Full Release Notes for networking-cisco



In this release, clean-up of Nexus configuration was performed by removing obsolete features. For users of tripleo and puppet-neutron repos, you must make sure you are using the correct versions of the repos that include the changes from bugs https://bugs.launchpad.net/tripleo/+bug/1793381 and https://bugs.launchpad.net/puppet-neutron/+bug/1793379.

New Features

  • Adds support for the Rocky release of OpenStack

Upgrade Notes

  • Nexus: Verify https certificates by default

    See the Security release notes for more details.

  • Nexus: Remove deprecated format of host interface mapping config

    The host to interface mapping configuration was deprecated and replaced in release 6.1.0 (see previous release notes). The deprecated configuration is now removed so the replacement configuration must take its place. The following demonstrates the old versus new configuration.

    Old: hostname_abc=ethernet:1/19,1/20

    New: host_ports_mapping=hostname_abc:[ethernet:1/19,1/20]

    Refer to https://bugs.launchpad.net/networking-cisco/+bug/1771672 for implementation details.

  • Nexus: Remove deprecated intfcfg.portchannel configuration

    The intfcfg.portchannel configuration was deprecated and replaced in release 5.4.0 (see previous release notes). The deprecated configuration is now removed so the replacement configuration intfcfg_portchannel must take its place.

  • Nexus: Remove Nexus ncclient configuration driver

    The ncclient Driver used to configure Nexus was deprecated in the Cisco 5.5.0 release. It is replaced by the current default RESTAPI Driver. The ncclient driver is now removed along with related configuration options which include ssh_port, persistent_switch_config, never_cache_ssh_connection, host_key_checks, and nexus_driver. For the RESTAPI driver to work, the :command:’feature nxapi’ must be preconfigured on the Nexus device and the correct version of NX-OS must be installed. Refer to Nexus Installation Guide. for more prerequisite details. For implementation details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1758042

Deprecation Notes

Security Issues

  • Nexus: Verify https certificates by default

    In release 5.4.0, the ability to verify https certificates was implemented. The default was originally set to False for insecure https connections to allow time to acquire certificates. In this release, the default is changed to True so certificates will be verified for secured connections.

    See release notes for release 5.4.0 for details on this feature and https://bugs.launchpad.net/networking-cisco/+bug/1778275 for implementation details.

Bug Fixes


New Features

  • Adds support for the OpenStack Neutron queens release.

Deprecation Notes

  • Nexus: Host Mapping Configuration being replaced

    The host mapping configuration beneath the header ml2_mech_cisco_nexus currently does not have a static config option name. This can lead to some issues where even typographical errors can be interpreted as a host mapping config. The config option host_ports_mapping has been introduced to resolve this shortcoming. The following demonstrates the before and after config change.

    Before: hostname_abc=ethernet:1/19, After: host_ports_mapping=hostname_abc:[ethernet:1/19]

Bug Fixes

  • Nexus: Do not raise exception during update_postcommit when port not found

    Occasionally spurious updates are seen in parallel with deletes for same vlan. In this window an update can be received after the port binding is removed. This change reports a warning message instead of raising an exception keeping it consistent with other ML2 driver behavior. This circumstance will more likely be seen when there are multiple neutron threads and controllers.

  • Nexus: Neutron trunking feature not supported in Newton

    Introduced a fix to prevent an error from being generated when using openstack newton or below branches with baremetal configurations. The error message seen is “TypeError: get_object() got an unexpected keyword” “argument ‘port_id’”. For implementation details, refer to https://review.openstack.org/#/c/542877.


Upgrade Notes

  • Cisco UCSM: The ucsmsdk is now the default replacing the UcsSdk

    The ucsmsdk is now the default package for interacting with UCSM. Use of the now deprecated UcsSdk will still work if the ucsmsdk is not installed. However, all new features will be developed using the ucsmsdk so users are encouraged to upgrade.

  • All code for CSR1kv-based routing has been removed from networking-cisco. The code was removed in commit 917480566afa2b40dc382bc4f535d173bad7736d.
  • All Nexus 1000v driver code has been removed from networking-cisco, and all n1kv related tables have been dropped. The code was removed in commit 0730ec9e6b76b3c1e75082e9dd1af55c9faeb34c
  • NCS: Remove support for Network Control System (NCS). The code was removed in commit 31e4880299d04ceb399aa38097fc5f2b26e30ab1

Deprecation Notes

  • Cisco UCSM: Use of the UcsSdk has been deprecated for removal

    Use of of the UcsSdk will be removed in a future release. It has been replaced by the ucsmsdk. While use of the UcsSdk will continue to work until its complete removal, no new features will be added so users are encouraged to upgrade.


Bug Fixes


New Features

  • Cisco UCSM: vNIC and Service Profile Template support for Single UCSM

    This feature allows a cloud admin to take advantage of the Service Profile Template and vNIC Template configuration options available on the UCS Manager. The UCSM driver can be provided with the Service Profile or the Service Profile Template configuration, and it will handle the configuration of the UCS Servers accordingly. The vNIC Templates can be used to configure several vNIC on different UCS Servers, all connected to the same physical network. The driver will handle configuration of the appropriate vNIC Template with the VLAN configuration associated with the corresponding neutron provider network.


Security Issues

  • Nexus: https certification now supported by RESTAPI Client

    The Nexus RESTAPI Client now sends requests using https instead of http which results in communication with the Nexus to be encrypted. Certificate verification can also be performed. A new configuration option ‘https_verify’ controls this latter capability. When set to False, the communication path is insecure making it vulnerable to man-in-the-middle attacks. Initially, the default for ‘https_verify’ is set to False but will change to True in the ‘Cisco 6.0.0’ release. If a certificate is already available and configured on the Nexus device, it is highly recommended to set this options to True in the neutron start-up configuration file.

    For testing or lab purposes, a temporary local certificate can be generated and the certificate filename can be provided in the configuration option ‘https_local_certificate’. This depends on the Nexus device being configured with the local key and certificate file.

    Both configuration options are available for every Nexus switch configured. Refer to the Nexus Configuration Reference for more details on these options as well as https://bugs.launchpad.net/networking-cisco/+bug/1735295

  • Nexus: Obfuscate password

    In log output, obfuscate Nexus Switch password provided in Neutron Start-up configuration.

  • Cisco UCSM: Add config to control SSL certificate checks

    This feature allows a cloud admin to disable SSL certificate checking when the UCSM driver connects to the UCS Managers provided in its configuration. SSL certificate checking is ON by default and setting the ucsm_https_verify configuration parameter to False turns it OFF. Turning it OFF makes the connection insecure and vulnerable to man-in-the-middle attacks.

Bug Fixes

  • Nexus: Remove ‘.’ from configuration variable names

    When testing new configuration variables with puppet and tripleo, the use of dot ‘.’ in configuration variable name fails. There is only one such variable which is intfcfg.portchannel. It is replaced with intfcfg_portchannel.

Other Notes

  • Nexus: RESTAPI Client Scaling Improvement

    To improve performance, the same cookie will be used in requests until it expires and the Nexus device returns a status_code of 403. When this is detected, an attempt to refresh the cookie occurs and upon successful receipt of a new cookie the request that originally failed will be resent. For more details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1735295


New Features

  • Nexus: Improved port-channel support with baremetal events

    When there are multiple ethernet interfaces in the baremetal’s neutron port event, the Nexus driver determines whether the interfaces are already configured as members of a port-channel. If not, it creates a new port-channel interface and adds the ethernet interfaces as members. In either case, trunk vlans are applied to the port-channel. For this to be successful, a new configuration variable ‘vpc_pool’ must be defined with a pool of vpc ids for each switch. This must be defined beneath the section header [ml2_mech_cisco_nexus:<switch-ip-address>]. A vpc id common between participating switches will be selected. To get more details on defining this variable, refer to networking-cisco repo, file: etc/neutron/plugins/ml2/ml2_conf_cisco.ini For implementation details on automated port-channel creation, refer to https://bugs.launchpad.net/networking-cisco/+bug/1707286 and https://bugs.launchpad.net/networking-cisco/+bug/1691822 and https://bugs.launchpad.net/networking-cisco/+bug/1705294

  • Nexus: User customizable port-channels for baremetal interfaces

    When the Nexus driver creates port-channels for baremetal events, an additional capability was provided to allow the user to custom configure port-channels that are created. This is done by way of the config variable ‘intfcfg.portchannel’ beneath each switch’s section header [ml2_mech_cisco_nexus:<switch-ip-address>]. Nexus CLI commands are defined in this variable unique for each switch and sent while creating the port-channel. For details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1706965

  • Nexus: Provider Network Limited Operations

    The Openstack administrator may want to control how the neutron port events program the Nexus switch for provider networks. Two configuration variables have been introduced to suppress vlan creation and the vlan trunk port setting on the Nexus switch for provider networks. These variables, ‘provider_vlan_auto_create’ and ‘provider_vlan_auto_trunk’, are defined under the [ml2_cisco] section header.

  • Cisco UCSM: Auto detection of Compute hosts

    This feature allows a cloud admin to expand the size of the Openstack cloud dynamically by adding more compute hosts to an existing UCS Manager. The cloud admin can now add the hostname of this new compute host to the “Name” field of its Service Profile on the UCSM. Then when a VM is scheduled on this compute host, the Cisco UCSM ML2 mechanism driver goes through all the Service Profiles of all the UCSMs known to it to figure out the UCSM and the Service Profile associated with that host. After learning the UCSM and Service Profile, the mechanism driver saves this information for future operations. Note that this method cannot be used to add more Controller nodes to the cloud.

Upgrade Notes

  • Nexus: Add host to switch/interface mapping database table

    A new database table for host to interface mapping is added for baremetal deployments. The administrator must perform a database migration to incorporate this upgrade. The new database table name is ‘cisco_ml2_nexus_host_interface_mapping’. For more details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1691194

  • Nexus: Set RESTAPI driver as default replacing ncclient driver

    The Nexus 9K handles the RESTAPI events more efficiently and without session limitations. It is now the default and will be the only choice in ‘Cisco 7.0.0’ release. This may require the administrator to upgrade the Nexus operating system. If necessary, use ‘nexus_driver=ncclient’ to temporarily go back to original default driver; however, some enhancements may not be available when using this driver. For details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1705036

  • Nexus: Set default for Configuration Replay to enabled

    Configuration replay is now enabled by default by setting the variable ‘switch_heartbeat_time’ to 30 seconds (defined under the [ml2_cisco] section header). If the administrator does not want this feature enabled, set this variable to 0. When enabled, the nexus driver checks each switch for connectivity and will restore the configuration known to the driver if a switch recovers from failure. For details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1712090

Deprecation Notes

  • Nexus: The ncclient/ssh config driver has been deprecated for removal

    Use of ncclient/ssh_driver will be removed in the ‘Cisco 7.0.0’ release. It will be replaced by the RESTAPI Driver. Some configuration options are also deprecated for removal since they relate only to the ncclient driver. These include ‘persistent_switch_config’, ‘never_cache_ssh_connection’, ‘host_key_checks’, and ‘nexus_driver’. For details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1705036

Bug Fixes

  • ASR1k: Fix greenpool.py traceback in Ocata

    The ASR1k plugin was wrapping neutron and plugin DB operations in common transactions that was generating a lot of strange tracebacks in the neutron server logs. This commit removes the transaction wrapper to make the operations more independent of each other, eliminating the tracebacks entirely.

Other Notes

  • Nexus: Remove unused configuration variables

    The configuration variables ‘svi_round_robin’, ‘provider_vlan_name_prefix’, and ‘vlan_name_prefix’ are no longer used by the nexus driver and can be removed. For further details, refer to https://bugs.launchpad.net/networking-cisco/+bug/1712118