Zed Series Release Notes

18.0.0.0b1-383

Prelude

Historically, Open vSwitch (OVS) could not interact directly with iptables to implement security groups. Thus, the OVS agent and Compute service use a Linux bridge between each instance (VM) and the OVS integration bridge br-int to implement security groups. Now the OVS agent includes an optional firewall driver that natively implements security groups as flows in OVS rather than the Linux bridge device and iptables. This increases scalability and performance.

New Features

  • Support for the networking-baremetal mechanism driver and agent has been implemented. The ironic-neutron-agent is a neutron agent that populates the host to physical network mapping for baremetal nodes in neutron. Neutron uses this to calculate the segment to host mapping information. This feature may be enabled by adding ml2.baremetal to the neutron_plugin_types list in /etc/openstack_deploy/user_variables.yml.

  • Support for the networking-generic-switch mechanism driver has been implemented. This allows Ironic to interface with Neutron when the neutron network interface has been configured. This feature may be enabled by adding ml2.genericswitch to the neutron_plugin_types list in /etc/openstack_deploy/user_variables.yml.

  • The provider_networks library has been updated to support the definition of bond member interfaces that can automatically be added as bond ports to OVS provider bridges setup during a deployment. This feature is currently limited to DPDK-based deployments. To activate this feature, add the network_bond_interfaces key to the respective provider network definition in openstack_user_config.yml. For more information, refer to the latest Open vSwitch w/ DPDK deployment guide.

  • The Neutron Service Function Chaining Extension (SFC) can optionally be deployed and configured by defining the following service plugins:

    • flow_classifier

    • sfc

    neutron_plugin_base:
    - router
    - metering
    - flow_classifier
    - sfc
    

    For more information about SFC in Neutron, refer to the following:

  • The provider_networks library has been updated to support the definition of network interfaces that can automatically be added as ports to OVS provider bridges setup during a deployment. To activate this feature, add the network_interface key to the respective flat and/or vlan provider network definition in openstack_user_config.yml. For more information, refer to the latest Open vSwitch deployment guide.

  • The service setup in keystone for neutron will now be executed through delegation to the neutron_service_setup_host which, by default, is localhost (the deploy host). Deployers can instead change this to the utility container by implementing the following override in user_variables.yml.

    neutron_service_setup_host: "{{ groups['utility_all'][0] }}"
    
  • Neutron VPN as a Service (VPNaaS) with customized configuration files can now be defined with the variable neutron_vpnaas_custom_config. Deployers should define neutron_vpnaas_custom_config in user_variables.yml. Example:

    neutron_vpnaas_custom_config:
      - src: "/etc/openstack_deploy/strongswan/strongswan.conf.template"
        dest: "{{ neutron_conf_dir }}/strongswan.conf.template"
      - src: "/etc/openstack_deploy/strongswan/strongswan.d"
        dest: "/etc/strongswan.d"
      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.conf.template"
        dest: "{{ neutron_conf_dir }}/ipsec.conf.template"
      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.secret.template"
        dest: "{{ neutron_conf_dir }}/ipsec.secret.template"
    

    Deployers should also define neutron_l3_agent_ini_overrides in user_variables.yml so that the L3 agent uses the new configuration files. Example:

    neutron_l3_agent_ini_overrides:
      ipsec:
        enable_detailed_logging: True
      strongswan:
        strongswan_config_template: "{{ neutron_conf_dir }}/strongswan.conf.template"
      openswan:
        ipsec_config_template: "{{ neutron_conf_dir }}/ipsec.conf.template"
    
  • The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the neutron_install_method variable to distro.

  • Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in neutron.

  • You can override the default iptables_hybrid firewall driver for Open vSwitch by setting neutron_firewall_driver: openvswitch

  • OVN is now protected via SSL. You can disable it via neutron_ovn_ssl. Switching an existing deployment from non-SSL to SSL is not supported.

Upgrade Notes

  • Adds the subnet_dns_publish_fixed_ip option extension in ml2 plugin. The subnet-dns-publish-fixed-ip extension adds a new attribute to the definition of the subnet resource. When set to true it will allow publishing DNS records for fixed IPs.

  • The neutron_db_pool_size variable was previously deprecated and is now removed. A replacement variable was introduced in the Xena release.

  • The plugin names for the classifier and sfc changed:

    • networking_sfc.services.flowclassifier.plugin.FlowClassifierPlugin => flow_classifier

    • networking_sfc.services.sfc.plugin.SfcPlugin => sfc

  • The provider_networks library has been updated to support the definition of network interfaces that can automatically be added as ports to OVS provider bridges setup during a deployment. As a result, the network_interface value applied to the neutron_provider_networks override in user_variables.yml, as described in previous Open vSwitch deployment guides, is no longer effective. If overrides are necessary, use network_interface_mappings within the provider network override and specify the respective bridge-to-interface mapping (e.g. “br-provider:bond1”). For more information, refer to the latest Open vSwitch deployment guide.

  • Introduce this feature on empty compute nodes first, and migrate VMs over once the agents have been restarted.

  • OVN is now configured with SSL enabled by default; upgrading an existing OVN deployment is not tested. When upgrading it might be wise to set neutron_ovn_ssl to false and manage the SSL configuration at a later stage.

Deprecation Notes

  • For consistency reasons, neutron_db_pool_size was deprecated in favor of neutron_db_max_pool_size which is in a standardized format used in other repositories. However, it will be supported until Yoga release.

  • Dragonflow is no longer maintained as an OpenStack project and has therefore been removed from OpenStack-Ansible as a supported ML2 driver for neutron.

  • The custom PowerVM code has been removed as it is not tested. The code in question can be replaced with the following setting:

    neutron_firewall_driver: openvswitch

  • Support for the legacy neutron L3 tool has been dropped. Deployers are encouraged to use the built-in l3-agent options for configuring HA.

  • The deprecated Neutron LBaaS v2 plugin has been removed from the Neutron role.

  • The variable neutron_requires_pip_packages is no longer required and has therefore been removed.

  • The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment.

    • neutron_oslomsg_rpc_servers replaces neutron_rabbitmq_servers

    • neutron_oslomsg_rpc_port replaces neutron_rabbitmq_port

    • neutron_oslomsg_rpc_use_ssl replaces neutron_rabbitmq_use_ssl

    • neutron_oslomsg_rpc_userid replaces neutron_rabbitmq_userid

    • neutron_oslomsg_rpc_vhost replaces neutron_rabbitmq_vhost

    • neutron_oslomsg_notify_servers replaces neutron_rabbitmq_telemetry_servers

    • neutron_oslomsg_notify_port replaces neutron_rabbitmq_telemetry_port

    • neutron_oslomsg_notify_use_ssl replaces neutron_rabbitmq_telemetry_use_ssl

    • neutron_oslomsg_notify_userid replaces neutron_rabbitmq_telemetry_userid

    • neutron_oslomsg_notify_vhost replaces neutron_rabbitmq_telemetry_vhost

  • Support for an Open vSwitch dataplane with NSH support using the ovs_nsh_support variable has been immediately deprecated and removed due to built-in support for NSH in recent Open vSwitch releases. The prior PPA provided a custom release of OVS 2.9, which is no longer appropriate for recent releases of OSA and the respective operating systems.

Critical Issues

  • This feature requires kernel and user space support for conntrack, thus requiring minimum versions of the Linux kernel and Open vSwitch. All cases require Open vSwitch version 2.5 or newer. Kernel version 4.3 or newer includes conntrack support. Kernel versions 3.3 or newer but older than 4.3 do not include conntrack support and require building the OVS modules.
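    The version requirements above are easy to get wrong on a mixed fleet, so the following pre-flight checker, added here as an example and not part of the os_neutron role, classifies a host as supported, needing the OVS kernel modules built, or unsupported, from its kernel release string and the output of ovs-vsctl --version. The sample hosts in the main block are constructed; the optional local-host check simply reports Open vSwitch as absent when ovs-vsctl is not installed.

```python
import platform
import re
import subprocess

# Minimum versions as stated in the release note. This checker is an added
# example and is not part of the os_neutron role.
MIN_OVS = (2, 5)               # every case needs Open vSwitch >= 2.5
MIN_KERNEL_NATIVE = (4, 3)     # kernel >= 4.3 ships conntrack support
MIN_KERNEL_BUILDABLE = (3, 3)  # 3.3 <= kernel < 4.3: build the OVS modules

SUPPORTED = "supported"
BUILD_MODULES = "build-ovs-modules"
UNSUPPORTED = "unsupported"


def parse_version(text):
    """Return the first dotted numeric version in ``text`` as a tuple of ints.

    Works on raw kernel releases ('4.15.0-112-generic') as well as on the
    output of ``ovs-vsctl --version`` ('ovs-vsctl (Open vSwitch) 2.9.2').
    """
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if match is None:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def conntrack_support(kernel_release, ovs_version):
    """Classify a host against the kernel/OVS requirements of the OVS firewall driver.

    Returns (status, reason) where status is SUPPORTED, BUILD_MODULES or UNSUPPORTED.
    Only major.minor is compared, which is all the requirement specifies.
    """
    kernel = parse_version(kernel_release)[:2]
    ovs = parse_version(ovs_version)[:2]
    if ovs < MIN_OVS:
        return UNSUPPORTED, f"Open vSwitch {ovs[0]}.{ovs[1]} is older than 2.5"
    if kernel >= MIN_KERNEL_NATIVE:
        return SUPPORTED, f"kernel {kernel[0]}.{kernel[1]} includes conntrack support"
    if kernel >= MIN_KERNEL_BUILDABLE:
        return BUILD_MODULES, f"kernel {kernel[0]}.{kernel[1]} lacks conntrack; build the OVS kernel modules"
    return UNSUPPORTED, f"kernel {kernel[0]}.{kernel[1]} is older than 3.3"


def check_local_host():
    """Run the classification against the local kernel and ovs-vsctl, if present."""
    kernel_release = platform.release()
    try:
        ovs_out = subprocess.run(["ovs-vsctl", "--version"], capture_output=True,
                                 text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return UNSUPPORTED, "ovs-vsctl not found; Open vSwitch is not installed"
    return conntrack_support(kernel_release, ovs_out)


if __name__ == "__main__":
    # Constructed sample hosts covering the three outcomes, then the local host.
    samples = [
        ("4.15.0-112-generic", "ovs-vsctl (Open vSwitch) 2.9.2"),
        ("3.13.0-170-generic", "ovs-vsctl (Open vSwitch) 2.5.0"),
        ("4.15.0-112-generic", "ovs-vsctl (Open vSwitch) 2.4.1"),
    ]
    for kernel, ovs in samples:
        print(kernel, "/", ovs, "->", conntrack_support(kernel, ovs))
    print("local host ->", check_local_host())
```

Run it on each compute host before setting neutron_firewall_driver to openvswitch; a host reported as build-ovs-modules will otherwise start the agent with the native driver and silently fail to enforce security group state tracking.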

Bug Fixes

  • Fixes neutron HA routers, by enabling neutron-l3-agent to invoke the required helper script.

  • Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.

  • When defining provider networks, vlan ranges are no longer required. When a vlan range is not specified, the provider label net_name will still be set in network_vlan_ranges, but automatic VLAN allocation will not be available.

    Implementation Example:

    host_bind_override: "bond1"
    type: "vlan"
    net_name: "physnet1"
    group_binds:
    - neutron_linuxbridge_agent
    
  • The RyuBgpDriver is no longer available and replaced by the OsKenBgpDriver of the neutron_dynamic_routing project.

  • Fixed an issue where neutron-metadata-agent and neutron-dhcp-agent were started on network_hosts for the OVN scenario along with neutron-ovn-metadata-agent. These services will be disabled and masked for existing environments. Manual clean-up of the systemd services and the corresponding neutron agents is still needed. New deployments won’t have these services deployed from the beginning.

Other Notes

  • Gate jobs for OpenDaylight, SFC, and OVS w/ NSH have been removed in preparation for deprecation of those deployment scenarios and related code.

18.0.0.0b1

New Features

  • Enable the networking-bgpvpn ML2 neutron driver so that the OpenDaylight SDN Controller supports BGPVPN for external network connectivity. You can set the neutron_plugin_type to ml2.opendaylight and neutron_plugin_base to odl-router_v2 and bgpvpn to enable BGPVPN on OpenDaylight.

17.0.0.0rc1

Bug Fixes

  • SELinux policy for neutron on CentOS 7 is now provided to fix SELinux AVCs that occur when neutron’s agents attempt to start daemons such as haproxy and dnsmasq.

17.0.0.0b3

New Features

  • An option has been added allowing the user to define the user_group LBaaSv2 uses. The new option is neutron_lbaasv2_user_group and is set within the OS specific value by default.

Upgrade Notes

  • Default quotas were bumped for the following resources: networks (from 10 to 100), subnets (from 10 to 100), ports (from 50 to 500) to match upstream defaults.

17.0.0.0b2

New Features

  • Open vSwitch dataplane with NSH support has been implemented. This feature may be activated by setting ovs_nsh_support: True in /etc/openstack_deploy/user_variables.yml.

17.0.0.0b1

New Features

  • FWaaS V2 has been added to neutron. To enable this service simply add “firewall_v2” to the “neutron_plugin_base” list.

  • The OpenDaylight SDN Controller can be deployed as a neutron ML2 backend. You can set the neutron_plugin_type to ml2.opendaylight to utilize this code path. The usage of OpenDaylight is currently experimental. Two versions are currently supported - Nitrogen and Oxygen.

16.0.0.0b3

Deprecation Notes

  • Remove neutron_rpc_backend option due to deprecation of rpc_backend option in oslo.messaging.

16.0.0.0b2

New Features

  • New variables have been added to allow a deployer to customize a neutron systemd unit file to their liking.

  • The task dropping the neutron systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_neutron role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the neutron_*_init_config_overrides variables which use the config_template task to change template defaults.

Upgrade Notes

  • For the os_neutron role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the neutron_*_init_config_overrides variables which use the config_template task to change template defaults.

Deprecation Notes

  • The plumgrid network provider has been removed. This is being dropped without a full deprecation cycle because the company, plumgrid, no longer exists.

16.0.0.0b1

New Features

  • The number of worker threads for neutron will now be capped at 16 unless a specific value is specified. Previously, the calculated number of workers could get too high on systems with a large number of processors. This was particularly evident on POWER systems.

  • The default values of the variables neutron_api_workers, neutron_num_sync_threads and neutron_metadata_workers are now capped at 16 when the user doesn’t configure these variables. The default value is half the number of vCPUs available on the machine, capped at 16.

  • The dragonflow plugin for neutron is now available. You can set the neutron_plugin_type to ml2.dragonflow to utilize this code path. The dragonflow code path is currently experimental.

Upgrade Notes

  • The variable neutron_dhcp_domain has been renamed to neutron_dns_domain.

Deprecation Notes

  • The neutron_keystone_auth_plugin variable has been deprecated. neutron_keystone_auth_type should be used instead to configure authentication type.

15.0.0.0rc1

New Features

  • Neutron SR-IOV can now be optionally deployed and configured. For details about what the service is and what it provides, see the SR-IOV Installation Guide.

15.0.0.0b3

New Features

  • The filename of the apt source for the ubuntu cloud archive can now be defined with the variable uca_apt_source_list_filename.

15.0.0.0b1

New Features

  • CentOS7/RHEL support has been added to the os_neutron role.

Upgrade Notes

  • The variables neutron_requirements_git_repo and neutron_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

14.0.0.0b3

New Features

  • The Project Calico Neutron networking plugin is now integrated into the os_neutron role. This can be activated using the instructions located in the role documentation.

  • The os_neutron role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting neutron_package_state to present.

  • A new variable is supported in the neutron_services dictionary called service_conf_path. This variable enables services to deploy their config templates to paths outside of /etc/neutron by specifying a directory using the new variable.

Upgrade Notes

  • Database migration tasks have been added for the dynamic routing neutron plugin.

  • The variable neutron_apt_packages has been renamed to neutron_distro_packages.

  • The variable neutron_lbaas_apt_packages has been renamed to neutron_lbaas_distro_packages.

  • The variable neutron_vpnaas_apt_packages has been renamed to neutron_vpnaas_distro_packages.

  • The variable neutron_apt_remove_packages has been renamed to neutron_remove_distro_packages.

  • The os_neutron role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option neutron_package_state should be set to present.

14.0.0.0b2

New Features

  • The os_neutron role now determines the default configuration for openvswitch-agent tunnel_types and the presence or absence of local_ip configuration based on the value of neutron_ml2_drivers_type. Deployers may directly control this configuration by overriding the neutron_tunnel_types variable.

  • The os_neutron role now configures neutron ml2 to load the l2_population mechanism driver by default based on the value of neutron_l2_population. Deployers may directly control the neutron ml2 mechanism drivers list by overriding the mechanisms variable in the neutron_plugins dictionary.

  • The LBaaSv2 service provider configuration can now be adjusted with the neutron_lbaasv2_service_provider variable. This allows a deployer to choose to deploy LBaaSv2 with Octavia in a future version.

  • The os_neutron role will now default to the OVS firewall driver when neutron_plugin_type is ml2.ovs and the host is running Ubuntu 16.04 on PowerVM. To override this default behavior, deployers should define neutron_ml2_conf_ini_overrides and neutron_openvswitch_agent_ini_overrides in user_variables.yml. Example below:

    neutron_ml2_conf_ini_overrides:
      securitygroup:
        firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    neutron_openvswitch_agent_ini_overrides:
      securitygroup:
        firewall_driver: iptables_hybrid
    
  • Support for Neutron distributed virtual routing has been added to the os_neutron role. This includes the implementation of Networking Guide’s suggested agent configuration. This feature may be activated by setting neutron_plugin_type: ml2.ovs.dvr in /etc/openstack_deploy/user_variables.yml.

  • The LBaaSv2 device driver is now set by the Ansible variable neutron_lbaasv2_device_driver. The default is set to use the HaproxyNSDriver, which allows for agent-based load balancers.

Upgrade Notes

  • The variable neutron_agent_mode has been removed from the os_neutron role. The appropriate value for l3_agent.ini is now determined based on the neutron_plugin_type and host group membership.

  • Installation of neutron and its dependent pip packages will now only occur within a Python virtual environment. The neutron_venv_enabled, neutron_venv_bin, neutron_non_venv_lib_dir and neutron_venv_lib_dir variables have been removed.

  • LBaaSv1 has been removed from the neutron-lbaas project in the Newton release and it has been removed from OpenStack-Ansible as well.

  • The Neutron HA tool written by AT&T is no longer enabled by default. This tool was providing HA capabilities for networks and routers that were not using the native Neutron L3HA. Because native Neutron L3HA is stable, compatible with the Linux Bridge Agent, and is a better means of enabling HA within a deployment this tool is no longer being setup by default. If legacy L3HA is needed within a deployment the deployer can set neutron_legacy_ha_tool_enabled to true to enable the legacy tooling.

  • Neutron now makes use of Ubuntu Cloud Archive by default. This can be disabled by setting neutron_uca_enable to False.

Deprecation Notes

  • The Neutron HA tool written by AT&T has been deprecated and will be removed in the Ocata release.

Bug Fixes

  • When upgrading it is possible for an old neutron-ns-metadata-proxy process to remain running in memory. If this happens the old version of the process can cause unexpected issues in a production environment. To fix this a task has been added to the os_neutron role that will execute a process lookup and kill any neutron-ns-metadata-proxy processes that are not running the current release tag. Once the old processes are removed the metadata agent running will respawn everything needed within 60 seconds.
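    The stale-process check described in the fix above can be reproduced outside the role for auditing. The following script is an added example, not the os_neutron task itself: it parses ps -eo pid,args output, identifies every neutron-ns-metadata-proxy process, extracts the release tag from the venv path of its interpreter and reports those whose tag differs from the current release. The ps sample is constructed, and the /openstack/venvs/neutron-<tag>/ path layout is an assumption made for the example.

```python
import re
import subprocess

# Constructed `ps -eo pid,args` output. The /openstack/venvs/neutron-<tag>/
# layout is an assumption for this example, not taken from the release note.
SAMPLE_PS = """\
  PID COMMAND
 1201 /openstack/venvs/neutron-14.0.0/bin/python /openstack/venvs/neutron-14.0.0/bin/neutron-ns-metadata-proxy --metadata_proxy_socket=/var/lib/neutron/metadata_proxy --router_id=r1
 1340 /openstack/venvs/neutron-13.3.0/bin/python /openstack/venvs/neutron-13.3.0/bin/neutron-ns-metadata-proxy --metadata_proxy_socket=/var/lib/neutron/metadata_proxy --network_id=n1
 1512 /openstack/venvs/neutron-14.0.0/bin/python /openstack/venvs/neutron-14.0.0/bin/neutron-dhcp-agent
 1600 grep neutron-ns-metadata-proxy
"""

# pid, then an interpreter path carrying the venv tag, then the proxy binary.
# The trailing (?:\s|$) keeps e.g. a hypothetical neutron-ns-metadata-proxy-foo
# from matching, and the grep line has no venv path so it is skipped.
PROXY_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+\S*/neutron-(?P<tag>[^/\s]+)/bin/python\S*\s+"
    r"\S*/neutron-ns-metadata-proxy(?:\s|$)"
)


def find_metadata_proxies(ps_output):
    """Return (pid, venv_tag) for every neutron-ns-metadata-proxy in ps output."""
    found = []
    for line in ps_output.splitlines():
        match = PROXY_RE.match(line)
        if match:
            found.append((int(match.group("pid")), match.group("tag")))
    return found


def find_stale_proxies(ps_output, current_tag):
    """Return the proxies whose venv tag is not the current release tag."""
    return [(pid, tag) for pid, tag in find_metadata_proxies(ps_output)
            if tag != current_tag]


def stale_on_local_host(current_tag):
    """Run the check against the live process table of this host."""
    ps_out = subprocess.run(["ps", "-eo", "pid,args"], capture_output=True,
                            text=True, check=True).stdout
    return find_stale_proxies(ps_out, current_tag)


if __name__ == "__main__":
    for pid, tag in find_stale_proxies(SAMPLE_PS, "14.0.0"):
        print(f"stale neutron-ns-metadata-proxy pid={pid} venv tag={tag}")
```

The script only reports; terminating the listed PIDs is left to the role's task or to the operator, and after a kill the metadata agent respawns the proxies as the note describes.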

14.0.0.0b1

New Features

  • Whether the Neutron DHCP Agent, Metadata Agent or LinuxBridge Agent should be enabled is now dynamically determined based on the neutron_plugin_type and the neutron_ml2_mechanism_drivers that are set. This aims to simplify the configuration of Neutron services and eliminate the need for deployers to override the entire neutron_services dict variable to disable these services.

  • Neutron VPN as a Service (VPNaaS) can now optionally be deployed and configured. Please see the OpenStack Networking Guide for details about what the service is and what it provides. See the VPNaaS Install Guide for implementation details.

  • Open vSwitch driver support has been implemented. This includes the implementation of the appropriate Neutron configuration and package installation. This feature may be activated by setting neutron_plugin_type: ml2.ovs in /etc/openstack_deploy/user_variables.yml.

Upgrade Notes

  • Whether the Neutron DHCP Agent, Metadata Agent or LinuxBridge Agent should be enabled is now dynamically determined based on the neutron_plugin_type and the neutron_ml2_mechanism_drivers that are set. This aims to simplify the configuration of Neutron services and eliminate the need for deployers to override the entire neutron_services dict variable to disable these services.

  • As described in the Mitaka release notes Neutron now correctly calculates for and advertises the MTU to instances. The default DHCP configuration to advertise an MTU to instances has therefore been removed from the variable neutron_dhcp_config.

  • As described in the Mitaka release notes Neutron now correctly calculates for and advertises the MTU to instances. As such the neutron_network_device_mtu variable has been removed and the hard-coded values in the templates for advertise_mtu, path_mtu, and segment_mtu have been removed to allow upstream defaults to operate as intended.

  • The variable neutron_linuxbridge has been removed as it is no longer used.

  • The variable neutron_driver_interface has been removed. The appropriate value for neutron.conf is now determined based on the neutron_plugin_type.

  • The variable neutron_driver_firewall has been removed. The appropriate value for neutron.conf is now determined based on the neutron_plugin_type.

  • The variable neutron_ml2_mechanism_drivers has been removed. The appropriate value for ml2_conf.ini is now determined based on the neutron_plugin_type.

  • The Neutron L3 Agent configuration for the handle_internal_only_routers variable is removed in order to use the Neutron upstream default setting. The current default for handle_internal_only_routers is True, which does allow Neutron L3 router without external networks attached (as discussed per https://bugs.launchpad.net/neutron/+bug/1572390).

  • The database create and user creates have been removed from the os_neutron role. These tasks have been relocated to the playbooks.

13.0.0

New Features

  • Neutron Firewall as a Service (FWaaS) can now optionally be deployed and configured. Please see the FWaaS Configuration Reference for details about what the service is and what it provides. See the FWaaS Install Guide for implementation details.

Upgrade Notes

  • Database migration tasks have been added for the FWaaS neutron plugin.

  • The neutron_plugin_base variable has been modified to use the friendly names. Deployers should change any customisations to this variable to ensure that the customisation makes use of the short names instead of the full class path.

  • Database migration tasks have been added for the LBaaS neutron plugin.

Deprecation Notes

  • The old class path names used within the neutron_plugin_base have been deprecated in favor of the friendly names. Support for the use of the class path plugins will be removed in the OpenStack Newton cycle.

Security Issues

  • When enabled, Neutron Firewall as a Service (FWaaS) provides projects the option to implement perimeter security (filtering at the router), adding to filtering at the instance interfaces which is provided by ‘Security Groups’.