From 9429c2da01fa29cedcb2a65a26c1c29d0a713670 Mon Sep 17 00:00:00 2001
From: Hynek Mlnarik
Date: Wed, 10 Aug 2016 10:05:57 +0200
Subject: [PATCH] Set secure fail mode for physical bridges
Physical bridges can cause network disruption when ofctl controller becomes inaccessible due to heavy load or when the traffic to controller is blocked. By setting secure fail mode, the openflow rules remain untouched on such an event, while with the default setting, the flows are cleared.
Co-Authored-By: Jakub Libosvar
Closes-Bug: 1607787
Change-Id: I1dffe0a248664d2a675fd1ca58530c233e335d2d
UpgradeImpact
---
 .../plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py | 1 +
 .../ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py | 2 ++
 .../plugins/ml2/drivers/openvswitch/agent/test_ovs_tunnel.py | 2 ++
 3 files changed, 5 insertions(+)
diff --git a/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py b/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
index 2ca97975db7..8eb63a36a76 100644
--- a/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
+++ b/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
@@ -1106,6 +1106,7 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
 # The bridge already exists, so create won't recreate it, but will
 # handle things like changing the datapath_type
 br.create()
+ br.set_secure_mode()
 br.setup_controllers(self.conf)
 if cfg.CONF.AGENT.drop_flows_on_start:
 br.delete_flows()
diff --git a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py
index 5c4feb0e8ef..db76edd483e 100644
--- a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py
+++ b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py
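Review bot: The added `br.set_secure_mode()` in the physical-bridge setup of ovs_neutron_agent.py carries no comment explaining that it is a deliberate fail-closed choice, so a later cleanup could drop or reorder it without noticing the impact. I would put above it `# Fail closed: keep the installed flows if the controller becomes unreachable, rather than the default fail mode, which clears them.` The `drop_flows_on_start` branch directly below deserves a second look in this light: in secure mode an emptied table presumably forwards nothing until the agent reinstalls its flows, so that option now means a hard outage window on the physical bridge. The commit is tagged UpgradeImpact, but the diffstat lists only the agent and two test files, so operators get no release note for the behaviour change. The enclosing method starts and ends outside the hunk.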
@@ -1190,6 +1190,7 @@ class TestOvsNeutronAgent(object):
 expected_calls = [
 mock.call.phys_br_cls('br-eth'),
 mock.call.phys_br.create(),
+ mock.call.phys_br.set_secure_mode(),
 mock.call.phys_br.setup_controllers(mock.ANY),
 mock.call.phys_br.setup_default_table(),
 mock.call.int_br.db_get_val('Interface', 'int-br-eth',
@@ -1304,6 +1305,7 @@ class TestOvsNeutronAgent(object):
 expected_calls = [
 mock.call.phys_br_cls('br-eth'),
 mock.call.phys_br.create(),
+ mock.call.phys_br.set_secure_mode(),
 mock.call.phys_br.setup_controllers(mock.ANY),
 mock.call.phys_br.setup_default_table(),
 mock.call.int_br.delete_port('int-br-eth'),
diff --git a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_tunnel.py b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_tunnel.py
index 47dee58663e..43a06a76adc 100644
--- a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_tunnel.py
+++ b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_tunnel.py
@@ -206,6 +206,7 @@ class TunnelTest(object):
 self.mock_map_tun_bridge_expected = [
 mock.call.create(),
+ mock.call.set_secure_mode(),
 mock.call.setup_controllers(mock.ANY),
 mock.call.setup_default_table(),
 mock.call.port_exists('phy-%s' % self.MAP_TUN_BRIDGE),
@@ -664,6 +665,7 @@ class TunnelTestUseVethInterco(TunnelTest):
 self.mock_map_tun_bridge_expected = [
 mock.call.create(),
+ mock.call.set_secure_mode(),
 mock.call.setup_controllers(mock.ANY),
 mock.call.setup_default_table(),
 mock.call.add_port(self.intb),