option defines the username passed to radvd, used to drop “root” privileges and change user ID to username and group ID to the primary group of the user. If no user specified (by default), the user executing the L3 agent will be passed. If “root” specified, because radvd is spawned as root, no “username” parameter will be passed. (For more information see bug 1844688.)