Zed Series Release Notes
18.0.0.0b1-382
Prelude
Historically, Open vSwitch (OVS) could not interact directly with iptables to implement security groups. Thus, the OVS agent and Compute service use a Linux bridge between each instance (VM) and the OVS integration bridge br-int to implement security groups. Now the OVS agent includes an optional firewall driver that natively implements security groups as flows in OVS rather than the Linux bridge device and iptables. This increases scalability and performance.
New Features
Support for the networking-baremetal mechanism driver and agent has been implemented. The ironic-neutron-agent is a neutron agent that populates the host to physical network mapping for baremetal nodes in neutron. Neutron uses this to calculate the segment to host mapping information. This feature may be enabled by adding ml2.baremetal to the neutron_plugin_types list in /etc/openstack_deploy/user_variables.yml.
Support for the networking-generic-switch mechanism driver has been implemented. This allows Ironic to interface with Neutron when the neutron network interface has been configured. This feature may be enabled by adding ml2.genericswitch to the neutron_plugin_types list in /etc/openstack_deploy/user_variables.yml.
You can configure options for dnsmasq by adding them to the newly introduced neutron_dhcp_config_list list. This helps to configure, for example, no-negcache to get around https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1974230.
The provider_networks library has been updated to support the definition of bond member interfaces that can automatically be added as bond ports to OVS provider bridges set up during a deployment. This feature is currently limited to DPDK-based deployments. To activate this feature, add the network_bond_interfaces key to the respective provider network definition in openstack_user_config.yml. For more information, refer to the latest Open vSwitch w/ DPDK deployment guide.
The Neutron Service Function Chaining Extension (SFC) can optionally be deployed and configured by defining the following service plugins:
flow_classifier
sfc
    neutron_plugin_base:
      - router
      - metering
      - flow_classifier
      - sfc
For more information about SFC in Neutron, refer to the following:
The provider_networks library has been updated to support the definition of network interfaces that can automatically be added as ports to OVS provider bridges set up during a deployment. To activate this feature, add the network_interface key to the respective flat and/or vlan provider network definition in openstack_user_config.yml. For more information, refer to the latest Open vSwitch deployment guide.
The service setup in keystone for neutron will now be executed through delegation to the neutron_service_setup_host which, by default, is localhost (the deploy host). Deployers can opt to change this to the utility container by implementing the following override in user_variables.yml.

    neutron_service_setup_host: "{{ groups['utility_all'][0] }}"
Neutron VPN as a Service (VPNaaS) with customized configuration files can now be defined with the variable neutron_vpnaas_custom_config. Deployers should define neutron_vpnaas_custom_config in ‘user_variables.yml’. Example:

    neutron_vpnaas_custom_config:
      - src: "/etc/openstack_deploy/strongswan/strongswan.conf.template"
        dest: "{{ neutron_conf_dir }}/strongswan.conf.template"
      - src: "/etc/openstack_deploy/strongswan/strongswan.d"
        dest: "/etc/strongswan.d"
      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.conf.template"
        dest: "{{ neutron_conf_dir }}/ipsec.conf.template"
      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.secret.template"
        dest: "{{ neutron_conf_dir }}/ipsec.secret.template"
Deployers should also define neutron_l3_agent_ini_overrides in ‘user_variables.yml’ to tell l3_agent to use the new config file. Example:

    neutron_l3_agent_ini_overrides:
      ipsec:
        enable_detailed_logging: True
      strongswan:
        strongswan_config_template: "{{ neutron_conf_dir }}/strongswan.conf.template"
      openswan:
        ipsec_config_template: "{{ neutron_conf_dir }}/ipsec.conf.template"
The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the neutron_install_method variable to distro.
Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in neutron.
You can override the default iptables_hybrid firewall driver for Open vSwitch by setting neutron_firewall_driver: openvswitch
OVN is now protected via SSL. You can disable it via neutron_ovn_ssl. Switching from non-SSL to SSL is not supported.
Upgrade Notes
Adds the subnet_dns_publish_fixed_ip option extension in the ml2 plugin. The subnet-dns-publish-fixed-ip extension adds a new attribute to the definition of the subnet resource. When set to true, it will allow publishing DNS records for fixed IPs.
The neutron_db_pool_size variable was previously deprecated and is now removed. A replacement variable was introduced in the Xena release.
The plugin names for the classifier and sfc changed:
networking_sfc.services.flowclassifier.plugin.FlowClassifierPlugin => flow_classifier
networking_sfc.services.sfc.plugin.SfcPlugin => sfc
The provider_networks library has been updated to support the definition of network interfaces that can automatically be added as ports to OVS provider bridges set up during a deployment. As a result, the network_interface value applied to the neutron_provider_networks override in user_variables.yml, as described in previous Open vSwitch deployment guides, is no longer effective. If overrides are necessary, use network_interface_mappings within the provider network override and specify the respective bridge-to-interface mapping (e.g. “br-provider:bond1”). For more information, refer to the latest Open vSwitch deployment guide.
Introduce this feature to empty compute nodes, and migrate VMs over once the agents have been restarted.
OVN is now configured with SSL enabled by default. Upgrading an existing OVN deployment is not tested. When upgrading, it might be wise to set neutron_ovn_ssl to false and manage the SSL configuration at a later stage.
Deprecation Notes
For consistency reasons, neutron_db_pool_size was deprecated in favor of neutron_db_max_pool_size, which is in a standardized format used in other repositories. However, it will be supported until the Yoga release.
Dragonflow is no longer maintained as an OpenStack project and has therefore been removed from OpenStack-Ansible as a supported ML2 driver for neutron.
The custom PowerVM code has been removed as it is not tested. The code in question can be replaced with the following setting:

    neutron_firewall_driver: openvswitch
Support for the legacy neutron L3 tool has been dropped. Deployers are encouraged to use the built-in l3-agent options for configuring HA.
The deprecated Neutron LBaaS v2 plugin has been removed from the Neutron role.
The variable neutron_requires_pip_packages is no longer required and has therefore been removed.
The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment.
- neutron_oslomsg_rpc_servers replaces neutron_rabbitmq_servers
- neutron_oslomsg_rpc_port replaces neutron_rabbitmq_port
- neutron_oslomsg_rpc_use_ssl replaces neutron_rabbitmq_use_ssl
- neutron_oslomsg_rpc_userid replaces neutron_rabbitmq_userid
- neutron_oslomsg_rpc_vhost replaces neutron_rabbitmq_vhost
- neutron_oslomsg_notify_servers replaces neutron_rabbitmq_telemetry_servers
- neutron_oslomsg_notify_port replaces neutron_rabbitmq_telemetry_port
- neutron_oslomsg_notify_use_ssl replaces neutron_rabbitmq_telemetry_use_ssl
- neutron_oslomsg_notify_userid replaces neutron_rabbitmq_telemetry_userid
- neutron_oslomsg_notify_vhost replaces neutron_rabbitmq_telemetry_vhost
Support for an Open vSwitch dataplane with NSH support using the ovs_nsh_support variable has been immediately deprecated and removed due to built-in support for NSH in recent Open vSwitch releases. The prior PPA provided a custom release of OVS 2.9, which is no longer appropriate for recent releases of OSA and respective operating systems.
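A pre-upgrade check for the renames and removals listed in the upgrade and deprecation notes above, as an added example that is not part of the role or of the original release notes: it scans the text of user_variables.yml for top-level overrides that still use an old name, so that a setting such as neutron_rabbitmq_use_ssl is moved to its replacement rather than left behind. The function name, the regex-based key matching and the sample file contents are assumptions made for illustration.

```python
import re

# Old variable -> replacement, taken from the notes above.
# None means the variable was removed without a replacement.
REPLACEMENTS = {
    "neutron_db_pool_size": "neutron_db_max_pool_size",
    "neutron_requires_pip_packages": None,
    "ovs_nsh_support": None,
}
for suffix in ("servers", "port", "use_ssl", "userid", "vhost"):
    REPLACEMENTS[f"neutron_rabbitmq_{suffix}"] = f"neutron_oslomsg_rpc_{suffix}"
    REPLACEMENTS[f"neutron_rabbitmq_telemetry_{suffix}"] = f"neutron_oslomsg_notify_{suffix}"

# Only unindented keys are matched, so comments and nested values are skipped.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:")


def audit_user_variables(text):
    """Return (line_no, old_name, replacement_or_None) for each stale override."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = TOP_LEVEL_KEY.match(line)
        if match and match.group(1) in REPLACEMENTS:
            findings.append((line_no, match.group(1), REPLACEMENTS[match.group(1)]))
    return findings


# Constructed sample of a user_variables.yml written for an older release.
SAMPLE = """\
---
# constructed sample, not taken from a real deployment
neutron_rabbitmq_use_ssl: true
neutron_rabbitmq_telemetry_servers: "172.29.236.10"
neutron_db_pool_size: 20
neutron_oslomsg_rpc_port: 5671
# neutron_rabbitmq_port: 5671
ovs_nsh_support: true
neutron_plugin_types:
  - ml2.ovs
"""

if __name__ == "__main__":
    for line_no, old, new in audit_user_variables(SAMPLE):
        action = f"rename to {new}" if new else "remove (no replacement)"
        print(f"line {line_no}: {old}: {action}")
```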
Critical Issues
This feature requires kernel and user space support for conntrack, thus requiring minimum versions of the Linux kernel and Open vSwitch. All cases require Open vSwitch version 2.5 or newer. Kernel version 4.3 or newer includes conntrack support. Kernel version 3.3 or newer, but older than 4.3, does not include conntrack support and requires building the OVS modules.
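The version requirements above, turned into a host check that can be run before setting neutron_firewall_driver: openvswitch. This is an added example, not code from the role or the original release notes; the function names and result strings are assumptions, the inputs are expected to look like the output of `uname -r` and `ovs-vswitchd --version`, and kernels older than 3.3 are reported as not covered because the notes do not describe them.

```python
import re


def _major_minor(text):
    """First dotted version number in text, e.g. '5.15.0-91-generic' -> (5, 15)."""
    match = re.search(r"(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return int(match.group(1)), int(match.group(2))


def ovs_firewall_readiness(kernel_release, ovs_version):
    """Classify a host against the conntrack requirements in the notes above."""
    kernel = _major_minor(kernel_release)
    ovs = _major_minor(ovs_version)
    if ovs < (2, 5):
        return "unsupported: Open vSwitch older than 2.5"
    if kernel >= (4, 3):
        return "ready"  # kernel ships conntrack support for OVS
    if kernel >= (3, 3):
        return "build-ovs-modules"  # conntrack support only via built OVS modules
    return "not-covered: kernel older than 3.3"


if __name__ == "__main__":
    # Constructed sample hosts.
    hosts = [
        ("5.15.0-91-generic", "ovs-vswitchd (Open vSwitch) 2.17.9"),
        ("3.10.0-1160.el7.x86_64", "ovs-vswitchd (Open vSwitch) 2.5.0"),
        ("4.4.0-210-generic", "ovs-vswitchd (Open vSwitch) 2.4.1"),
    ]
    for kernel_release, ovs_version in hosts:
        print(kernel_release, "->", ovs_firewall_readiness(kernel_release, ovs_version))
```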
Bug Fixes
Fixes neutron HA routers, by enabling neutron-l3-agent to invoke the required helper script.
Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.
When defining provider networks, vlan ranges are no longer required. When a vlan range is not specified, the provider label net_name will still be set in network_vlan_ranges, but automatic VLAN allocation will not be available. Implementation Example:

    host_bind_override: "bond1"
    type: "vlan"
    net_name: "physnet1"
    group_binds:
      - neutron_linuxbridge_agent
The RyuBgpDriver is no longer available and replaced by the OsKenBgpDriver of the neutron_dynamic_routing project.
Fixed an issue where neutron-metadata-agent and neutron-dhcp-agent were started on network_hosts for the OVN scenario along with neutron-ovn-metadata-agent. These services will be disabled and masked for existing environments. Manual clean-up of systemd services and the corresponding neutron agents is still needed. New deployments won’t have these services deployed from the beginning.
Other Notes
Gate jobs for OpenDaylight, SFC, and OVS w/ NSH have been removed in preparation for deprecation of those deployment scenarios and related code.