We are happy to announce the release of:

neutron 11.0.7: OpenStack Networking

This release is part of the pike stable release series.

The source is available from:

    https://git.openstack.org/cgit/openstack/neutron

Download the package from:

    https://tarballs.openstack.org/neutron/

Please report issues through:

    https://bugs.launchpad.net/neutron/+bugs

For more details, please see below.

11.0.7
^^^^^^

Critical Issues
***************

* The neutron-openvswitch-agent can sometimes spend too much time
  handling a large number of ports, exceeding its timeout value,
  "agent_boot_time", for L2 population. Because of this, some flow
  update operations will not be triggered, resulting in lost flows
  during agent restart, especially for host-to-host vxlan tunnel
  flows, causing the original tunnel flows to be treated as stale due
  to the different cookie IDs. The agent's first RPC loop will also do
  a stale flow clean-up procedure and delete them, leading to a loss
  of connectivity. Please ensure that all neutron-server and
  neutron-openvswitch-agent binaries are upgraded for the changes to
  take effect, after which the L2 population "agent_boot_time" config
  option will no longer be used.

Bug Fixes
*********

* Fixes bug 1501206
  (https://bugs.launchpad.net/neutron/+bug/1501206). This ensures that
  DHCP agent instances running dnsmasq as a DNS server can no longer
  be exploited as DNS amplifiers when the tenant network is using
  publicly routed IP addresses by adding an option that will allow
  them to only serve DNS requests from local networks.

* Fixes an issue causing IP allocation on port update to fail when the
  initial IP allocation was deferred due to lack of binding info. If
  both the port mac_address and binding info (binding_host_id) were
  updated in the same request, the fixed_ips field was added to the
  request internally. The code to complete the deferred allocation
  failed to execute in that case.
  (For more information see bug 1811905
  (https://bugs.launchpad.net/neutron/+bug/1811905).)

* The neutron-openvswitch-agent was changed to notify the
  neutron-server in its first RPC loop that it has restarted. This
  signals neutron-server to provide updated L2 population information
  to correctly program FDB entries, ensuring connectivity to instances
  is not interrupted. This fixes the following bugs:
  1794991 (https://bugs.launchpad.net/neutron/+bug/1794991),
  1799178 (https://bugs.launchpad.net/neutron/+bug/1799178),
  1813703 (https://bugs.launchpad.net/neutron/+bug/1813703),
  1813714 (https://bugs.launchpad.net/neutron/+bug/1813714),
  1813715 (https://bugs.launchpad.net/neutron/+bug/1813715).

Other Notes
***********

* The metering agent iptables driver can now load its interface driver
  by using a stevedore alias in the "metering_agent.ini" file. For
  example, "interface_driver = openvswitch" instead of
  "interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver"

Changes in neutron 11.0.6..11.0.7
---------------------------------

36a1e193cb Don't pass None arg to neutron-keepalived-state-change
8865466e9f OVS agent: always send start flag during initial sync
4651fac9cb Specify tenant_id in TestRevisionPlugin objects
ff0a444526 Fix QoS rule update
672a4328a9 Add rootwrap filters to kill state change monitor
e6ec35f679 Fix port update deferred IP allocation with host_id + new MAC
51a7666533 Divide-and-conquer security group beasts
a6c3d3ae3c Try to enable dnsmasq process several times
6191355da6 [OVS] Exception message when retrieving bridge-id and is not present
ad1d4358ec [Functional tests] Change way how conntrack entries are checked
1c72d30d2d Change duplicate OVS bridge datapath-ids
125fc48111 Remove conntrack rule when FIP is deleted
62fe7852bb More accurate agent restart state transfer
fb84771d13 Divide-and-conquer local bridge flows beasts
a9bc8ab1e1 Fix KeyError in OVS firewall
6345337681 Check if process' cmdline is "space separarated"
9274bb5e4c Replace openstack.org git:// URLs with https://
93cd1921f1 ovs: survive errors from check_ovs_status
876e1d7969 ovs: raise RuntimeError in _get_dp if id is None
e2f93a2703 [Functional] Don't assert that HA router don't have IPs configured
6b41b07dc3 ovsfw: Update SG rules even if OVSFW Port is not found
bfdd867580 Improve invalid port ranges error message
6c9a282bcd Enable ipv6_forwarding in HA router's namespace
91c26f5658 Set initial ha router state in neutron-keepalived-state-change
9961fa068b Do not release DHCP lease when no client ID is set on port
e53afe831a When converting sg rules to iptables, do not emit dport if not supported
5aa1c315fc Spawn metadata proxy on dvr ha standby routers
a906ace3ef DVR edge router: avoid accidental centralized floating IP remove
6d375dcced ovsfw: Don't create rules if updated port doesn't exist
8b255a648c Add new test decorator skip_if_timeout
3af8e2719c Fix notification about arp entries for dvr routers
6098f54722 Add lock_path in installation guide
10c981512a Fix update of ports cache in router_info class
d218a8abb2 Ensure dnsmasq is down before enabling it in restart method
b2418bc248 Block port update from unbound DHCP agent
f9cbd939b9 Fix performance regression adding rules to security groups
399f1c1b65 Always fill UDP checksums in DHCPv6 replies
72d9c3ccb3 Secure dnsmasq process against external abuse
edd8ad31d7 Check port VNIC type when associating a floating IP
4f5c5ab433 Enable 'all' IPv6 forwarding knob correctly
c5a1214ca6 protect DHCP agent cache out of sync
c86473d1a6 Add kill_timeout to AsyncProcess
9b399af547 Fullstack: init trunk agent's driver only when necessary
dab82d56c4 Don't modify global variables in unit tests
329de01d09 Do state report after setting start_flag on OVS restart
d36cb19813 Do not delete trunk bridges if service port attached
cc7e3e92fe Fix the bug about DHCP port whose network has multiple subnets.
fccc786fd5 Force all fdb entries update after ovs-vswitchd restart
6e3102b095 Get centralized FIP only on router's snat host
a2b6f4af6b DevStack: OVS: Only install kernel-* packages when needed
888cbc2970 Include all rootwrap filters when building wheels
f7f09c79e5 DVR: Centralized FloatingIPs are not cleared after migration.
c08f99c7e0 Fix connection between 2 dvr routers
a4fe8a03ae Wait to ipv6 forwarding be really changed by L3 agent
c757992da1 Add missing step for ovs deploy guides
cb2b2d20e6 iptables-restore wait period cannot be zero
b527af20bb Use system protocol assigments for iptables protocol map
7dad724b0d Install centralized floating IP nat rules to all ha nodes
663d6486a3 Add capabilities for privsep
16c2d64bdc Add permanent ARP entries for DVR fip/qrouter veth pair
2fba9f42b9 Allow Ipv6 addresses for nova_metadata_host
d0931c4e55 dhcp: serializing port delete and network rpc calls
aa4cbc9cde Drop strict-order flag from dnsmasq invocation
a54a7235a5 Fix iptables metering driver entrypoint
dc13609435 Update metering driver to load interface driver

Diffstat (except docs and test files)
-------------------------------------

devstack/lib/ovs | 12 +-
.../install/controller-install-option1-obs.rst | 12 +
.../install/controller-install-option1-ubuntu.rst | 12 +
.../install/controller-install-option2-obs.rst | 12 +
.../install/controller-install-option2-ubuntu.rst | 12 +
etc/neutron/rootwrap.d/l3.filters | 13 +-
neutron/agent/common/ovs_lib.py | 22 +-
neutron/agent/dhcp/agent.py | 123 ++++++---
neutron/agent/l3/agent.py | 65 ++++-
neutron/agent/l3/dvr_edge_ha_router.py | 7 +-
neutron/agent/l3/dvr_edge_router.py | 39 ++-
neutron/agent/l3/dvr_fip_ns.py | 7 +
neutron/agent/l3/dvr_local_router.py | 50 +++-
neutron/agent/l3/ha.py | 37 ++-
neutron/agent/l3/ha_router.py | 11 +-
neutron/agent/l3/keepalived_state_change.py | 22 ++
neutron/agent/l3/router_info.py | 53 ++--
neutron/agent/l3/router_processing_queue.py | 17 +-
neutron/agent/linux/async_process.py | 34 ++-
neutron/agent/linux/dhcp.py | 60 +++--
neutron/agent/linux/ip_lib.py | 6 +
neutron/agent/linux/iptables_firewall.py | 66 ++++-
neutron/agent/linux/iptables_manager.py | 2 +-
.../agent/linux/openvswitch_firewall/exceptions.py | 4 +
.../agent/linux/openvswitch_firewall/firewall.py | 49 ++--
neutron/agent/linux/openvswitch_firewall/rules.py | 16 +-
neutron/agent/linux/utils.py | 15 +-
neutron/agent/metadata/agent.py | 7 +-
neutron/agent/rpc.py | 5 +-
neutron/agent/securitygroups_rpc.py | 16 +-
.../api/rpc/agentnotifiers/dhcp_rpc_agent_api.py | 7 +-
neutron/api/rpc/handlers/dhcp_rpc.py | 13 +-
neutron/cmd/sanity/checks.py | 15 ++
neutron/cmd/sanity_check.py | 15 ++
neutron/common/constants.py | 15 ++
neutron/common/ipv6_utils.py | 12 +
neutron/db/ipam_pluggable_backend.py | 10 +-
neutron/db/l3_db.py | 25 ++
neutron/db/l3_dvr_db.py | 127 ++++++++-
neutron/db/l3_dvr_ha_scheduler_db.py | 9 +-
neutron/db/l3_dvrscheduler_db.py | 170 +++++++++---
neutron/db/securitygroups_db.py | 147 +++++------
neutron/extensions/securitygroup.py | 5 +-
neutron/objects/base.py | 2 +-
neutron/plugins/ml2/drivers/l2pop/mech_driver.py | 9 +-
.../drivers/openvswitch/agent/common/constants.py | 33 +++
.../openvswitch/agent/openflow/native/br_int.py | 2 +
.../openvswitch/agent/openflow/native/br_phys.py | 1 +
.../openvswitch/agent/openflow/native/br_tun.py | 1 +
.../openvswitch/agent/openflow/native/ofswitch.py | 15 +-
.../agent/openflow/native/ovs_bridge.py | 8 +-
.../drivers/openvswitch/agent/ovs_neutron_agent.py | 74 +++++-
neutron/plugins/ml2/rpc.py | 12 +-
neutron/privileged/__init__.py | 5 +-
.../metering/drivers/iptables/iptables_driver.py | 9 +-
neutron/services/qos/qos_plugin.py | 3 +-
.../drivers/openvswitch/agent/ovsdb_handler.py | 14 +
.../agent/l3/test_keepalived_state_change.py | 30 ++-
.../functional/agent/linux/test_netlink_lib.py | 8 +-
.../l3_router/test_l3_dvr_router_plugin.py | 14 +-
.../openvswitch/agent/test_ovsdb_handler.py | 8 +
.../linux/openvswitch_firewall/test_firewall.py | 21 +-
.../agent/linux/openvswitch_firewall/test_rules.py | 13 +-
.../unit/agent/linux/test_iptables_firewall.py | 30 +++
.../plugins/ml2/drivers/l2pop/test_mech_driver.py | 23 +-
.../agent/openflow/native/test_ovs_bridge.py | 5 +
.../openvswitch/agent/test_ovs_neutron_agent.py | 60 ++++-
.../drivers/openvswitch/agent/test_ovs_tunnel.py | 13 +-
.../unit/scheduler/test_l3_agent_scheduler.py | 46 +++-
.../services/revisions/test_revision_plugin.py | 1 +
.../openvswitch/agent/test_ovsdb_handler.py | 4 +-
playbooks/legacy/neutron-fullstack/run.yaml | 2 +-
playbooks/legacy/neutron-functional/run.yaml | 2 +-
.../legacy/neutron-grenade-dvr-multinode/run.yaml | 2 +-
.../legacy/neutron-grenade-multinode/run.yaml | 2 +-
playbooks/legacy/neutron-grenade/run.yaml | 2 +-
playbooks/legacy/neutron-rally-neutron/run.yaml | 24 +-
.../neutron-tempest-dvr-ha-multinode-full/run.yaml | 2 +-
playbooks/legacy/neutron-tempest-dvr/run.yaml | 2 +-
.../legacy/neutron-tempest-linuxbridge/run.yaml | 2 +-
.../legacy/neutron-tempest-multinode-full/run.yaml | 2 +-
playbooks/legacy/neutron-tempest-ovsfw/run.yaml | 2 +-
.../dnsmasq-local-service-c8eaa91894a7d6d4.yaml | 8 +
...e-request-as-binding-data-2a01c1ed1a8eff66.yaml | 10 +
...ver-load-interface-driver-ca397f1db40ec643.yaml | 7 +
...cise-agent-state-transfer-67c771cb1ee04dd0.yaml | 27 ++
setup.cfg | 14 +-
118 files changed, 2655 insertions(+), 642 deletions(-)