We are overjoyed to announce the release of:
neutron 8.0.0: OpenStack Networking
This release is part of the mitaka release series.
For more details, please see below.
The ML2 plug-in supports calculating the MTU for instances using
overlay networks by subtracting the overlay protocol overhead from the
value of 'pathmtu', ideally the physical (underlying) network MTU,
and providing the smaller value to instances via DHCP. Prior to
Mitaka, 'pathmtu' defaults to 0 which disables this feature. In
Mitaka, 'path_mtu' defaults to 1500, a typical MTU for physical
networks, to improve the "out of box" experience for typical
The ML2 plug-in supports calculating the MTU for networks that are
realized as flat or VLAN networks, by consulting the 'segmentmtu'
option. Prior to Mitaka, 'segmentmtu' defaults to 0 which disables
this feature. This creates slightly confusing API results when
querying Neutron networks, since the plugins that support the MTU API
extension would return networks with the MTU equal to zero. Networks
with an MTU of zero make little sense, since nothing could ever be
transmitted. In Mitaka, 'segment_mtu' now defaults to 1500 which is
the standard MTU for Ethernet networks in order to improve the "out of
box" experience for typical deployments.
The LinuxBridge agent now supports QoS bandwidth limiting.
External networks can now be controlled using the RBAC framework that
was added in Liberty. This allows networks to be made available to
specific tenants (as opposed to all tenants) to be used as an external
gateway for routers and floating IPs.
DHCP and L3 Agent scheduling is availability zone aware.
The "get-me-a-network" feature simplifies the process for launching an
instance with basic network connectivity (via an externally connected
private tenant network).
Support integration with external DNS service.
Add popular IP protocols to the security group code. End-users can
specify protocol names instead of protocol numbers in both RESTful API
and python-neutronclient CLI.
ML2: ports can now recover from binding failed state.
RBAC support for QoS policies
Add description field to security group rules, networks, ports,
routers, floating IPs, and subnet pools.
Add tag mechanism for network resources
Timestamp fields are now added to neutron core resources.
Announcement of tenant prefixes and host routes for floating IP's via
BGP is supported
Allowed address pairs can now be cleared by passing None in addition
to an empty list. This is to make it possible to use the
--action=clear option with the neutron client. neutron port-update
Core configuration files are automatically generated.
maxfixedipsperport has been deprecated and will be removed in the
Newton or Ocata cycle depending on when all identified usecases of the
options are satisfied via another quota system.
OFAgent is decomposed and deprecated in the Mitaka cycle.
Add new VNIC type for SR-IOV physical functions.
High Availability (HA) of SNAT service is supported for Distributed
Virtual Routers (DVRs).
An OVS agent configured to run in DVR mode will fail to start if it
cannot get proper DVR configuration values from the server on start-
up. The agent will no longer fallback to non-DVR mode, since it may
lead to inconsistency in the DVR-enabled cluster as the Neutron server
does not distinguish between DVR and non-DVR OVS agents.
Improve DVR's resiliency during Nova VM live migration events.
The Linuxbridge agent now supports l2 agent extensions.
Adding MacVtap ML2 driver and L2 Agent as new vswitch choice
Support for MTU selection and advertisement.
Neutron now provides network IP availability information.
Neutron is integrated with Guru Meditation Reports library.
oslo.messaging.notify.drivers entry points are deprecated
In Mitaka, the combination of 'pathmtu' defaulting to 1500 and
'advertisemtu' defaulting to True provides a value of MTU
accounting for any overlay protocol overhead on the network to
instances using DHCP. For example, an instance attaching to a VXLAN
network receives a 1450 MTU from DHCP accounting for 50 bytes of
overhead from the VXLAN overlay protocol if using IPv4 endpoints.
In Mitaka, queries to the Networking API for network objects will
now return network objects that contain a sane MTU value.
The LinuxBridge agent can now configure basic bandwidth limiting
QoS rules set for ports and networks. It introduces two new config
options for LinuxBridge agent. First is 'kernelhz' option which is
value of host kernel HZ setting. It is necessary for proper
calculation of minimum burst value in tbf qdisc setting. Second is
'tbflatency' which is value of latency to be configured in tc-tbf
setting. Details about this option can be found in tc-tbf manual
External networks can now be controlled using the RBAC framework
that was added in Liberty. This allows networks to be made available
to specific tenants (as opposed to all tenants) to be used as an
external gateway for routers and floating IPs. By default this
feature will also allow regular tenants to make their networks
available as external networks to other individual tenants (or even
themselves), but they are prevented from using the wildcard to share
to all tenants. This behavior can be adjusted via policy.json by the
operator if desired.
A DHCP agent is assigned to an availability zone; the network will
be hosted by the DHCP agent with availability zone specified by the
An L3 agent is assigned to an availability zone; the router will
be hosted by the L3 agent with availability zone specified by the
user. This supports the use of availability zones with HA routers.
DVR isn't supported now because L3HA and DVR integration isn't
Once Nova takes advantage of this feature, a user can launch an
instance without explicitly provisioning network resources.
Floating IPs can have dnsname and dnsdomain attributes
associated with them
Ports can have a dnsname attribute associated with them. The
network where a port is created can have a dnsdomain associated
Floating IPs and ports will be published in an external DNS
service if they have dnsname and dnsdomain attributes associated
The reference driver integrates neutron with designate
Drivers for other DNSaaS can be implemented
Driver is configured in the default section of neutron.conf using
Ports that failed to bind when an L2 agent was offline can now
recover after the agent is back online.
Neutron now supports sharing of QoS policies between a subset of
Security group rules, networks, ports, routers, floating IPs, and
subnet pools may now contain an optional description which allows
users to easily store details about entities.
Users can set tags on their network resources.
Networks can be filtered by tags. The supported filters are
'tags', 'tags-any', 'not-tags' and 'not-tags-any'.
Add timestamp fields 'createdat', 'updatedat' into neutron core
resources like network, subnet, port and subnetpool.
And support for querying these resources by changed-since, it will
return the resources changed after the specfic time string like
By default, the DHCP agent provides a network MTU value to
instances using the corresponding DHCP option if core plugin
calculates the value. For ML2 plugin, calculation mechanism is
enabled by setting [ml2] path_mtu option to a value greater than
Allow non-admin users to define "external" extra-routes.
Announcement of tenant subnets via BGP using centralized Neutron
router gateway port as the next-hop
Announcement of floating IP host routes via BGP using the
centralized Neutron router gateway port as the next-hop
Announcement of floating IP host routes via BGP using the floating
IP agent gateway as the next-hop when the floating IP is associated
through a distributed router
Neutron no longer includes static example configuration files.
Instead, use tools/generateconfigfile_samples.sh to generate them.
The files are generated with a .sample extension.
Add derived attributes to the network to tell users which address
scopes the network is in.
The subnet API now includes a new usedefaultsubnetpool
attribute. This attribute can be specified on creating a subnet in
lieu of a subnetpoolid. The two are mutually exclusive. If it is
specified as True, the default subnet pool for the requested
ipversion will be looked up and used. If no default exists, an
error will be returned.
Neutron now supports creation of ports for exposing physical
functions as network devices to guests.
High Availability support for SNAT services on Distributed Virtual
Routers. Routers can now be created with the flags distributed=True
and ha=True. The created routers will provide Distributed Virtual
Routing as well as SNAT high availability on the l3 agents
configured for dvr_snat mode.
Use the value of the network 'mtu' attribute for the MTU of
virtual network interfaces such as veth pairs, patch ports, and tap
devices involving a particular network.
Enable end-to-end support for arbitrary MTUs including jumbo
frames between instances and provider networks by moving MTU
disparities between flat or VLAN networks and overlay networks from
layer-2 devices to layer-3 devices that support path MTU discovery
The Linuxbridge agent can now be extended by 3rd parties using a
Libvirt qemu/kvm instances can now be attached via MacVtap in
bridge mode to a network. VLAN and FLAT attachments are supported.
Other attachmentes than compute are not supported.
When advertise_mtu is set in the config, Neutron supports
advertising the LinkMTU using Router Advertisements.
A new API endpoint /v2.0/network-ip-availabilities that allows an
admin to quickly get counts of usedips and totalips for network(s)
is available. New endpoint allows filtering by networkid,
networkname, tenantid, and ipversion. Response returns network
and nested subnet data that includes used and total IPs.
SriovNicSwitchMechanismDriver driver now exposes a new VIF type
'hostdev_physical' for ports with vnic type 'direct-physical' (used
for SR-IOV PF passthrough). This will enable Nova to provision PFs
as Neutron ports.
The RPC and notification queues have been separated into different
queues. Specify the transporturl to be used for notifications
within the [oslomessagingnotifications] section of the
configuration file. If no transporturl is specified in
[oslomessagingnotifications], the transport_url used for RPC will
Neutron services should respond to SIGUSR2 signal by dumping
valuable debug information to standard error output.
New security groups firewall driver is introduced. It's based on
OpenFlow using connection tracking.
Neutron can interact with keystone v3.
The combination of 'pathmtu' and 'advertisemtu' only adjusts the
MTU for instances rather than all virtual network components between
instances and provider/public networks. In particular, setting
'path_mtu' to a value greater than 1500 can cause packet loss even
if the physical network supports it. Also, the calculation does not
consider additional overhead from IPv6 endpoints.
When using DVR, if a floating IP is associated to a fixed IP
direct access to the fixed IP is not possible when traffic is sent
from outside of a Neutron tenant network (north-south traffic).
Traffic sent between tenant networks (east-west traffic) is not
affected. When using a distributed router, the floating IP will mask
the fixed IP making it inaccessible, even though the tenant subnet
is being announced as accessible through the centralized SNAT
router. In such a case, traffic sent to the instance should be
directed to the floating IP. This is a limitation of the Neutron L3
agent when using DVR and will be addressed in a future release.
Only creation of dvr/ha routers is currently supported. Upgrade
from other types of routers to dvr/ha router is not supported on
More synchronization between Nova and Neutron is needed to
properly handle live migration failures on either side. For
instance, if live migration is reverted or canceled, some dangling
Neutron resources may be left on the destination host.
To ensure any kind of migration works between all compute nodes,
make sure that the same physicalinterfacemappings is configured on
each MacVtap compute node. Having different mappings could cause
live migration to fail (if the configured physical network interface
does not exist on the target host), or even worse, result in an
instance placed on the wrong physical network (if the physical
network interface exists on the target host, but is used by another
physical network or not used at all by OpenStack). Such an instance
does not have access to its configured networks anymore. It then has
layer 2 connectivity to either another OpenStack network, or one of
the hosts networks.
OVS firewall driver doesn't work well with other features using
Operators using the ML2 plug-in with 'path_mtu' defaulting to 0
may need to perform a database migration to update the MTU for
existing networks and possibly disable existing workarounds for MTU
problems such as increasing the physical network MTU to 1550.
Operators using the ML2 plug-in with existing data may need to
perform a database migration to update the MTU for existing networks
Add popular IP protocols to security group code.
To disable, use [DEFAULT] advertise_mtu = False.
The router_id option is deprecated and will be removed in the 'N'
Does not change MTU for existing virtual network interfaces.
Actions that create virtual network interfaces on an existing
network with the 'mtu' attribute containing a value greater than
zero could cause issues for network traffic traversing existing and
new virtual network interfaces.
The Hyper-V Neutron Agent has been fully decomposed from Neutron.
rityGroupsDriver firewall driver has been deprecated and will be
removed in the 'O' cycle. Update the neutronhypervagent.conf
files on the Hyper-V nodes to use
which is the networking_hyperv security groups driver.
When using ML2 and the Linux Bridge agent, the default value for
the ARP Responder under L2Population has changed. The responder is
now disabled to improve compatibility with the allowed-address-pair
extension and to match the default behavior of the ML2 OVS agent.
The logical network will now utilize traditional flood and learn
through the overlay. When upgrading, existing vxlan devices will
retain their old setup and be unimpacted by changes to this flag. To
apply this to older devices created with the Liberty agent, the
vxlan device must be removed and then the Mitaka agent restarted.
The agent will recreate the vxlan devices with the current settings
upon restart. To maintain pre-Mitaka behavior, enable the
arp_responder in the Linux Bridge agent VXLAN config file prior to
starting the updated agent.
Neutron depends on keystoneauth instead of keystoneclient.
The defaultsubnetpools option is now deprecated and will be
removed in the Newton release. The same functionality is now
provided by setting is_default attribute on subnetpools to True
using the API or client.
The 'forcegatewayon_subnet' option is deprecated and will be
removed in the 'Newton' cycle.
The 'networkdevicemtu' option is deprecated and will be removed
in the 'Newton' cycle. Please use the system-wide segment_mtu
setting which the agents will take into account when wiring VIFs.
maxfixedipsperport has been deprecated and will be removed in
the Newton or Ocata cycle depending on when all identified usecases
of the options are satisfied via another quota system. If you depend
on this configuration option to stop tenants from consuming IP
addresses, please leave a comment on the bug report
The 'segmentmtu' option of the ML2 configuration has been
deprecated and replaced with the 'globalphysnetmtu' option in the
main Neutron configuration. This option is meant to be used by all
plugins for an operator to reference their physical network's MTU,
regardless of the backend plugin. Plugins should access this config
option via the 'getdeploymentphysnetmtu' method added to
neutron.plugins.common.utils to avoid being broken on any potential
renames in the future.
Prior to Mitaka, the settings that control the frequency of router
advertisements transmitted by the radvd daemon were not able to be
adjusted. Larger deployments may wish to decrease the frequency in
which radvd sends multicast traffic. The 'minrtradvinterval' and
'maxrtradvinterval' settings in the L3 agent configuration file
map directly to the 'MinRtrAdvInterval' and 'MaxRtrAdvInterval' in
the generated radvd.conf file. Consult the manpage for radvd.conf
for more detailed information.
Fixes bug 1537734
Prior to Mitaka, name resolution in instances requires specifying
DNS resolvers via the 'dnsmasqdnsservers' option in the DHCP agent
configuration file or via neutron subnet options. In this case, the
data plane must provide connectivity between instances and upstream
DNS resolvers. Omitting both of these methods causes the dnsmasq
service to offer the IP address on which it resides to instances for
name resolution. However, the static dnsmasq '--no-resolv' process
argument prevents name resolution via dnsmasq, leaving instances
without name resolution. Mitaka introduces the
'dnsmasqlocalresolv' option, default value False to preserve
backward-compatibility, that enables the dnsmasq service to provide
name resolution for instances via DNS resolvers on the host running
the DHCP agent. In this case, the data plane must provide
connectivity between the host and upstream DNS resolvers rather than
between the instances and upstream DNS resolvers. Specifying DNS
resolvers via the 'dnsmasqdnsservers' option in the DHCP agent
configuration overrides the 'dnsmasqlocalresolv' option for all
subnets using the DHCP agent.
Before Mitaka, when a default subnetpool was defined in the
configuration, a request to create a subnet would fall back to using
it if no specific subnet pool was specified. This behavior broke
the semantics of subnet create calls in this scenario and is now
considered an API bug. This bug has been fixed so that there is no
automatic fallback with the presence of a default subnet pool.
Workflows which depended on this new behavior will have to be
modified to set the new usedefaultsubnetpool attribute when
creating a subnet.
Create DVR router namespaces pro-actively on the destination node
during live migration events. This helps minimize packet loss to
floating IP traffic.
Explicitly configure MTU of virtual network interfaces rather than
using default values or incorrect values that do not account for
overlay protocol overhead.
The server will fail to start if any of the declared required
extensions, as needed by core and service plugins, are not properly
partially closes bug 1468803
The Linuxbridge agent now supports the ability to toggle the local
ARP responder when L2Population is enabled. This ensures
compatibility with the allowed-address-pairs extension. closes bug
Fix SR-IOV agent macvtap assigned VF check when linux kernel <
Loaded agent extensions of SR-IOV agent are now shown in agent
Please read the OpenStack Networking Guide
For overlay networks managed by ML2 core plugin, the calculation
algorithm subtracts the overlay protocol overhead from the value of
[ml2] path_mtu. The DHCP agent provides the resulting (smaller) MTU
to instances using overlay networks.
The [DEFAULT] advertise_mtu option must contain a consistent value
on all hosts running the DHCP agent.
Typical networks can use [ml2] path_mtu = 1500.
The Openflow Agent(OFAgent) mechanism driver is decomposed
completely from neutron tree in the Mitaka. The OFAgent driver and
its agent also are deprecated in favor of OpenvSwitch mechanism
driver with "native" of_interface in the Mitaka and will be removed
in the next release.
For details please read Blueprint mtu-selection-and-advertisement
OVS firewall driver requires OVS 2.5 version or higher with linux
kernel 4.3 or higher. More info at OVS github page
The oslo.messaging.notify.drivers entry points that were left in
tree for backward compatibility with Icehouse are deprecated and
will be removed after liberty-eol. Configure notifications using the
oslo_messaging configuration options in neutron.conf.
Changes in neutron 188.8.131.52rc2..8.0.0
3213eb1 Support Routes==2.3
4283a7e Constraint requirements using mitaka upper-constraints.txt file
fc69097 Imported Translations from Zanata
41be555 Imported Translations from Zanata
b435ec5 Imported Translations from Zanata
bec65f6 api tests: Check correct extensions
99915fa Fix setting peer to bridge interfaces
4b86f17 Skip fullstack L3 HA test
4504a74 conn_testers: Bump timeout for ICMPv6 echo tests
Diffstat (except docs and test files)
neutron/api/extensions.py | 10 +-
neutron/locale/es/LCMESSAGES/neutron.po | 1701 +++++++++++++++++++-
neutron/locale/fr/LCMESSAGES/neutron.po | 1286 ++++++++++++++-
neutron/locale/ja/LCMESSAGES/neutron.po | 161 +-
.../locale/koKR/LCMESSAGES/neutron-log-error.po | 1270 +++++++++++++++
.../locale/koKR/LCMESSAGES/neutron-log-info.po | 862 ++++++++++
.../koKR/LCMESSAGES/neutron-log-warning.po | 616 +++++++
neutron/locale/koKR/LCMESSAGES/neutron.po | 1577 +++++++++++++++++-
.../drivers/openvswitch/agent/ovsneutronagent.py | 4 +-
.../api/admin/testexternalnetworkextension.py | 4 +-
.../api/admin/testsharednetworkextension.py | 4 +-
.../openvswitch/agent/testovsneutronagent.py | 16 +-
.../drivers/openvswitch/agent/testovstunnel.py | 4 +-
tox.ini | 2 +-
17 files changed, 7369 insertions(+), 171 deletions(-)
OpenStack-announce mailing list