Disable in-band management for bridges before setting up controllers

Disabling in-band management for bridge will effectively disable it for
all controllers which are or will be set for the bridge. This will
prevent us from having short time between configuring controller and
setting connection_mode of the controller to "out-of-band" when
controller works in the default "in-band" connection mode and adds some
hidden flows to the bridge.

Closes-Bug: #1992953
Change-Id: Ibca81eb59fbfad71f223832228f408fb248c5dfa
(cherry picked from commit 8fcf00a36d)

neutron/agent/common/ovs_lib.py

@@ -244,6 +244,18 @@ class OVSBridge(BaseOVS):
     def set_agent_uuid_stamp(self, val):
         self._default_cookie = val
 
+    def disable_in_band(self):
+        """Disable in-band remote management for the bridge.
+
+        That configuration will apply to all controllers configured for the
+        bridge.
+        """
+        other_config = {
+            'disable-in-band': 'true'}
+        self.ovsdb.db_set(
+            'Bridge', self.br_name,
+            ('other_config', other_config)).execute(check_error=True)
+
     def set_controller(self, controllers):
         self.ovsdb.set_controller(self.br_name,
                                   controllers).execute(check_error=True)
@@ -737,13 +749,6 @@ class OVSBridge(BaseOVS):
             msg = _('Unable to determine mac address for %s') % self.br_name
             raise Exception(msg)
 
-    def set_controllers_connection_mode(self, connection_mode):
-        """Set bridge controllers connection mode.
-
-        :param connection_mode: "out-of-band" or "in-band"
-        """
-        self.set_controller_field('connection_mode', connection_mode)
-
     def set_controllers_inactivity_probe(self, interval):
         """Set bridge controllers inactivity probe interval.
 

neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_bridge.py

@@ -71,18 +71,8 @@ class OVSAgentBridge(ofswitch.OpenFlowSwitchMixin,
                     self._cached_dpid = new_dpid
 
     def setup_controllers(self, conf):
-        url = ipv6_utils.valid_ipv6_url(conf.OVS.of_listen_address,
+        # NOTE(slaweq): Disable remote in-band management for all controllers
-                                        conf.OVS.of_listen_port)
+        # in the bridge
-        controller = "tcp:" + url
-        existing_controllers = self.get_controller()
-        if controller not in existing_controllers:
-            LOG.debug("Setting controller %s for bridge %s.",
-                      controller, self.br_name)
-            self.set_controller([controller])
-
-        self.add_protocols(ovs_consts.OPENFLOW10, ovs_consts.OPENFLOW13)
-        # NOTE(ivc): Force "out-of-band" controller connection mode (see
-        # "In-Band Control" [1]).
         #
         # By default openvswitch uses "in-band" controller connection mode
         # which adds hidden OpenFlow rules (only visible by issuing ovs-appctl
@@ -94,8 +84,26 @@ class OVSAgentBridge(ofswitch.OpenFlowSwitchMixin,
         # br-int and br-tun must be configured with the "out-of-band"
         # controller connection mode.
         #
+        # Setting connection_mode for controllers should be done in single
+        # transaction together with controllers setup but it will be easier to
+        # disable in-band remote management for bridge which
+        # effectively means that this configurations will applied to all
+        # controllers in the bridge
+        #
         # [1] https://github.com/openvswitch/ovs/blob/master/DESIGN.md
-        self.set_controllers_connection_mode("out-of-band")
+        # [2] https://bugzilla.redhat.com/show_bug.cgi?id=2134772
+        self.disable_in_band()
+
+        url = ipv6_utils.valid_ipv6_url(conf.OVS.of_listen_address,
+                                        conf.OVS.of_listen_port)
+        controller = "tcp:" + url
+        existing_controllers = self.get_controller()
+        if controller not in existing_controllers:
+            LOG.debug("Setting controller %s for bridge %s.",
+                      controller, self.br_name)
+            self.set_controller([controller])
+
+        self.add_protocols(ovs_consts.OPENFLOW10, ovs_consts.OPENFLOW13)
         self.set_controllers_inactivity_probe(conf.OVS.of_inactivity_probe)
 
     def drop_port(self, in_port):

neutron/tests/functional/agent/test_ovs_lib.py

@@ -15,7 +15,6 @@
 
 import collections
 from unittest import mock
-import uuid
 
 from neutron_lib import constants as const
 from oslo_config import cfg
@@ -139,6 +138,15 @@ class OVSBridgeTestCase(OVSBridgeTestBase):
         self.br.del_controller()
         self.assertEqual([], self.br.get_controller())
 
+    def test_disable_in_band(self):
+        self.br.disable_in_band()
+        br_other_config = self.ovs.ovsdb.db_find(
+            'Bridge', ('name', '=', self.br.br_name), columns=['other_config']
+        ).execute()[0]['other_config']
+        self.assertEqual(
+            'true',
+            br_other_config.get('disable-in-band', '').lower())
+
     def test_non_index_queries(self):
         controllers = ['tcp:127.0.0.1:6633']
         self.br.set_controller(controllers)
@@ -394,33 +402,6 @@ class OVSBridgeTestCase(OVSBridgeTestBase):
         self.br.delete_ports(all_ports=True)
         self.assertEqual(len(self.br.get_port_name_list()), 0)
 
-    def test_set_controller_connection_mode(self):
-        controllers = ['tcp:192.0.2.0:6633']
-        self._set_controllers_connection_mode(controllers)
-
-    def test_set_multi_controllers_connection_mode(self):
-        controllers = ['tcp:192.0.2.0:6633', 'tcp:192.0.2.1:55']
-        self._set_controllers_connection_mode(controllers)
-
-    def _set_controllers_connection_mode(self, controllers):
-        self.br.set_controller(controllers)
-        self.assertEqual(sorted(controllers), sorted(self.br.get_controller()))
-        self.br.set_controllers_connection_mode('out-of-band')
-        self._assert_controllers_connection_mode('out-of-band')
-        self.br.del_controller()
-        self.assertEqual([], self.br.get_controller())
-
-    def _assert_controllers_connection_mode(self, connection_mode):
-        controllers = self.br.db_get_val('Bridge', self.br.br_name,
-                                         'controller')
-        controllers = [controllers] if isinstance(
-            controllers, uuid.UUID) else controllers
-        for controller in controllers:
-            self.assertEqual(connection_mode,
-                             self.br.db_get_val('Controller',
-                                                controller,
-                                                'connection_mode'))
-
     def test_db_create_references(self):
         with self.ovs.ovsdb.transaction(check_error=True) as txn:
             queue = txn.add(self.ovs.ovsdb.db_create("Queue",

neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_bridge_test_base.py

@@ -147,10 +147,9 @@ class OVSBridgeTestBase(ovs_test_base.OVSOSKenTestBase):
         m_set_controller = mock.patch.object(self.br, 'set_controller')
         m_set_probe = mock.patch.object(self.br,
                                         'set_controllers_inactivity_probe')
-        m_set_ccm = mock.patch.object(self.br,
+        m_disable_in_band = mock.patch.object(self.br, 'disable_in_band')
-                                      'set_controllers_connection_mode')
 
-        with m_set_ccm as set_ccm, \
+        with m_disable_in_band as disable_in_band, \
                 m_add_protocols as add_protocols, \
                 m_set_controller as set_controller, \
                 m_get_controller as get_controller, \
@@ -163,7 +162,7 @@ class OVSBridgeTestBase(ovs_test_base.OVSOSKenTestBase):
                 set_controller.assert_not_called()
             else:
                 set_controller.assert_called_once_with(["tcp:127.0.0.1:6633"])
-            set_ccm.assert_called_once_with("out-of-band")
+            disable_in_band.assert_called_once_with()
             add_protocols.assert_called_once_with(
                 constants.OPENFLOW10, constants.OPENFLOW13)