[NETVIRT-506] CSIT Sporadic failures - tempest.scenario.test_port_security_macspoofing_port Created: 01/Mar/17 Updated: 03/May/18 Resolved: 05/Apr/18 |
|
| Status: | Resolved |
| Project: | netvirt |
| Component/s: | General |
| Affects Version/s: | Carbon |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Highest |
| Reporter: | Alon Kochba | Assignee: | Sam Hague |
| Resolution: | Cannot Reproduce | Votes: | 0 |
| Labels: | csit:failures, csit:snat-conntrack, csit:sporadic | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Operating System: All |
||
| External issue ID: | 7885 |
| Description |
|
|
| Comments |
| Comment by Alon Kochba [ 06/Mar/17 ] |
|
This test is failing due to multiple reasons on different configurations. The main reason it is failing is regression introduced here https://git.opendaylight.org/gerrit/#/c/52175/, causing a change in the port to port_security_enabled=False not to unbind the service - so the port still goes through the ACL even though it shouldn't. The reason all transparent jobs fail is that the test was recently corrected in Tempest - and it fails on transparent as expected since there is no mac spoofing check, this is basically a test that should be grouped with the other ACL tests. The reason learn security groups are unstable is yet to be determined. Technically there is no anti-spoofing rules in learn so the test should not pass due to that, but it also seems like it fails earlier. |
| Comment by Aswin Suryanarayanan [ 06/Mar/17 ] |
|
When port-security is enabled/disabled bind/unbind was not getting invoked, hence leaving the SG flows in the dispatcher. [1] should solve the issue. [1]https://git.opendaylight.org/gerrit/#/c/52875/ |
| Comment by Alon Kochba [ 14/Mar/17 ] |
|
I had a look at the macspoofing test that’s failing only in mitaka now all the time. We skip a similar test 'hotplug_nic' due to this reason [2]. Here's a failure [3], you can see that the test does something very similar to the hotplug nic test (adds a nic with default security rules, pings from it to another vm on that network). I think it's safe to skip this test in Mitaka, not worth the trouble IMO. Jamo, I put up [5] to just skip this test. Can't run it in sandbox as its in shutdown mode. [1] https://review.openstack.org/#/c/390783/ |
| Comment by Jamo Luhrsen [ 28/Mar/17 ] |
| Comment by Jamo Luhrsen [ 25/Apr/17 ] |
|
tempest failures appear to mostly have been resolved. We can re-open any |
| Comment by Jamo Luhrsen [ 08/May/17 ] |
| Comment by Jamo Luhrsen [ 10/Jul/17 ] |
|
closing as part of a general bug cleanup. Will re-open if we see it again. |
| Comment by Jamo Luhrsen [ 17/Jul/17 ] |
| Comment by Jamo Luhrsen [ 07/Aug/17 ] |
| Comment by Jamo Luhrsen [ 27/Sep/17 ] |
|
no longer seen in CSIT |
| Comment by Jamo Luhrsen [ 21/Feb/18 ] |
|
seen again in nitrogen: |
| Comment by Jamo Luhrsen [ 20/Mar/18 ] |
|
here's one in oxygen: |