Description of problem: tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_port_security_disable_security_group test failed in CI run error: 2018-05-06 10:36:00,738 1358 INFO [tempest.lib.common.rest_client] Request (TestSecurityGroupsBasicOps:_run_cleanups): 202 DELETE http://10.0.0.102:8774/v2.1/os-keypairs/tempest-TestSecurityGroupsBasicOps-1802014022 0.042s 2018-05-06 10:36:00,738 1358 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'} Body: None Response - Headers: {'status': '202', u'content-length': '0', 'content-location': 'http://10.0.0.102:8774/v2.1/os-keypairs/tempest-TestSecurityGroupsBasicOps-1802014022', u'x-compute-request-id': 'req-93dbfb2b-a79a-4be9-91ff-8022c715970b', u'vary': 'OpenStack-API-Version,X-OpenStack-Nova-API-Version', u'server': 'Apache', u'openstack-api-version': 'compute 2.1', u'connection': 'close', u'x-openstack-nova-api-version': '2.1', u'date': 'Sun, 06 May 2018 14:36:00 GMT', u'content-type': 'application/json', u'x-openstack-request-id': 'req-93dbfb2b-a79a-4be9-91ff-8022c715970b'} Body: }}} Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/tempest/common/utils/__init__.py", line 107, in wrapper return func(*func_args, **func_kwargs) File "/usr/lib/python2.7/site-packages/tempest/common/utils/__init__.py", line 88, in wrapper return f(*func_args, **func_kwargs) File "/usr/lib/python2.7/site-packages/tempest/scenario/test_security_groups_basic_ops.py", line 621, in test_port_security_disable_security_group should_succeed=False) File "/usr/lib/python2.7/site-packages/tempest/scenario/manager.py", line 913, in check_remote_connectivity self.fail(msg) File "/usr/lib/python2.7/site-packages/unittest2/case.py", line 666, in fail raise self.failureException(msg) AssertionError: 10.100.0.8 is reachable from 10.0.0.220 Version-Release number of selected component (if applicable): OSP-13 -p 2018-05-04.1 openvswitch-ovn-common-2.9.90-1.el7.x86_64 openvswitch-ovn-host-2.9.90-1.el7.x86_64 python-networking-ovn-4.0.1-0.20180420150809.c7c16d4.el7ost.noarch openvswitch-ovn-central-2.9.90-1.el7.x86_64 puppet-ovn-12.4.0-0.20180329043503.36ff219.el7ost.noarch python-networking-ovn-metadata-agent-4.0.1-0.20180420150809.c7c16d4.el7ost.noarch How reproducible: 100% Steps to Reproduce: 1.run ci job 2. 3. Actual results: test failed Expected results: test should pass Additional info:
It's a bug and we need to fix it in networking-ovn. When a port has port security enabled and non security groups we shouldn't allow any traffic to it. If port security is disabled, we should allow it. This is what the test expects.
This test [0] will still fail in CI sometimes due to [1]. Tried myself with just 1 compute and the issue is gone, traffic is now blocked on ports with no SGs and port security enabled. [1] tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_port_security_disable_security_group [0] https://bugzilla.redhat.com/show_bug.cgi?id=1566148
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2086