We are ecstatic to announce the release of:

neutron 14.2.0: OpenStack Networking

This release is part of the stein stable release series.

The source is available from:

    https://opendev.org/openstack/neutron

Download the package from:

    https://tarballs.openstack.org/neutron/

Please report issues through:

    https://bugs.launchpad.net/neutron/+bugs

For more details, please see below.

14.2.0
^^^^^^

Deprecation Notes
*****************

* Abstract method "plug_new" from the
  neutron.agent.linux.interface.LinuxInterfaceDriver class now accepts
  an optional parameter "link_up". Usage of this method, which takes
  from 5 to 9 positional arguments, without "link_up" is now deprecated
  and will not be possible starting in the W release. Third-party
  drivers which inherit from this base class should update the
  implementation of their "plug_new" method.

Security Issues
***************

* A change was made to the metadata proxy to not allow a user to
  override header values. It will now always insert the correct
  information and remove unnecessary fields before sending requests to
  the metadata agent. For more information, see bug 1865036
  (https://bugs.launchpad.net/neutron/+bug/1865036).

Bug Fixes
*********

* Bug https://bugs.launchpad.net/neutron/+bug/1732067 described a
  flooding issue on the neutron-ovs-agent integration bridge, and bug
  https://bugs.launchpad.net/neutron/+bug/1841622 proposed a solution
  for it. The accepted egress packets will be taken care of in the
  final egress tables (61 when openflow firewall is not enabled, table
  94 otherwise) with direct output flows for unicast traffic, with a
  minimum influence on the existing cloud networking. A new config
  option "explicitly_egress_direct", with default value False, was
  added to distinguish clouds which are running the network node mixed
  with compute services; upstream neutron CI should be an example. In
  such a situation, "explicitly_egress_direct" should be set to False,
  because there are numerous cases from HA routers which cannot be
  covered, particularly when you have centralized floating IPs running
  in such mixed hosts. Otherwise, set "explicitly_egress_direct" to
  True to avoid the flooding. One more note: if your network nodes are
  for networking services only, we recommend you disable all the
  security_group to get higher performance.

* Fixes an issue where the OVS firewall driver does not properly
  configure security group rules that use a remote group when the
  corresponding remote group has no port on a local hypervisor. For
  more information see bugs: 1862703
  (https://bugs.launchpad.net/neutron/+bug/1862703) and 1854131.

* Add a new match rule based on physical VLAN tag for the OpenFlow
  firewall traffic identifying mechanism to the TRANSIENT table. This
  fixes the distributed router east-west traffic between VLAN type
  networks. For more information, see bug 1831534
  (https://bugs.launchpad.net/neutron/+bug/1831534).

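The metadata proxy behaviour described under Security Issues above, sketched as an added example (this is not neutron's code): client headers pass through an allowlist, and the identity headers are always written from the proxy's own state. The header names, the allowlist and the sample request are assumptions made for the illustration.

```python
# Added illustration; header names and sample values are assumptions.
PROXY_OWNED = ("x-forwarded-for", "x-neutron-network-id", "x-neutron-router-id")
PASS_THROUGH = ("host", "accept", "user-agent")  # allowlist of client headers

# Constructed request from an instance that supplies its own identity headers.
SAMPLE_REQUEST = [
    ("Host", "169.254.169.254"),
    ("X-Forwarded-For", "10.0.0.99"),
    ("X-Neutron-Router-ID", "router-b"),
    ("X-Neutron-Network-ID", "net-b"),
    ("X-Instance-ID", "instance-b"),
]


def build_upstream_headers(client_headers, peer_ip, network_id=None, router_id=None):
    """Return (upstream, dropped) for one proxied metadata request.

    client_headers: (name, value) pairs as received, duplicates included.
    peer_ip: source address read from the socket, never from a header.
    Exactly one of network_id / router_id identifies this proxy instance.
    """
    if (network_id is None) == (router_id is None):
        raise ValueError("exactly one of network_id or router_id is required")
    upstream, dropped = {}, []
    for name, value in client_headers:
        key = name.strip().lower()
        if key in PASS_THROUGH and key not in upstream:
            upstream[key] = value
        else:
            # Unknown, duplicate and proxy-owned headers never reach the agent.
            dropped.append((key, value))
    # Identity always comes from the proxy's own state, not from the request.
    upstream["x-forwarded-for"] = peer_ip
    if network_id is not None:
        upstream["x-neutron-network-id"] = network_id
    else:
        upstream["x-neutron-router-id"] = router_id
    return upstream, dropped


def override_attempts(dropped):
    """Names of proxy-owned headers the client tried to supply (worth logging)."""
    return sorted({key for key, _ in dropped if key in PROXY_OWNED})


if __name__ == "__main__":
    headers, removed = build_upstream_headers(
        SAMPLE_REQUEST, "192.0.2.10", router_id="router-a")
    print(headers)
    print("override attempts:", override_attempts(removed))
```
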
Changes in neutron 14.1.0..14.2.0
---------------------------------

bc8c38bda8 Allow usage of legacy 3rd-party interface drivers
acb5fba408 Only notify nova of port status changes if configured
5f02ac5445 Add Rocky milestone tag for alembic migration revisions
0b035c910f Cap pycodestyle to be < 2.6.0
3ed429019b Router synch shouldn't return unrelated routers
90d17e4e85 Adding LOG statements to debug 1838449
98ec672e81 Report L3 extensions enabled in the L3 agent's config
8adac1ac3e Default (shared) network segment range is not mandatory
3796c03fd1 Fix queries to retrieve allocations with network_segment_range
5f7b55424a move neutron only common constants to private module
bdfdb812a2 Improve VLAN allocations synchronization
995018d754 Workaround in NetworkSegmentRange OVO until "project_id" migration
ff607c3f22 Check "security_group_rule" quota during security group creation
3e64388bb6 Avoid raising NetworkInterfaceNotFound exception in DHCP agent logs
2d319eeadc Check project_id when creating and updating NetworkSegmentRange
13f01238b6 [L3 HA] Add "no_track" option to VIPs in keepalived config
5af25c8591 Kill all processes running in a namespace before deletion
bf05b63f1b Implement "list_ns_pids" inside Neutron
383d238548 Add rootwrap filter rule for radvd-kill script
61dc621c1b Filter by owner SGs when retrieving the SG rules
a10413eb3f Change ovs-agent iteration log level to INFO
551464dd77 Ensure netlink.nla_slot tuple key is a string
9dc499da2b Configure keepalived interfaces according to config file
5f83713571 Increase waiting time for network rescheduling
e2f01c65d9 Prioritize port create and update ready messages
b9a2968100 Do not link up HA router gateway in backup node
08f3633990 Add trunk subports to be one of dvr serviced device owners
355f454747 Wait before deleting trunk bridges for DPDK vhu
914cd7e15a [DVR] Don't populate unbound ports in router's ARP cache
2d0adf4a05 Optimize DVR related port DB query
f1ef0d2337 Use rally-openstack 1.7.0 for stable/stein
5a28141fc8 Unnecessary routers should not be created
4dc0a61cd5 Remove extra header fields in proxied metadata requests
c12ccd1b8f Ensure that default SG exists during list of SG rules API call
5578c7073f Add accepted egress direct flow
eec11491c3 Add VLAN type conntrack direct flow
c37f5bd4b9 Random IP for concurrent create pf and update_port
01d0612a3a Do not initialize snat-ns twice
aee87e72b1 ovs agent: signal to plugin if tunnel refresh needed
1e70b1cdff Mock check if ipv6 is enabled in L3 agent unit tests
4916bbc5f3 Re-use existing ProcessLauncher from wsgi in RPC workers
4193c6ca0e Check SG members instead of ports to skip flow update
5a0c3e1fdd dhcp-agent: equalize port create_low/update/delete priority
6376391b45 [OVS] Handle added/removed ports in the same polling iteration

Diffstat (except docs and test files)
-------------------------------------

 .zuul.yaml | 3 +-
 .../contributor/internals/openvswitch_firewall.rst | 2 +
 etc/neutron/rootwrap.d/debug.filters | 6 +-
 etc/neutron/rootwrap.d/l3.filters | 1 +
 neutron/agent/dhcp/agent.py | 37 ++-
 neutron/agent/l3/agent.py | 3 +-
 neutron/agent/l3/dvr_edge_ha_router.py | 8 +-
 neutron/agent/l3/dvr_edge_router.py | 10 +-
 neutron/agent/l3/ha.py | 9 +
 neutron/agent/l3/ha_router.py | 38 ++-
 neutron/agent/l3/router_info.py | 20 +-
 neutron/agent/linux/interface.py | 51 +++-
 neutron/agent/linux/ip_lib.py | 17 +-
 neutron/agent/linux/iptables_firewall.py | 5 +-
 neutron/agent/linux/keepalived.py | 22 +-
 .../agent/linux/openvswitch_firewall/firewall.py | 196 ++++++++++++-
 neutron/agent/metadata/agent.py | 7 +
 neutron/agent/metadata/driver.py | 7 +-
 neutron/agent/securitygroups_rpc.py | 4 +
 .../api/rpc/agentnotifiers/dhcp_rpc_agent_api.py | 4 +-
 neutron/api/rpc/handlers/l3_rpc.py | 11 +-
 neutron/common/_constants.py | 45 +++
 neutron/common/constants.py | 22 --
 neutron/common/utils.py | 4 +-
 neutron/conf/plugins/ml2/drivers/ovs_conf.py | 8 +-
 neutron/db/db_base_plugin_common.py | 11 +-
 neutron/db/dvr_mac_db.py | 41 ++-
 neutron/db/l3_dvr_db.py | 23 ++
 neutron/db/l3_dvrscheduler_db.py | 26 +-
 .../rocky/expand/867d39095bf4_port_forwarding.py | 5 +
 neutron/db/models/plugins/ml2/geneveallocation.py | 8 +
 .../models/plugins/ml2/gre_allocation_endpoints.py | 8 +
 neutron/db/models/plugins/ml2/vlanallocation.py | 8 +
 neutron/db/models/plugins/ml2/vxlanallocation.py | 8 +
 neutron/db/securitygroups_db.py | 30 +-
 neutron/objects/network_segment_range.py | 112 +++++++-
 neutron/objects/plugins/ml2/base.py | 42 +++
 neutron/objects/plugins/ml2/flatallocation.py | 4 +-
 neutron/objects/plugins/ml2/geneveallocation.py | 9 +-
 neutron/objects/plugins/ml2/greallocation.py | 9 +-
 neutron/objects/plugins/ml2/vlanallocation.py | 37 ++-
 neutron/objects/plugins/ml2/vxlanallocation.py | 9 +-
 neutron/objects/securitygroup.py | 20 ++
 neutron/plugins/ml2/drivers/helpers.py | 142 +++------
 .../drivers/openvswitch/agent/common/constants.py | 2 +
 .../openvswitch/agent/openflow/native/br_int.py | 10 +-
 .../openvswitch/agent/ovs_dvr_neutron_agent.py | 21 ++
 .../drivers/openvswitch/agent/ovs_neutron_agent.py | 320 ++++++++++++++-------
 neutron/plugins/ml2/drivers/type_vlan.py | 53 ++--
 neutron/plugins/ml2/rpc.py | 8 +-
 neutron/privileged/__init__.py | 3 +-
 neutron/privileged/agent/linux/ip_lib.py | 56 +++-
 neutron/server/wsgi_eventlet.py | 2 +-
 neutron/service.py | 17 +-
 .../drivers/openvswitch/agent/ovsdb_handler.py | 3 +
 .../functional/agent/linux/test_keepalived.py | 5 +-
 .../privileged/agent/linux/test_ip_lib.py | 35 +++
 .../portforwarding/test_port_forwarding.py | 21 +-
 .../linux/openvswitch_firewall/test_firewall.py | 172 ++++++++++-
 .../objects/plugins/ml2/test_geneveallocation.py | 6 +-
 .../unit/objects/plugins/ml2/test_greallocation.py | 6 +-
 .../objects/plugins/ml2/test_vlanallocation.py | 6 +-
 .../objects/plugins/ml2/test_vxlanallocation.py | 6 +-
 .../unit/objects/test_network_segment_range.py | 236 +++++++++++++--
 .../agent/openflow/native/test_br_int.py | 28 +-
.../openvswitch/agent/test_ovs_neutron_agent.py | 106 ++++--- .../drivers/openvswitch/agent/test_ovs_tunnel.py | 9 +- .../unit/plugins/ml2/drivers/test_type_vlan.py | 18 ++ .../unit/privileged/agent/linux/test_ip_lib.py | 9 +- .../unit/scheduler/test_l3_agent_scheduler.py | 5 + neutron/wsgi.py | 6 + ...without-link_up-parameter-27f8310eb1e1910a.yaml | 10 + .../accepted_egress_direct-cc23873e213c6919.yaml | 20 ++ ...ity-group-no-port-on-host-9177e66d4b16e90c.yaml | 8 + ...roxy-header-vulnerability-60c44eb7c76d560c.yaml | 8 + ...lan-type-conntrack-direct-d3d544f8471ed4ff.yaml | 8 + test-requirements.txt | 2 +- 101 files changed, 2348 insertions(+), 559 deletions(-) Requirements updates -------------------- diff --git a/test-requirements.txt b/test-requirements.txt index 7f71cfda0c..e4e6d09c69 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -10 +10 @@ flake8-import-order==0.12 # LGPLv3 -pycodestyle>=2.0.0 # MIT +pycodestyle>=2.0.0,<2.6.0 # MIT
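
Review bot: The new `<2.6.0` upper bound on pycodestyle in test-requirements.txt carries no comment saying why the cap exists or under what condition it can be lifted. Add a short comment on or above the `pycodestyle>=2.0.0,<2.6.0` line naming the reason, so the cap is revisited rather than left in place indefinitely.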