Pike Series Release Notes

11.0.8-45

Upgrade Notes

  • The first address in an IPv6 network is now a valid, usable IP for routers. It had previously been reserved, but now can be assigned to a router so that an IPv6 address ending in “::” could be a valid default route.

Other Notes

  • To improve the restart success rate of the OVS agent under heavy load without resorting to a retry or full sync, the native driver options of_connect_timeout and of_request_timeout are now set to 300s. These values have no side effects for an OVS agent under regular load.

  • A new option [ovs] of_inactivity_probe has been added to allow changing the inactivity probe interval when using the OVS ML2 agent with the native OpenFlow driver. Operators can increase this if they are experiencing OpenFlow timeouts. The default value is 10 seconds.

11.0.7

Critical Issues

  • The neutron-openvswitch-agent can sometimes spend too much time handling a large number of ports, exceeding its timeout value, agent_boot_time, for L2 population. Because of this, some flow update operations will not be triggered, resulting in lost flows during agent restart, especially for host-to-host vxlan tunnel flows, causing the original tunnel flows to be treated as stale due to the different cookie IDs. The agent’s first RPC loop will also do a stale flow clean-up procedure and delete them, leading to a loss of connectivity. Please ensure that all neutron-server and neutron-openvswitch-agent binaries are upgraded for the changes to take effect, after which the L2 population agent_boot_time config option will no longer be used.

Bug Fixes

  • Fixes bug 1501206. This ensures that DHCP agent instances running dnsmasq as a DNS server can no longer be exploited as DNS amplifiers when the tenant network is using publicly routed IP addresses by adding an option that will allow them to only serve DNS requests from local networks.

  • Fixes an issue causing IP allocation on port update to fail when the initial IP allocation was deferred due to lack of binding info. If both the port mac_address and binding info (binding_host_id) were updated in the same request, the fixed_ips field was added to the request internally. The code to complete the deferred allocation failed to execute in that case. (For more information see bug 1811905.)

  • The neutron-openvswitch-agent was changed to notify the neutron-server in its first RPC loop that it has restarted. This signals neutron-server to provide updated L2 population information to correctly program FDB entries, ensuring connectivity to instances is not interrupted. This fixes the following bugs: 1794991, 1799178, 1813703, 1813714, 1813715.

Other Notes

  • The metering agent iptables driver can now load its interface driver by using a stevedore alias in the metering_agent.ini file. For example, interface_driver = openvswitch instead of interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver

11.0.6

New Features

  • A new config option bridge_mac_table_size has been added for the Neutron OVS agent. This value will be set on every Open vSwitch bridge managed by the openvswitch-neutron-agent in the other_config:mac-table-size column in ovsdb. The default value for this new option is 50000, which should be enough for most systems. More details about this option can be found in the Open vSwitch documentation. For more information see bug 1775797.

11.0.5

Bug Fixes

  • For Infiniband support, Ironic needs to send the ‘client-id’ DHCP option as a number in order for IP address assignment to work. This is now supported in Neutron, and can be specified as option number 61 as defined in RFC 4776. For more information see bug 1770932.

11.0.3

New Features

  • L2 agents based on ML2 _common_agent now have the L2 extension API available. This API can be used by L2 extension drivers to request resources from the L2 agent. It is used, for example, to pass an instance of the IptablesManager to the Linuxbridge L2 agent QoS extension driver.

Bug Fixes

  • Fixes bug 1736674: security group rules are now properly applied by the Linuxbridge L2 agent with the QoS extension driver enabled.

  • Adding security group rules by protocol number is documented, but somehow was broken without being noticed in one of the last couple of releases. This is now fixed. For more information see bug 1716045.

11.0.2

Bug Fixes

  • The Openvswitch agent has an extension called fdb that uses the Linux bridge command. The bridge command has been added to the rootwrap openvswitch-plugin.filters file. For more information, see bug 1730407.

11.0.0

Prelude

A new agent_mode (dvr_no_external) for DVR routers has been added to allow the server to configure Floating IPs associated with DVR at the centralized node.

New Features

  • The openvswitch L2 agent now supports bi-directional bandwidth limiting.

  • The QoS service plugin now supports a new attribute in qos_bandwidth_limit_rule. This new parameter is called direction and specifies the direction of traffic to which the limit should be applied.

  • Ports now have a dns_domain attribute. A port’s dns_domain attribute has precedence over the network’s dns_domain from the point of view of publishing it to the external DNS service.

  • The router service plugin can now be configured without the dvr API extension loaded and exposed. To achieve that, set the new enable_dvr option to False in the neutron.conf file.

  • The new net-mtu-writable extension API definition has been added. The new extension indicates that the network mtu attribute is writeable. Plugins supporting the new extension are expected to also support net-mtu. The first plugin that gets support for the new extension is ml2.

  • Add data_plane_status attribute to port resources to represent the status of the underlying data plane. This attribute is to be managed by entities outside of the Networking service, while the status attribute is managed by the Networking service. Both status attributes are independent from one another. Third parties can use the Neutron API to report issues in the underlying data plane that affect connectivity from/to Neutron ports. The attribute can take the values None (default), ACTIVE or DOWN, and is readable by users and writable by admins and users granted the data-plane-integrator role. Append data_plane_status to the [ml2] extension_drivers config option to load the extension driver.

  • The resource tag mechanism is refactored so that the tag support for new resources can be supported easily. The resources with tag support are network, subnet, port, subnetpool, trunk, floatingip, policy, security_group, and router.

  • Neutron API can now be managed by a mod_wsgi compatible web server (e.g. apache2 (httpd), nginx, etc.)

  • Add ‘default’ behaviour to QoS policies. Neutron now supports having a default QoS policy in a project, assigned automatically to all new networks created.

  • Some scenario tests require advanced Glance images (for example, Ubuntu or CentOS) in order to pass. They are now skipped by default. If you need to execute those tests, please configure tempest.conf to use an advanced image, and set image_is_advanced in neutron_plugin_options section of tempest.conf file to True. The first scenario test case that requires the new option set to execute is test_trunk.

  • The Neutron API now supports conditional updates to resources with the ‘revision_number’ attribute by setting the desired revision number in an HTTP If-Match header. This allows clients to ensure that a resource hasn’t been modified since it was retrieved by the client. Support for conditional updates on the server can be checked for by looking for the ‘revision-if-match’ extension in the supported extensions.

  • A new DVR agent type dvr_no_external has been introduced with this release. This agent type allows the Floating IPs (DNAT/North-South routing) to be centralized while the East/West routing is still distributed.

  • Proactively create DVR floating IP namespace on all compute nodes when a gateway is configured.

  • Floating IPs associated with an unbound port with DVR routers will not be distributed, but will be centralized and implemented in the SNAT namespace of the Network node or dvr_snat node. Floating IPs that are associated with an allowed_address_pair port IP and bound to multiple active VMs with DVR routers will be implemented in the SNAT namespace in the Network node or dvr_snat node. This will address VRRP use cases. More information about this is captured in bug 1583694.

  • Resource tag mechanism now supports subnet, port, subnetpool and router resources.

  • Implements a new extension, quota_details, which extends the existing quota API to show detailed information for a specified tenant. The new API shows details such as limits, used, reserved.

  • Linuxbridge L2 agent supports ingress bandwidth limit. The linuxbridge L2 agent now supports bi-directional bandwidth limiting.

  • UDP ports used by VXLAN in the LinuxBridge agent can be configured now with the VXLAN.udp_srcport_min, VXLAN.udp_srcport_max and VXLAN.udp_dstport config options. To use the IANA assigned port number, set VXLAN.udp_dstport to 4789. The default is not changed from the Linux kernel default 8472.

  • The metering agent driver can now be specified with a stevedore alias in the metering_agent.ini file. For example, driver = iptables instead of driver = neutron.services.metering.iptables.iptables_driver:IptablesMeteringDriver.

  • A new network_link_prefix configuration option is introduced that allows altering the domain returned in the URLs included in the API responses. It behaves the same way as the compute_link_prefix and glance_link_prefix options do for Nova and Glance.

  • The openvswitch mechanism driver now supports hardware offload via SR-IOV. It allows binding direct (SR-IOV) ports. Using openvswitch 2.8.0 and ‘Linux Kernel’ 4.8 allows controlling the SR-IOV VF via the OpenFlow control plane and gaining an accelerated ‘Open vSwitch’.

  • Network QoS policies are now supported for network:router_gateway ports. Neutron QoS policies set on an external network now apply to external router ports (DVR or not).

  • New API to get details of supported rule types. The QoS service plugin can now expose details about supported QoS rule types in a Neutron deployment. The new API call is allowed only for users with admin privileges.

  • In order to reduce metadata proxy memory footprint, haproxy is now used as a replacement for neutron-ns-metadata-proxy Python implementation.

  • Subport segmentation details can now accept inherit as segmentation type during a trunk creation/update request. The trunk plugin will determine the segmentation type and ID and replace them with those of the network to which the port is connected. Only single-segment VLAN networks are set to have expected and correct results at this point.

  • Enable creation of VXLANs with different multicast addresses in linuxbridge agent allocated by VNI-address mappings. A new config option multicast_ranges was introduced.
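
The conditional update feature listed above (‘revision_number’ with an HTTP If-Match header) is shown here as an added example, not Neutron code. FakeNeutron is a constructed in-memory stand-in for the ports API, and the example assumes the header value has the form revision_number=<n> and that a stale revision is rejected with 412 Precondition Failed.

```python
import re


class FakeNeutron:
    """Constructed in-memory stand-in for a port resource; not Neutron code."""

    def __init__(self):
        self.port = {"id": "port-1", "security_groups": ["sg-default"],
                     "revision_number": 4}

    def get(self):
        return 200, dict(self.port)

    def put(self, changes, headers=None):
        match = (headers or {}).get("If-Match")
        if match is not None:
            m = re.fullmatch(r"revision_number=(\d+)", match)
            if not m:
                return 400, None  # stand-in behaviour for a malformed header
            if int(m.group(1)) != self.port["revision_number"]:
                return 412, None  # resource changed since it was read
        self.port.update(changes)
        self.port["revision_number"] += 1
        return 200, dict(self.port)


def add_security_group(api, sg_id, max_attempts=3, before_put=None):
    """Read-modify-write that never overwrites a concurrent change."""
    for _ in range(max_attempts):
        _, port = api.get()
        groups = sorted(set(port["security_groups"]) | {sg_id})
        if before_put:  # hook used to simulate a second writer
            before_put()
        status, updated = api.put(
            {"security_groups": groups},
            headers={"If-Match":
                     "revision_number=%d" % port["revision_number"]})
        if status == 200:
            return updated
        if status != 412:
            raise RuntimeError("unexpected status %d" % status)
        # 412: another client modified the port; re-read and merge again.
    raise RuntimeError("gave up after %d conflicting updates" % max_attempts)
```

Without the If-Match header, the first PUT would silently drop the security group that the second writer attached between the read and the write.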

Known Issues

  • There can be a mixture of dvr agents and dvr_no_external agents. But please avoid migrating any VM with a Floating IP between a dvr agent and a dvr_no_external agent. All VM ports with Floating IPs should be migrated to the same agent_mode. This is one of the restrictions.

  • Creating the DVR floating IP namespace on all nodes proactively might consume public IP addresses, but by using subnet service-types as explained in the networking guide, consumers can use private IPs for floating IP agent gateway ports and need not consume any public IP addresses.

  • While the bound port Floating IPs are distributed, the unbound port Floating IPs are centralized.

Upgrade Notes

  • Consider setting enable_dvr to False in neutron.conf file if your setup doesn’t support DVR. This will make Neutron stop advertising support for the dvr API extension via its /v2.0/extensions API endpoint.

  • Default quotas were bumped for the following resources: networks (from 10 to 100), subnets (from 10 to 100), ports (from 50 to 500). If you want to stick to old values, consider explicitly setting them in the neutron.conf file.

  • Previously, neutron-server was using configuration values for oslo.db that were different from library defaults. Specifically, it used the following values when they were not overridden in configuration files: max_pool_size = 10, max_overflow = 20, pool_timeout = 10. In this release, neutron-server instead relies on default values defined by the library itself. If you rely on old default values, you may need to adjust your configuration files to explicitly set the new values.

  • A new DVR agent mode of dvr_no_external was added. Changing between this mode and dvr is a disruptive operation to the dataplane.

  • The send_arp_for_ha configuration option is removed. Neutron now always sends three gratuitous ARP requests on address assigned to a port.

  • The max_fixed_ips_per_port configuration option was deprecated in the Newton cycle and removed in Pike.

  • The deprecated prevent_arp_spoofing option has been removed and the default behavior is to always prevent ARP spoofing unless port security is disabled on the port (or network).

  • Since haproxy was not used before by neutron-l3-agent and neutron-dhcp-agent, rootwrap filters for both agents have to be copied over when upgrading.

  • To upgrade to the haproxy based metadata proxy, neutron-l3-agent and neutron-dhcp-agent have to be restarted. On startup, old proxy processes will be detected and replaced with haproxy.

  • After upgrade, a macvtap agent without physical_interface_mappings configured can not be started. Specify a valid mapping to be able to start and use the macvtap agent.

Deprecation Notes

  • Users can use ‘tagging’ extension instead of the ‘tag’ extension and ‘tag-ext’ extension. Those extensions are now deprecated and will be removed in the Queens release.

  • The gateway_external_network_id L3 agent option is deprecated and will be removed in upcoming releases, together with the external_network_bridge option that it depends on.

  • Now that rootwrap daemon mode is supported for XenServer, the neutron-rootwrap-xen-dom0 script is deprecated and will be removed in an upcoming release.

  • The of_interface Open vSwitch agent configuration option is deprecated and will be removed in the future. After option removal, the current default driver (native) will be the only supported of_interface driver.

  • The nova_metadata_ip option is deprecated and will be removed in Queens. It is deprecated in favor of the new nova_metadata_host option because it reflects better that the option accepts an IP address and also a DNS name.

  • The web_framework option has been deprecated and will be removed during Queens. This option was just added to make the transition to pecan easier so there is no reason operators should be using the non-default option anyway.

Bug Fixes

  • Allows the unbound port Floating IPs to be configured properly with DVR routers irrespective of its device_owner.

Other Notes

  • Changing MTU configuration options (global_physnet_mtu, physical_network_mtus, and path_mtu) and restarting neutron-server no longer affects existing networks’ MTUs. Nevertheless, new networks will use new option values for MTU calculation. To reflect configuration changes for existing networks, one may use the new net-mtu-writable API extension to update the mtu attribute for those networks.

  • Example configuration of multicast_ranges in ml2_conf.ini under the [vxlan] config section: multicast_ranges = 224.0.0.10:10:90,225.0.0.15:100:900. For VNI between 10 and 90, the multicast address 224.0.0.10 will be used, and for 100 through 900, 225.0.0.15 will be used. Other VNI values will get the standard vxlan_group address. For more information see RFE https://bugs.launchpad.net/neutron/+bug/1579068
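
The multicast_ranges mapping described in the note above (and in the 11.0.0 New Features entry), written out as an added example that is not Neutron's own code. It assumes VNI bounds are inclusive and adds its own checks for non-multicast addresses and overlapping ranges; the function names and the fallback group 224.0.0.1 used for vxlan_group are constructed for illustration.

```python
import ipaddress

VNI_MAX = 2 ** 24 - 1  # VXLAN network identifiers are 24 bits wide

# Value from the release note, plus a constructed fallback for vxlan_group.
SAMPLE_RANGES = "224.0.0.10:10:90,225.0.0.15:100:900"
SAMPLE_VXLAN_GROUP = "224.0.0.1"


def parse_multicast_ranges(value):
    """Parse 'group:vni_min:vni_max,...' into sorted (lo, hi, group) tuples."""
    ranges = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        try:
            # Split from the right so an IPv6 group address keeps its colons.
            group, lo, hi = entry.rsplit(":", 2)
            addr = ipaddress.ip_address(group)
            lo, hi = int(lo), int(hi)
        except ValueError:
            raise ValueError("malformed entry: %r" % entry) from None
        if not addr.is_multicast:
            raise ValueError("%s is not a multicast address" % group)
        if not 0 <= lo <= hi <= VNI_MAX:
            raise ValueError("bad VNI range in entry: %r" % entry)
        ranges.append((lo, hi, str(addr)))
    ranges.sort()
    # Overlapping ranges would make the VNI-to-group mapping ambiguous.
    for (_, prev_hi, _), (lo, _, _) in zip(ranges, ranges[1:]):
        if lo <= prev_hi:
            raise ValueError("overlapping VNI ranges at VNI %d" % lo)
    return ranges


def group_for_vni(vni, ranges, vxlan_group):
    """Return the group for a VNI (bounds assumed inclusive), else vxlan_group."""
    for lo, hi, group in ranges:
        if lo <= vni <= hi:
            return group
    return vxlan_group


if __name__ == "__main__":
    parsed = parse_multicast_ranges(SAMPLE_RANGES)
    for vni in (10, 95, 900, 5000):
        print(vni, group_for_vni(vni, parsed, SAMPLE_VXLAN_GROUP))
```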