diff --git a/neutron/agent/linux/ovs_lib.py b/neutron/agent/linux/ovs_lib.py
index 2827dba1944..4197b4ec811 100644
--- a/neutron/agent/linux/ovs_lib.py
+++ b/neutron/agent/linux/ovs_lib.py
@@ -123,6 +123,10 @@ class OVSBridge(BaseOVS):
 return res.strip().split('\n')
 return res
+ def set_secure_mode(self):
+ self.run_vsctl(['--', 'set-fail-mode', self.br_name, 'secure'],
+ check_error=True)
+
 def set_protocols(self, protocols):
 self.run_vsctl(['--', 'set', 'bridge', self.br_name, "protocols=%s" % protocols],
diff --git a/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py b/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
index 06e361cc769..fa5c49d16b6 100644
--- a/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
+++ b/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
@@ -172,6 +172,7 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
 self.int_br_device_count = 0
 self.int_br = ovs_lib.OVSBridge(integ_br, self.root_helper)
+ self.int_br.set_secure_mode()
 # Stores port update notifications for processing in main rpc loop
 self.updated_ports = set()
 self.setup_rpc()
diff --git a/neutron/tests/unit/agent/linux/test_ovs_lib.py b/neutron/tests/unit/agent/linux/test_ovs_lib.py
index 81671bc011b..8a19ed39a59 100644
--- a/neutron/tests/unit/agent/linux/test_ovs_lib.py
+++ b/neutron/tests/unit/agent/linux/test_ovs_lib.py
@@ -168,6 +168,12 @@ class OVS_Lib_Test(base.BaseTestCase):
 ['ovs-vsctl', self.TO, '--', 'get-controller', self.BR_NAME], root_helper=self.root_helper)
+ def test_set_secure_mode(self):
+ self.br.set_secure_mode()
+ self.execute.assert_called_once_with(
+ ['ovs-vsctl', self.TO, '--', 'set-fail-mode', self.BR_NAME,
+ 'secure'], root_helper=self.root_helper)
+
 def test_set_protocols(self):
 protocols = 'OpenFlow13'
 self.br.set_protocols(protocols)
diff --git a/neutron/tests/unit/openvswitch/test_ovs_neutron_agent.py b/neutron/tests/unit/openvswitch/test_ovs_neutron_agent.py
index 7dc65bb20ac..fa163fc43b2 100644
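Review bot: `set_secure_mode` in `OVSBridge` (neutron/agent/linux/ovs_lib.py) has no docstring, and its name does not say that it changes the bridge's OpenFlow fail-mode rather than some general security setting. I would add `"""Set the bridge fail-mode to 'secure' so OVS does not fall back to standalone learning-switch forwarding when no controller is connected."""`. The docstring should also say that `check_error=True` is deliberate: presumably `run_vsctl` then raises instead of returning quietly (its body is outside this hunk), which is what lets callers fail closed.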
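Review bot: Only the integration bridge is switched to secure fail-mode in `OVSNeutronAgent.__init__` (ovs_neutron_agent.py). If the agent's tunnel and physical bridges are set up elsewhere, which this hunk does not show, they would keep their default fail-mode and could still forward as a plain learning switch while no flows are installed. Consider calling `set_secure_mode()` where those bridges are created as well, or recording why they are exempt. A short comment above the new line would help the next reader, e.g. `# Fail closed: int_br must not forward as a learning switch before the agent's flows are in place.` The `__init__` body starts and ends outside the hunk.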
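Review bot: `test_set_secure_mode` in test_ovs_lib.py pins the ovs-vsctl command line but not the failure path. `set_secure_mode` passes `check_error=True`, so how an ovs-vsctl error surfaces is part of its contract. A second test that makes `self.execute` raise (for example via `side_effect`) and asserts that the error reaches the caller would pin the fail-closed behaviour the agent relies on at startup. Which exception type propagates depends on `run_vsctl`, which is not shown here.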
--- a/neutron/tests/unit/openvswitch/test_ovs_neutron_agent.py
+++ b/neutron/tests/unit/openvswitch/test_ovs_neutron_agent.py
@@ -118,6 +118,8 @@ class TestOvsNeutronAgent(base.BaseTestCase):
 mock.patch('neutron.plugins.openvswitch.agent.ovs_neutron_agent.'
 'OVSNeutronAgent.setup_ancillary_bridges',
 return_value=[]),
+ mock.patch('neutron.agent.linux.ovs_lib.OVSBridge.'
+ 'set_secure_mode'),
 mock.patch('neutron.agent.linux.ovs_lib.OVSBridge.'
 'get_local_port_mac',
 return_value='00:00:00:00:00:01'),
@@ -912,6 +914,8 @@ class AncillaryBridgesTest(base.BaseTestCase):
 mock.patch('neutron.agent.linux.ovs_lib.OVSBridge.'
 'get_local_port_mac',
 return_value='00:00:00:00:00:01'),
+ mock.patch('neutron.agent.linux.ovs_lib.OVSBridge.'
+ 'set_secure_mode'),
 mock.patch('neutron.agent.linux.ovs_lib.get_bridges',
 return_value=bridges),
 mock.patch(
diff --git a/neutron/tests/unit/openvswitch/test_ovs_tunnel.py b/neutron/tests/unit/openvswitch/test_ovs_tunnel.py
index c192cae650b..cb4c7cd9813 100644
--- a/neutron/tests/unit/openvswitch/test_ovs_tunnel.py
+++ b/neutron/tests/unit/openvswitch/test_ovs_tunnel.py
@@ -107,6 +107,7 @@ class TunnelTest(base.BaseTestCase):
 self.mock_int_bridge = self.ovs_bridges[self.INT_BRIDGE]
 self.mock_int_bridge.get_local_port_mac.return_value = '000000000001'
 self.mock_int_bridge_expected = [
+ mock.call.set_secure_mode(),
 mock.call.get_local_port_mac(),
 mock.call.delete_port('patch-tun'),
 mock.call.remove_all_flows(),