Stein Series Release Notes¶
Prevent Linux Bridge from replying to ARP messages. It should reply only if the target IP address is a local address configured on the incoming interface and it should always use the best local address. See The ARP flux problem for more information.
As part of a bug #1715317, MAC ageing was disabled for the intermediate bridge created as part of the hybrid plug mechanism. During the removal of
brctl, this behavior was inadvertently applied to all linux bridges created by os-vif including those used in the linuxbridge driver. As a result this can lead to packet flooding (see bug #1837252) when instances are migrated. This behavior has been reverted so that the default mac ageing is determined by the kernel and is not set when using the os-vif linux bridge plugin.
Added native implementation of OVSDB API in
nativeAPIs could be selected by setting the configuration variable
ovsdb_interface. A new configuration variable,
ovsdb_connection, is added. This variable defines the connection string for the OVSDB backend.
Changed default value of
ovsdb_connectionto “tcp:127.0.0.1:6640”, to match the default value set in Neutron project. This connection string is needed by OVSDB native interface.
With this release, packagers of
os-vifno longer need to create a dependency on
brctlis largely considered obsolete and has been replaced with iproute2 by default in many linux distributions. RHEL 8 will not ship
brctlin its default repos. As part of a larger effort to remove usage of
os-vifhas replaced its usage of
pyroute2. This does not introduce any new requirements as
pyroute2is already a requirement.
A new set of attributes to port profiles has been introduced, namely
Datapath Offload Types, with
DatapathOffloadRepresentorallowing os-vif to pass the required metadata for representors conforming to the kernel switchdev representor model.
The API for
VIFPortProfileOVSRepresentorhas been frozen pending deprecation of the class. Users should transition to setting the
DatapathOffloadRepresentorobject to pass representor information.
In 1.13.0 it was reported that bug #1734320 was partially resolved by change Iaf15fa7a678ec2624f7c12f634269c465fbad930. It has since emerged that that change introduced another bug due to an interaction with libvirt. It was understood that libvirt would not recreate the ovs port if it was present on the ovs bridge when spawning a vm however on inspection of the libvirt code this is not the case. In this release we have reverted the change to os-vif and libvirt will be the only entity to create the ovs port when vif_type is set to ovs and hybrid_plug is set to false in the neutron port binding details. Bug #1734320 is not expected to be present if hybrid_plug=true or vif_type vhost-user is used on linux. On windows if hybrid_plug is false on bug #1734320 is also not expected to be present. A new mitigation to bug #1734320 will be developed for the remaining case of hybrid_plug=false on linux.
In this release the OVS plugin was extended to always plug VIFs even when libvirt could plug the vif. This will enable faster migration leveraging the multiple port bindings work completed in the Rocky release.
In this release an edgecase where libvirt plugged the VIF instead of os-vif was addressed. Previously if
ovs_hybrid_plugwas set to
Falsein the port binding details, os-vif would only ensure the ovs bridge existed and the plugging would be done by libvirt. As a result during live migration, there was a short interval where a guest could receive tagged broadcast, multicast, or flooded traffic to/from another tenant. This vulnerability is described in bug 1734320. By ensuring that os-vif always creates the OVS port as part of vif plugging we enable neutron to isolate the port prior to nova resuming the VM on the destination node. Note that as Nova cannot rely on Neutron to send
network-vif-pluggedevents on completion of wiring up an interface it cannot wait to receive a notification before proceeding with the migration. As a result this is a partial mitigation and additional changes will be required to fully address this bug.
A new config option was introduced for the OVS VIF plugin. The
isolate_vifoption was added as a partial mitigation of bug 1734320. The
isolate_vifoption defaults to
Falsefor backwards compatibility with SDN controller based OpenStack deployments. For all deployments using the reference implementation of ML2/OVS with the neutron L2 agents,
isolate_vifshould be set to
True. This option instructs the OVS plugin to assign the VIF to the Neutron dead VLAN (4095) when attaching the interface to OVS. By setting the VIF’s VLAN to this dead VLAN number, we eliminate the small attack vector that exists for other tenants to read packets during the VIF’s bring up.
Added an abstract OVSDB API in
vif_plug_ovs. All calls to OVS database will de done using this unique API. Command line implementation using
ovs-vsctlwas refactored as a backend for this abstract API. A new configuration variable,
ovsdb_interface, is added to select the interface for interacting with the OVS database.
Removed IPTools implementation. IPTools driver was implemented to avoid a bug in pyroute2 library, currently solved. This implementation was marked as “deprecated” two releases ago. IP Linux commands now use Pyroute2.