net: NAD live-update metadata preservation test for Linux bridge

STP:
https://github.com/RedHatQE/openshift-virtualization-tests-design-docs/blob/main/stps/sig-network/hotpluggable-nad-ref.md

Add test_vm_state_iface_info_preserved: verifies that updating the NAD
reference on a running VM's secondary Linux bridge network does not
alter the guest interface MAC address, name, or IP addresses.

Introduces bridge_vm() — a shared VM factory for Linux bridge tests
with multiple secondary interfaces — and the supporting fixtures
(ref_vm, under_test_vm_two_ifaces, bridge_nad_a/b).

Signed-off-by: Asia Khromov <azhivovk@redhat.com>
Assisted-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: azhivovk

tests/network/l2_bridge/nad_ref_change/conftest.py

@@ -0,0 +1,141 @@
+from collections.abc import Generator
+
+import pytest
+from kubernetes.dynamic import DynamicClient
+from ocp_resources.namespace import Namespace
+
+import tests.network.libs.nodenetworkconfigurationpolicy as libnncp
+from libs.net.ip import filter_link_local_addresses, random_cidr_addresses_by_family
+from libs.net.netattachdef import CNIPluginBridgeConfig, NetConfig, NetworkAttachmentDefinition
+from libs.net.vmspec import lookup_iface_status, wait_for_ifaces_status
+from libs.vm.vm import BaseVirtualMachine
+from tests.network.l2_bridge.libl2bridge import MULTI_IFACE_ARP_RUNCMD
+from tests.network.l2_bridge.nad_ref_change.lib_helpers import (
+    GUEST_IFACE_1,
+    GUEST_IFACE_2,
+    NET_SEED,
+    VM_IFACE_1,
+    VM_IFACE_2,
+    bridge_vm,
+)
+from tests.network.libs.connectivity import poll_tcp_connectivity
+
+
+@pytest.fixture(scope="module")
+def bridge_nad_a(
+    admin_client: DynamicClient,
+    namespace: Namespace,
+    bridge_nncp: libnncp.NodeNetworkConfigurationPolicy,
+    vlan_index_number: Generator[int],
+) -> Generator[NetworkAttachmentDefinition]:
+    bridge = bridge_nncp.desired_state_spec.interfaces[0].name  # type: ignore
+    with NetworkAttachmentDefinition(
+        name="nad-vlan-a",
+        namespace=namespace.name,
+        config=NetConfig(
+            name="nad-vlan-a", plugins=[CNIPluginBridgeConfig(bridge=bridge, vlan=next(vlan_index_number))]
+        ),
+        client=admin_client,
+    ) as nad:
+        yield nad
+
+
+@pytest.fixture(scope="module")
+def bridge_nad_b(
+    admin_client: DynamicClient,
+    namespace: Namespace,
+    bridge_nncp: libnncp.NodeNetworkConfigurationPolicy,
+    vlan_index_number: Generator[int],
+) -> Generator[NetworkAttachmentDefinition]:
+    bridge = bridge_nncp.desired_state_spec.interfaces[0].name  # type: ignore[union-attr, index]
+    with NetworkAttachmentDefinition(
+        name="nad-vlan-b",
+        namespace=namespace.name,
+        config=NetConfig(
+            name="nad-vlan-b", plugins=[CNIPluginBridgeConfig(bridge=bridge, vlan=next(vlan_index_number))]
+        ),
+        client=admin_client,
+    ) as nad:
+        yield nad
+
+
+@pytest.fixture(scope="module")
+def ref_vm(
+    namespace: Namespace,
+    unprivileged_client: DynamicClient,
+    bridge_nad_a: NetworkAttachmentDefinition,
+    bridge_nad_b: NetworkAttachmentDefinition,
+) -> Generator[BaseVirtualMachine]:
+    iface_a_ips = random_cidr_addresses_by_family(net_seed=NET_SEED, host_address=1)
+    iface_b_ips = random_cidr_addresses_by_family(net_seed=NET_SEED, host_address=2)
+    with bridge_vm(
+        namespace=namespace.name,
+        name="ref-vm",
+        client=unprivileged_client,
+        nad_names=[bridge_nad_a.name, bridge_nad_b.name],
+        ip_addresses=[iface_a_ips, iface_b_ips],
+        iface_names=[VM_IFACE_1, VM_IFACE_2],
+        runcmd=MULTI_IFACE_ARP_RUNCMD,
+    ) as vm:
+        vm.start(wait=True)
+        vm.wait_for_agent_connected()
+        wait_for_ifaces_status(
+            vm=vm,
+            ip_addresses_by_spec_net_name={
+                VM_IFACE_1: [addr.split("/")[0] for addr in iface_a_ips],
+                VM_IFACE_2: [addr.split("/")[0] for addr in iface_b_ips],
+            },
+        )
+        yield vm
+
+
+@pytest.fixture(scope="class")
+def under_test_vm_two_ifaces(
+    namespace: Namespace,
+    unprivileged_client: DynamicClient,
+    bridge_nad_a: NetworkAttachmentDefinition,
+    bridge_nad_b: NetworkAttachmentDefinition,
+    ref_vm: BaseVirtualMachine,
+) -> Generator[BaseVirtualMachine]:
+    iface_a_ips = random_cidr_addresses_by_family(net_seed=NET_SEED, host_address=3)
+    iface_b_ips = random_cidr_addresses_by_family(net_seed=NET_SEED, host_address=4)
+    with bridge_vm(
+        namespace=namespace.name,
+        name="under-test-vm-two-ifaces",
+        client=unprivileged_client,
+        nad_names=[bridge_nad_a.name, bridge_nad_a.name],
+        ip_addresses=[iface_a_ips, iface_b_ips],
+        iface_names=[VM_IFACE_1, VM_IFACE_2],
+        runcmd=MULTI_IFACE_ARP_RUNCMD,
+    ) as vm:
+        vm.start(wait=True)
+        vm.wait_for_agent_connected()
+        wait_for_ifaces_status(
+            vm=vm,
+            ip_addresses_by_spec_net_name={
+                VM_IFACE_1: [addr.split("/")[0] for addr in iface_a_ips],
+                VM_IFACE_2: [addr.split("/")[0] for addr in iface_b_ips],
+            },
+        )
+        for ip in filter_link_local_addresses(
+            ip_addresses=lookup_iface_status(vm=ref_vm, iface_name=VM_IFACE_1).ipAddresses
+        ):
+            poll_tcp_connectivity(
+                client_vm=vm,
+                server_vm=ref_vm,
+                server_ip=str(ip),
+                client_bind_dev=GUEST_IFACE_1,
+                server_bind_dev=GUEST_IFACE_1,
+            )
+        for ip in filter_link_local_addresses(
+            ip_addresses=lookup_iface_status(vm=ref_vm, iface_name=VM_IFACE_2).ipAddresses
+        ):
+            poll_tcp_connectivity(
+                client_vm=vm,
+                server_vm=ref_vm,
+                server_ip=str(ip),
+                client_bind_dev=GUEST_IFACE_1,
+                server_bind_dev=GUEST_IFACE_2,
+                expect_connectivity=False,
+            )
+        yield vm

tests/network/l2_bridge/nad_ref_change/lib_helpers.py

@@ -0,0 +1,89 @@
+from typing import Final
+
+from kubernetes.dynamic import DynamicClient
+
+from libs.net.vmspec import lookup_iface_status
+from libs.vm.factory import base_vmspec, fedora_vm
+from libs.vm.spec import (
+    CloudInitNoCloud,
+    Devices,
+    Interface,
+    Multus,
+    Network,
+)
+from libs.vm.vm import BaseVirtualMachine, add_volume_disk, cloudinitdisk_storage
+from tests.network.libs import cloudinit
+from tests.network.libs.cloudinit import primary_iface_cloud_init
+
+NET_SEED: Final[int] = 0
+
+VM_IFACE_1: Final[str] = "iface-1"
+VM_IFACE_2: Final[str] = "iface-2"
+
+GUEST_IFACE_1: Final[str] = "eth1"
+GUEST_IFACE_2: Final[str] = "eth2"
+
+
+def iface_info(vm: BaseVirtualMachine, iface_name: str) -> dict:
+    iface = lookup_iface_status(vm=vm, iface_name=iface_name)
+    return {
+        "name": iface.name,
+        "macAddress": iface.macAddress,
+        "ipAddresses": sorted(iface.ipAddresses or []),
+    }
+
+
+def bridge_vm(
+    namespace: str,
+    name: str,
+    client: DynamicClient,
+    nad_names: list[str],
+    ip_addresses: list[list[str]],
+    iface_names: list[str],
+    runcmd: list[str] | None = None,
+) -> BaseVirtualMachine:
+    """Create a Fedora VM with a masquerade primary interface and bridge-bound secondary interfaces.
+
+    Interface layout in guest OS:
+        eth0 = masquerade (pod network, primary — handles default route and IPv6)
+        eth1 = first secondary bridge interface
+        eth2 = second secondary bridge interface (if present)
+
+    Args:
+        namespace: Namespace to deploy the VM in.
+        name: VM name.
+        client: Kubernetes dynamic client.
+        nad_names: NAD names (multus networkName) for the secondary interfaces, in spec order.
+        ip_addresses: Per-interface CIDR address lists, aligned with nad_names.
+            Each inner list contains one address per supported IP family.
+        iface_names: Logical interface names for the VM spec, aligned with nad_names.
+    """
+    spec = base_vmspec()
+    spec.template.spec.domain.devices = Devices(
+        interfaces=[
+            Interface(name="default", masquerade={}),
+            *[Interface(name=iface_name, bridge={}) for iface_name in iface_names],
+        ]
+    )
+    spec.template.spec.networks = [
+        Network(name="default", pod={}),
+        *[
+            Network(name=iface_name, multus=Multus(networkName=nad_name))
+            for iface_name, nad_name in zip(iface_names, nad_names)
+        ],
+    ]
+    ethernets = {}
+    primary = primary_iface_cloud_init()
+    if primary:
+        ethernets["eth0"] = primary
+    for i, addresses in enumerate(ip_addresses):
+        ethernets[f"eth{i + 1}"] = cloudinit.EthernetDevice(addresses=addresses)
+    userdata = cloudinit.UserData(users=[], runcmd=runcmd)
+    disk, volume = cloudinitdisk_storage(
+        data=CloudInitNoCloud(
+            networkData=cloudinit.asyaml(no_cloud=cloudinit.NetworkData(ethernets=ethernets)) if ethernets else "",
+            userData=cloudinit.format_cloud_config(userdata=userdata),
+        )
+    )
+    spec.template.spec = add_volume_disk(vmi_spec=spec.template.spec, volume=volume, disk=disk)
+    return fedora_vm(namespace=namespace, name=name, client=client, spec=spec)

tests/network/l2_bridge/nad_ref_change/test_nad_ref_change.py

@@ -13,6 +13,12 @@
 
 import pytest
 
+from tests.network.l2_bridge.nad_ref_change.lib_helpers import (
+    VM_IFACE_1,
+    iface_info,
+)
+from tests.network.libs.connectivity import update_nad_references
+
 
 @pytest.mark.incremental
 class TestRunningVMLinuxBridgeVlanChange:
@@ -25,23 +31,23 @@ class TestRunningVMLinuxBridgeVlanChange:
         Initial (both ifaces on VLAN-A):
             Under-test VM             Reference VM
             +-----------+             +-----------+
-            |  iface-1  |---VLAN-A -->|  iface-A  |
-            |  iface-2  |---VLAN-A -->|  iface-A  |
-            +-----------+             |  iface-B  |
-                                      +-----------+
+            |  iface-1  |\\           |           |
+            |           | >--VLAN-A --|  iface-1  |
+            |  iface-2  |/            |  iface-2  |
+            +-----------+             +-----------+
 
         After first test (iface-1: VLAN-A -> VLAN-B):
             Under-test VM             Reference VM
             +-----------+             +-----------+
-            |  iface-1  |---VLAN-B -->|  iface-B  |
-            |  iface-2  |---VLAN-A -->|  iface-A  |
+            |  iface-1  |---VLAN-B -->|  iface-2  |
+            |  iface-2  |---VLAN-A -->|  iface-1  |
             +-----------+             +-----------+
 
         After third test (iface-1: VLAN-B -> VLAN-A, iface-2: VLAN-A -> VLAN-B):
             Under-test VM             Reference VM
             +-----------+             +-----------+
-            |  iface-1  |---VLAN-A -->|  iface-A  |
-            |  iface-2  |---VLAN-B -->|  iface-B  |
+            |  iface-1  |---VLAN-A -->|  iface-1  |
+            |  iface-2  |---VLAN-B -->|  iface-2  |
             +-----------+             +-----------+
 
     Preconditions:
@@ -52,10 +58,13 @@ class TestRunningVMLinuxBridgeVlanChange:
         - No TCP connectivity between the under-test VM and the reference VM on NAD-VLAN-B
     """
 
-    __test__ = False
-
     @pytest.mark.polarion("CNV-15945")
-    def test_vm_state_iface_info_preserved(self):
+    def test_vm_state_iface_info_preserved(
+        self,
+        under_test_vm_two_ifaces,
+        bridge_nad_a,
+        bridge_nad_b,
+    ):
         """
         Test that the under-test VM remains running and its secondary network metadata is unchanged
         after the NAD reference change.
@@ -75,6 +84,15 @@ def test_vm_state_iface_info_preserved(self):
             - Guest first secondary interface MAC address, name, and IP addresses are the same before and after the
               NAD reference change
         """
+        iface_before = iface_info(vm=under_test_vm_two_ifaces, iface_name=VM_IFACE_1)
+
+        update_nad_references(vm=under_test_vm_two_ifaces, updates={VM_IFACE_1: bridge_nad_b.name})
+        under_test_vm_two_ifaces.wait_for_ready_status(status=True)
+
+        iface_after = iface_info(vm=under_test_vm_two_ifaces, iface_name=VM_IFACE_1)
+        assert iface_after == iface_before, (
+            f"Interface info changed after NAD reference update: before={iface_before}, after={iface_after}"
+        )
 
     @pytest.mark.polarion("CNV-15972")
     def test_connectivity(self):
@@ -87,14 +105,16 @@ def test_connectivity(self):
             - Running reference VM with secondary Linux bridge networks connected to NAD-VLAN-A and NAD-VLAN-B
 
         Steps:
-            1. Poll TCP connection from the under-test VM to the reference VM on NAD-VLAN-A
-            2. Poll TCP connection from the under-test VM to the reference VM on NAD-VLAN-B
+            1. Poll TCP connection from the under-test VM to the reference VM on NAD-VLAN-B
+            2. Poll TCP connection from the under-test VM to the reference VM on NAD-VLAN-A
 
         Expected:
             - Under-test VM eventually has TCP connectivity to the reference VM on NAD-VLAN-B
             - Under-test VM has no TCP connectivity to the reference VM on NAD-VLAN-A
         """
 
+    test_connectivity.__test__ = False
+
     @pytest.mark.polarion("CNV-15946")
     def test_two_networks(self):
         """
@@ -121,6 +141,8 @@ def test_two_networks(self):
             - Under-test VM second secondary network eventually has TCP connectivity to the reference VM on NAD-VLAN-B
         """
 
+    test_two_networks.__test__ = False
+
 
 @pytest.mark.polarion("CNV-15947")
 def test_non_migratable_vm_nad_change_not_applied():