During the l2-agent stop, if the policy rule is cleared,
after the l2-agent is started, the qos rule that has been applied should be cleared.
If the update_port call failed with error IpAddressAlreadyAllocatedClient,
retry a few more times in order to find IP addresses that are available.
When fullstack tests are executed manually using a debugger
(e.g.: PyCharm integrated debugger), the "cmd" folder is imported
instead of the "cmd" module.
To solve this problem, this folder and the references to this path
must be changed.
Path for policy.json file in config of fullstack's neutron-server
is generated automatically. It may happen that this path will have
value ``None`` and in such case it shouldn't be placed in
neutron's config file.
The AsyncProcess.stop() method now has an additional parameter,
kill_timeout. If this is set to some value other than
None, eventlet.green.subprocess.Popen.wait() will be called
with this timeout, so a TimeoutExpired exception will be raised
if the process is not killed within this "kill_timeout"
In such a case the process will be killed "again" with the SIGKILL signal
to make sure that it is gone.
This should fix problem with failing fullstack tests, when
ovs_agent process is sometimes not killed and test timeout was
reached in this wait() method.
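The stop-with-timeout behaviour described in the commit message above, as an added example that is not Neutron's AsyncProcess code. It assumes a POSIX host and uses the standard-library subprocess module in place of eventlet.green.subprocess; `CHILD_SRC`, `spawn()` and this `stop()` are constructed for illustration.

```python
import signal
import subprocess
import sys

# Constructed sample child: ignores SIGTERM on request, reports readiness, sleeps.
CHILD_SRC = (
    "import signal, sys, time\n"
    "signal.signal(signal.SIGTERM,\n"
    "    signal.SIG_IGN if sys.argv[1] == 'ignore' else signal.SIG_DFL)\n"
    "print('ready', flush=True)\n"
    "time.sleep(60)\n"
)


def spawn(ignore_sigterm):
    """Start the sample child and wait until its signal handling is in place."""
    mode = "ignore" if ignore_sigterm else "default"
    proc = subprocess.Popen([sys.executable, "-c", CHILD_SRC, mode],
                            stdout=subprocess.PIPE, text=True)
    proc.stdout.readline()  # blocks until the child has printed 'ready'
    return proc


def stop(proc, kill_signal=signal.SIGTERM, kill_timeout=None):
    """Send kill_signal; if the process outlives kill_timeout, send SIGKILL.

    Returns the number of the signal that ended the process.
    With kill_timeout=None, wait() blocks until the process exits, which
    never happens while a child keeps ignoring kill_signal.
    """
    proc.send_signal(kill_signal)
    try:
        proc.wait(timeout=kill_timeout)
    except subprocess.TimeoutExpired:
        proc.kill()  # SIGKILL cannot be caught or ignored
        proc.wait()
    finally:
        proc.stdout.close()
    return -proc.returncode  # Popen reports death by signal N as -N


if __name__ == "__main__":
    for ignore in (False, True):
        ended_by = stop(spawn(ignore), kill_timeout=1)
        print("ignores SIGTERM:", ignore,
              "-> ended by", signal.Signals(ended_by).name)
```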
If the router gateway port IP address is changed directly, the gateway IP
does not change in the router-related namespace on the L3 agent side. This
patch adds a method to catch a 'PORT' IP change event, and notify
the L3 agent.
In some cases it may happen that port is "binding_failed"
because L2 agent running on destination host was down but
this is "temporary" issue.
It is like that for example in case when using L3 HA and when
master and backup network nodes were e.g. rebooted.
L3 agent might start running before L2 agent on host in such case
and if it's new master node, router ports will have "binding_failed"
When agent sends heartbeat and is getting back to live,
ML2 plugin will try to bind all ports with "binding_failed"
from this host.
Since Queens, the security group logging has been merged. But there
is no fullstack test for this feature. So this patch adds a fullstack
test to avoid regression as https://review.openstack.org/#/c/587681
Co-Authored-By: Yushiro FURUKAWA <firstname.lastname@example.org>
Partially-implements: blueprint security-group-logging
It again fails quite often in iptables scenarios.
We need to debug it more to find out what causes this issue
but for now let's mark this test as unstable to make
life of other people easier.
In security groups tests with "iptables" or "iptables_hybrid"
driver it will be useful to have debug_iptables_rules enabled
to check what rules are applied by L2 agent in case of test
async_process.py and ovsdb_monitor.py are now platform
independent, for which reason we can move them to
Note that a few subprojects are using async_process. We'll use
debtcollector so that we don't break those projects, while logging
a deprecation warning.
Re-start of the l3 agent hosting the active l3-ha router
shouldn't cause data plane interruption, assuming there
is no failover. Create a test explicitly for that.
It is not necessary to use 2 "central" bridges, one for "data" and
one for "external" network simulation.
Also, using 2 bridges will cause problems when the "external_network_bridge"
option is removed from the L3 agent and it uses the integration bridge
as it should.
In the fullstack test which checks that there is no packet loss
during restart of agents, all agents which hosted the router
were always restarted.
When the 'master' agent was restarted first, it might
lead to the case where after the restart the 'master' node was switched
to the second L3 agent, and that caused the loss of a few packets and
This test should only check that restart of standby agents does
not cause any packet loss, so this patch does it this way.
MTU check can be skipped during deletion of Networks.
The MTU check doesn't provide any additional support during deletion
of the networks.
Also, if a network is created with MTU 'X' and the
global_mtu later on is decreased to 'Y', the created
network cannot be deleted due to the MTU check.
fullstack test we should first ensure that connection from external_vm
to router's external gateway is possible. If it's fine, we
can restart L3 agents and test if connectivity will not be broken.
Some QoS tests tried to list ports by attribute qos_policy_id
but this attribute is not a valid filter. Before, the tests
passed because neutron ignored the invalid filter and returned
all the ports, which happened to be the correct set. However,
using qos_policy_id as a filter is incorrect and this patch fixes it.
is marked as unstable now because it has been failing quite often recently.
We need to figure out what the reason for this issue is, but
to not block gates with many failures, let's mark it as unstable
_assert_ping_during_agents_restart is used in tests of L2 and L3
agents. However, when it raises an exception due to a timeout, the
associated message assumes the agent under test is L2. This patch
In fullstack test_securitygroup, the simple
net_helpers.assert_ping() and assert_not_ping() functions were used,
which try to ping an IP address 3 times with a short timeout,
and the test fails if the result of the ping is not as expected.
Unfortunately, sometimes in fullstack tests this might not be enough
if the test creates a new SG or SG rule, or applies an SG to a port, and
checks the connection just after that, because the L2 agent doesn't have
enough time to apply all rules on the "host".
This patch changes it to use the block_until_ping() and
block_until_no_ping() methods from the FakeMachine fixture.
These also check if ping is possible/not possible but
keep trying for 1 minute before failing.
A similar change is also done for methods which check TCP
connectivity using the netcat helper class. It now uses
common_utils.wait_until_true() helper function instead of
During agents restart there is async ping run and there is
called function to wait until all async ping workers will
finish their job.
there are 60 pings sent with 1 second timeout so default
wait_until_true timeout which is set to 60 seconds might not
be enough in some cases.
Because of that wait_until_true timeout is now set as
twice higher value than is needed to number of packets to send
This should give enough time to finish all workers.
In case of HA routers IPv6 forwarding is not disabled by default and
then enabled only on master node.
Before this patch it was done in opposite way, so forwarding was
enabled by default and then disabled on backup nodes.
When forwarding was enabled/disabled for the qg- port, MLDv2 packets were
sent and that might lead to temporary packet loss as packets to
the FIP were sent to this backup node instead of the master one.
In case when external bridge configured in OVS agent's bridge_mappings
will be destroyed and created again (for example by running ifup-ovs
script on Centos) bridge wasn't configured by OVS agent.
That might cause broken connectivity for OpenStack's dataplane if
dataplane network also uses same bridge.
This patch adds additional ovsdb-monitor to monitor if any
of physical bridges configured in bridge_mappings was created.
If so, agent will reconfigure it to restore proper openflow rules
Add test validating migration from iptables_hybrid firewall driver to
openvswitch. The test creates simple environment with a single node then
spawns two vms, each has its own security group. Then firewall is
switched and OVS agent is restarted. Connectivity is then validated
again, security groups are removed, tested no traffic is allowed and
then security groups are added back to make sure new firewall driver
works with updates.
ConfigFixture composed ConfigFileFixture instead of inheriting from it. This
patch uses inheritance over composition in order to make
ConfigFileFixture attributes accessible from the outside.