In fullstack and functional tests where OVSPortFixture is used to create
port in OVS bridge, just after port was created by ovs interface driver,
DEAD_VLAN tag was removed from the port as it's not needed in tests.
But this could cause race condition and instead of removing DEAD_VLAN
tag, actually correct tag configured by e.g. neutron_openvswitch_agent
was removed and traffic to such port wasn't working at all.
To avoid that race, the method which adds setting DEAD_VLAN tag to the
port_replace transaction is now mocked so there will be no DEAD VLAN tag
set on such port at all.
This patch also removes unstable test decorator from the
TestDhcpAgentHA.test_multiple_agents_for_network fullstack test as it
seems to me that this was the reason why this test was failing pretty
often.
Closes-Bug: #2000150
Change-Id: I3938c94bbd531fac461e80e791c128821a4f837f
In case of error, the class ``ARPSpoofTestCase`` now provides the IPv6
and IPv4 neigh list of the source and destination ports.
This patch also adds a retry branch on the ``assert_ping`` method. If
enabled, if the first ping command fails, the method will try to execute
it again.
Related-Bug: #2003196
Change-Id: I4d1a6c799004339489fe35b44b7682f8f744560b
In Linuxbridge and OVS PortFixture, when port is created, in the fake
vm's namespace it needs to have correct mac address configured.
It seems that for some reason it's not properly configured sometimes and
that may cause failure of e.g. DHCP tests.
So this patch adds retries for 10 seconds to ensure that MAC address is
configured to the one which should be.
Closes-bug: #2000150
Change-Id: I8c6d226e626812c3ccf0a2681be68a5b080b3463
Prior to this change, trunk bridges are created by os-vif but deleted
by Neutron when the last vif is removed from it. This creates race
conditions in some use cases, like DPDK with vhostuserclient mode, when
VMs are rebooted. To avoid these races, Neutron will not delete trunk
bridges anymore. Their creation and deletion will be os-vif's
responsibility. Since [1], Nova uses the os-vif version that contains
this functionality.
This patch also changes the trunk status change event. During a live
migration, when the trunk parent port has been bound to the destination
host (that means there is only one port binding associated) and the
status has changed to ACTIVE, the method triggers the subport binding
to the new host too. This is because there could be a race condition
between the subport binding, triggered by the OVS agent, and the parent
port binding, triggered by Nova. If when the OVS agent tries to bind the
subports, the parent port is still bound to the source host, the subport
binding remains in the source host too, instead of changing to the
destination.
This patch also reverts [2] and [3]. As commented in the previous
paragraph, this patch fixes the issue reported in LP#1997025. The trunk
port live migration with ML2/OVS must be fixed with this patch.
[1] https://review.opendev.org/c/openstack/nova/+/865031
[2] https://review.opendev.org/c/openstack/neutron/+/865295
[3] https://review.opendev.org/c/openstack/neutron/+/865424
Closes-Bug: #1869244
Closes-Bug: #1997025
Change-Id: I4e16357f3ff214fcf41e418982806c24088a2665
https://review.opendev.org/c/openstack/neutron/+/820897 added
a dead vlan flow that pushes the dead vlan tag onto frames
belonging to dead ports before these ports are reassigned to
their proper vlans. However add_flow and delete_flows race and
delete_flows may run before add_flow, in this case deleting 0 flows
but not giving us a chance to detect this: neither does it throw
an error nor does it return the number of deleted flows.
This leads to port staying inaccessible forever and hence
breaks corresponding DHCP or router.
Current patch suggests another approach to make sure no packets are
leaked from newly plugged ports: setting their "vlan_mode" attribute
to "trunk" and "trunks"=[4095] (along with assigning dead VLAN tag).
With this OVS normal pipeline will allow only packets tagged with 4095
from such ports [1], which normally does not happen, but even if it does -
default rule in br-int will drop them anyway.
Thus untagged packets from such ports will also be dropped until
ovs agent sets proper VLAN tag and clears vlan_mode to default
("access").
This approach avoids the race between dhcp/l3 and ovs agents because
dhcp/l3 agents no longer modify flow table.
This partially reverts commit 7aae31c9f9
[1] https://docs.openvswitch.org/en/latest/ref/ovs-actions.7/?highlight=ovs-actions#the-ovs-normal-pipeline
Closes-Bug: #1930414
Closes-Bug: #1959564
Change-Id: I0391dd24224f8656a09ddb002e7dae8783ba37a4
In e.g. functional tests, if the kill command called by the
RootHelperProcess.kill() method returns an error that the process
with the specified PID doesn't exist, the test should not fail.
This patch adds handling of such a case in this method and always
reraises the exception if the error code is different than 1 or
the raised exception has a different error message.
Change-Id: I92c8f74f1dd2e76141e1e024a22589e9ddc4ff57
Closes-Bug: #1843418
To check the existence of a namespace, instead of listing the
namespaces directory (by default "/var/run/netns"), this patch
directly checks the existence of the namespace directory, using
"os.path.exists".
This check is faster than listing the whole directory and avoids
timeout problems as reported in the related bug.
Closes-Bug: #1947974
Change-Id: I558d50d28378beb3710d98a2113ff9549c82ae17
Implement the "kill" method (send a signal to a process) using the
Python native library "os".
In functional tests, "RootHelperProcess.kill" method should not fail if
the process does not exist.
Closes-Bug: #1843446
Closes-Bug: #1843418
Change-Id: Iee97a83779dd3e20eb3a223fb8557a94b8f15dc0
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.
This patch migrates the "kill_process" method to privsep and
removes the unneeded rootwrap filters.
Change-Id: I48461be8b08cbc21c8af371f551b944343ba37bf
Story: #2007686
Task: #41558
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.
This patch migrates some missing execution methods present in
the code and removes unneeded rootwrap filters.
Story: #2007686
Task: #41558
Change-Id: I1542dc4cf98658fc9a40018192498c7a5cd1c3fe
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.
Change-Id: Id3db4fbba44dd5644563481b6767ad0acbdcfb3e
Story: #2007686
Task: #41558
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.
This patch replaces some "IpNetnsCommand" command execution
methods.
Change-Id: Ic5fdf221a2a2cd0951539b0e040d2a941feee287
Story: #2007686
Task: #41558
Until the related bug is fixed, if the namespace created in a
NamespaceFixture cannot be deleted due to a timeout exception,
the exception will be dismissed and a warning message logged.
The leftover namespace will not affect other test cases.
Change-Id: Idb262024ca74aaa924525150e610642f493c5dc4
Related-Bug: #1838793
With python 3.x, classes can use the metaclass= logic
to not require usage of the six library.
One step in removing all of six usage from neutron.
Change-Id: I2f815e412d9a96eb5faf2b3bb3a1e393a9db9309
NetcatTester class should handle BrokenPipeError exception
and not raise it to fail test immediately if nc process wasn't
yet started when it tries first time to read/write something to
it.
Change-Id: Ica953cc2038b24c4b3985447b393763912aa6abd
Closes-Bug: #1871908
To have correct support in rootwrap, "ping"/"ping6" command should
have the correct filters in rootwrap.
Because "ping" command is harmless, "CommandFilter" is used to allow
any binary call, regardless of the parameters used and the order.
Nevertheless, this patch also proposes to use "ping"/"ping6" with
the same parameters and a specific order, to help in the debug
process:
- ping[6] -W <timeout> <address>
- ping[6] -W <timeout> -c <count> <address>
- ping[6] -W <timeout> -c <count> -i <interval> <address>
Those commands could be called from inside a namespace. The needed
filter is also added in this patch.
Change-Id: Ie5cbc0dcc76672b26cd2605f08cfd17a30b4c905
Closes-Bug: #1863006
If a RootHelperProcess does not start, add more information to the
exception raised: the command return code, the stdout and the stderr.
Change-Id: I229e926341c5e6c8b06f59950e3ae09864d0f1f6
Closes-Bug: #1861221
If any of the processes, client or server, spawned by NetcatTester is
not present during the stop command (kill signal sent), by default the
method will not raise an exception.
Change-Id: If8cf47a01dc353734ad07ca6cd4db7bec6c90fb6
Closes-Bug: #1852869
In "NamespaceFixture", before deleting the namespace, this patch
introduces a check to first kill all processes running on it.
Closes-Bug: #1838793
Change-Id: I27f3db33f2e7ab685523fd2d6922177d7c9cb71b
Fullstack neutron-server sometimes seems to not accept any connection
during the running period. This patch explicitly
sets the listening port range for neutron-server API and ovs agent
openflow.
It also makes sure other client side connection ports do not seize
the server side listening.
Change-Id: If2a7977a3ac795db0bc7f726c0b26c5de638ea47
The bulk port creation scenario requires the ability to generate
multiple MAC addresses for the bulk added ports. This change leverages
the code added in [1] to make bulk MAC creation available.
[1] https://review.openstack.org/510830
Implements: blueprint speed-up-neutron-bulk-creation
Depends-On: https://review.openstack.org/613149
Change-Id: Ia769dadf69781ba511a19c52998949b668963a19
Agent OVS interface code adds ports without a vlan tag,
if neutron-openvswitch-agent fails to set the tag, or takes
too long, the port will be a trunk port, receiving
traffic from the external network or any other port
sending traffic on br-int.
Also, those kinds of ports are triggering a code path
on the ovs-vswitchd revalidator thread which can eventually
hog the CPU of the host (that's a bug under investigation [1])
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1558336
Co-Authored-By: Slawek Kaplonski <skaplons@redhat.com>
Change-Id: I024bbbdf7059835b2f23c264b48478c71633a43c
Closes-Bug: 1767422
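
An added example, not part of the commit messages above or of Neutron's code: a small audit that classifies OVS ports by the tag / vlan_mode / trunks combinations discussed in this commit (untagged ports acting as trunks) and in the earlier dead-VLAN commit (vlan_mode "trunk" with trunks=[4095]). The port names, the status labels and the sample JSON are constructed for illustration.

```python
import json

DEAD_VLAN = 4095

# Constructed sample, shaped like the output of
# `ovs-vsctl --format=json --columns=name,tag,vlan_mode,trunks list Port`.
SAMPLE = json.dumps({
    "headings": ["name", "tag", "vlan_mode", "trunks"],
    "data": [
        ["tap-new", 4095, "trunk", 4095],
        ["tap-bound", 12, ["set", []], ["set", []]],
        ["tap-untagged", ["set", []], ["set", []], ["set", []]],
        ["tap-tag-only", 4095, ["set", []], ["set", []]],
        ["tap-trunk", ["set", []], "trunk", ["set", [10, 20]]],
    ],
})

def as_list(cell):
    """OVSDB JSON: a set is ["set", [...]]; a one-element set is a bare atom."""
    if isinstance(cell, list) and len(cell) == 2 and cell[0] == "set":
        return list(cell[1])
    return [cell]

def classify(tag, vlan_mode, trunks):
    tag = tag[0] if tag else None
    # With vlan_mode unset, OVS treats a tagged port as access, else as trunk.
    mode = vlan_mode[0] if vlan_mode else ("access" if tag is not None else "trunk")
    if mode == "trunk":
        if not trunks:
            return "exposed"       # trunks every VLAN on the bridge
        if trunks == [DEAD_VLAN]:
            return "isolated"      # only VLAN 4095 admitted
        return "trunk-limited"
    if mode == "access":
        return "dead-tag-only" if tag == DEAD_VLAN else "access"
    return "other"                 # native-tagged, native-untagged, dot1q-tunnel

def audit(json_text):
    table = json.loads(json_text)
    col = {h: i for i, h in enumerate(table["headings"])}
    report = {}
    for row in table["data"]:
        fields = [as_list(row[col[c]]) for c in ("tag", "vlan_mode", "trunks")]
        report[row[col["name"]]] = classify(*fields)
    return report

if __name__ == "__main__":
    for port, status in audit(SAMPLE).items():
        print(f"{port:14} {status}")
```

A port reported as "exposed" on br-int is the case this commit closes: no tag and no trunks restriction, so it receives traffic from every VLAN until the agent tags it.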
Because update operation updates openflow rules three times:
1) New rules with new cookie
2) Delete old rules with old cookie
3) Change new cookie back to old cookie
and the step 2) uses --strict parameter, it's needed to apply rules
before deleting the old rules because --strict parameter cannot be
combined with non-strict. This patch applies openflow rules after
step 1), then --strict rules in step 2 are applied right away and then
rest of delete part from 2) and all new rules from 3) are applied
together.
This patch adds optional interval parameter to Pinger class which sends
more ICMP packets per second in the firewall blink tests to increase a
chance of sending a packet while firewall is in inconsistent state.
Change-Id: I25d9c87225feda1b5ddd442dd01529424186e05b
Closes-bug: #1708731
If we set environment for Neutron tests in tox.ini, we may get
type error like:
TypeError: %d format: a number is required, not str
os.environ.get method will get string, not integer. This patch
fixes it.
Change-Id: Ie71302b8e33586082ae8334e6317e30d382e893a
Change network namespace add/delete/list code to use
pyroute2 library instead of calling /sbin/ip.
Also changed all in-tree callers to use the new calls.
Closes-bug: #1717582
Related-bug: #1492714
Change-Id: Id802e77543177fbb95ff15c2c7361172e8824633
/sbin may not be in the regular user's PATH or tools like sysctl/ss
may require root privileges to execute correctly on OpenSUSE, and this
makes net_helpers functions fail with OSError. There is no harm in
running ss or sysctl as root user for these functions and that allows
fullstack/functional tests to operate correctly on OpenSUSE.
The change requires a testcase to inherit from BaseSudoTestCase due
to the new run_as_root=True flag.
Change-Id: Ia4f2af1d44faacf5f7ab5471b4f18ecb27f06549
Refactoring neutron agent linux and ovsdb config opts
to be in neutron/conf/agent so that all the config options
reside in a centralized location. This simplifies the
process of looking up the config opts and provides an easy
way to import.
NeutronLibImpact
Change-Id: Ib1e0e63dec2985c417412d1ecc68e2a74ef87182
Partial-Bug: #1563069
This patch logs the command spawned by RootHelperProcess, it is
handy when debugging failed functional tests on upstream gate.
Change-Id: I743a223c4ff4882fdd760a20823150558d5e5f4a
The patch relies on the fact that traffic not going from instance
(and thus port not managed by firewall) is tagged. Traffic coming from
the instance is not tagged and thus net register is used for marking
such traffic. These two approaches make matching rules unique even if
two ports from different networks share their mac addresses.
Traffic coming from trusted ports is marked with network in registry
so firewall can decide later to which network traffic belongs.
Closes-bug: #1626010
Change-Id: Ia05d75a01b0469a0eaa82ada67b16a9481c50f1c
RootHelperProcess extends Popen from subprocess and sets all
stdin/stdout/stderr descriptors to PIPE. These descriptors use byte
array by default in Python 3. If universal_newlines [1] is set for Popen
object, then those descriptors work in text mode.
[1] https://docs.python.org/3.5/library/subprocess.html#popen-constructor
Change-Id: I3fa2192271aed81fb6da658b8196b365a20fa286
Fixes "TypeError: unhashable type: 'IPDevice'" in
neutron.tests.functional.agent.linux.test_ipset.IpsetManagerTestCase
IPDevice class defines an __eq__() method, which in Python 3 disables
the default __hash__() method (and cannot be used in a set). Use a list
instead as it is enough for the test
Change-Id: I09c538908e55df1b8d305265774c57df1ec42f21
The result later may be concatenated with another str, and it will then
fail with: TypeError: can't concat bytes to str
It's safer to always return a str into test cases.
Change-Id: I7544322f31b4eda378eb8ee541786ea2574e1cf0
.write expects a byte string in python3, while we were passing a
str. It worked in py2 but failed in py3 with:
TypeError: memoryview: a bytes-like object is required, not 'str'
Change-Id: I7f993a06bafa3cad4147f46d5d6dc10efeac3480
select() itself has timeout mechanism, so we do not need to use
wait_until_true wrapper.
Related-Bug: #1674557
Change-Id: I35bc4716f0d1e0d92e7b7a3f6dcb6978e9d725f9
The new eventlet 0.20.x that the gate was recently bumped to [1] removed
select.poll [2]. Instead, we should use select.select that is both
supported by eventlet as well as available on all platforms.
[1] I534b8d7d6c2fa00c1fa7d84b3438e6e2b2fcad9e
[2] http://eventlet.net/doc/changelog.html#id2
Change-Id: Ie649abf495e00e7e05de47520ed89bbcd28360db
Closes-Bug: #1674557
Refactoring Neutron configuration options for agent common config to be
in neutron/conf/agent/common. This will allow centralization of all
configuration options and provide an easy way to import.
Partial-Bug: #1563069
Change-Id: Iebac0cdd3bcfd0135349128921b7ad7a1a939ab8
Needed-By: Ib676003bbe909b5a9013a3178b12dbe291d936af
Now that get_ip_version() is in common/utils.py,
change all in-tree users to use it and not
generate removal warnings.
Trivialfix
Change-Id: I623a10f3a52f80b650e5410df8b03729eb823134
Adding two tests:
* A test that for native ovs-ofctl interface verifies that stopping the
ovs-neutron-agent does not disrupt network traffic. Stopping the agent
means also stopping the OVS bridge controller, hence OVS can decide to
take over management of OpenFlow rules, clear them up, and this way
cause network traffic disruption.
* A test that creates two ports in a single network, then starts
pinging one from the other while restarting OVS agents. The test verifies
that no packet is lost during OVS agent restarts.
Change-Id: I2cd1195fc0622c8c8d614f00e9dd6884ad388d69
Related-Bug: 1514056
Related-Bug: 1607787
Neutron API accepts also protocol numbers as protocols for security
groups. This patch makes support for it in OVS firewall driver. iptables
driver already supports it.
Fullstack test covering SCTP connection was added and it requires
ip_conntrack_proto_sctp kernel module in order to make conntrack work
with SCTP.
Change-Id: I6c5665a994c4a50ddbb95cd1360be0de0a6c7e40
Closes-bug: 1625516