Operating System: All
Platform: All

This test is failing due to multiple reasons on different configurations.

The main reason it is failing is regression introduced here https://git.opendaylight.org/gerrit/#/c/52175/, causing a change in the port to port_security_enabled=False not to unbind the service - so the port still goes through the ACL even though it shouldn't.

The reason all transparent jobs fail is that the test was recently corrected in Tempest - and it fails on transparent as expected since there is no mac spoofing check, this is basically a test that should be grouped with the other ACL tests.

The reason learn security groups are unstable is yet to be determined. Technically there is no anti-spoofing rules in learn so the test should not pass due to that, but it also seems like it fails earlier.

When port-security is enabled/disabled bind/unbind was not getting invoked, hence leaving the SG flows in the dispatcher. [1] should solve the issue.

[1]https://git.opendaylight.org/gerrit/#/c/52875/

I had a look at the macspoofing test that’s failing only in mitaka now all the time.
I'm pretty sure the reason it's failing is because of the default SG bug that was fixed in newton networking-odl and not in mitaka [1]

We skip a similar test 'hotplug_nic' due to this reason [2].

Here's a failure [3], you can see that the test does something very similar to the hotplug nic test (adds a nic with default security rules, pings from it to another vm on that network).
It's failing on that ping, before any spoofing/port_security is changed [4], line 834.

I think it's safe to skip this test in Mitaka, not worth the trouble IMO.
Otherwise can ask neutron to cherry-pick this though it's been 4 months.

Jamo, I put up [5] to just skip this test. Can't run it in sandbox as its in shutdown mode.

[1] https://review.openstack.org/#/c/390783/
[2] https://git.opendaylight.org/gerrit/#/c/49411/
[3] https://logs.opendaylight.org/releng/jenkins092/netvirt-csit-1node-openstack-mitaka-upstream-stateful-carbon/201/archives/tempest/tempest_output_tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_port_security_macspoofing_port.log.gz
[4] https://github.com/openstack/tempest/blob/master/tempest/scenario/test_network_basic_ops.py
[5] https://git.opendaylight.org/gerrit/53285

https://logs.opendaylight.org/releng/jenkins092/netvirt-csit-1node-openstack-newton-nodl-v2-upstream-stateful-carbon/268/archives/log.html.gz#s1-s2-s1-t16

tempest failures appear to mostly have been resolved. We can re-open any
of the tempest bugs if/when they appear again in CSIT.

https://logs.opendaylight.org/releng/jenkins092/netvirt-csit-1node-openstack-newton-nodl-v2-upstream-learn-carbon/243/archives/log.html.gz#s1-s2-s1-t16

closing as part of a general bug cleanup. Will re-open if we see it again.

https://logs.opendaylight.org/releng/jenkins092/netvirt-csit-1node-openstack-newton-nodl-v2-upstream-learn-carbon/333/log.html.gz#s1-s2-s1-t16

https://logs.opendaylight.org/releng/jenkins092/netvirt-csit-1node-openstack-newton-nodl-v2-upstream-learn-carbon/353/log.html.gz#s1-s2-s1-t16

no longer seen in CSIT

seen again in nitrogen:

https://logs.opendaylight.org/releng/vex-yul-odl-jenkins-1/netvirt-csit-1node-openstack-ocata-upstream-stateful-snat-conntrack-nitrogen/195/robot-plugin/log_full.html.gz#s1-s5-t12

here's one in oxygen:

https://logs.opendaylight.org/releng/vex-yul-odl-jenkins-1/netvirt-csit-1node-openstack-queens-upstream-stateful-snat-conntrack-oxygen/214/