We are delighted to announce the release of:

neutron 13.0.3: OpenStack Networking

This release is part of the rocky stable release series.

The source is available from:

    https://git.openstack.org/cgit/openstack/neutron

Download the package from:

    https://tarballs.openstack.org/neutron/

Please report issues through:

    https://bugs.launchpad.net/neutron/+bugs

For more details, please see below.

13.0.3
^^^^^^

Critical Issues
***************

* The neutron-openvswitch-agent can sometimes spend too much time
  handling a large number of ports, exceeding its timeout value,
  "agent_boot_time", for L2 population. Because of this, some flow
  update operations will not be triggered, resulting in lost flows
  during agent restart, especially for host-to-host vxlan tunnel
  flows, causing the original tunnel flows to be treated as stale due
  to the different cookie IDs. The agent's first RPC loop will also do
  a stale flow clean-up procedure and delete them, leading to a loss
  of connectivity. Please ensure that all neutron-server and
  neutron-openvswitch-agent binaries are upgraded for the changes to
  take effect, after which the L2 population "agent_boot_time" config
  option will no longer be used.

Bug Fixes
*********

* Fixes bug 1501206
  (https://bugs.launchpad.net/neutron/+bug/1501206). This ensures that
  DHCP agent instances running dnsmasq as a DNS server can no longer
  be exploited as DNS amplifiers when the tenant network is using
  publicly routed IP addresses by adding an option that will allow
  them to only serve DNS requests from local networks.

* Fixes an issue causing IP allocation on port update to fail when the
  initial IP allocation was deferred due to lack of binding info. If
  both the port mac_address and binding info (binding_host_id) were
  updated in the same request, the fixed_ips field was added to the
  request internally. The code to complete the deferred allocation
  failed to execute in that case.
  (For more information see bug 1811905
  (https://bugs.launchpad.net/neutron/+bug/1811905).)

* The neutron-openvswitch-agent was changed to notify the
  neutron-server in its first RPC loop that it has restarted. This
  signals neutron-server to provide updated L2 population information
  to correctly program FDB entries, ensuring connectivity to instances
  is not interrupted. This fixes the following bugs:
  1794991 (https://bugs.launchpad.net/neutron/+bug/1794991),
  1799178 (https://bugs.launchpad.net/neutron/+bug/1799178),
  1813703 (https://bugs.launchpad.net/neutron/+bug/1813703),
  1813714 (https://bugs.launchpad.net/neutron/+bug/1813714),
  1813715 (https://bugs.launchpad.net/neutron/+bug/1813715).

Changes in neutron 13.0.2..13.0.3
---------------------------------

279c99ab7d Don't pass None arg to neutron-keepalived-state-change
056e049e2b Improve port dhcp Provisioning
1d81086f55 Try to enable dnsmasq process several times
289f66bd74 [Functional tests] Change way how conntrack entries are checked
7590f3f591 Specify tenant_id in TestRevisionPlugin objects
f7262f5280 [OVS] Exception message when retrieving bridge-id and is not present
97bf23244d Fix slow SG api calls when limiting fields
6b9d8bf308 OVS agent: always send start flag during initial sync
004caf773a Change ovs version we use in fullstack tests
6494fcc2e4 Divide-and-conquer security group beasts
8f8c899c69 Rename router processing queue code to be more generic
eb6cacb16c Set lower addr to avoid IP out of range
e096e2427c Remove conntrack rule when FIP is deleted
cc49ab5501 More accurate agent restart state transfer
e7788ed0c8 Fix QoS rule update
af67d516a5 Divide-and-conquer local bridge flows beasts
569b3fddab Fix KeyError in OVS firewall
836d5eca4f Check if process' cmdline is "space separarated"
96b0b90b89 Add enforcer logic for neutron policy
344495f1a8 Replace openstack.org git:// URLs with https://
8b7955dade Add rootwrap filters to kill state change monitor
e5202b9fb1 [Functional] Don't assert that HA router don't have IPs configured
e813fc8d05 Improve invalid port ranges error message
570f6086c0 Fix fullstack test_dscp_marking_packets test
c07e6a5ea8 Enable ipv6_forwarding in HA router's namespace
56c591996b Set initial ha router state in neutron-keepalived-state-change
ce037876a7 Do not release DHCP lease when no client ID is set on port
558a977902 When converting sg rules to iptables, do not emit dport if not supported
bc828851ab Spawn metadata proxy on dvr ha standby routers
3c66b1c453 DVR-HA: Unbinding a HA router from agent does not clear HA interface
28a7dd12fe Delete port binding level for deleted bindings
c620b3c91e DVR edge router: avoid accidental centralized floating IP remove
e6f22ce81c Add new test decorator skip_if_timeout
5bf56bde87 Fix notification about arp entries for dvr routers
964dd28a95 Switch isolated metadata proxy to bind to 169.254.169.254
679e8ee6cc Fix update of ports cache in router_info class
b7796f6c91 DHCP: fix default dns search name
0465269554 Ensure dnsmasq is down before enabling it in restart method
f8a192e22e Fix performance regression adding rules to security groups
50a7a74e97 Always fill UDP checksums in DHCPv6 replies
b3f32e1900 Fix port update deferred IP allocation with host_id + new MAC
a7afd6e86d Secure dnsmasq process against external abuse
777dc929dd Change duplicate OVS bridge datapath-ids
1e6ce6f963 Remove a bare raise noticed by the linter
b92ecfc615 Update neutron files for new over-indentation hacking rule (E117)
18f2cea730 Remove IPv6 addresses in dnsmasq leases file
573b0be3e8 Add lock_path in installation guide
e04ee2c5b6 Clear residual qos rules after l2-agent restarts.
9f003cf497 Use status_code instead of status in requests
8294bcf92e protect DHCP agent cache out of sync
0f14e30fa4 Check port VNIC type when associating a floating IP
886782c177 [DVR] Allow multiple subnets per external network
025e767b94 Add kill_timeout to AsyncProcess
684b10234e Don't modify global variables in unit tests
dfedafe5f6 Enable 'all' IPv6 forwarding knob correctly
6a56d38798 Do state report after setting start_flag on OVS restart
eb8d4e3383 Block port update from unbound DHCP agent
25ab89f7d3 Do not delete trunk bridges if service port attached
fea4365500 Fix the bug about DHCP port whose network has multiple subnets.
ae2ef68140 Force all fdb entries update after ovs-vswitchd restart
2c11424178 Reinitialize ovs firewall after ovs-vswitchd restart
8f3fd6815c Imported Translations from Zanata
115a9f5558 Get centralized FIP only on router's snat host
3206492a3b Update docs for disabling DNS server announcement
7ce626b407 DVR: Centralized FloatingIPs are not cleared after migration.
35033083b9 Fix connection between 2 dvr routers
bbb60c0d69 DevStack: OVS: Only install kernel-* packages when needed
6dd6980eb2 Wait to ipv6 forwarding be really changed by L3 agent
9882c79398 Add missing step for ovs deploy guides
0fa1d46979 Verify port_forwarding subnet and IP address both
c039f0f1c4 iptables-restore wait period cannot be zero

Diffstat (except docs and test files)
-------------------------------------

 devstack/lib/ovs | 12 +-
 .../install/controller-install-option1-obs.rst | 12 +
 .../install/controller-install-option1-ubuntu.rst | 12 +
 .../install/controller-install-option2-obs.rst | 12 +
 .../install/controller-install-option2-ubuntu.rst | 12 +
 etc/neutron/rootwrap.d/l3.filters | 13 +-
 neutron/agent/common/ovs_lib.py | 19 +-
 .../resource_processing_queue.py} | 127 ++++----
 neutron/agent/dhcp/agent.py | 267 +++++++++++------
 neutron/agent/l2/extensions/qos.py | 6 +
 neutron/agent/l3/agent.py | 188 ++++++++----
 neutron/agent/l3/dvr_edge_ha_router.py | 7 +-
 neutron/agent/l3/dvr_edge_router.py | 31 +-
 neutron/agent/l3/dvr_fip_ns.py | 46 +--
 neutron/agent/l3/dvr_local_router.py | 15 +-
 neutron/agent/l3/dvr_snat_ns.py | 2 +-
 neutron/agent/l3/ha.py | 37 ++-
 neutron/agent/l3/ha_router.py | 13 +-
 neutron/agent/l3/keepalived_state_change.py | 22 ++
 neutron/agent/l3/router_info.py | 59 ++--
 neutron/agent/linux/async_process.py | 34 ++-
 neutron/agent/linux/dhcp.py | 77 +++--
 neutron/agent/linux/interface.py | 32 +-
 neutron/agent/linux/ip_lib.py | 21 +-
 neutron/agent/linux/iptables_firewall.py | 20 +-
 neutron/agent/linux/iptables_manager.py | 2 +-
 .../agent/linux/openvswitch_firewall/firewall.py | 24 +-
 neutron/agent/linux/openvswitch_firewall/rules.py | 16 +-
 neutron/agent/linux/utils.py | 15 +-
 neutron/agent/metadata/agent.py | 3 +-
 neutron/agent/metadata/driver.py | 21 +-
 neutron/agent/rpc.py | 5 +-
 neutron/agent/securitygroups_rpc.py | 16 +-
 .../api/rpc/agentnotifiers/dhcp_rpc_agent_api.py | 54 +++-
 neutron/api/rpc/handlers/dhcp_rpc.py | 15 +-
 neutron/cmd/sanity/checks.py | 15 +
 neutron/cmd/sanity_check.py | 15 +
 neutron/common/constants.py | 15 +
 neutron/db/ipam_pluggable_backend.py | 10 +-
 neutron/db/l3_db.py | 58 +++-
 neutron/db/l3_dvr_db.py | 127 +++++++-
 neutron/db/l3_dvr_ha_scheduler_db.py | 9 +-
 neutron/db/l3_dvrscheduler_db.py | 170 ++++++++---
 .../a8b517cff8ab_add_routerport_bindings_for_ha.py | 7 +-
 neutron/db/securitygroups_db.py | 178 ++++++-----
 neutron/extensions/securitygroup.py | 5 +-
 neutron/locale/de/LC_MESSAGES/neutron.po | 79 +----
 neutron/locale/es/LC_MESSAGES/neutron.po | 79 +----
 neutron/locale/fr/LC_MESSAGES/neutron.po | 80 +----
 neutron/locale/it/LC_MESSAGES/neutron.po | 79 +----
 neutron/locale/ja/LC_MESSAGES/neutron.po | 82 +-----
 neutron/locale/ko_KR/LC_MESSAGES/neutron.po | 107 ++-----
 neutron/locale/pt_BR/LC_MESSAGES/neutron.po | 78 +----
 neutron/locale/ru/LC_MESSAGES/neutron.po | 74 +----
 neutron/locale/tr_TR/LC_MESSAGES/neutron.po | 63 +---
 neutron/locale/zh_CN/LC_MESSAGES/neutron.po | 72 +----
 neutron/locale/zh_TW/LC_MESSAGES/neutron.po | 72 +----
 neutron/objects/base.py | 43 ++-
 neutron/objects/qos/qos_policy_validator.py | 24 +-
 neutron/objects/securitygroup.py | 6 +-
 neutron/plugins/ml2/drivers/l2pop/mech_driver.py | 7 +-
 .../drivers/openvswitch/agent/common/constants.py | 36 +++
 .../agent/extension_drivers/qos_driver.py | 23 +-
 .../openvswitch/agent/openflow/native/br_int.py | 2 +
 .../openvswitch/agent/openflow/native/br_phys.py | 1 +
 .../openvswitch/agent/openflow/native/br_tun.py | 1 +
 .../openvswitch/agent/openflow/native/ofswitch.py | 15 +-
 .../drivers/openvswitch/agent/ovs_neutron_agent.py | 66 ++++-
 neutron/plugins/ml2/plugin.py | 6 +-
 neutron/plugins/ml2/rpc.py | 30 +-
 neutron/policy.py | 22 ++
 neutron/privileged/agent/linux/ip_lib.py | 14 +-
 neutron/services/qos/qos_plugin.py | 3 +-
 .../drivers/openvswitch/agent/ovsdb_handler.py | 14 +
 .../agent/l3/test_keepalived_state_change.py | 30 +-
 .../functional/agent/linux/test_netlink_lib.py | 8 +-
 .../l3_router/test_l3_dvr_router_plugin.py | 14 +-
 .../portforwarding/test_port_forwarding.py | 37 ++-
 .../openvswitch/agent/test_ovsdb_handler.py | 8 +
 .../test_resource_processing_queue.py} | 65 +++--
 .../linux/openvswitch_firewall/test_firewall.py | 11 +
 .../agent/linux/openvswitch_firewall/test_rules.py | 13 +-
 .../unit/agent/linux/test_iptables_firewall.py | 14 +
 .../rpc/agentnotifiers/test_dhcp_rpc_agent_api.py | 37 ++-
 .../test_expose_port_forwarding_in_fip.py | 89 +++++-
 .../plugins/ml2/drivers/l2pop/test_mech_driver.py | 23 +-
 .../agent/test_linuxbridge_neutron_agent.py | 18 +-
 .../macvtap/agent/test_macvtap_neutron_agent.py | 11 +-
 .../mech_driver/test_mech_sriov_nic_switch.py | 28 +-
 .../agent/extension_drivers/test_qos_driver.py | 4 +-
 .../openvswitch/agent/test_ovs_neutron_agent.py | 52 +++-
 .../drivers/openvswitch/agent/test_ovs_tunnel.py | 13 +-
 .../unit/scheduler/test_l3_agent_scheduler.py | 46 ++-
 .../service_providers/test_driver_controller.py | 4 +-
 .../services/revisions/test_revision_plugin.py | 1 +
 .../openvswitch/agent/test_ovsdb_handler.py | 4 +-
 .../legacy/neutron-fullstack-python35/run.yaml | 2 +-
 .../legacy/neutron-fullstack-with-uwsgi/run.yaml | 2 +-
 playbooks/legacy/neutron-fullstack/run.yaml | 2 +-
 .../legacy/neutron-functional-python35/run.yaml | 2 +-
 .../legacy/neutron-functional-with-uwsgi/run.yaml | 2 +-
 playbooks/legacy/neutron-functional/run.yaml | 2 +-
 .../legacy/neutron-grenade-dvr-multinode/run.yaml | 2 +-
 .../legacy/neutron-grenade-multinode/run.yaml | 2 +-
 playbooks/legacy/neutron-grenade/run.yaml | 2 +-
 .../neutron-tempest-dvr-ha-multinode-full/run.yaml | 2 +-
 playbooks/legacy/neutron-tempest-dvr/run.yaml | 2 +-
 .../neutron-tempest-iptables_hybrid/run.yaml | 2 +-
 .../legacy/neutron-tempest-linuxbridge/run.yaml | 2 +-
 .../legacy/neutron-tempest-multinode-full/run.yaml | 2 +-
 .../legacy/neutron-tempest-postgres-full/run.yaml | 2 +-
 .../neutron-tempest-with-ryu-master/run.yaml | 2 +-
 .../dnsmasq-local-service-c8eaa91894a7d6d4.yaml | 8 +
 ...e-request-as-binding-data-2a01c1ed1a8eff66.yaml | 10 +
 ...cise-agent-state-transfer-67c771cb1ee04dd0.yaml | 27 ++
 .../source/locale/fr/LC_MESSAGES/releasenotes.po | 90 ------
 .../source/locale/ja/LC_MESSAGES/releasenotes.po | 301 -------------------
 .../locale/ko_KR/LC_MESSAGES/releasenotes.po | 103 -------
 setup.cfg | 2 +
 168 files changed, 3640 insertions(+), 2485 deletions(-)
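
For operators verifying the bug 1501206 fix after upgrading, the following added example (not neutron code) audits a dnsmasq command line and models which DNS queries the instance would answer. It assumes the option the release note refers to is dnsmasq's `--local-service`, as the release-note file name `dnsmasq-local-service-…` in the diffstat suggests; the function names, subnet and command lines are constructed for illustration.

```python
import ipaddress

# Per the dnsmasq man page, --local-service has no effect when any of
# these options is also present on the command line.
OVERRIDES = ("--interface", "--except-interface",
             "--listen-address", "--auth-server")

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob into argv.

    Arguments are normally NUL-separated, but a process that rewrites its
    title can leave them space-separated, so both layouts are handled.
    """
    text = raw.decode("utf-8", "replace").strip("\0 ")
    return text.split("\0") if "\0" in text else text.split()

def has_opt(argv, name):
    """True if argv carries the long option, bare or as --name=value."""
    return any(a == name or a.startswith(name + "=") for a in argv)

def local_service_effective(argv):
    """True only if --local-service is set and not silently overridden."""
    return (has_opt(argv, "--local-service")
            and not any(has_opt(argv, o) for o in OVERRIDES))

def query_verdict(argv, interface_subnets, source_ip):
    """Model whether this dnsmasq instance answers a DNS query from source_ip."""
    if "--port=0" in argv:  # DNS function switched off entirely
        return "dns-disabled"
    if not local_service_effective(argv):
        return "answered"  # any source that can reach the port gets a reply
    src = ipaddress.ip_address(source_ip)
    local = any(src in ipaddress.ip_network(n) for n in interface_subnets)
    return "answered" if local else "refused"

# Constructed sample data: a tenant subnet on publicly routed addresses
# (documentation range) and three dnsmasq command lines.
SUBNETS = ["203.0.113.0/24"]
HARDENED = b"dnsmasq\0--no-hosts\0--local-service\0--bind-dynamic\0"
LEGACY = b"dnsmasq --no-hosts --bind-interfaces --interface=tap0"
SHADOWED = b"dnsmasq\0--local-service\0--interface=tap0\0"

if __name__ == "__main__":
    for name, raw in (("hardened", HARDENED), ("legacy", LEGACY),
                      ("shadowed", SHADOWED)):
        for src in ("203.0.113.25", "198.51.100.7"):
            print(name, src, query_verdict(parse_cmdline(raw), SUBNETS, src))
```

The "shadowed" case is the one to watch for in an audit: the flag is present but another option disables it, so an off-subnet source is still answered.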