Zed Series Release Notes

18.0.0.0b1-382

Prelude

Historically, Open vSwitch (OVS) could not interact directly with iptables to implement security groups. Thus, the OVS agent and Compute service use a Linux bridge between each instance (VM) and the OVS integration bridge br-int to implement security groups. Now the OVS agent includes an optional firewall driver that natively implements security groups as flows in OVS rather than the Linux bridge device and iptables. This increases scalability and performance.

New Features

  • Support for the networking-baremetal mechanism driver and agent has been implemented. The ironic-neutron-agent is a neutron agent that populates the host to physical network mapping for baremetal nodes in neutron. Neutron uses this to calculate the segment to host mapping information. This feature may be enabled by adding ml2.baremetal to the neutron_plugin_types list in /etc/openstack_deploy/user_variables.yml.

  • Support for the networking-generic-switch mechanism driver has been implemented. This allows Ironic to interface with Neutron when the neutron network interface has been configured. This feature may be enabled by adding ml2.genericswitch to the neutron_plugin_types list in /etc/openstack_deploy/user_variables.yml.

  • The provider_networks library has been updated to support the definition of bond member interfaces that can automatically be added as bond ports to OVS provider bridges setup during a deployment. This feature is currently limited to DPDK-based deployments. To activate this feature, add the network_bond_interfaces key to the respective provider network definition in openstack_user_config.yml. For more information, refer to the latest Open vSwitch w/ DPDK deployment guide.

  • The Neutron Service Function Chaining Extension (SFC) can optionally be deployed and configured by defining the following service plugins:

    • flow_classifier

    • sfc

    neutron_plugin_base:
    - router
    - metering
    - flow_classifier
    - sfc
    

    For more information about SFC in Neutron, refer to the following:

  • The provider_networks library has been updated to support the definition of network interfaces that can automatically be added as ports to OVS provider bridges setup during a deployment. To activate this feature, add the network_interface key to the respective flat and/or vlan provider network definition in openstack_user_config.yml. For more information, refer to the latest Open vSwitch deployment guide.

  • The service setup in keystone for neutron will now be executed through delegation to the neutron_service_setup_host which, by default, is localhost (the deploy host). Deployers can opt to rather change this to the utility container by implementing the following override in user_variables.yml.

    neutron_service_setup_host: "{{ groups['utility_all'][0] }}"
    
  • Neutron VPN as a Service (VPNaaS) with customized configuration files can now be defined with the variable neutron_vpnaas_custom_config. deployers should define neutron_vpnaas_custom_config in ‘user_variables.yml’. Example:

    neutron_vpnaas_custom_config:
      - src: "/etc/openstack_deploy/strongswan/strongswan.conf.template"
        dest: "{{ neutron_conf_dir }}/strongswan.conf.template"
      - src: "/etc/openstack_deploy/strongswan/strongswan.d"
        dest: "/etc/strongswan.d"
      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.conf.template"
        dest: "{{ neutron_conf_dir }}/ipsec.conf.template"
      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.secret.template"
        dest: "{{ neutron_conf_dir }}/ipsec.secret.template"
    

    We should be also define neutron_l3_agent_ini_overrides in ‘user_variables.yml’ to tell l3_agent use the new config file. Example:

    neutron_l3_agent_ini_overrides:
      ipsec:
        enable_detailed_logging: True
      strongswan:
        strongswan_config_template : "{{ neutron_conf_dir }}/strongswan.conf.template"
      openswan:
        ipsec_config_template:  "{{ neutron_conf_dir }}/ipsec.conf.template"
    
  • The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the neutron_install_method variable to distro.

  • Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in neutron.

  • You can override the default iptables_hybrid firewall driver for Open vSwitch by setting neutron_firewall_driver: openvswitch

  • OVN is now protected via SSL. you can disable it via neutron_ovn_ssl. It is not supported to switch from non-ssl to ssl.

Upgrade Notes

  • Adds the subnet_dns_publish_fixed_ip option extension in ml2 plugin. The subnet-dns-publish-fixed-ip extension adds a new attribute to the definition of the subnet resource. When set to true it will allow publishing DNS records for fixed IPs.

  • The neutron_db_pool_size variable was previously deprecated and is now removed. A replacement variable was introduced in the Xena release.

  • The plugin names for the classifier and sfc changed:

    • networking_sfc.services.flowclassifier.plugin.FlowClassifierPlugin => flow_classifier

    • networking_sfc.services.sfc.plugin.SfcPlugin => sfc

  • The provider_networks library has been updated to support the definition of network interfaces that can automatically be added as ports to OVS provider bridges setup during a deployment. As a result, the network_interface value applied to the neutron_provider_networks override in user_variables.yml, as described in previous Open vSwitch deployment guides, is no longer effective. If overrides are necessary, use network_interface_mappings within the provider network override and specify the respective bridge-to-interface mapping (e.g. “br-provider:bond1”). For more information, refer to the latest Open vSwitch deployment guide.

  • Introduce this feature to empty compute nodes, and migrate VMs over once the agents have been restarted.

  • OVN is now configured with SSL enabled by default, upgrading existing ovn deployment is not tested. When upgrading it might be wise to set neutron_ovn_ssl to false and manage the ssl configuration at a later stage.

Deprecation Notes

  • For consistency reasons, neutron_db_pool_size was deprecated in favor of neutron_db_max_pool_size which is in a standardized format used in other repositories. However, it will be supported until Yoga release.

  • Dragonflow is no longer maintained as an OpenStack project and has therefore been removed from OpenStack-Ansible as a supported ML2 driver for neutron.

  • The custom PowerVM code has been removed as it is not tested. The code in question can be replaced with the following setting;

    neutron_firewall_driver: openvswitch

  • Support of the legacy neutron L3 tool has been dropped. Deployers are appreciated to use built-in l3-agent options for configuring HA.

  • The deprecated Neutron LBaaS v2 plugin has been removed from the Neutron role.

  • The variable neutron_requires_pip_packages is no longer required and has therefore been removed.

  • The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment. - neutron_oslomsg_rpc_servers replaces neutron_rabbitmq_servers - neutron_oslomsg_rpc_port replaces neutron_rabbitmq_port - neutron_oslomsg_rpc_use_ssl replaces neutron_rabbitmq_use_ssl - neutron_oslomsg_rpc_userid replaces neutron_rabbitmq_userid - neutron_oslomsg_rpc_vhost replaces neutron_rabbitmq_vhost - neutron_oslomsg_notify_servers replaces neutron_rabbitmq_telemetry_servers - neutron_oslomsg_notify_port replaces neutron_rabbitmq_telemetry_port - neutron_oslomsg_notify_use_ssl replaces neutron_rabbitmq_telemetry_use_ssl - neutron_oslomsg_notify_userid replaces neutron_rabbitmq_telemetry_userid - neutron_oslomsg_notify_vhost replaces neutron_rabbitmq_telemetry_vhost

  • Support for an Open vSwitch dataplate with NSH support using the ovs_nsh_support variable has been immediately deprecated and removed due to built-in support for NSH in recent Open vSwitch releases. The prior PPA provided a custom release of OVS 2.9, which is no longer appropriate for recent releases of OSA and respective operating systems.

Critical Issues

  • This feature requires kernel and user space support for conntrack, thus requiring minimum versions of the Linux kernel and Open vSwitch. All cases require Open vSwitch version 2.5 or newer. Kernel version 4.3 or newer includes conntrack support. Kernel version 3.3, but less than 4.3, does not include conntrack support and requires building the OVS modules.

Bug Fixes

  • Fixes neutron HA routers, by enabling neutron-l3-agent to invoke the required helper script.

  • Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.

  • When defining provider networks, vlan ranges are no longer required. When a vlan range is not specified, the provider label net_name still be set in network_vlan_ranges, but automatic VLAN allocation will not be available.

    Implementation Example:

    host_bind_override: "bond1"
    type: "vlan"
    net_name: "physnet1"
    group_binds:
    - neutron_linuxbridge_agent
    
  • The RyuBgpDriver is no longer available and replaced by the OsKenBgpDriver of the neutron_dynamic_routing project.

  • Fixed issue where neutron-metadata-agent and neutron-dhcp-agent were started on network_hosts for OVN scenario along with neutron-ovn-metadata-agent. These services will be disabled and masked for existing environments. Manual clean-up of systemd services and correpsonsive neutron agents is still needed. New deployments won’t have these services deployed from the beginning.

Other Notes

  • Gate jobs for OpenDaylight, SFC, and OVS w/ NSH have been removed in preparation for deprecation of those deployment scenarios and related code.