# Copyright 2018 Rackspace US Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import ipaddress
import os
import random
import re
import shlex
import string
import subprocess
import tempfile
from cryptography.hazmat.primitives import serialization
from oslo_config import cfg
from oslo_log import log as logging
from oslo_utils import uuidutils
from tempest import clients
from tempest import config
from tempest.lib import auth
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils.linux import remote_client
from tempest.lib import exceptions
from tempest import test
import tenacity
from octavia_tempest_plugin.common import cert_utils
from octavia_tempest_plugin.common import constants as const
import octavia_tempest_plugin.services.load_balancer.v2 as lbv2
from octavia_tempest_plugin.tests import RBAC_tests
from octavia_tempest_plugin.tests import validators
from octavia_tempest_plugin.tests import waiters
CONF = config.CONF
LOG = logging.getLogger(__name__)
RETRY_ATTEMPTS = 15
RETRY_INITIAL_DELAY = 1
RETRY_BACKOFF = 1
RETRY_MAX = 5
[docs]
class LoadBalancerBaseTest(validators.ValidatorsMixin,
RBAC_tests.RBACTestsMixin, test.BaseTestCase):
"""Base class for load balancer tests."""
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
credentials = [
'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
['lb_member', CONF.load_balancer.member_role],
['lb_member2', CONF.load_balancer.member_role]]
elif CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
credentials = [
'admin', 'primary',
['lb_admin', 'admin'],
['lb_observer', 'reader'],
['lb_global_observer', 'reader'],
['lb_member', 'member'],
['lb_member2', 'member']]
# Note: an additional non-member user is added in setup_credentials
else:
credentials = [
'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
['lb_observer', CONF.load_balancer.observer_role, 'reader'],
['lb_global_observer', CONF.load_balancer.global_observer_role,
'reader'],
# Note: Some projects are now requiring the 'member' role by
# default (nova for example) so make sure our creds have this role
['lb_member', CONF.load_balancer.member_role, 'member'],
['lb_member2', CONF.load_balancer.member_role, 'member']]
# If scope enforcement is enabled, add in the system scope credentials.
# The project scope is already handled by the above credentials.
if CONF.enforce_scope.octavia:
credentials.extend(['system_admin', 'system_reader'])
# A tuple of credentials that will be allocated by tempest using the
# 'credentials' list above. These are used to build RBAC test lists.
allocated_creds = []
for cred in credentials:
if isinstance(cred, list):
allocated_creds.append('os_roles_' + cred[0])
else:
allocated_creds.append('os_' + cred)
# Tests shall not mess with the list of allocated credentials
allocated_credentials = tuple(allocated_creds)
webserver1_response = 1
webserver2_response = 5
used_ips = []
SRC_PORT_NUMBER_MIN = 32768
SRC_PORT_NUMBER_MAX = 61000
src_port_number = SRC_PORT_NUMBER_MIN
[docs]
@classmethod
def skip_checks(cls):
"""Check if we should skip all of the children tests."""
super(LoadBalancerBaseTest, cls).skip_checks()
service_list = {
'load_balancer': CONF.service_available.load_balancer,
}
live_service_list = {
'compute': CONF.service_available.nova,
'image': CONF.service_available.glance,
'neutron': CONF.service_available.neutron
}
if not CONF.load_balancer.test_with_noop:
service_list.update(live_service_list)
for service, available in service_list.items():
if not available:
skip_msg = ("{0} skipped as {1} service is not "
"available.".format(cls.__name__, service))
raise cls.skipException(skip_msg)
# We must be able to reach our VIP and instances
if not (CONF.network.project_networks_reachable
or CONF.network.public_network_id):
msg = ('Either project_networks_reachable must be "true", or '
'public_network_id must be defined.')
raise cls.skipException(msg)
@classmethod
def _setup_new_user_role_client(cls, project_id, role_name):
user = {
'name': data_utils.rand_name('user'),
'password': data_utils.rand_password()
}
user_id = cls.os_admin.users_v3_client.create_user(
**user)['user']['id']
cls._created_users.append(user_id)
roles = cls.os_admin.roles_v3_client.list_roles(
name=role_name)['roles']
if len(roles) == 0:
role = {
'name': role_name
}
role_id = cls.os_admin.roles_v3_client.create_role(
**role)['role']['id']
cls._created_roles.append(role_id)
else:
role_id = roles[0]['id']
cls.os_admin.roles_v3_client.create_user_role_on_project(
project_id, user_id, role_id
)
creds = auth.KeystoneV3Credentials(
user_id=user_id,
password=user['password'],
project_id=project_id
)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
return clients.Manager(credentials=creds)
[docs]
@classmethod
def setup_credentials(cls):
"""Setup test credentials and network resources."""
# Do not auto create network resources
cls.set_network_resources()
super(LoadBalancerBaseTest, cls).setup_credentials()
cls._created_projects = []
cls._created_users = []
cls._created_roles = []
non_dyn_users = []
if CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
# Create a non-member user for keystone_default_roles
# When using dynamic credentials, tempest cannot create a user
# without a role, it always adds at least the "member" role.
# We manually create the user with a temporary role
project_id = cls.os_admin.projects_client.create_project(
data_utils.rand_name()
)['project']['id']
cls._created_projects.append(project_id)
cls.os_not_member = cls._setup_new_user_role_client(
project_id,
data_utils.rand_name('role'))
cls.allocated_creds.append('os_not_member')
non_dyn_users.append('not_member')
# Tests shall not mess with the list of allocated credentials
cls.allocated_credentials = tuple(cls.allocated_creds)
if not CONF.load_balancer.log_user_roles:
return
# Log the user roles for this test run
role_name_cache = {}
for cred in cls.credentials + non_dyn_users:
user_roles = []
if isinstance(cred, list):
user_name = cred[0]
cred_obj = getattr(cls, 'os_roles_' + cred[0])
else:
user_name = cred
cred_obj = getattr(cls, 'os_' + cred)
params = {'user.id': cred_obj.credentials.user_id,
'project.id': cred_obj.credentials.project_id}
roles = cls.os_admin.role_assignments_client.list_role_assignments(
**params)['role_assignments']
for role in roles:
role_id = role['role']['id']
try:
role_name = role_name_cache[role_id]
except KeyError:
role_name = cls.os_admin.roles_v3_client.show_role(
role_id)['role']['name']
role_name_cache[role_id] = role_name
user_roles.append([role_name, role['scope']])
LOG.info("User %s has roles: %s", user_name, user_roles)
[docs]
@classmethod
def clear_credentials(cls):
for user_id in cls._created_users:
cls.os_admin.users_v3_client.delete_user(user_id)
for project_id in cls._created_projects:
cls.os_admin.projects_client.delete_project(project_id)
for role_id in cls._created_roles:
cls.os_admin.roles_v3_client.delete_role(role_id)
super().clear_credentials()
[docs]
@classmethod
def setup_clients(cls):
"""Setup client aliases."""
super(LoadBalancerBaseTest, cls).setup_clients()
lb_admin_prefix = cls.os_roles_lb_admin.load_balancer_v2
cls.lb_mem_float_ip_client = cls.os_roles_lb_member.floating_ips_client
cls.lb_mem_keypairs_client = cls.os_roles_lb_member.keypairs_client
cls.lb_mem_net_client = cls.os_roles_lb_member.networks_client
cls.lb_mem_ports_client = cls.os_roles_lb_member.ports_client
cls.lb_mem_routers_client = cls.os_roles_lb_member.routers_client
cls.lb_mem_SG_client = cls.os_roles_lb_member.security_groups_client
cls.lb_mem_SGr_client = (
cls.os_roles_lb_member.security_group_rules_client)
cls.lb_mem_servers_client = cls.os_roles_lb_member.servers_client
cls.lb_mem_subnet_client = cls.os_roles_lb_member.subnets_client
cls.mem_lb_client: lbv2.LoadbalancerClient = (
cls.os_roles_lb_member.load_balancer_v2.LoadbalancerClient())
cls.mem_listener_client: lbv2.ListenerClient = (
cls.os_roles_lb_member.load_balancer_v2.ListenerClient())
cls.mem_pool_client: lbv2.PoolClient = (
cls.os_roles_lb_member.load_balancer_v2.PoolClient())
cls.mem_member_client: lbv2.MemberClient = (
cls.os_roles_lb_member.load_balancer_v2.MemberClient())
cls.mem_healthmonitor_client: lbv2.HealthMonitorClient = (
cls.os_roles_lb_member.load_balancer_v2.HealthMonitorClient())
cls.mem_l7policy_client: lbv2.L7PolicyClient = (
cls.os_roles_lb_member.load_balancer_v2.L7PolicyClient())
cls.mem_l7rule_client: lbv2.L7RuleClient = (
cls.os_roles_lb_member.load_balancer_v2.L7RuleClient())
cls.lb_admin_amphora_client: lbv2.AmphoraClient = (
lb_admin_prefix.AmphoraClient())
cls.lb_admin_flavor_profile_client: lbv2.FlavorProfileClient = (
lb_admin_prefix.FlavorProfileClient())
cls.lb_admin_flavor_client: lbv2.FlavorClient = (
lb_admin_prefix.FlavorClient())
cls.mem_flavor_client: lbv2.FlavorClient = (
cls.os_roles_lb_member.load_balancer_v2.FlavorClient())
cls.mem_provider_client: lbv2.ProviderClient = (
cls.os_roles_lb_member.load_balancer_v2.ProviderClient())
cls.os_admin_servers_client = cls.os_admin.servers_client
cls.os_admin_routers_client = cls.os_admin.routers_client
cls.os_admin_subnetpools_client = cls.os_admin.subnetpools_client
cls.lb_admin_flavor_capabilities_client = (
lb_admin_prefix.FlavorCapabilitiesClient())
cls.lb_admin_availability_zone_capabilities_client = (
lb_admin_prefix.AvailabilityZoneCapabilitiesClient())
cls.lb_admin_availability_zone_profile_client = (
lb_admin_prefix.AvailabilityZoneProfileClient())
cls.lb_admin_availability_zone_client = (
lb_admin_prefix.AvailabilityZoneClient())
cls.mem_availability_zone_client = (
cls.os_roles_lb_member.load_balancer_v2.AvailabilityZoneClient())
cls.os_admin_compute_flavors_client = cls.os_admin.flavors_client
[docs]
@classmethod
def resource_setup(cls):
"""Setup resources needed by the tests."""
super(LoadBalancerBaseTest, cls).resource_setup()
conf_lb = CONF.load_balancer
cls.api_version = cls.mem_lb_client.get_max_api_version()
if conf_lb.test_subnet_override and not conf_lb.test_network_override:
raise exceptions.InvalidConfiguration(
"Configuration value test_network_override must be "
"specified if test_subnet_override is used.")
# TODO(johnsom) Remove this
# Get loadbalancing algorithms supported by provider driver.
try:
algorithms = const.SUPPORTED_LB_ALGORITHMS[
CONF.load_balancer.provider]
except KeyError:
algorithms = const.SUPPORTED_LB_ALGORITHMS['default']
# Set default algorithm as first from the list.
cls.lb_algorithm = algorithms[0]
show_subnet = cls.lb_mem_subnet_client.show_subnet
if CONF.load_balancer.test_with_noop:
cls.lb_member_vip_net = {'id': uuidutils.generate_uuid()}
cls.lb_member_vip_subnet = {'id': uuidutils.generate_uuid()}
cls.lb_member_1_net = {'id': uuidutils.generate_uuid()}
cls.lb_member_1_subnet = {'id': uuidutils.generate_uuid()}
cls.lb_member_2_net = {'id': uuidutils.generate_uuid()}
cls.lb_member_2_subnet = {'id': uuidutils.generate_uuid()}
if CONF.load_balancer.test_with_ipv6:
cls.lb_member_vip_ipv6_net = {'id': uuidutils.generate_uuid()}
cls.lb_member_vip_ipv6_subnet = {'id':
uuidutils.generate_uuid()}
cls.lb_member_1_ipv6_subnet = {'id': uuidutils.generate_uuid()}
cls.lb_member_2_ipv6_subnet = {'id': uuidutils.generate_uuid()}
cls.lb_member_vip_ipv6_subnet_stateful = True
return
elif CONF.load_balancer.test_network_override:
if conf_lb.test_subnet_override:
override_subnet = show_subnet(conf_lb.test_subnet_override)
else:
override_subnet = None
show_net = cls.lb_mem_net_client.show_network
override_network = show_net(conf_lb.test_network_override)
override_network = override_network.get('network')
cls.lb_member_vip_net = override_network
cls.lb_member_vip_subnet = override_subnet
cls.lb_member_1_net = override_network
cls.lb_member_1_subnet = override_subnet
cls.lb_member_2_net = override_network
cls.lb_member_2_subnet = override_subnet
if (CONF.load_balancer.test_with_ipv6 and
conf_lb.test_IPv6_subnet_override):
override_ipv6_subnet = show_subnet(
conf_lb.test_IPv6_subnet_override)
cls.lb_member_vip_ipv6_subnet = override_ipv6_subnet
cls.lb_member_1_ipv6_subnet = override_ipv6_subnet
cls.lb_member_2_ipv6_subnet = override_ipv6_subnet
cls.lb_member_vip_ipv6_subnet_stateful = False
if (override_ipv6_subnet[0]['ipv6_address_mode'] ==
'dhcpv6-stateful'):
cls.lb_member_vip_ipv6_subnet_stateful = True
else:
cls.lb_member_vip_ipv6_subnet = None
cls.lb_member_1_ipv6_subnet = None
cls.lb_member_2_ipv6_subnet = None
else:
cls._create_networks()
LOG.debug('Octavia Setup: lb_member_vip_net = {}'.format(
cls.lb_member_vip_net[const.ID]))
if cls.lb_member_vip_subnet:
LOG.debug('Octavia Setup: lb_member_vip_subnet = {}'.format(
cls.lb_member_vip_subnet[const.ID]))
LOG.debug('Octavia Setup: lb_member_1_net = {}'.format(
cls.lb_member_1_net[const.ID]))
if cls.lb_member_1_subnet:
LOG.debug('Octavia Setup: lb_member_1_subnet = {}'.format(
cls.lb_member_1_subnet[const.ID]))
LOG.debug('Octavia Setup: lb_member_2_net = {}'.format(
cls.lb_member_2_net[const.ID]))
if cls.lb_member_2_subnet:
LOG.debug('Octavia Setup: lb_member_2_subnet = {}'.format(
cls.lb_member_2_subnet[const.ID]))
if CONF.load_balancer.test_with_ipv6:
if cls.lb_member_vip_ipv6_subnet:
LOG.debug('Octavia Setup: lb_member_vip_ipv6_subnet = '
'{}'.format(cls.lb_member_vip_ipv6_subnet[const.ID]))
if cls.lb_member_1_ipv6_subnet:
LOG.debug('Octavia Setup: lb_member_1_ipv6_subnet = {}'.format(
cls.lb_member_1_ipv6_subnet[const.ID]))
if cls.lb_member_2_ipv6_subnet:
LOG.debug('Octavia Setup: lb_member_2_ipv6_subnet = {}'.format(
cls.lb_member_2_ipv6_subnet[const.ID]))
@classmethod
# Neutron can be slow to clean up ports from the subnets/networks.
# Retry this delete a few times if we get a "Conflict" error to give
# neutron time to fully cleanup the ports.
@tenacity.retry(
retry=tenacity.retry_if_exception_type(exceptions.Conflict),
wait=tenacity.wait_incrementing(
RETRY_INITIAL_DELAY, RETRY_BACKOFF, RETRY_MAX),
stop=tenacity.stop_after_attempt(RETRY_ATTEMPTS))
def _logging_delete_network(cls, net_id):
try:
cls.lb_mem_net_client.delete_network(net_id)
except Exception:
LOG.error('Unable to delete network {}. Active ports:'.format(
net_id))
LOG.error(cls.lb_mem_ports_client.list_ports())
raise
@classmethod
# Neutron can be slow to clean up ports from the subnets/networks.
# Retry this delete a few times if we get a "Conflict" error to give
# neutron time to fully cleanup the ports.
@tenacity.retry(
retry=tenacity.retry_if_exception_type(exceptions.Conflict),
wait=tenacity.wait_incrementing(
RETRY_INITIAL_DELAY, RETRY_BACKOFF, RETRY_MAX),
stop=tenacity.stop_after_attempt(RETRY_ATTEMPTS))
def _logging_delete_subnet(cls, subnet_id):
try:
cls.lb_mem_subnet_client.delete_subnet(subnet_id)
except Exception:
LOG.error('Unable to delete subnet {}. Active ports:'.format(
subnet_id))
LOG.error(cls.lb_mem_ports_client.list_ports())
raise
@classmethod
def _create_networks(cls):
"""Creates networks, subnets, and routers used in tests.
The following are expected to be defined and available to the tests:
cls.lb_member_vip_net
cls.lb_member_vip_subnet
cls.lb_member_vip_ipv6_subnet (optional)
cls.lb_member_1_net
cls.lb_member_1_subnet
cls.lb_member_1_ipv6_subnet (optional)
cls.lb_member_2_net
cls.lb_member_2_subnet
cls.lb_member_2_ipv6_subnet (optional)
"""
# Create tenant VIP network
network_kwargs = {
'name': data_utils.rand_name("lb_member_vip_network")}
if CONF.network_feature_enabled.port_security:
# Note: Allowed Address Pairs requires port security
network_kwargs['port_security_enabled'] = True
result = cls.lb_mem_net_client.create_network(**network_kwargs)
cls.lb_member_vip_net = result['network']
LOG.info('lb_member_vip_net: {}'.format(cls.lb_member_vip_net))
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls._logging_delete_network,
cls.lb_mem_net_client.show_network,
cls.lb_member_vip_net['id'])
# Create tenant VIP subnet
subnet_kwargs = {
'name': data_utils.rand_name("lb_member_vip_subnet"),
'network_id': cls.lb_member_vip_net['id'],
'cidr': CONF.load_balancer.vip_subnet_cidr,
'ip_version': 4}
result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
cls.lb_member_vip_subnet = result['subnet']
LOG.info('lb_member_vip_subnet: {}'.format(cls.lb_member_vip_subnet))
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls._logging_delete_subnet,
cls.lb_mem_subnet_client.show_subnet,
cls.lb_member_vip_subnet['id'])
# Create tenant VIP IPv6 subnet
if CONF.load_balancer.test_with_ipv6:
cls.lb_member_vip_ipv6_subnet_stateful = False
cls.lb_member_vip_ipv6_subnet_use_subnetpool = False
subnet_kwargs = {
'name': data_utils.rand_name("lb_member_vip_ipv6_subnet"),
'network_id': cls.lb_member_vip_net['id'],
'ip_version': 6}
# Use a CIDR from devstack's default IPv6 subnetpool if it exists,
# the subnetpool's cidr is routable from the devstack node
# through the default router
subnetpool_name = CONF.load_balancer.default_ipv6_subnetpool
if subnetpool_name:
subnetpool = cls.os_admin_subnetpools_client.list_subnetpools(
name=subnetpool_name)['subnetpools']
if len(subnetpool) == 1:
subnetpool = subnetpool[0]
subnet_kwargs['subnetpool_id'] = subnetpool['id']
cls.lb_member_vip_ipv6_subnet_use_subnetpool = True
if 'subnetpool_id' not in subnet_kwargs:
subnet_kwargs['cidr'] = (
CONF.load_balancer.vip_ipv6_subnet_cidr)
result = cls.lb_mem_subnet_client.create_subnet(
**subnet_kwargs)
cls.lb_member_vip_ipv6_net = cls.lb_member_vip_net
cls.lb_member_vip_ipv6_subnet = result['subnet']
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls._logging_delete_subnet,
cls.lb_mem_subnet_client.show_subnet,
cls.lb_member_vip_ipv6_subnet['id'])
LOG.info('lb_member_vip_ipv6_subnet: {}'.format(
cls.lb_member_vip_ipv6_subnet))
# Create tenant member 1 network
network_kwargs = {
'name': data_utils.rand_name("lb_member_1_network")}
if CONF.network_feature_enabled.port_security:
if CONF.load_balancer.enable_security_groups:
network_kwargs['port_security_enabled'] = True
else:
network_kwargs['port_security_enabled'] = False
result = cls.lb_mem_net_client.create_network(**network_kwargs)
cls.lb_member_1_net = result['network']
LOG.info('lb_member_1_net: {}'.format(cls.lb_member_1_net))
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls._logging_delete_network,
cls.lb_mem_net_client.show_network,
cls.lb_member_1_net['id'])
# Create tenant member 1 subnet
subnet_kwargs = {
'name': data_utils.rand_name("lb_member_1_subnet"),
'network_id': cls.lb_member_1_net['id'],
'cidr': CONF.load_balancer.member_1_ipv4_subnet_cidr,
'ip_version': 4}
result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
cls.lb_member_1_subnet = result['subnet']
LOG.info('lb_member_1_subnet: {}'.format(cls.lb_member_1_subnet))
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls._logging_delete_subnet,
cls.lb_mem_subnet_client.show_subnet,
cls.lb_member_1_subnet['id'])
# Create tenant member 1 ipv6 subnet
if CONF.load_balancer.test_with_ipv6:
subnet_kwargs = {
'name': data_utils.rand_name("lb_member_1_ipv6_subnet"),
'network_id': cls.lb_member_1_net['id'],
'cidr': CONF.load_balancer.member_1_ipv6_subnet_cidr,
'ip_version': 6}
result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
cls.lb_member_1_subnet_prefix = (
CONF.load_balancer.member_1_ipv6_subnet_cidr.rpartition('/')[2]
)
assert(cls.lb_member_1_subnet_prefix.isdigit())
cls.lb_member_1_ipv6_subnet = result['subnet']
LOG.info('lb_member_1_ipv6_subnet: {}'.format(
cls.lb_member_1_ipv6_subnet))
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls._logging_delete_subnet,
cls.lb_mem_subnet_client.show_subnet,
cls.lb_member_1_ipv6_subnet['id'])
# Create tenant member 2 network
network_kwargs = {
'name': data_utils.rand_name("lb_member_2_network")}
if CONF.network_feature_enabled.port_security:
if CONF.load_balancer.enable_security_groups:
network_kwargs['port_security_enabled'] = True
else:
network_kwargs['port_security_enabled'] = False
result = cls.lb_mem_net_client.create_network(**network_kwargs)
cls.lb_member_2_net = result['network']
LOG.info('lb_member_2_net: {}'.format(cls.lb_member_2_net))
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls._logging_delete_network,
cls.lb_mem_net_client.show_network,
cls.lb_member_2_net['id'])
# Create tenant member 2 subnet
subnet_kwargs = {
'name': data_utils.rand_name("lb_member_2_subnet"),
'network_id': cls.lb_member_2_net['id'],
'cidr': CONF.load_balancer.member_2_ipv4_subnet_cidr,
'ip_version': 4}
result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
cls.lb_member_2_subnet = result['subnet']
LOG.info('lb_member_2_subnet: {}'.format(cls.lb_member_2_subnet))
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls._logging_delete_subnet,
cls.lb_mem_subnet_client.show_subnet,
cls.lb_member_2_subnet['id'])
# Create tenant member 2 ipv6 subnet
if CONF.load_balancer.test_with_ipv6:
subnet_kwargs = {
'name': data_utils.rand_name("lb_member_2_ipv6_subnet"),
'network_id': cls.lb_member_2_net['id'],
'cidr': CONF.load_balancer.member_2_ipv6_subnet_cidr,
'ip_version': 6}
result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
cls.lb_member_2_subnet_prefix = (
CONF.load_balancer.member_2_ipv6_subnet_cidr.rpartition('/')[2]
)
assert(cls.lb_member_2_subnet_prefix.isdigit())
cls.lb_member_2_ipv6_subnet = result['subnet']
LOG.info('lb_member_2_ipv6_subnet: {}'.format(
cls.lb_member_2_ipv6_subnet))
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls._logging_delete_subnet,
cls.lb_mem_subnet_client.show_subnet,
cls.lb_member_2_ipv6_subnet['id'])
@classmethod
def _setup_lb_network_kwargs(cls, lb_kwargs, ip_version=None,
use_fixed_ip=False):
if not ip_version:
ip_version = 6 if CONF.load_balancer.test_with_ipv6 else 4
if cls.lb_member_vip_subnet or cls.lb_member_vip_ipv6_subnet:
ip_index = data_utils.rand_int_id(start=10, end=100)
while ip_index in cls.used_ips:
ip_index = data_utils.rand_int_id(start=10, end=100)
cls.used_ips.append(ip_index)
if ip_version == 4:
subnet_id = cls.lb_member_vip_subnet[const.ID]
if CONF.load_balancer.test_with_noop:
lb_vip_address = '198.18.33.33'
else:
subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
network = ipaddress.IPv4Network(subnet['subnet']['cidr'])
lb_vip_address = str(network[ip_index])
else:
subnet_id = cls.lb_member_vip_ipv6_subnet[const.ID]
if CONF.load_balancer.test_with_noop:
lb_vip_address = '2001:db8:33:33:33:33:33:33'
else:
subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
network = ipaddress.IPv6Network(subnet['subnet']['cidr'])
lb_vip_address = str(network[ip_index])
# If the subnet is IPv6 slaac or dhcpv6-stateless
# neutron does not allow a fixed IP
if not cls.lb_member_vip_ipv6_subnet_stateful:
use_fixed_ip = False
lb_kwargs[const.VIP_SUBNET_ID] = subnet_id
if use_fixed_ip:
lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
if CONF.load_balancer.test_with_noop:
lb_kwargs[const.VIP_NETWORK_ID] = (
cls.lb_member_vip_net[const.ID])
if ip_version == 6:
lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
else:
lb_kwargs[const.VIP_NETWORK_ID] = cls.lb_member_vip_net[const.ID]
lb_kwargs[const.VIP_SUBNET_ID] = None
def _validate_listener_protocol(self, protocol, raise_if_unsupported=True):
if (protocol == const.SCTP and
not self.mem_listener_client.is_version_supported(
self.api_version, '2.23')):
if raise_if_unsupported:
raise self.skipException('SCTP listener protocol '
'is only available on Octavia '
'API version 2.23 or newer.')
return False
return True
[docs]
class LoadBalancerBaseTestWithCompute(LoadBalancerBaseTest):
[docs]
@classmethod
def remote_client_args(cls):
# In case we're using octavia-tempest-plugin with old tempest releases
# (for instance on stable/train) that don't support ssh_key_type, catch
# the exception and don't pass any argument
args = {}
try:
args['ssh_key_type'] = CONF.validation.ssh_key_type
except cfg.NoSuchOptError:
pass
return args
[docs]
@classmethod
def resource_setup(cls):
super(LoadBalancerBaseTestWithCompute, cls).resource_setup()
# If validation is disabled in this cloud, we won't be able to
# start the webservers, so don't even boot them.
if not CONF.validation.run_validation:
return
# Create a keypair for the webservers
keypair_name = data_utils.rand_name('lb_member_keypair')
result = cls.lb_mem_keypairs_client.create_keypair(
name=keypair_name)
cls.lb_member_keypair = result['keypair']
LOG.info('lb_member_keypair: {}'.format(cls.lb_member_keypair))
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_keypairs_client.delete_keypair,
cls.lb_mem_keypairs_client.show_keypair,
keypair_name)
if (CONF.load_balancer.enable_security_groups and
CONF.network_feature_enabled.port_security):
# Set up the security group for the webservers
SG_name = data_utils.rand_name('lb_member_SG')
cls.lb_member_sec_group = (
cls.lb_mem_SG_client.create_security_group(
name=SG_name)['security_group'])
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_SG_client.delete_security_group,
cls.lb_mem_SG_client.show_security_group,
cls.lb_member_sec_group['id'])
# Create a security group rule to allow 80-81 (test webservers)
SGr = cls.lb_mem_SGr_client.create_security_group_rule(
direction='ingress',
security_group_id=cls.lb_member_sec_group['id'],
protocol='tcp',
ethertype='IPv4',
port_range_min=80,
port_range_max=81)['security_group_rule']
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_SGr_client.delete_security_group_rule,
cls.lb_mem_SGr_client.show_security_group_rule,
SGr['id'])
# Create a security group rule to allow UDP 80-81 (test webservers)
SGr = cls.lb_mem_SGr_client.create_security_group_rule(
direction='ingress',
security_group_id=cls.lb_member_sec_group['id'],
protocol='udp',
ethertype='IPv4',
port_range_min=80,
port_range_max=81)['security_group_rule']
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_SGr_client.delete_security_group_rule,
cls.lb_mem_SGr_client.show_security_group_rule,
SGr['id'])
# Create a security group rule to allow 443 (test webservers)
SGr = cls.lb_mem_SGr_client.create_security_group_rule(
direction='ingress',
security_group_id=cls.lb_member_sec_group['id'],
protocol='tcp',
ethertype='IPv4',
port_range_min=443,
port_range_max=443)['security_group_rule']
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_SGr_client.delete_security_group_rule,
cls.lb_mem_SGr_client.show_security_group_rule,
SGr['id'])
# Create a security group rule to allow 9443 (test webservers)
# Used in the pool backend encryption client authentication tests
SGr = cls.lb_mem_SGr_client.create_security_group_rule(
direction='ingress',
security_group_id=cls.lb_member_sec_group['id'],
protocol='tcp',
ethertype='IPv4',
port_range_min=9443,
port_range_max=9443)['security_group_rule']
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_SGr_client.delete_security_group_rule,
cls.lb_mem_SGr_client.show_security_group_rule,
SGr['id'])
# Create a security group rule to allow UDP 9999 (test webservers)
# Port 9999 is used to illustrate health monitor ERRORs on closed
# ports.
SGr = cls.lb_mem_SGr_client.create_security_group_rule(
direction='ingress',
security_group_id=cls.lb_member_sec_group['id'],
protocol='udp',
ethertype='IPv4',
port_range_min=9999,
port_range_max=9999)['security_group_rule']
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_SGr_client.delete_security_group_rule,
cls.lb_mem_SGr_client.show_security_group_rule,
SGr['id'])
# Create a security group rule to allow 22 (ssh)
SGr = cls.lb_mem_SGr_client.create_security_group_rule(
direction='ingress',
security_group_id=cls.lb_member_sec_group['id'],
protocol='tcp',
ethertype='IPv4',
port_range_min=22,
port_range_max=22)['security_group_rule']
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_SGr_client.delete_security_group_rule,
cls.lb_mem_SGr_client.show_security_group_rule,
SGr['id'])
if CONF.load_balancer.test_with_ipv6:
# Create a security group rule to allow 80-81 (test webservers)
SGr = cls.lb_mem_SGr_client.create_security_group_rule(
direction='ingress',
security_group_id=cls.lb_member_sec_group['id'],
protocol='tcp',
ethertype='IPv6',
port_range_min=80,
port_range_max=81)['security_group_rule']
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_SGr_client.delete_security_group_rule,
cls.lb_mem_SGr_client.show_security_group_rule,
SGr['id'])
# Create a security group rule to allow UDP 80-81 (test
# webservers)
SGr = cls.lb_mem_SGr_client.create_security_group_rule(
direction='ingress',
security_group_id=cls.lb_member_sec_group['id'],
protocol='udp',
ethertype='IPv6',
port_range_min=80,
port_range_max=81)['security_group_rule']
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_SGr_client.delete_security_group_rule,
cls.lb_mem_SGr_client.show_security_group_rule,
SGr['id'])
# Create a security group rule to allow 443 (test webservers)
SGr = cls.lb_mem_SGr_client.create_security_group_rule(
direction='ingress',
security_group_id=cls.lb_member_sec_group['id'],
protocol='tcp',
ethertype='IPv6',
port_range_min=443,
port_range_max=443)['security_group_rule']
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_SGr_client.delete_security_group_rule,
cls.lb_mem_SGr_client.show_security_group_rule,
SGr['id'])
# Create a security group rule to allow 9443 (test webservers)
# Used in the pool encryption client authentication tests
SGr = cls.lb_mem_SGr_client.create_security_group_rule(
direction='ingress',
security_group_id=cls.lb_member_sec_group['id'],
protocol='tcp',
ethertype='IPv6',
port_range_min=9443,
port_range_max=9443)['security_group_rule']
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_SGr_client.delete_security_group_rule,
cls.lb_mem_SGr_client.show_security_group_rule,
SGr['id'])
# Create a security group rule to allow 22 (ssh)
SGr = cls.lb_mem_SGr_client.create_security_group_rule(
direction='ingress',
security_group_id=cls.lb_member_sec_group['id'],
protocol='tcp',
ethertype='IPv6',
port_range_min=22,
port_range_max=22)['security_group_rule']
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_SGr_client.delete_security_group_rule,
cls.lb_mem_SGr_client.show_security_group_rule,
SGr['id'])
LOG.info('lb_member_sec_group: {}'.format(cls.lb_member_sec_group))
# Setup backend member reencryption PKI
cls._create_backend_reencryption_pki()
# Create webserver 1 instance
server_details = cls._create_webserver('lb_member_webserver1',
cls.lb_member_1_net)
cls.lb_member_webserver1 = server_details['server']
cls.webserver1_ip = server_details.get('ipv4_address')
cls.webserver1_ipv6 = server_details.get('ipv6_address')
cls.webserver1_public_ip = server_details['public_ipv4_address']
LOG.debug('Octavia Setup: lb_member_webserver1 = {}'.format(
cls.lb_member_webserver1[const.ID]))
LOG.debug('Octavia Setup: webserver1_ip = {}'.format(
cls.webserver1_ip))
LOG.debug('Octavia Setup: webserver1_ipv6 = {}'.format(
cls.webserver1_ipv6))
LOG.debug('Octavia Setup: webserver1_public_ip = {}'.format(
cls.webserver1_public_ip))
# Create webserver 2 instance
server_details = cls._create_webserver('lb_member_webserver2',
cls.lb_member_2_net)
cls.lb_member_webserver2 = server_details['server']
cls.webserver2_ip = server_details.get('ipv4_address')
cls.webserver2_ipv6 = server_details.get('ipv6_address')
cls.webserver2_public_ip = server_details['public_ipv4_address']
LOG.debug('Octavia Setup: lb_member_webserver2 = {}'.format(
cls.lb_member_webserver2[const.ID]))
LOG.debug('Octavia Setup: webserver2_ip = {}'.format(
cls.webserver2_ip))
LOG.debug('Octavia Setup: webserver2_ipv6 = {}'.format(
cls.webserver2_ipv6))
LOG.debug('Octavia Setup: webserver2_public_ip = {}'.format(
cls.webserver2_public_ip))
if CONF.load_balancer.test_with_ipv6:
# Enable the IPv6 nic in webserver 1
cls._enable_ipv6_nic_webserver(
cls.webserver1_public_ip, cls.lb_member_keypair['private_key'],
cls.webserver1_ipv6, cls.lb_member_1_subnet_prefix)
# Enable the IPv6 nic in webserver 2
cls._enable_ipv6_nic_webserver(
cls.webserver2_public_ip, cls.lb_member_keypair['private_key'],
cls.webserver2_ipv6, cls.lb_member_2_subnet_prefix)
# Set up serving on webserver 1
cls._install_start_webserver(cls.webserver1_public_ip,
cls.lb_member_keypair['private_key'],
cls.webserver1_response)
# Validate webserver 1
cls._validate_webserver(cls.webserver1_public_ip,
cls.webserver1_response)
# Validate udp server 1
cls._validate_udp_server(cls.webserver1_public_ip,
cls.webserver1_response)
# Set up serving on webserver 2
cls._install_start_webserver(cls.webserver2_public_ip,
cls.lb_member_keypair['private_key'],
cls.webserver2_response, revoke_cert=True)
# Validate webserver 2
cls._validate_webserver(cls.webserver2_public_ip,
cls.webserver2_response)
# Validate udp server 2
cls._validate_udp_server(cls.webserver2_public_ip,
cls.webserver2_response)
@classmethod
def _create_networks(cls):
super(LoadBalancerBaseTestWithCompute, cls)._create_networks()
# Create a router for the subnets (required for the floating IP)
router_name = data_utils.rand_name("lb_member_router")
result = cls.lb_mem_routers_client.create_router(
name=router_name, admin_state_up=True,
external_gateway_info=dict(
network_id=CONF.network.public_network_id))
cls.lb_member_router = result['router']
LOG.info('lb_member_router: {}'.format(cls.lb_member_router))
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_routers_client.delete_router,
cls.lb_mem_routers_client.show_router,
cls.lb_member_router['id'])
# Add VIP subnet to router
cls.lb_mem_routers_client.add_router_interface(
cls.lb_member_router['id'],
subnet_id=cls.lb_member_vip_subnet['id'])
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_routers_client.remove_router_interface,
cls.lb_mem_routers_client.remove_router_interface,
cls.lb_member_router['id'],
subnet_id=cls.lb_member_vip_subnet['id'])
if (CONF.load_balancer.test_with_ipv6 and
CONF.load_balancer.default_router and
cls.lb_member_vip_ipv6_subnet_use_subnetpool):
router_name = CONF.load_balancer.default_router
# if lb_member_vip_ipv6_subnet uses devstack's subnetpool,
# plug the subnet into the default router
router = cls.os_admin.routers_client.list_routers(
name=router_name)['routers']
if len(router) == 1:
router = router[0]
# Add IPv6 VIP subnet to router1
cls.os_admin_routers_client.add_router_interface(
router['id'],
subnet_id=cls.lb_member_vip_ipv6_subnet['id'])
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.os_admin_routers_client.remove_router_interface,
cls.os_admin_routers_client.remove_router_interface,
router['id'],
subnet_id=cls.lb_member_vip_ipv6_subnet['id'])
# Add member subnet 1 to router
cls.lb_mem_routers_client.add_router_interface(
cls.lb_member_router['id'],
subnet_id=cls.lb_member_1_subnet['id'])
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_routers_client.remove_router_interface,
cls.lb_mem_routers_client.remove_router_interface,
cls.lb_member_router['id'], subnet_id=cls.lb_member_1_subnet['id'])
# Add member subnet 2 to router
cls.lb_mem_routers_client.add_router_interface(
cls.lb_member_router['id'],
subnet_id=cls.lb_member_2_subnet['id'])
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_routers_client.remove_router_interface,
cls.lb_mem_routers_client.remove_router_interface,
cls.lb_member_router['id'], subnet_id=cls.lb_member_2_subnet['id'])
@classmethod
def _create_webserver(cls, name, network):
"""Creates a webserver with two ports.
webserver_details dictionary contains:
server - The compute server object
ipv4_address - The IPv4 address for the server (optional)
ipv6_address - The IPv6 address for the server (optional)
public_ipv4_address - The publicly accessible IPv4 address for the
server, this may be a floating IP (optional)
:param name: The name of the server to create.
:param network: The network to boot the server on.
:returns: webserver_details dictionary.
"""
server_kwargs = {
'name': data_utils.rand_name(name),
'flavorRef': CONF.compute.flavor_ref,
'imageRef': CONF.compute.image_ref,
'key_name': cls.lb_member_keypair['name']}
if (CONF.load_balancer.enable_security_groups and
CONF.network_feature_enabled.port_security):
server_kwargs['security_groups'] = [
{'name': cls.lb_member_sec_group['name']}]
if not CONF.load_balancer.disable_boot_network:
server_kwargs['networks'] = [{'uuid': network['id']}]
# Replace the name for clouds that have limitations
if CONF.load_balancer.random_server_name_length:
r = random.SystemRandom()
server_kwargs['name'] = "m{}".format("".join(
[r.choice(string.ascii_uppercase + string.digits)
for _ in range(
CONF.load_balancer.random_server_name_length - 1)]
))
if CONF.load_balancer.availability_zone:
server_kwargs['availability_zone'] = (
CONF.load_balancer.availability_zone)
server = cls.lb_mem_servers_client.create_server(
**server_kwargs)['server']
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_servers_client.delete_server,
cls.lb_mem_servers_client.show_server,
server['id'])
server = waiters.wait_for_status(
cls.lb_mem_servers_client.show_server,
server['id'], 'status', 'ACTIVE',
CONF.load_balancer.build_interval,
CONF.load_balancer.build_timeout,
root_tag='server')
webserver_details = {'server': server}
LOG.info('Created server: {}'.format(server))
addresses = server['addresses']
if CONF.load_balancer.disable_boot_network:
instance_network = addresses.values()[0]
else:
instance_network = addresses[network['name']]
for addr in instance_network:
if addr['version'] == 4:
webserver_details['ipv4_address'] = addr['addr']
if addr['version'] == 6:
webserver_details['ipv6_address'] = addr['addr']
if CONF.validation.connect_method == 'floating':
result = cls.lb_mem_ports_client.list_ports(
network_id=network['id'],
mac_address=instance_network[0]['OS-EXT-IPS-MAC:mac_addr'])
port_id = result['ports'][0]['id']
result = cls.lb_mem_float_ip_client.create_floatingip(
floating_network_id=CONF.network.public_network_id,
port_id=port_id)
floating_ip = result['floatingip']
LOG.info('webserver1_floating_ip: {}'.format(floating_ip))
cls.addClassResourceCleanup(
waiters.wait_for_not_found,
cls.lb_mem_float_ip_client.delete_floatingip,
cls.lb_mem_float_ip_client.show_floatingip,
floatingip_id=floating_ip['id'])
webserver_details['public_ipv4_address'] = (
floating_ip['floating_ip_address'])
else:
webserver_details['public_ipv4_address'] = (
instance_network[0]['addr'])
return webserver_details
@classmethod
def _get_openssh_version(cls):
p = subprocess.Popen(["ssh", "-V"],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
output = p.communicate()[1]
try:
m = re.match(r"OpenSSH_(\d+)\.(\d+)", output.decode('utf-8'))
version_maj = int(m.group(1))
version_min = int(m.group(2))
return version_maj, version_min
except Exception:
return None, None
@classmethod
def _need_scp_protocol(cls):
# When using scp >= 8.7, force the use of the SCP protocol,
# the new default (SFTP protocol) doesn't work with
# cirros VMs.
ssh_version = cls._get_openssh_version()
LOG.debug("ssh_version = {}".format(ssh_version))
return (ssh_version[0] > 8 or
(ssh_version[0] == 8 and ssh_version[1] >= 7))
@classmethod
def _install_start_webserver(cls, ip_address, ssh_key, start_id,
revoke_cert=False):
local_file = CONF.load_balancer.test_server_path
linux_client = remote_client.RemoteClient(
ip_address, CONF.validation.image_ssh_user, pkey=ssh_key,
**cls.remote_client_args())
linux_client.validate_authentication()
with tempfile.NamedTemporaryFile() as key:
key.write(ssh_key.encode('utf-8'))
key.flush()
ssh_extra_args = (
"-o PubkeyAcceptedKeyTypes=+ssh-rsa")
if cls._need_scp_protocol():
ssh_extra_args += " -O"
cmd = ("scp -v -o UserKnownHostsFile=/dev/null "
"{7} "
"-o StrictHostKeyChecking=no "
"-o ConnectTimeout={0} -o ConnectionAttempts={1} "
"-i {2} {3} {4}@{5}:{6}").format(
CONF.load_balancer.scp_connection_timeout,
CONF.load_balancer.scp_connection_attempts,
key.name, local_file, CONF.validation.image_ssh_user,
ip_address, const.TEST_SERVER_BINARY,
ssh_extra_args)
args = shlex.split(cmd)
subprocess_args = {'stdout': subprocess.PIPE,
'stderr': subprocess.STDOUT,
'cwd': None}
proc = subprocess.Popen(args, **subprocess_args)
stdout, stderr = proc.communicate()
if proc.returncode != 0:
raise exceptions.CommandFailed(proc.returncode, cmd,
stdout, stderr)
cls._load_member_pki_content(ip_address, key,
revoke_cert=revoke_cert)
# Enabling memory overcommit allows to run golang static binaries
# compiled with a recent golang toolchain (>=1.11). Those binaries
# allocate a large amount of virtual memory at init time, and this
# allocation fails in tempest's nano flavor (64MB of RAM)
# (golang issue reported in https://github.com/golang/go/issues/28114,
# follow-up: https://github.com/golang/go/issues/28081)
# TODO(gthiemonge): Remove this call when golang issue is resolved.
linux_client.exec_command('sudo sh -c "echo 1 > '
'/proc/sys/vm/overcommit_memory"')
# The initial process also supports HTTPS and HTTPS with client auth
linux_client.exec_command(
'sudo screen -d -m {0} -port 80 -id {1} -https_port 443 -cert {2} '
'-key {3} -https_client_auth_port 9443 -client_ca {4}'.format(
const.TEST_SERVER_BINARY, start_id, const.TEST_SERVER_CERT,
const.TEST_SERVER_KEY, const.TEST_SERVER_CLIENT_CA))
linux_client.exec_command('sudo screen -d -m {0} -port 81 '
'-id {1}'.format(const.TEST_SERVER_BINARY,
start_id + 1))
# Cirros does not configure the assigned IPv6 address by default
# so enable it manually like tempest does here:
# tempest/scenario/test_netowrk_v6.py turn_nic6_on()
@classmethod
def _enable_ipv6_nic_webserver(cls, ip_address, ssh_key,
ipv6_address, ipv6_prefix):
linux_client = remote_client.RemoteClient(
ip_address, CONF.validation.image_ssh_user, pkey=ssh_key,
**cls.remote_client_args())
linux_client.validate_authentication()
linux_client.exec_command('sudo ip address add {0}/{1} dev '
'eth0'.format(ipv6_address, ipv6_prefix))
@classmethod
def _validate_webserver(cls, ip_address, start_id):
URL = 'http://{0}'.format(ip_address)
cls.validate_URL_response(URL, expected_body=str(start_id))
URL = 'http://{0}:81'.format(ip_address)
cls.validate_URL_response(URL, expected_body=str(start_id + 1))
@classmethod
def _validate_udp_server(cls, ip_address, start_id):
res = cls.make_udp_request(ip_address, 80)
if res != str(start_id):
raise Exception("Response from test server doesn't match the "
"expected value ({0} != {1}).".format(
res, str(start_id)))
res = cls.make_udp_request(ip_address, 81)
if res != str(start_id + 1):
raise Exception("Response from test server doesn't match the "
"expected value ({0} != {1}).".format(
res, str(start_id + 1)))
@classmethod
def _create_backend_reencryption_pki(cls):
# Create a CA self-signed cert and key for the member test servers
cls.member_ca_cert, cls.member_ca_key = (
cert_utils.generate_ca_cert_and_key())
LOG.debug('Member CA Cert: %s', cls.member_ca_cert.public_bytes(
serialization.Encoding.PEM))
LOG.debug('Member CA private Key: %s', cls.member_ca_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()))
LOG.debug('Member CA public Key: %s',
cls.member_ca_key.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo))
# Create the member client authentication CA
cls.member_client_ca_cert, member_client_ca_key = (
cert_utils.generate_ca_cert_and_key())
# Create client cert and key
cls.member_client_cn = uuidutils.generate_uuid()
cls.member_client_cert, cls.member_client_key = (
cert_utils.generate_client_cert_and_key(
cls.member_client_ca_cert, member_client_ca_key,
cls.member_client_cn))
# Note: We are not revoking a client cert here as we don't need to
# test the backend web server CRL checking.
@classmethod
def _load_member_pki_content(cls, ip_address, ssh_key, revoke_cert=False):
# Create webserver certificate and key
cert, key = cert_utils.generate_server_cert_and_key(
cls.member_ca_cert, cls.member_ca_key, ip_address)
LOG.debug('%s Cert: %s', ip_address, cert.public_bytes(
serialization.Encoding.PEM))
LOG.debug('%s private Key: %s', ip_address, key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()))
public_key = key.public_key()
LOG.debug('%s public Key: %s', ip_address, public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo))
# Create a CRL with a revoked certificate
if revoke_cert:
# Create a CRL with webserver 2 revoked
cls.member_crl = cert_utils.generate_certificate_revocation_list(
cls.member_ca_cert, cls.member_ca_key, cert)
# Load the certificate, key, and client CA certificate into the
# test server.
with tempfile.TemporaryDirectory() as tmpdir:
os.umask(0)
files_to_send = []
cert_filename = os.path.join(tmpdir, const.CERT_PEM)
files_to_send.append(cert_filename)
with open(os.open(cert_filename, os.O_CREAT | os.O_WRONLY,
0o700), 'w') as fh:
fh.write(cert.public_bytes(
serialization.Encoding.PEM).decode('utf-8'))
fh.flush()
key_filename = os.path.join(tmpdir, const.KEY_PEM)
files_to_send.append(key_filename)
with open(os.open(key_filename, os.O_CREAT | os.O_WRONLY,
0o700), 'w') as fh:
fh.write(key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()).decode(
'utf-8'))
fh.flush()
client_ca_filename = os.path.join(tmpdir, const.CLIENT_CA_PEM)
files_to_send.append(client_ca_filename)
with open(os.open(client_ca_filename, os.O_CREAT | os.O_WRONLY,
0o700), 'w') as fh:
fh.write(cls.member_client_ca_cert.public_bytes(
serialization.Encoding.PEM).decode('utf-8'))
fh.flush()
# For security, we don't want to use a shell that can glob
# the file names, so iterate over them.
subprocess_args = {'stdout': subprocess.PIPE,
'stderr': subprocess.STDOUT,
'cwd': None}
ssh_extra_args = (
"-o PubkeyAcceptedKeyTypes=+ssh-rsa")
if cls._need_scp_protocol():
ssh_extra_args += " -O"
cmd = ("scp -v -o UserKnownHostsFile=/dev/null "
"{9} "
"-o StrictHostKeyChecking=no "
"-o ConnectTimeout={0} -o ConnectionAttempts={1} "
"-i {2} {3} {4} {5} {6}@{7}:{8}").format(
CONF.load_balancer.scp_connection_timeout,
CONF.load_balancer.scp_connection_attempts,
ssh_key.name, cert_filename, key_filename, client_ca_filename,
CONF.validation.image_ssh_user, ip_address, const.DEV_SHM_PATH,
ssh_extra_args)
args = shlex.split(cmd)
proc = subprocess.Popen(args, **subprocess_args)
stdout, stderr = proc.communicate()
if proc.returncode != 0:
raise exceptions.CommandFailed(proc.returncode, cmd,
stdout, stderr)