6.6. RHBA-2015:2652 — openstack-neutron bug fix advisory

The bugs contained in this section are addressed by advisory RHBA-2015:2652. Further information about this advisory is available at https://access.redhat.com/errata/RHBA-2015:2652.html.

6.6.1. openstack-neutron

BZ#1253953
Previously, when HA routers were scheduled to multiple nodes, each such replica of the router had its own copy of its internal and external ports, however, from neutron's perspective each such port was bound only to a single host. With HA routers, only one replica of the router is active at any point in time, but the router's ports may be bound to a host that is in standby mode.
As a result, l2pop used the port binding information to configure flows. Since the neutron port for replicated interfaces could be bound to the wrong host, l2pop may have broken connectivity by configuring tunnel endpoints to the wrong host, or by configuring unicast openflow rules that point to a standby node. Additionally, some ML2 mechanism drivers would rely on the port binding information to configure ToR switches or other network gear, which was being misconfigured.
With this update, whenever keepalived performs a state transition, it notifies the L3 agent, which then notifies the neutron-server. The server then updates the port's binding information to point to the new active node. As a result, l2pop and other ML2 mechanism drivers now have a correct view of the external environment, with router ports owned by HA routers always being bound to the active node.
BZ#1256816
Previously, in certain circumstances (such as deployments using a vendor-specific implementation of the neutron L3 API), the neutron router was not available to provide the IP route for the metadata service.
This issue can be addressed using DHCP to allocate this information. Setting 'force_metadata = False' causes the DHCP server to append specific host routes to the DHCP request. As a result of performing this configuration change, the metadata service will be activated for all networks.
BZ#1268244
Prior to this update, the netns pacemaker OCF resource did not perform a full cleanup of the neutron netns services.
As a result, some of those services were orphaned and were never restored by the l3-agent, because they were seen as running but were actually disconnected.
This update addresses this by adding the missing cleanup steps to the netns cleanup OCF resource.
BZ#1268859
Previously, metadata-proxy could not be spawned in the DHCP namespace if the network was attached to any router.
Consequently, a network could not be created if the router required a metadata-proxy process in the DHCP namespace.
This update resolves this issue by adding the new config option 'force_metadata' for dhcp_agent.ini. As a result, setting 'force_metadata' to 'True' will cause the metadata-proxy to always be spawned in the DHCP namespace, even if the network is attached to a router.
BZ#1269849
Prior to this update, the Linux iptables implementation of security groups included a default rule to drop any INVALID packets. Consequently, it was possible that iptables could block legitimate traffic as INVALID, such as SCTP protocol.
This update addresses this issue by processing user-defined iptables rules before the INVALID DROP rule.
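The following is an added illustration, not code from the advisory or from neutron: a minimal first-match chain evaluator showing why the position of the INVALID DROP rule matters. The Packet and Rule classes, the sample SCTP packet (constructed to model traffic that conntrack flags INVALID) and the two chain orderings are assumptions made for the example; real neutron chains carry many more rules.

```python
"""Added example (not neutron's code): first-match evaluation of a simplified
iptables chain, comparing the pre-fix and post-fix rule ordering of BZ#1269849."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str       # "tcp", "udp", "sctp", ...
    ct_state: str    # conntrack verdict: "NEW", "ESTABLISHED" or "INVALID"


@dataclass
class Rule:
    target: str                      # "ACCEPT" or "DROP"
    proto: Optional[str] = None      # match on protocol, None = any protocol
    ct_state: Optional[str] = None   # match on conntrack state, None = any state
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.ct_state is not None and self.ct_state != pkt.ct_state:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """iptables semantics: the first matching rule decides, else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The default rule the advisory refers to, and a user-defined security group rule.
INVALID_DROP = Rule("DROP", ct_state="INVALID", comment="drop INVALID packets")
USER_ALLOW_SCTP = Rule("ACCEPT", proto="sctp", comment="user security group rule")

# Pre-fix ordering: the INVALID DROP rule is evaluated before user rules.
CHAIN_BEFORE_FIX = [INVALID_DROP, USER_ALLOW_SCTP]
# Post-fix ordering (BZ#1269849): user-defined rules are processed first.
CHAIN_AFTER_FIX = [USER_ALLOW_SCTP, INVALID_DROP]

# Constructed samples: an SCTP packet conntrack could not track (hence INVALID),
# and a stray TCP packet with no user rule allowing it.
SCTP_UNTRACKED = Packet(proto="sctp", ct_state="INVALID")
TCP_STRAY = Packet(proto="tcp", ct_state="INVALID")


def verdicts(pkt: Packet) -> dict:
    """Verdict for one packet under both orderings."""
    return {
        "before_fix": evaluate(CHAIN_BEFORE_FIX, pkt),
        "after_fix": evaluate(CHAIN_AFTER_FIX, pkt),
    }


if __name__ == "__main__":
    for name, pkt in (("sctp", SCTP_UNTRACKED), ("tcp", TCP_STRAY)):
        print(name, verdicts(pkt))
```

The second sample packet shows the trade-off: traffic that no user rule admits is still dropped as INVALID after the fix, while a user rule that accepts a protocol now also admits packets of that protocol that conntrack cannot classify.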
BZ#1274880
This neutron rebase package includes a number of notable enhancements and fixes under version 2015.1.2:

* Layer 3 High Availability:
- Fixed race condition when starting radvd processes for IPv6 networks
- Gratuitous ARP updates are now repeated
- Fixed HA routers when l2population ML2 driver was used
- Fixed a bug where a HA router failed while configuring IPv6 Router Advertisements on its external gateway
- It is now possible to configure the underlying physical network for VRRP traffic

* L3: 
- Stale metadata processes are now cleaned up on sync
- Prevents attaching an interface to a router if the port does not have an IP address assigned
- Gratuitous ARPs are now skipped for IPv6 addresses

* Distributed Virtual Routing (DVR): 
- Service port ARP is now broadcast
- Routers are now unscheduled if all remaining ports are not bound to the node

* Security Groups: 
- Fixed ipset cleanup on last security group rule removal
- Fixed ipset cleanup if requested set does not exist
- IPtables manager is significantly optimized for performance
- Fixed interaction with LBaaS ports
- More fixes for default security group creation

* DHCP: 
- Fixed a bug where some IPv6 addresses might miss name resolution settings
- Scheduler is optimized to guarantee the configured number of agents serving a network
- Fixed a bug where tunnels were not created on failover, when using the l2population ML2 driver

* ML2 plugin: 
- Fixed rare race condition where a port and its network were removed in parallel

* Open vSwitch (OVS): 
- Do not use ARP responder for IPv6 addresses

* SR-IOV: 
- Fixed setting admin_state_up for ports

* Linux Bridge: 
- Fixed race condition on bridge cleanup
- Tap device MTU is now set according to underlying physical device
- Added ARP spoofing protection support (disabled by default)

* Port Security:
- Fixed late enablement of the extension for existing networks

* API: 
- Allow unsetting the description of an agent
BZ#1281432
Prior to this update, processing router information on L3 agent synchronization was performed inefficiently. Consequently, the neutron server load may have been unexpectedly high when using large numbers of routers under non-extreme conditions.
This update addresses this issue by improving query efficiency, and removing unnecessary operations on synchronization.
As a result, neutron server CPU usage is greatly reduced when large numbers of routers are configured.

6.6.2. openstack-neutron-fwaas

BZ#1274889
This FWaaS rebase package includes a notable fix under version 2015.1.2:
- Fixed DB tracebacks on multiple FWaaS API operations (rule insert, rule remove, and others)

6.6.3. openstack-neutron-lbaas

BZ#1274881
This LBaaS rebase package includes a number of notable enhancements and fixes under version 2015.1.2:
- Gracefully error out when attempting to delete a port attached to a VIP
- device_id is now set for a LBaaS port on creation, to prevent nova from booting an instance using the port

6.6.4. openstack-neutron-vpnaas

BZ#1274891
This VPNaaS rebase package includes a notable fix under version 2015.1.2:
- Confirms that the file containing the pre-shared key for VPN connections is not world-readable
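The following is an added example, not code from the advisory or from neutron-vpnaas: it shows how to create a pre-shared-key file so that it is never world-readable (mode 0600 set at creation rather than by a later chmod), and a check that reports whether an existing file is world-readable. The file names, the demo directory and the key text are constructed placeholders, and the code assumes a POSIX filesystem.

```python
"""Added example (not neutron-vpnaas code): create a secret file with a
restrictive mode from the start, and detect files that are world-readable."""

import os
import stat
import tempfile


def write_secret_file(path: str, data: str) -> None:
    """Create or truncate `path` with mode 0600 in the open() call itself, so no
    window exists in which the file is readable under the process umask."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        # If the file already existed with a looser mode, tighten it before writing.
        os.fchmod(fd, 0o600)
        fh.write(data)


def is_world_readable(path: str) -> bool:
    """True when the 'other' read bit is set, the condition the fix guards against."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def is_group_or_world_accessible(path: str) -> bool:
    """Stricter check: any group or other permission bit set."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo() -> dict:
    """Constructed scenario: one PSK file created loosely, one created correctly."""
    workdir = tempfile.mkdtemp()
    loose = os.path.join(workdir, "psk-loose.secrets")   # placeholder name
    tight = os.path.join(workdir, "psk-tight.secrets")   # placeholder name

    with open(loose, "w") as fh:
        fh.write("CONSTRUCTED-PSK-VALUE\n")
    os.chmod(loose, 0o644)   # world-readable: what the check must flag

    write_secret_file(tight, "CONSTRUCTED-PSK-VALUE\n")

    return {
        "loose_world_readable": is_world_readable(loose),
        "tight_world_readable": is_world_readable(tight),
        "tight_group_or_world": is_group_or_world_accessible(tight),
        "tight_mode": stat.S_IMODE(os.stat(tight).st_mode),
    }


if __name__ == "__main__":
    print(demo())
```

Passing the mode to os.open is the important detail: creating the file with the default umask and calling chmod afterwards leaves a short window in which the key is readable by other local users.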