Add support for OVS as a virtual switch

To support testing the upcoming standalone networking
feature it is necessary to have a virtual switch that
allows port VLAN configuration to be changed by the
networking generic switch driver.

Setting the test_vm_bridge_type to 'ovs' will create
3 separate VLANs for testing.  One will be dedicated
as an inspection network, another to the final
'tenant' network for the node, and the remaining one
will be used for all other network types (i.e.,
cleaning, rescuing, servicing, etc...).

Related-Bug: 2113769
Assisted-by: Claude Code/claude-sonnet-4
Change-Id: I54b154a28dcbb4f89b368deaa7c16792630f6564
Signed-off-by: Allain Legacy <alegacy@redhat.com>

Author: alegacy

doc/source/contributor/testenv.rst

@@ -188,3 +188,17 @@ sushy-tools_ is also installed.
 
 .. _VirtualBMC: https://docs.openstack.org/virtualbmc/
 .. _sushy-tools: https://docs.openstack.org/sushy-tools/
+
+Virtual Switching
+-----------------
+By default, Bifrost sets up a Linux bridge as the virtual switch
+interconnecting the virtual machines that implement the nodes.  To support
+more complex test scenarios, it is possible to configure OVS as the virtual
+switch.  This enables updates to port VLAN assignments to test complex
+networking scenarios.
+
+The virtual switch type can be controlled by modifying the
+``test_vm_switch_type`` variable via ansible extra vars supplied to the Ansible
+commands or via bifrost-cli's ``-e`` option.  Setting the variable to 'ovs'
+enables the OVS switch type.
+

playbooks/roles/bifrost-create-vm-nodes/README.md

@@ -12,6 +12,10 @@ The following packages are required and ensured to be present:
 - qemu-kvm
 - sgabios (except on CentOS Stream 10 / Rocky Linux 10)
 
+Additional packages required when using test_vm_switch_type: 'ovs':
+- openvswitch-switch (Debian/Ubuntu)
+- openvswitch (RedHat/CentOS)
+
 
 Warning
 -------
@@ -150,6 +154,31 @@ test_vm_network_dhcp_end: End of DHCP range for 'test_vm_network'.
                           from scratch and when
                           'test_vm_network_enable_dhcp' is enabled.
 
+test_vm_switch_type: Type of virtual switch to use for test VMs.
+                     Defaults to 'linux_bridge'.
+                     Set to 'ovs' to use Open vSwitch with VLAN support
+                     for testing networking features.
+
+test_ovs_bridge_name: Name of the OVS bridge to create when using
+                      test_vm_switch_type: 'ovs'.
+                      Defaults to 'brtest'.
+
+test_ovs_host_vlans: List of VLAN IDs to configure on the OVS bridge.
+                     Defaults to ['10', '20', '30'].
+                     Creates separate VLANs for inspection, tenant, and
+                     other network types (cleaning, rescuing, servicing).
+                     VLAN IDs must be 1-255.
+
+test_ovs_vm_initial_vlan: Initial VLAN ID for test VMs on OVS bridge.
+                          Defaults to '10'.
+                          VMs start on this VLAN and can be moved between
+                          VLANs by the networking driver.
+
+test_ovs_user: Username for OVS restricted user access.
+               Defaults to 'ovsuser'.
+               Uses SSH key-based authentication (password login is disabled).
+               Used for controlled VLAN management operations.
+
 Dependencies
 ------------
 
@@ -158,12 +187,27 @@ None at this time.
 Example Playbook
 ----------------
 
+Basic usage with default Linux bridge:
+
+- hosts: localhost
+  connection: local
+  become: yes
+  gather_facts: yes
+  roles:
+    - role: bifrost-create-vm-nodes
+
+Using Open vSwitch for testing standalone networking features:
+
 - hosts: localhost
   connection: local
   become: yes
   gather_facts: yes
   roles:
     - role: bifrost-create-vm-nodes
+      vars:
+        test_vm_switch_type: ovs
+        test_ovs_host_vlans: ['10', '20', '30']
+        test_ovs_vm_initial_vlan: '10'
 
 License
 -------

playbooks/roles/bifrost-create-vm-nodes/defaults/main.yml

@@ -97,3 +97,18 @@ efi_nvram_locations_secboot:
   - /usr/share/OVMF/OVMF_VARS.secboot.fd
 efi_nvram_locations: >-
   {{ efi_nvram_locations_secboot if test_vm_secure_boot | bool else efi_nvram_locations_normal }}
+
+# Switch type configuration (default: linux_bridge)
+test_vm_switch_type: linux_bridge
+
+# OVS-specific configuration
+test_ovs_bridge_name: brtest
+
+# Simple VLAN configuration
+# NOTE: VLAN IDs must be 1-255 when used for IP subnets (192.168.{VLAN}.0/24)
+test_ovs_host_vlans: ['10', '20', '30']
+test_ovs_vm_initial_vlan: '10'
+
+# OVS restricted user configuration
+# Uses SSH key-based authentication (password authentication is disabled)
+test_ovs_user: ovsuser

playbooks/roles/bifrost-create-vm-nodes/handlers/main.yml

@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: Restart sshd
+  systemd:
+    name: sshd
+    state: restarted

playbooks/roles/bifrost-create-vm-nodes/tasks/create_vm.yml

@@ -19,6 +19,7 @@
     vm_name: "{{ item }}"
     vm_log_file: "{{ test_vm_logdir }}/{{ item }}_console.log"
     vm_host_group: "{{ test_vm_default_groups }}"
+    vm_port_name: "{{ item }}-port0"
 
 - set_fact:
     vm_host_group: "{{ test_vm_default_groups | union(test_vm_groups[vm_name]) }}"
@@ -41,6 +42,28 @@
     command: list_vms
   register: existing_vms
 
+# Create OVS port with VLAN tag for VM when using OVS
+- name: check if OVS port already exists
+  shell:
+    cmd: |
+      set -eo pipefail
+      ovs-vsctl list-ports {{ test_ovs_bridge_name }} | grep -x {{ vm_port_name }} || echo "not_found"
+  register: ovs_port_check
+  when: test_vm_switch_type == 'ovs'
+
+- name: create OVS port with VLAN tag
+  shell: |
+    ovs-vsctl add-port {{ test_ovs_bridge_name }} {{ vm_port_name }} tag={{ test_ovs_vm_initial_vlan }} -- set interface {{ vm_port_name }} type=internal
+  when:
+    - test_vm_switch_type == 'ovs'
+    - ovs_port_check.stdout.strip() == "not_found"
+
+- name: configure OVS linux interface
+  shell: |
+    ovs-vsctl set interface {{ vm_port_name }} lldp:enable=true
+    ip link set {{ vm_port_name }} up
+  when: test_vm_switch_type == 'ovs'
+
 # NOTE(pas-ha) wrapping in block/rescue to have diagnostic output, requires Ansible>=2
 - when: vm_name not in existing_vms.list_vms
   block:
@@ -129,6 +152,20 @@
   set_fact:
     vm_mac: "{{ (testvm_xml.get_xml | regex_findall(\"<mac address='.*'/>\") | first).split('=') | last | regex_replace(\"['/>]\", '') }}"
 
+- name: set VM network configuration for OVS
+  set_fact:
+    vm_network_base: "192.168.{{ 100 + test_ovs_vm_initial_vlan | int }}."
+    vm_ip_offset: "{{ 2 + (testvm_json_data | length) }}"
+    mgmt_network_ip: "192.168.{{ 100 + test_ovs_vm_initial_vlan | int }}.1"
+  when: test_vm_switch_type == 'ovs'
+
+- name: set VM network configuration for bridge
+  set_fact:
+    vm_network_base: "192.168.122."
+    vm_ip_offset: "{{ 2 + (testvm_json_data | length) }}"
+    mgmt_network_ip: "192.168.122.1"
+  when: test_vm_switch_type == 'linux_bridge'
+
 # NOTE(pas-ha) using default username and password set by virtualbmc - "admin" and "password" respectively
 # see vbmc add --help
 - name: set the json entry for vm
@@ -139,7 +176,7 @@
       host_groups: "{{ vm_host_group }}"
       driver: "{{ test_vm_node_driver }}"
       driver_info:
-        ipmi_address: "192.168.122.1"
+        ipmi_address: "{{ mgmt_network_ip }}"
         ipmi_port: "{{ virtual_ipmi_port }}"
         ipmi_username: "admin"
         ipmi_password: "password"
@@ -149,8 +186,8 @@
         redfish_password: "password"
       nics:
         - mac: "{{ vm_mac }}"
-      ansible_ssh_host: "192.168.122.{{ testvm_json_data | length + 2 }}"
-      ipv4_address: "192.168.122.{{ testvm_json_data | length + 2 }}"
+      ansible_ssh_host: "{{ vm_network_base }}{{ vm_ip_offset }}"
+      ipv4_address: "{{ vm_network_base }}{{ vm_ip_offset }}"
       properties:
         cpu_arch: "{{ test_vm_arch }}"
         ram: "{{ test_vm_memory_size }}"
@@ -161,7 +198,7 @@
       uuid: "{{ vm_name | to_uuid }}"
       driver: "{{ test_vm_node_driver }}"
       driver_info:
-        ipmi_address: "192.168.122.1"
+        ipmi_address: "{{ mgmt_network_ip }}"
         ipmi_port: "{{ virtual_ipmi_port }}"
         ipmi_username: "admin"
         ipmi_password: "password"

playbooks/roles/bifrost-create-vm-nodes/tasks/main.yml

@@ -85,6 +85,9 @@
     group: "{{ ansible_user_gid }}"
   when: copy_from_local_path | bool
 
+- import_tasks: prepare_ovs.yml
+  when: test_vm_switch_type == 'ovs'
+
 - import_tasks: prepare_libvirt.yml
 
 - name: truncate explicit list of vm names

playbooks/roles/bifrost-create-vm-nodes/tasks/prepare_libvirt.yml

@@ -104,7 +104,7 @@
   virt_net:
     name: "{{ test_vm_network }}"
     state: present
-    xml: "{{ lookup('template', 'net.xml.j2') }}"
+    xml: "{{ lookup('template', 'ovs-net.xml.j2' if test_vm_switch_type == 'ovs' else 'net.xml.j2') }}"
     uri: "{{ test_vm_libvirt_uri }}"
 
 - name: find facts on libvirt networks

playbooks/roles/bifrost-create-vm-nodes/tasks/prepare_ovs.yml

@@ -0,0 +1,120 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Setup OVS bridge with VLAN interfaces and DHCP services
+---
+- name: enable NFV repository for OVS on CentOS Stream 10
+  package:
+    name: centos-release-nfv-openvswitch
+    state: present
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_major_version|int >= 10
+
+- name: install OVS packages
+  package:
+    name: "{{ ovs_packages }}"
+    state: present
+
+- name: ensure OVS services are started and enabled
+  systemd:
+    name: "{{ ovs_service_name }}"
+    state: started
+    enabled: yes
+
+- name: create OVS bridge
+  openvswitch.openvswitch.openvswitch_bridge:
+    bridge: "{{ test_ovs_bridge_name }}"
+    state: present
+
+- name: bring up OVS bridge
+  command: ip link set {{ test_ovs_bridge_name }} up
+
+- name: create VLAN interfaces on OVS bridge
+  shell: |
+    ovs-vsctl add-port {{ test_ovs_bridge_name }} {{ test_ovs_bridge_name }}.{{ item }} tag={{ item }} -- set interface {{ test_ovs_bridge_name }}.{{ item }} type=internal
+    ip addr add 192.168.{{ 100 + item | int }}.1/24 dev {{ test_ovs_bridge_name }}.{{ item }}
+    ip link set {{ test_ovs_bridge_name }}.{{ item }} up
+  loop: "{{ test_ovs_host_vlans }}"
+  ignore_errors: yes
+
+- name: enable IP forwarding for OVS bridge
+  sysctl:
+    name: "net.ipv4.ip_forward"
+    value: 1
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- name: ensure .ssh directory exists for OVS user
+  file:
+    path: /home/{{ test_ovs_user }}/.ssh
+    state: directory
+    owner: "{{ test_ovs_user }}"
+    mode: '0700'
+
+- name: create OVS user
+  user:
+    name: "{{ test_ovs_user }}"
+    password: '!'  # Disabled password
+    shell: /bin/bash
+    home: /home/{{ test_ovs_user }}
+    create_home: yes
+    groups: openvswitch
+    state: present
+
+- name: generate SSH key pair for OVS user
+  user:
+    name: "{{ test_ovs_user }}"
+    generate_ssh_key: yes
+    ssh_key_type: ed25519
+    ssh_key_file: .ssh/id_ed25519
+
+- name: read OVS user public key
+  slurp:
+    src: /home/{{ test_ovs_user }}/.ssh/id_ed25519.pub
+  register: ovs_user_pubkey
+
+- name: add public key to authorized_keys for OVS user
+  authorized_key:
+    user: "{{ test_ovs_user }}"
+    key: "{{ ovs_user_pubkey['content'] | b64decode }}"
+    state: present
+
+- name: set OVS socket group permissions
+  file:
+    path: /var/run/openvswitch/db.sock
+    group: openvswitch
+    mode: '0660'
+
+# TODO(alegacy): this could be refined so that access is restricted to a
+# specific set of OVS commands only using something like rbash
+- name: add OVS user to sudoers for privileged access
+  copy:
+    dest: /etc/sudoers.d/{{ test_ovs_user }}-ovs
+    mode: '0440'
+    content: |
+      # Allow {{ test_ovs_user }} to run OVS commands as root without password
+      {{ test_ovs_user }} ALL=(ALL) NOPASSWD: /bin/bash
+
+- name: Restrict OVS user SSH access from localhost only and disable password auth
+  ansible.builtin.blockinfile:
+    path: /etc/ssh/sshd_config
+    block: |
+      Match User {{ test_ovs_user }}
+          AllowUsers {{ test_ovs_user }}@localhost {{ test_ovs_user }}@127.0.0.1 {{ test_ovs_user }}@::1
+          PasswordAuthentication no
+          PubkeyAuthentication yes
+    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR {{ test_ovs_user }}"
+    validate: 'sshd -t -f %s'
+  notify: Restart sshd

playbooks/roles/bifrost-create-vm-nodes/templates/ovs-net.xml.j2

@@ -0,0 +1,6 @@
+<network>
+  <name>{{ test_vm_network }}</name>
+  <forward mode='bridge'/>
+  <bridge name='{{ test_ovs_bridge_name }}'/>
+  <virtualport type='openvswitch'/>
+</network>

playbooks/roles/bifrost-create-vm-nodes/templates/testvm.xml.j2

@@ -36,13 +36,24 @@
       <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
     </disk>
     <controller type='sata' index='0'/>
+    {% if test_vm_switch_type == 'ovs' %}
+    <interface type='direct'>
+      <source dev='{{ vm_port_name }}' mode='passthrough'/>
+      <virtualport type='openvswitch'/>
+      <model type='{{ test_vm_nic }}'/>
+      {% if default_boot_mode == 'uefi' %}
+        <boot order='1'/>
+      {% endif %}
+    </interface>
+    {% else %}
     <interface type='network'>
       <source network='{{ test_vm_network }}'/>
       <model type='{{ test_vm_nic }}'/>
       {% if default_boot_mode == 'uefi' %}
         <boot order='1'/>
       {% endif %}
     </interface>
+    {% endif %}
     <input type='mouse' bus='ps2'/>
     <serial type='file'>
       <source path='{{ vm_log_file }}'/>