Victoria Series Release Notes

17.4.1-82

New Features

  • Add support for deleting ML2/OVN agents. Previously, deleting an agent would return a Bad Request error. In addition to deleting the agent, this change also drastically improves the scalability of the ML2/OVN agent handling code.

  • Add use_random_fully setting to allow an operator to disable the iptables random-fully property on an iptable rules.

Known Issues

  • The high availability of metadata service on isolated networks is limited or non-existent. IPv4 metadata is redundant when the DHCP agent managing it is redundant, but recovery is tied to the renewal of the DHCP lease, making most recoveries very slow. IPv6 metadata is not redundant at all as the IPv6 metadata address can only be configured in a single place at a time as it is link-local. Multiple agents trying to configure it will generate an IPv6 duplicate address detection failure.

    Administrators may observe the IPv6 metadata address in “dadfailed” state in the DHCP namespace for this reason, which is only an indication it is not highly available. Until a redesign is made to the isolated metadata service there is not a better deployment option. See bug 1953165 for information.

  • If the use_random_fully setting is disabled, it will prevent random fully from being used and if there’re 2 guests in different networks using the same source_ip and source_port and they try to reach the same dest_ip and dest_port, packets might be dropped in the kernel do to the racy tuple generation . Disabling this setting should only be done if source_port is really important such as in network firewall ACLs and that the source_ip are never repeating within the platform.

Bug Fixes

  • 1986003 Fixed an issue with concurrent requests to activate the same port binding where one of the requests returned a 500 Internal Server Error. With the fix one request will return successfully and the other will return a 409 Conflict (Binding already active). This fixes errors in nova live-migrations where those concurrent requests might be sent. Nova handles the 409/Conflict response gracefully.

  • For IPv4 subnets when dns_nameservers is not set in the subnet, servers defined in ‘ovn/dns_servers’ config option or system’s resolv.conf are used, but for IPv6 subnets these are not used. The same will now be used for IPv6 subnets too. Additionally dns servers added in ‘ovn/dns_servers’ config option or system’s resolv.conf will be filtered as per the subnet’s IP version. For more info see the bug report 1951816.

  • Fix an issue in the OVN driver where network metadata could become unavailable if the metadata port was ever deleted, even if accidental. To re-create the port, a user can now disable, then enable, DHCP for one of the subnets associated with the network using the Neutron API. This will try and create the port, similar to what happens in the DHCP agent for ML2/OVS. For more information, see bug 2015377.

Other Notes

  • Added the missing extension uplink-status-propagation to the ML2/OVN mechanism driver. This extension is used by the ML2/SR-IOV mechanism driver, that could be loaded with ML2/OVN. Now it is possible to create ports with the “uplink-status-propagation” flag defined.

17.4.0

Bug Fixes

  • Enforce policy for ‘qos_policy_id’ attribute of Floating IP so only authorized users can set/unset it. For more info see bug LP#1957175.

Other Notes

  • OVN mechanism driver allows only to have one physical network per bridge.

17.3.0

Bug Fixes

  • Changes the API behaviour while using OVN driver to enforce that it’s not possible to delete all the IPs from a router port. For more info see bug LP#1948457

  • The agent reporting state to the server now uses a RPC timeout set to the report_interval configuration option value. See 1948676.

17.2.1

Security Issues

  • Fix bug 1939733 by dropping from the dhcp extra option values everything what is after first newline (\n) character before passing them to the dnsmasq.

17.2.0

Known Issues

  • When using the minimim-bandwidth QoS feature due to bug https://launchpad.net/bugs/1921150 physical NIC resource providers were for some time created with the wrong parent (i.e. the hypervisor RP). This is now partially fixed and new resource providers are created now with the expected parent (i.e. the agent RP). However Placement does not allow re-parenting an already existing resource provider, therefore the following Placement DB update may be needed after the fix for bug 1921150 is applied: neutron/tools/bug-1921150-re-parent-device-rps.sql Until all resource providers have the proper parent, neutron-server will retry the re-parenting update, which will be rejected every time, therefore expect polluted logs and some wasted load on Placement. However please note that the bandwidth-aware scheduling is supposed to work even with the wrongly parented resource providers.

Bug Fixes

  • 1926693 The logic to detect the hypervisor hostname, which was introduced by change 69660, has been fixed and now returns the result consistent with libvirt.

  • The new resource_provider_defualt_hypervisor option has been added, to replace the default hypervisor name to locates the root resource provider without giving a complete list of interfaces or bridges in the resource_provider_hypervisors option. This option is located in the [ovs] ini-section for ovs-agent and [sriov_nic] ini-section for sriov-agent.

17.1.2

Other Notes

  • The OVN Metadata Agent now creates the network namespaces including the Neutron network UUID in its name. Previously, the OVN datapath UUID was used and it was not obvious for operators and during debugging to figure out which namespace corresponded to what Neutron network.

17.1.1

Bug Fixes

  • Fixes a configuration problem in the OVN driver that prevented external IGMP queries from reaching the Virtual Machines. See bug 1918108 for details.

Other Notes

  • To improve performance of the DHCP agent, it will no longer configure the DHCP server for every port type created in Neutron. For example, for floating IP or router HA interfaces there is no need since a client will not make a DHCP request for them

17.1.0

Known Issues

  • Even with the “igmp_snooping_enable” configuration option stating that traffic would not be flooded to unregistered VMs when this option was enabled, the ML2/OVN driver didn’t follow that behavior. This has now been fixed and ML2/OVN will no longer flood traffic to unregistered VMs when this configuration option is set to True.

Bug Fixes

  • Stop sending agent heartbeat from ovs agent when it detects OVS is dead. This helps to alarm cloud operators that there is something wrong on the given node.

  • Fixed MAC learning issue when ovs offload enabled. OVS firewall reduce the usage of normal actions to reduce cpu utilization. This causing flood rule because there is no MAC learning on ingress traffic. While this ok for none offload case, when using ovs offload flood rule is not offloaded. This fix the MAC learning in the offload, so we avoid flood rule. #1897637.

17.0.0

Prelude

Added support for floating IPs port forwarding in OVN.

New Features

  • A new configuration option http_retries was added. This option allows configuring the number of times the nova or ironic client should retry on a failed HTTP call.

  • New config option keepalived_use_no_track was added. If keepalived version used on the deployment does not support no_track flag in its config file (e.g. keepalived 1.x), this option should be set to False. Default value of this option is True.

  • DVR routers now support flat networks.

  • The dns-assignment will reflect the dns-domain defined in the network or sent by user when creating the port using –dns-domain rather than just take the dns-domain defined in the neutron configuration

  • Support for floating IPs port forwarding has been added to OVN backend.

  • Make the metadata service available over the IPv6 link-local address fe80::a9fe:a9fe. Metadata over IPv6 works on both isolated networks and networks with an IPv6 subnet connected to a Neutron router as well as on dual-stack and on IPv6-only networks. There are no new config options. The usual config options (enable_isolated_metadata, force_metadata, enable_metadata_proxy) now control the metadata service over both IPv4 and IPv6. This change only affects the guests’ access to the metadata service over tenant networks. This feature changes nothing about how the metadata-agent talks to Nova’s metadata service. The guest OS is expected to pick up routes from Router Advertisements for this feature to work on networks connected to a router. At least the following IPv6 subnet modes work:

    • --ipv6-ra-mode slaac --ipv6-address-mode slaac

    • --ipv6-ra-mode dhcpv6-stateless --ipv6-address-mode dhcpv6-stateless

    • --ipv6-ra-mode dhcpv6-stateful --ipv6-address-mode dhcpv6-stateful

    Please note that the metadata IPv6 address (being link-local) is not complete without a zone identifier (in a Linux guest that is usually the interface name concatenated after a percent sign). Please also note that in URLs you should URL-encode the percent sign itself. For example, assuming that the primary network interface in the guest is eth0 the base metadata URL is http://[fe80::a9fe:a9fe%25eth0]:80/.

  • Added support for router availability zones in OVN. The OVN driver can now read from the router’s availability_zone_hints field and schedule router ports accordingly with the given availability zones.

  • A previous change to set neutron-server child process names also modified neutron agent ones. This can impact monitoring systems relying on /proc/PID/environ formatting or ps -e output. Now neutron agents all have process names formatted this way (showing both an old style process name and full process name visible in recent releases) neutron-agent-name (original process name including interpreter)

    See bug 1881297 for more details.

Upgrade Notes

  • The configuration option firewall_driver is no longer used by neutron-server, it only applies to the L2 agent. This was required for backward-compatibility for hybrid plugging, but since the Newton release the L2 agent has been able to report hybrid plugging is needed in it’s report message back to the server.

  • Limit the ML2 VLAN allocations to [1, 4094] values in the database engine. This constraint, enforced in the database engine, could not be supported yet. In this case, it will be ignored. For more information, see the note in neutron.db.migration.alembic_migrations.versions.victoria.expand.dfe425060830_limit_vlan_allocation_id_values.py.

  • The metadata over IPv6 feature makes each dhcp-agent restart trigger a quick restart of dhcp-agent-controlled metadata-proxies, so they can pick up their new config making them also bind to fe80::a9fe:a9fe. These restarts make the metadata service transiently unavailable. This is done in order to enable the metadata service on pre-existing isolated networks during an upgrade. Please also note that pre-existing instances may need to re-acquire all information acquired over Router Discovery and/or DHCP for this feature to start working.

  • The default value for the metadata_workers configuration option has changed to 2 for the ML2/OVN driver. For ML2/OVS the default value remains the same. Each driver has different approaches when serving metadata to the instances and the previous default value of “<number of CPUs> / 2” did not make sense for ML2/OVN as the OVN metadata agents are distributed running on Compute nodes instead of Controller nodes. In fact, the previous default value could cause scalability issues with ML2/OVN and was overwritten by the deployment tools to avoid problems.

  • Monitoring tools relying on exact process names should be checked after upgrade, and modified if needed.

Deprecation Notes

  • Abstract method plug_new from the neutron.agent.linux.interface.LinuxInterfaceDriver class now accepts an optional parameter link_up. Usage of this method, which takes from 5 to 9 positional arguments, without link_up is now deprecated and will not be possible starting in the W release. Third-party drivers which inherit from this base class should update the implementation of their plug_new method.

  • Deprecate the use of remote_ip_prefix in metering label rules, and it will be removed in future releases. One should use instead the source_ip_prefix and/or destination_ip_prefix parameters. For more details, please refer to the spec: https://review.opendev.org/#/c/744702/.

  • Terminology such as master and slave have been replaced with more inclusive words, such as primary and backup wherever possible.

    The configuration option vnic_type_blacklist has been deprecated for both the OpenvSwitch and SRIOV mechanism drivers, and replaced with vnic_type_prohibit_list. They will be removed in a future release.

Bug Fixes

  • 1671448 Access for Neutron quotas now governed using standard configurable RBAC policies: ‘get_quota’, ‘update_quota’, ‘delete_quota’

  • 1875981 Neutron now correctly removes associated DNS records when an admin deletes ports, servers or floation IPs.

  • Fixed bug 1876092 which caused DUP ICMP replies on the flat networks used with DVR routers.

  • Fixed an issue where the client on a dual-stack (IPv4 + IPv6) network failed to get configuration from the dnsmasq DHCP server. See bug: 1876094.

Other Notes

  • When uplink-status-propagation extension is enabled, new ports created will default the value of propagate_uplink_status to True.