We are tickled pink to announce the release of:

neutron 12.0.6: OpenStack Networking

This release is part of the queens stable release series.

The source is available from:
https://git.openstack.org/cgit/openstack/neutron

Download the package from:
https://tarballs.openstack.org/neutron/

Please report issues through:
https://bugs.launchpad.net/neutron/+bugs

For more details, please see below.

12.0.6
^^^^^^

Critical Issues
***************

* The neutron-openvswitch-agent can sometimes spend too much time
  handling a large number of ports, exceeding its timeout value,
  "agent_boot_time", for L2 population. Because of this, some flow
  update operations will not be triggered, resulting in lost flows
  during agent restart, especially for host-to-host VXLAN tunnel flows,
  causing the original tunnel flows to be treated as stale due to the
  different cookie IDs. The agent's first RPC loop will also do a stale
  flow clean-up procedure and delete them, leading to a loss of
  connectivity. Please ensure that all neutron-server and
  neutron-openvswitch-agent binaries are upgraded for the changes to
  take effect, after which the L2 population "agent_boot_time" config
  option will no longer be used.

Bug Fixes
*********

* Previously a network's dns_domain attribute was ignored by the DHCP
  agent. With this release, OpenStack deployments using Neutron's DHCP
  agent will be able to specify a per-network dns_domain and have
  instances configure that domain in their DNS resolver configuration
  files (Linux's /etc/resolv.conf) to allow for local partial DNS
  lookups. The per-network dns_domain value will override the DHCP
  agent's default dns_domain configuration value. Note that it's also
  possible to update a network's dns_domain, and that new value will be
  propagated to new instances or when instances renew their DHCP lease.
  However, existing leases will live on with the old dns_domain value.

* Fixes bug 1501206 (https://bugs.launchpad.net/neutron/+bug/1501206).
  By adding an option that allows them to serve DNS requests only from
  local networks, this ensures that DHCP agent instances running
  dnsmasq as a DNS server can no longer be exploited as DNS amplifiers
  when the tenant network is using publicly routed IP addresses.

* Fixes an issue causing IP allocation on port update to fail when the
  initial IP allocation was deferred due to lack of binding info. If
  both the port mac_address and binding info (binding_host_id) were
  updated in the same request, the fixed_ips field was added to the
  request internally. The code to complete the deferred allocation
  failed to execute in that case. (For more information see bug 1811905
  (https://bugs.launchpad.net/neutron/+bug/1811905).)

* The neutron-openvswitch-agent was changed to notify the
  neutron-server in its first RPC loop that it has restarted. This
  signals neutron-server to provide updated L2 population information
  to correctly program FDB entries, ensuring connectivity to instances
  is not interrupted. This fixes the following bugs:
  1794991 (https://bugs.launchpad.net/neutron/+bug/1794991),
  1799178 (https://bugs.launchpad.net/neutron/+bug/1799178),
  1813703 (https://bugs.launchpad.net/neutron/+bug/1813703),
  1813714 (https://bugs.launchpad.net/neutron/+bug/1813714),
  1813715 (https://bugs.launchpad.net/neutron/+bug/1813715).

Changes in neutron 12.0.5..12.0.6
---------------------------------

44d34170cc Add enforcer logic for neutron policy
21387750a9 Don't pass None arg to neutron-keepalived-state-change
9aafd5f131 Fix slow SG api calls when limiting fields
55fa2d7ed4 OVS agent: always send start flag during initial sync
cc1412f76a Specify tenant_id in TestRevisionPlugin objects
195c137831 Divide-and-conquer security group beasts
810774b352 Try to enable dnsmasq process several times
dfd1af8e68 [OVS] Exception message when retrieving bridge-id and is not present
19912a30bd [Functional tests] Change way how conntrack entries are checked
2eda4ef62e Remove conntrack rule when FIP is deleted
5ffca49668 More accurate agent restart state transfer
5a11b24f37 Fix QoS rule update
e4bfc7d50e Divide-and-conquer local bridge flows beasts
9751ebd36d Fix KeyError in OVS firewall
93197576fa Check if process' cmdline is "space separarated"
93589f81f4 Replace openstack.org git:// URLs with https://
12c928b77c ovs: survive errors from check_ovs_status
cff6a2db88 ovs: raise RuntimeError in _get_dp if id is None
6f3620aa88 Add rootwrap filters to kill state change monitor
b0c8dde359 [Functional] Don't assert that HA router don't have IPs configured
eb857c8e9d Improve invalid port ranges error message
270912a8c7 Enable ipv6_forwarding in HA router's namespace
5bcca13f4a Set initial ha router state in neutron-keepalived-state-change
54dfbd94a6 Do not release DHCP lease when no client ID is set on port
b88ab58daf When converting sg rules to iptables, do not emit dport if not supported
3658c71556 Spawn metadata proxy on dvr ha standby routers
2e033b3b0d DVR-HA: Unbinding a HA router from agent does not clear HA interface
bf8a2c879e DVR edge router: avoid accidental centralized floating IP remove
8bf3a905e7 Add new test decorator skip_if_timeout
8554a72b6f Fix notification about arp entries for dvr routers
1e76ddf711 Fix port update deferred IP allocation with host_id + new MAC
13d23ba363 Switch isolated metadata proxy to bind to 169.254.169.254
48749c2788 Fix update of ports cache in router_info class
757129b49c Ensure dnsmasq is down before enabling it in restart method
de9f813928 Add lock_path in installation guide
c7031e2cd3 Change duplicate OVS bridge datapath-ids
3e0f090b5b Update neutron files for new over-indentation hacking rule (E117)
026f24a94d Fix performance regression adding rules to security groups
f920dfea8c Always fill UDP checksums in DHCPv6 replies
f599c15e33 Secure dnsmasq process against external abuse
828daf9f13 Remove IPv6 addresses in dnsmasq leases file
81d51ae876 Clear residual qos rules after l2-agent restarts.
88528d191f protect DHCP agent cache out of sync
1c573bb8b9 Check port VNIC type when associating a floating IP
8d99593adb [DVR] Allow multiple subnets per external network
a5fe490e49 Enable 'all' IPv6 forwarding knob correctly
44441bee0b Don't modify global variables in unit tests
b5a0401472 Add kill_timeout to AsyncProcess
282eadc68f Do state report after setting start_flag on OVS restart
b9f9c021c9 Block port update from unbound DHCP agent
e459b20fb5 Do not delete trunk bridges if service port attached
ce2ddcbf3f Fix the bug about DHCP port whose network has multiple subnets.
dd6a52529e Force all fdb entries update after ovs-vswitchd restart
02bcbf6fce Reinitialize ovs firewall after ovs-vswitchd restart
968dba2aaa Get centralized FIP only on router's snat host
d28237afa1 Fix neutron-openvswitch-agent Windows support
ac490d7d99 Update docs for disabling DNS server announcement
fb9d25eb53 DevStack: OVS: Only install kernel-* packages when needed
3466832b99 Include all rootwrap filters when building wheels
184dcfa89b DVR: Centralized FloatingIPs are not cleared after migration.
c801dd8ea1 Fix connection between 2 dvr routers
94f5e7d408 Wait to ipv6 forwarding be really changed by L3 agent
d50654234e Add missing step for ovs deploy guides
28b90f6c14 Pass network's dns_domain to dnsmasq conf
4bfed2b169 iptables-restore wait period cannot be zero

Diffstat (except docs and test files)
-------------------------------------

devstack/lib/ovs | 12 +-
.../install/controller-install-option1-obs.rst | 12 +
.../install/controller-install-option1-ubuntu.rst | 12 +
.../install/controller-install-option2-obs.rst | 12 +
.../install/controller-install-option2-ubuntu.rst | 12 +
etc/neutron/rootwrap.d/l3.filters | 13 +-
neutron/agent/common/ip_lib.py | 2 +
neutron/agent/common/ovs_lib.py | 19 +-
neutron/agent/common/utils.py | 4 +
neutron/agent/dhcp/agent.py | 88 +++---
neutron/agent/l2/extensions/qos.py | 6 +
neutron/agent/l3/agent.py | 126 +++++++--
neutron/agent/l3/dvr_edge_ha_router.py | 7 +-
neutron/agent/l3/dvr_edge_router.py | 31 ++-
neutron/agent/l3/dvr_fip_ns.py | 46 ++--
neutron/agent/l3/dvr_local_router.py | 15 +-
neutron/agent/l3/dvr_snat_ns.py | 2 +-
neutron/agent/l3/ha.py | 37 ++-
neutron/agent/l3/ha_router.py | 13 +-
neutron/agent/l3/keepalived_state_change.py | 22 ++
neutron/agent/l3/router_info.py | 59 ++--
neutron/agent/l3/router_processing_queue.py | 17 +-
neutron/agent/linux/async_process.py | 41 ++-
neutron/agent/linux/dhcp.py | 87 ++++--
neutron/agent/linux/interface.py | 32 ++-
neutron/agent/linux/ip_lib.py | 21 +-
neutron/agent/linux/iptables_firewall.py | 20 +-
neutron/agent/linux/iptables_manager.py | 6 +-
.../agent/linux/openvswitch_firewall/firewall.py | 24 +-
neutron/agent/linux/openvswitch_firewall/rules.py | 16 +-
neutron/agent/linux/utils.py | 31 ++-
neutron/agent/metadata/driver.py | 21 +-
neutron/agent/rpc.py | 5 +-
neutron/agent/securitygroups_rpc.py | 16 +-
neutron/agent/windows/ip_lib.py | 6 +
neutron/agent/windows/utils.py | 61 ++++-
neutron/api/rpc/handlers/dhcp_rpc.py | 18 +-
neutron/cmd/sanity/checks.py | 15 +
neutron/cmd/sanity_check.py | 15 +
neutron/common/constants.py | 15 +
neutron/common/exceptions.py | 6 +
neutron/db/ipam_pluggable_backend.py | 10 +-
neutron/db/l3_db.py | 25 ++
neutron/db/l3_dvr_db.py | 127 ++++++++-
neutron/db/l3_dvr_ha_scheduler_db.py | 9 +-
neutron/db/l3_dvrscheduler_db.py | 170 +++++++++---
.../a8b517cff8ab_add_routerport_bindings_for_ha.py | 7 +-
neutron/db/securitygroups_db.py | 178 ++++++------
neutron/extensions/securitygroup.py | 5 +-
neutron/objects/base.py | 43 ++-
neutron/objects/qos/qos_policy_validator.py | 24 +-
neutron/objects/securitygroup.py | 6 +-
neutron/plugins/ml2/drivers/l2pop/mech_driver.py | 7 +-
.../drivers/openvswitch/agent/common/constants.py | 36 +++
.../agent/extension_drivers/qos_driver.py | 23 +-
.../openvswitch/agent/openflow/native/br_int.py | 2 +
.../openvswitch/agent/openflow/native/br_phys.py | 1 +
.../openvswitch/agent/openflow/native/br_tun.py | 1 +
.../openvswitch/agent/openflow/native/ofswitch.py | 15 +-
.../agent/openflow/native/ovs_bridge.py | 8 +-
.../drivers/openvswitch/agent/ovs_neutron_agent.py | 74 ++++-
neutron/plugins/ml2/rpc.py | 30 +-
neutron/policy.py | 22 ++
neutron/services/qos/qos_plugin.py | 3 +-
.../drivers/openvswitch/agent/ovsdb_handler.py | 14 +
.../agent/l3/test_keepalived_state_change.py | 30 +-
.../functional/agent/linux/test_netlink_lib.py | 8 +-
.../l3_router/test_l3_dvr_router_plugin.py | 14 +-
.../openvswitch/agent/test_ovsdb_handler.py | 8 +
.../linux/openvswitch_firewall/test_firewall.py | 11 +
.../agent/linux/openvswitch_firewall/test_rules.py | 13 +-
.../unit/agent/linux/test_iptables_firewall.py | 14 +
.../unit/agent/linux/test_iptables_manager.py | 4 +-
.../plugins/ml2/drivers/l2pop/test_mech_driver.py | 23 +-
.../agent/test_linuxbridge_neutron_agent.py | 12 +-
.../macvtap/agent/test_macvtap_neutron_agent.py | 11 +-
.../mech_driver/test_mech_sriov_nic_switch.py | 28 +-
.../agent/extension_drivers/test_qos_driver.py | 4 +-
.../agent/openflow/native/test_ovs_bridge.py | 5 +
.../openvswitch/agent/test_ovs_neutron_agent.py | 60 +++-
.../drivers/openvswitch/agent/test_ovs_tunnel.py | 13 +-
.../unit/scheduler/test_l3_agent_scheduler.py | 46 +++-
.../service_providers/test_driver_controller.py | 4 +-
.../services/revisions/test_revision_plugin.py | 1 +
.../openvswitch/agent/test_ovsdb_handler.py | 4 +-
playbooks/legacy/neutron-fullstack/run.yaml | 2 +-
playbooks/legacy/neutron-functional/run.yaml | 2 +-
.../legacy/neutron-grenade-dvr-multinode/run.yaml | 2 +-
.../legacy/neutron-grenade-multinode/run.yaml | 2 +-
playbooks/legacy/neutron-grenade/run.yaml | 2 +-
playbooks/legacy/neutron-rally-neutron/run.yaml | 24 +-
.../neutron-tempest-dvr-ha-multinode-full/run.yaml | 2 +-
playbooks/legacy/neutron-tempest-dvr/run.yaml | 2 +-
.../legacy/neutron-tempest-linuxbridge/run.yaml | 2 +-
.../legacy/neutron-tempest-multinode-full/run.yaml | 2 +-
playbooks/legacy/neutron-tempest-ovsfw/run.yaml | 2 +-
.../notes/dns_domain-6f0e628aeb3c650c.yaml | 13 +
.../dnsmasq-local-service-c8eaa91894a7d6d4.yaml | 8 +
...e-request-as-binding-data-2a01c1ed1a8eff66.yaml | 10 +
...cise-agent-state-transfer-67c771cb1ee04dd0.yaml | 27 ++
setup.cfg | 14 +-

148 files changed, 3365 insertions(+), 997 deletions(-)