Disable in-band management for bridges before setting up controllers

Disabling in-band management for bridge will effectively disable it for
all controllers which are or will be set for the bridge. This will
prevent us from having short time between configuring controller and
setting connection_mode of the controller to "out-of-band" when
controller works in the default "in-band" connection mode and adds some
hidden flows to the bridge.

Closes-Bug: #1992953
Change-Id: Ibca81eb59fbfad71f223832228f408fb248c5dfa
(cherry picked from commit 8fcf00a)

Author: slawqo

neutron/agent/common/ovs_lib.py

@@ -260,6 +260,18 @@ def default_cookie(self):
     def set_agent_uuid_stamp(self, val):
         self._default_cookie = val
 
+    def disable_in_band(self):
+        """Disable in-band remote management for the bridge.
+
+        That configuration will apply to all controllers configured for the
+        bridge.
+        """
+        other_config = {
+            'disable-in-band': 'true'}
+        self.ovsdb.db_set(
+            'Bridge', self.br_name,
+            ('other_config', other_config)).execute(check_error=True)
+
     def set_controller(self, controllers):
         self.ovsdb.set_controller(self.br_name,
                                   controllers).execute(check_error=True)
@@ -754,13 +766,6 @@ def get_local_port_mac(self):
             msg = _('Unable to determine mac address for %s') % self.br_name
             raise Exception(msg)
 
-    def set_controllers_connection_mode(self, connection_mode):
-        """Set bridge controllers connection mode.
-
-        :param connection_mode: "out-of-band" or "in-band"
-        """
-        self.set_controller_field('connection_mode', connection_mode)
-
     def set_controllers_inactivity_probe(self, interval):
         """Set bridge controllers inactivity probe interval.
 

neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_bridge.py

@@ -73,18 +73,8 @@ def _get_dp(self):
                     self._cached_dpid = new_dpid
 
     def setup_controllers(self, conf):
-        url = ipv6_utils.valid_ipv6_url(conf.OVS.of_listen_address,
-                                        conf.OVS.of_listen_port)
-        controller = "tcp:" + url
-        existing_controllers = self.get_controller()
-        if controller not in existing_controllers:
-            LOG.debug("Setting controller %s for bridge %s.",
-                      controller, self.br_name)
-            self.set_controller([controller])
-
-        self.add_protocols(ovs_consts.OPENFLOW10, ovs_consts.OPENFLOW13)
-        # NOTE(ivc): Force "out-of-band" controller connection mode (see
-        # "In-Band Control" [1]).
+        # NOTE(slaweq): Disable remote in-band management for all controllers
+        # in the bridge
         #
         # By default openvswitch uses "in-band" controller connection mode
         # which adds hidden OpenFlow rules (only visible by issuing ovs-appctl
@@ -96,8 +86,26 @@ def setup_controllers(self, conf):
         # br-int and br-tun must be configured with the "out-of-band"
         # controller connection mode.
         #
+        # Setting connection_mode for controllers should be done in single
+        # transaction together with controllers setup but it will be easier to
+        # disable in-band remote management for bridge which
+        # effectively means that this configurations will applied to all
+        # controllers in the bridge
+        #
         # [1] https://github.com/openvswitch/ovs/blob/master/DESIGN.md
-        self.set_controllers_connection_mode("out-of-band")
+        # [2] https://bugzilla.redhat.com/show_bug.cgi?id=2134772
+        self.disable_in_band()
+
+        url = ipv6_utils.valid_ipv6_url(conf.OVS.of_listen_address,
+                                        conf.OVS.of_listen_port)
+        controller = "tcp:" + url
+        existing_controllers = self.get_controller()
+        if controller not in existing_controllers:
+            LOG.debug("Setting controller %s for bridge %s.",
+                      controller, self.br_name)
+            self.set_controller([controller])
+
+        self.add_protocols(ovs_consts.OPENFLOW10, ovs_consts.OPENFLOW13)
         self.set_controllers_inactivity_probe(conf.OVS.of_inactivity_probe)
 
     def drop_port(self, in_port):

neutron/tests/functional/agent/test_ovs_lib.py

@@ -15,7 +15,6 @@
 
 import collections
 from unittest import mock
-import uuid
 
 from neutron_lib import constants as const
 from oslo_config import cfg
@@ -139,6 +138,15 @@ def test_controller_lifecycle(self):
         self.br.del_controller()
         self.assertEqual([], self.br.get_controller())
 
+    def test_disable_in_band(self):
+        self.br.disable_in_band()
+        br_other_config = self.ovs.ovsdb.db_find(
+            'Bridge', ('name', '=', self.br.br_name), columns=['other_config']
+        ).execute()[0]['other_config']
+        self.assertEqual(
+            'true',
+            br_other_config.get('disable-in-band', '').lower())
+
     def test_non_index_queries(self):
         controllers = ['tcp:127.0.0.1:6633']
         self.br.set_controller(controllers)
@@ -394,33 +402,6 @@ def test_delete_ports(self):
         self.br.delete_ports(all_ports=True)
         self.assertEqual(len(self.br.get_port_name_list()), 0)
 
-    def test_set_controller_connection_mode(self):
-        controllers = ['tcp:192.0.2.0:6633']
-        self._set_controllers_connection_mode(controllers)
-
-    def test_set_multi_controllers_connection_mode(self):
-        controllers = ['tcp:192.0.2.0:6633', 'tcp:192.0.2.1:55']
-        self._set_controllers_connection_mode(controllers)
-
-    def _set_controllers_connection_mode(self, controllers):
-        self.br.set_controller(controllers)
-        self.assertEqual(sorted(controllers), sorted(self.br.get_controller()))
-        self.br.set_controllers_connection_mode('out-of-band')
-        self._assert_controllers_connection_mode('out-of-band')
-        self.br.del_controller()
-        self.assertEqual([], self.br.get_controller())
-
-    def _assert_controllers_connection_mode(self, connection_mode):
-        controllers = self.br.db_get_val('Bridge', self.br.br_name,
-                                         'controller')
-        controllers = [controllers] if isinstance(
-            controllers, uuid.UUID) else controllers
-        for controller in controllers:
-            self.assertEqual(connection_mode,
-                             self.br.db_get_val('Controller',
-                                                controller,
-                                                'connection_mode'))
-
     def test_db_create_references(self):
         with self.ovs.ovsdb.transaction(check_error=True) as txn:
             queue = txn.add(self.ovs.ovsdb.db_create("Queue",

neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_bridge_test_base.py

@@ -147,10 +147,9 @@ def _test_setup_controllers(self, existing_controllers):
         m_set_controller = mock.patch.object(self.br, 'set_controller')
         m_set_probe = mock.patch.object(self.br,
                                         'set_controllers_inactivity_probe')
-        m_set_ccm = mock.patch.object(self.br,
-                                      'set_controllers_connection_mode')
+        m_disable_in_band = mock.patch.object(self.br, 'disable_in_band')
 
-        with m_set_ccm as set_ccm, \
+        with m_disable_in_band as disable_in_band, \
                 m_add_protocols as add_protocols, \
                 m_set_controller as set_controller, \
                 m_get_controller as get_controller, \
@@ -163,7 +162,7 @@ def _test_setup_controllers(self, existing_controllers):
                 set_controller.assert_not_called()
             else:
                 set_controller.assert_called_once_with(["tcp:127.0.0.1:6633"])
-            set_ccm.assert_called_once_with("out-of-band")
+            disable_in_band.assert_called_once_with()
             add_protocols.assert_called_once_with(
                 constants.OPENFLOW10, constants.OPENFLOW13)