diff --git a/neutron/agent/common/ovs_lib.py b/neutron/agent/common/ovs_lib.py index e2f26c00664..5fc0f9a3390 100644 --- a/neutron/agent/common/ovs_lib.py +++ b/neutron/agent/common/ovs_lib.py @@ -244,6 +244,18 @@ class OVSBridge(BaseOVS): def set_agent_uuid_stamp(self, val): self._default_cookie = val + def disable_in_band(self): + """Disable in-band remote management for the bridge. + + That configuration will apply to all controllers configured for the + bridge. + """ + other_config = { + 'disable-in-band': 'true'} + self.ovsdb.db_set( + 'Bridge', self.br_name, + ('other_config', other_config)).execute(check_error=True) + def set_controller(self, controllers): self.ovsdb.set_controller(self.br_name, controllers).execute(check_error=True) @@ -737,13 +749,6 @@ class OVSBridge(BaseOVS): msg = _('Unable to determine mac address for %s') % self.br_name raise Exception(msg) - def set_controllers_connection_mode(self, connection_mode): - """Set bridge controllers connection mode. - - :param connection_mode: "out-of-band" or "in-band" - """ - self.set_controller_field('connection_mode', connection_mode) - def set_controllers_inactivity_probe(self, interval): """Set bridge controllers inactivity probe interval. diff --git a/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_bridge.py b/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_bridge.py index 16a60cae258..30f0d9c52d0 100644 --- a/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_bridge.py +++ b/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_bridge.py 
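Review bot: `disable_in_band()` in neutron/agent/common/ovs_lib.py passes `db_set` a one-key dict for the Bridge `other_config` column, so it is only safe if `db_set` merges into the existing map. That behaviour is not visible in this hunk, and a replacing write would silently drop any other `other_config` keys already set on the bridge. I would state the assumption in the docstring, e.g. `Only the 'disable-in-band' key is written; other other_config keys are expected to be preserved by db_set.`, and have `test_disable_in_band` in neutron/tests/functional/agent/test_ovs_lib.py seed an unrelated key first and assert that it survives. The docstring could also say why the key matters: per the comment in `setup_controllers`, in-band mode adds hidden OpenFlow rules, which this bridge-level setting is meant to turn off for every controller.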
@@ -71,18 +71,8 @@ class OVSAgentBridge(ofswitch.OpenFlowSwitchMixin, self._cached_dpid = new_dpid def setup_controllers(self, conf): - url = ipv6_utils.valid_ipv6_url(conf.OVS.of_listen_address, - conf.OVS.of_listen_port) - controller = "tcp:" + url - existing_controllers = self.get_controller() - if controller not in existing_controllers: - LOG.debug("Setting controller %s for bridge %s.", - controller, self.br_name) - self.set_controller([controller]) - - self.add_protocols(ovs_consts.OPENFLOW10, ovs_consts.OPENFLOW13) - # NOTE(ivc): Force "out-of-band" controller connection mode (see - # "In-Band Control" [1]). + # NOTE(slaweq): Disable remote in-band management for all controllers + # in the bridge # # By default openvswitch uses "in-band" controller connection mode # which adds hidden OpenFlow rules (only visible by issuing ovs-appctl 
@@ -94,8 +84,26 @@ class OVSAgentBridge(ofswitch.OpenFlowSwitchMixin, # br-int and br-tun must be configured with the "out-of-band" # controller connection mode. # + # Setting connection_mode for controllers should be done in single + # transaction together with controllers setup but it will be easier to + # disable in-band remote management for bridge which + # effectively means that this configurations will applied to all + # controllers in the bridge + # # [1] https://github.com/openvswitch/ovs/blob/master/DESIGN.md - self.set_controllers_connection_mode("out-of-band") + # [2] https://bugzilla.redhat.com/show_bug.cgi?id=2134772 + self.disable_in_band() + + url = ipv6_utils.valid_ipv6_url(conf.OVS.of_listen_address, + conf.OVS.of_listen_port) + controller = "tcp:" + url + existing_controllers = self.get_controller() + if controller not in existing_controllers: + LOG.debug("Setting controller %s for bridge %s.", + controller, self.br_name) + self.set_controller([controller]) + + self.add_protocols(ovs_consts.OPENFLOW10, ovs_consts.OPENFLOW13) self.set_controllers_inactivity_probe(conf.OVS.of_inactivity_probe) def drop_port(self, in_port): diff --git a/neutron/tests/functional/agent/test_ovs_lib.py b/neutron/tests/functional/agent/test_ovs_lib.py index b34b45a657f..1318b5006f1 100644 --- a/neutron/tests/functional/agent/test_ovs_lib.py +++ b/neutron/tests/functional/agent/test_ovs_lib.py @@ -15,7 +15,6 @@ import collections from unittest import mock -import uuid from neutron_lib import constants as const from oslo_config import cfg 
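Review bot: The comment in `setup_controllers` (openflow/native/ovs_bridge.py) never says that `self.disable_in_band()` has to stay ahead of `set_controller()`. A later refactor could move it back below the controller setup and, as far as the comment implies, reopen the window in which a newly added controller runs in the default in-band mode with its hidden flows. I would add a line such as `# Must run before set_controller(): a controller must never exist on the bridge while in-band management is still enabled.` The retained sentence that br-int and br-tun "must be configured with the out-of-band controller connection mode" no longer matches the code, which leaves `connection_mode` untouched, and "this configurations will applied" should read "this configuration will be applied". The new `[2]` reference is also not cited anywhere in the comment text.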
@@ -139,6 +138,15 @@ class OVSBridgeTestCase(OVSBridgeTestBase): self.br.del_controller() self.assertEqual([], self.br.get_controller()) + def test_disable_in_band(self): + self.br.disable_in_band() + br_other_config = self.ovs.ovsdb.db_find( + 'Bridge', ('name', '=', self.br.br_name), columns=['other_config'] + ).execute()[0]['other_config'] + self.assertEqual( + 'true', + br_other_config.get('disable-in-band', '').lower()) + def test_non_index_queries(self): controllers = ['tcp:127.0.0.1:6633'] self.br.set_controller(controllers) @@ -394,33 +402,6 @@ class OVSBridgeTestCase(OVSBridgeTestBase): self.br.delete_ports(all_ports=True) self.assertEqual(len(self.br.get_port_name_list()), 0) - def test_set_controller_connection_mode(self): - controllers = ['tcp:192.0.2.0:6633'] - self._set_controllers_connection_mode(controllers) - - def test_set_multi_controllers_connection_mode(self): - controllers = ['tcp:192.0.2.0:6633', 'tcp:192.0.2.1:55'] - self._set_controllers_connection_mode(controllers) - - def _set_controllers_connection_mode(self, controllers): - self.br.set_controller(controllers) - self.assertEqual(sorted(controllers), sorted(self.br.get_controller())) - self.br.set_controllers_connection_mode('out-of-band') - self._assert_controllers_connection_mode('out-of-band') - self.br.del_controller() - self.assertEqual([], self.br.get_controller()) - - def _assert_controllers_connection_mode(self, connection_mode): - controllers = self.br.db_get_val('Bridge', self.br.br_name, - 'controller') - controllers = [controllers] if isinstance( - controllers, uuid.UUID) else controllers - for controller in controllers: - self.assertEqual(connection_mode, - self.br.db_get_val('Controller', - controller, - 'connection_mode')) - def test_db_create_references(self): with self.ovs.ovsdb.transaction(check_error=True) as txn: queue = txn.add(self.ovs.ovsdb.db_create("Queue", 
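Review bot: The `db_find(...).execute()` call in `test_disable_in_band` is made without `check_error=True`, so a failed query would probably surface as an unrelated error on the `[0]` subscript rather than as the OVSDB failure itself. Using `.execute(check_error=True)[0]['other_config']` keeps the failure readable and matches how `disable_in_band()` executes its own command.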
diff --git a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_bridge_test_base.py b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_bridge_test_base.py index 3c07be3d9b1..2f8083d0922 100644 --- a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_bridge_test_base.py +++ b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_bridge_test_base.py @@ -147,10 +147,9 @@ class OVSBridgeTestBase(ovs_test_base.OVSOSKenTestBase): m_set_controller = mock.patch.object(self.br, 'set_controller') m_set_probe = mock.patch.object(self.br, 'set_controllers_inactivity_probe') - m_set_ccm = mock.patch.object(self.br, - 'set_controllers_connection_mode') + m_disable_in_band = mock.patch.object(self.br, 'disable_in_band') - with m_set_ccm as set_ccm, \ + with m_disable_in_band as disable_in_band, \ m_add_protocols as add_protocols, \ m_set_controller as set_controller, \ m_get_controller as get_controller, \ @@ -163,7 +162,7 @@ class OVSBridgeTestBase(ovs_test_base.OVSOSKenTestBase): set_controller.assert_not_called() else: set_controller.assert_called_once_with(["tcp:127.0.0.1:6633"]) - set_ccm.assert_called_once_with("out-of-band") + disable_in_band.assert_called_once_with() add_protocols.assert_called_once_with( constants.OPENFLOW10, constants.OPENFLOW13)
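Review bot: Nothing in these assertions checks call order: `disable_in_band.assert_called_once_with()` still passes if `setup_controllers` calls it after `set_controller`, which appears to be exactly the regression this change is meant to prevent. In the branch where `set_controller` is expected to be called, attaching both mocks to one parent (`manager.attach_mock(disable_in_band, 'disable_in_band')`, likewise for `set_controller`) and asserting on the order of `manager.mock_calls` would pin the sequence. The test method starts above the first hunk and its `setup_controllers` call is not visible here, so the exact placement needs checking against the full file.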