Merge "[Secure RBAC] Add scope enforcement enabled job for master branch"
diff --git a/neutron_tempest_plugin/api/test_security_groups_negative.py b/neutron_tempest_plugin/api/test_security_groups_negative.py
index 7efa70e..224558c 100644
--- a/neutron_tempest_plugin/api/test_security_groups_negative.py
+++ b/neutron_tempest_plugin/api/test_security_groups_negative.py
@@ -189,3 +189,66 @@
def test_sg_creation_with_insufficient_sg_rules_quota(self):
self._set_sg_rules_quota(0)
self.assertRaises(lib_exc.Conflict, self.create_security_group)
+
+
+class NegativeStatelessSecGroupTest(base.BaseNetworkTest):
+
+ required_extensions = ['security-group', 'stateful-security-group']
+
+ @classmethod
+ def resource_setup(cls):
+ super().resource_setup()
+ cls.network = cls.create_network()
+ cls.stateless_sg = cls.create_security_group(stateful=False)
+ cls.stateful_sg = cls.create_security_group(stateful=True)
+
+ @decorators.idempotent_id('9e85ce0d-37b2-4044-88a8-09ae965069ba')
+ def test_create_port_with_stateful_and_stateless_sg(self):
+ self.assertRaises(
+ lib_exc.Conflict,
+ self.create_port,
+ network=self.network,
+ security_groups=[self.stateful_sg['id'], self.stateless_sg['id']])
+
+ def _test_adding_sg_to_port_with_different_type_of_sg(
+ self, initial_sg, updated_sg):
+ port = self.create_port(
+ network=self.network,
+ security_groups=[initial_sg['id']]
+ )
+ self.assertRaises(
+ lib_exc.Conflict,
+ self.update_port,
+ port,
+ security_groups=[initial_sg['id'], updated_sg['id']]
+ )
+
+ @decorators.idempotent_id('63374580-3154-410b-ab31-e98a136094f8')
+ def test_adding_stateful_sg_to_port_with_stateless_sg(self):
+ self._test_adding_sg_to_port_with_different_type_of_sg(
+ self.stateless_sg, self.stateful_sg)
+
+ @decorators.idempotent_id('3854a4c6-4ace-4133-be83-4a2820ede06f')
+ def test_adding_stateless_sg_to_port_with_stateful_sg(self):
+ self._test_adding_sg_to_port_with_different_type_of_sg(
+ self.stateful_sg, self.stateless_sg)
+
+ def _test_update_used_sg(self, security_group):
+ self.create_port(
+ network=self.network,
+ security_groups=[security_group['id']]
+ )
+ self.assertRaises(
+ lib_exc.Conflict,
+ self.client.update_security_group,
+ security_group['id'],
+ stateful=not security_group['stateful']
+ )
+
+ @decorators.idempotent_id('5e1e3053-16dc-4f0b-a327-ff953f527248')
+ def test_update_used_stateless_sg_to_stateful(self):
+ self._test_update_used_sg(self.stateless_sg)
+
+ @decorators.idempotent_id('afe4d777-7a98-44ed-a1dc-588861f6daba')
+ def test_update_used_stateful_sg_to_stateless(self):
+ self._test_update_used_sg(self.stateful_sg)
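Review bot: `_test_adding_sg_to_port_with_different_type_of_sg` and `_test_update_used_sg` stop at the 409 and never confirm that the rejected request left state untouched, so a server that answers Conflict after partially applying the change would still pass. After each `assertRaises`, re-read the resource and compare it, e.g. `self.assertEqual([initial_sg['id']], self.client.show_port(port['id'])['port']['security_groups'])`, assuming the class client exposes `show_port`, which this diff does not show. The two groups are created once in `resource_setup` and shared, so if an update of `stateful` ever succeeds unexpectedly the flag stays flipped for the later tests in the class. A one-line class docstring such as `"""Mixing stateful and stateless security groups on one port must be refused."""` would also record the rule these tests pin.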
diff --git a/neutron_tempest_plugin/scenario/test_security_groups.py b/neutron_tempest_plugin/scenario/test_security_groups.py
index 16313a3..2e5b907 100644
--- a/neutron_tempest_plugin/scenario/test_security_groups.py
+++ b/neutron_tempest_plugin/scenario/test_security_groups.py
@@ -166,12 +166,18 @@
servers=servers)
def _test_default_sec_grp_scenarios(self):
+ # Ensure that SG used in tests is stateful or stateless as required
+ default_sg_id = self.os_primary.network_client.list_security_groups()[
+ 'security_groups'][0]['id']
+ self.os_primary.network_client.update_security_group(
+ default_sg_id, stateful=not self.stateless_sg)
+ if self.stateless_sg:
+ self.create_ingress_metadata_secgroup_rule(
+ secgroup_id=default_sg_id)
server_ssh_clients, fips, servers = self.create_vm_testing_sec_grp()
+
# Check ssh connectivity when you add sec group rule, enabling ssh
- self.create_loginable_secgroup_rule(
- self.os_primary.network_client.list_security_groups()[
- 'security_groups'][0]['id']
- )
+ self.create_loginable_secgroup_rule(default_sg_id)
self.check_connectivity(fips[0]['floating_ip_address'],
CONF.validation.image_ssh_user,
self.keypair['private_key'])
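Review bot: `default_sg_id` is element `[0]` of an unfiltered `list_security_groups()` call, and the new code now rewrites that group's `stateful` flag instead of only adding a rule to it, so picking a group other than the project default would change filtering semantics on the wrong object. Selecting it by name makes the intent explicit, e.g. `list_security_groups(name='default')['security_groups'][0]['id']`, assuming the client accepts list filters. The flag is not restored afterwards. The negative API tests added in this same commit expect a Conflict when `stateful` is changed on a group that ports already use, so this update may fail if an earlier port in the project is still attached to the default group. The body of `_test_default_sec_grp_scenarios` continues past this hunk.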
@@ -187,6 +193,10 @@
servers=servers)
# Check ICMP connectivity from VM to external network
+ if self.stateless_sg:
+ # NOTE(slaweq): in case of stateless SG explicit ingress rule for
+ # the ICMP replies needs to be added too
+ self.create_pingable_secgroup_rule(default_sg_id)
subnets = self.os_admin.network_client.list_subnets(
network_id=CONF.network.public_network_id)['subnets']
ext_net_ip = None
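Review bot: The comment speaks of ICMP replies only, yet `create_pingable_secgroup_rule(default_sg_id)` is called with nothing that narrows the rule to echo-reply. The helper is defined outside this diff, so if it admits every ingress ICMP type, the stateless run exercises a more permissive default group than the stateful run. Either pass a narrower match if the helper supports one, or let the comment state what is opened, e.g. `# stateless SG: no connection tracking, so ingress ICMP is allowed explicitly to let the replies in`. The rule lands on the shared default group and stays there for the rest of the function, which continues outside the hunk.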
diff --git a/zuul.d/base-nested-switch.yaml b/zuul.d/base-nested-switch.yaml
index 1237a15..a9f5750 100644
--- a/zuul.d/base-nested-switch.yaml
+++ b/zuul.d/base-nested-switch.yaml
@@ -19,10 +19,11 @@
vars:
devstack_localrc:
LIBVIRT_TYPE: kvm
- LIBVIRT_CPU_MODE: host-passthrough
- CIRROS_VERSION: 0.5.1
- DEFAULT_IMAGE_NAME: cirros-0.5.1-x86_64-disk
- DEFAULT_IMAGE_FILE_NAME: cirros-0.5.1-x86_64-disk.img
+ # cirros 0.6.1 not booting when host-passthrough is used
+ # LIBVIRT_CPU_MODE: host-passthrough
+ CIRROS_VERSION: 0.6.1
+ DEFAULT_IMAGE_NAME: cirros-0.6.1-x86_64-disk
+ DEFAULT_IMAGE_FILE_NAME: cirros-0.6.1-x86_64-disk.img
# Base nested switch job for EM releases
- job:
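Review bot: `LIBVIRT_CPU_MODE: host-passthrough` is left behind as a commented-out setting with no bug reference, so nothing tells a later reader when it can be restored or which CPU mode the job now falls back to. Replace the two comment lines with a tracked note such as `# TODO(OWNER): restore LIBVIRT_CPU_MODE: host-passthrough once BUG_URL_PLACEHOLDER is fixed; cirros 0.6.1 does not boot with it`. The enclosing job definition starts above the hunk.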
diff --git a/zuul.d/master_jobs.yaml b/zuul.d/master_jobs.yaml
index d766959..cf13f8c 100644
--- a/zuul.d/master_jobs.yaml
+++ b/zuul.d/master_jobs.yaml
@@ -27,9 +27,9 @@
NETWORK_API_EXTENSIONS: "{{ (network_api_extensions_common + network_api_extensions_tempest) | join(',') }}"
PHYSICAL_NETWORK: public
IMAGE_URLS: https://cloud-images.ubuntu.com/minimal/releases/focal/release/ubuntu-20.04-minimal-cloudimg-amd64.img
- CIRROS_VERSION: 0.5.1
- DEFAULT_IMAGE_NAME: cirros-0.5.1-x86_64-uec
- DEFAULT_IMAGE_FILE_NAME: cirros-0.5.1-x86_64-uec.tar.gz
+ CIRROS_VERSION: 0.6.1
+ DEFAULT_IMAGE_NAME: cirros-0.6.1-x86_64-uec
+ DEFAULT_IMAGE_FILE_NAME: cirros-0.6.1-x86_64-uec.tar.gz
ADVANCED_IMAGE_NAME: ubuntu-20.04-minimal-cloudimg-amd64
ADVANCED_INSTANCE_TYPE: ntp_image_256M
ADVANCED_INSTANCE_USER: ubuntu
@@ -741,9 +741,9 @@
USE_PYTHON3: true
NETWORK_API_EXTENSIONS: "{{ (network_api_extensions_common + network_api_extensions_dvr) | join(',') }}"
PHYSICAL_NETWORK: default
- CIRROS_VERSION: 0.5.1
- DEFAULT_IMAGE_NAME: cirros-0.5.1-x86_64-uec
- DEFAULT_IMAGE_FILE_NAME: cirros-0.5.1-x86_64-uec.tar.gz
+ CIRROS_VERSION: 0.6.1
+ DEFAULT_IMAGE_NAME: cirros-0.6.1-x86_64-uec
+ DEFAULT_IMAGE_FILE_NAME: cirros-0.6.1-x86_64-uec.tar.gz
IMAGE_URLS: https://cloud-images.ubuntu.com/minimal/releases/focal/release/ubuntu-20.04-minimal-cloudimg-amd64.img
ADVANCED_IMAGE_NAME: ubuntu-20.04-minimal-cloudimg-amd64
ADVANCED_INSTANCE_TYPE: ntp_image_256M
@@ -985,6 +985,11 @@
- flow_classifier
- sfc
devstack_localrc:
+ # TODO(slaweq): check why traceroute output is different in Cirros >
+ # 0.6.1 which is causing failures of the networking-sfc jobs
+ CIRROS_VERSION: 0.5.1
+ DEFAULT_IMAGE_NAME: cirros-0.5.1-x86_64-uec
+ DEFAULT_IMAGE_FILE_NAME: cirros-0.5.1-x86_64-uec.tar.gz
Q_AGENT: openvswitch
Q_ML2_TENANT_NETWORK_TYPE: vxlan
Q_ML2_PLUGIN_MECHANISM_DRIVERS: openvswitch
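Review bot: The TODO says the traceroute output differs in Cirros `> 0.6.1`, but 0.6.1 is the version the other jobs in this commit move to, so the comment presumably means `>= 0.6.1`. Wording it as `# TODO(slaweq): traceroute output differs in Cirros >= 0.6.1 and breaks the networking-sfc jobs; unpin once BUG_URL_PLACEHOLDER is resolved` would also give the 0.5.1 pin an exit condition, so the job does not stay on the old image indefinitely.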
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 1ea3336..5ecb043 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -32,7 +32,6 @@
- neutron-tempest-plugin-scenario-linuxbridge-train
- neutron-tempest-plugin-scenario-openvswitch-train
- neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid-train
- - neutron-tempest-plugin-designate-scenario-train
gate:
jobs:
- neutron-tempest-plugin-api-train
diff --git a/zuul.d/train_jobs.yaml b/zuul.d/train_jobs.yaml
index b9a9921..159feb2 100644
--- a/zuul.d/train_jobs.yaml
+++ b/zuul.d/train_jobs.yaml
@@ -239,28 +239,6 @@
network_api_extensions_common: *api_extensions
- job:
- name: neutron-tempest-plugin-designate-scenario-train
- parent: neutron-tempest-plugin-designate-scenario
- nodeset: openstack-single-node-bionic
- override-checkout: stable/train
- required-projects:
- - openstack/neutron
- - name: openstack/neutron-tempest-plugin
- override-checkout: 1.5.0
- - openstack/tempest
- - name: openstack/designate-tempest-plugin
- override-checkout: 0.7.0
- vars:
- network_api_extensions_common: *api_extensions
- devstack_localrc:
- # NOTE(bcafarel) guestmount binary not available on host OS
- IMAGE_URLS: https://cloud-images.ubuntu.com/releases/bionic/release/ubuntu-18.04-server-cloudimg-amd64.img
- ADVANCED_IMAGE_NAME: ubuntu-18.04-server-cloudimg-amd64
- ADVANCED_INSTANCE_TYPE: ds512M
- ADVANCED_INSTANCE_USER: ubuntu
- CUSTOMIZE_IMAGE: false
-
-- job:
name: neutron-tempest-plugin-sfc-train
parent: neutron-tempest-plugin-sfc
nodeset: openstack-single-node-bionic
diff --git a/zuul.d/ussuri_jobs.yaml b/zuul.d/ussuri_jobs.yaml
index d918182..9701ec9 100644
--- a/zuul.d/ussuri_jobs.yaml
+++ b/zuul.d/ussuri_jobs.yaml
@@ -145,8 +145,14 @@
(^tempest.api.compute.servers.test_multiple_create)"
network_api_extensions: *api_extensions
network_available_features: *available_features
- devstack_localrc:
+ devstack_localrc: &localrc_scenarios_common
NETWORK_API_EXTENSIONS: "{{ network_api_extensions | join(',') }}"
+ # NOTE(bcafarel) guestmount binary not available on host OS
+ IMAGE_URLS: https://cloud-images.ubuntu.com/releases/bionic/release/ubuntu-18.04-server-cloudimg-amd64.img
+ ADVANCED_IMAGE_NAME: ubuntu-18.04-server-cloudimg-amd64
+ ADVANCED_INSTANCE_TYPE: ds512M
+ ADVANCED_INSTANCE_USER: ubuntu
+ CUSTOMIZE_IMAGE: false
devstack_local_conf:
post-config:
$NEUTRON_L3_CONF:
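Review bot: `IMAGE_URLS` points at the `bionic/release/` directory, which normally tracks the latest published build rather than a fixed one, and the new anchor `&localrc_scenarios_common` extends that unpinned download to the two later jobs that alias it (the hunks at -174 and -202). A dated release directory, or a checksum comparison where the image is consumed, would make the guest image reproducible and detectable if it changes. Because those jobs use a plain alias rather than a merge key, none of them can override a single `devstack_localrc` key without dropping the alias. A comment beside the anchor such as `# shared by the ussuri scenario jobs that alias it; a per-job override needs a merge key` would record that.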
@@ -174,8 +180,7 @@
(^tempest.api.compute.servers.test_multiple_create)"
network_api_extensions: *api_extensions
network_available_features: *available_features
- devstack_localrc:
- NETWORK_API_EXTENSIONS: "{{ network_api_extensions | join(',') }}"
+ devstack_localrc: *localrc_scenarios_common
devstack_local_conf:
post-config:
$NEUTRON_L3_CONF:
@@ -202,8 +207,7 @@
(^tempest.api.compute.servers.test_multiple_create)"
network_api_extensions: *api_extensions
network_available_features: *available_features
- devstack_localrc:
- NETWORK_API_EXTENSIONS: "{{ network_api_extensions | join(',') }}"
+ devstack_localrc: *localrc_scenarios_common
devstack_local_conf:
post-config:
$NEUTRON_L3_CONF:
diff --git a/zuul.d/victoria_jobs.yaml b/zuul.d/victoria_jobs.yaml
index d585f9e..a79261d 100644
--- a/zuul.d/victoria_jobs.yaml
+++ b/zuul.d/victoria_jobs.yaml
@@ -134,7 +134,6 @@
- job:
name: neutron-tempest-plugin-scenario-openvswitch-victoria
parent: neutron-tempest-plugin-openvswitch
- nodeset: openstack-single-node-focal
override-checkout: stable/victoria
required-projects: *required-projects-victoria
vars:
@@ -163,7 +162,6 @@
- job:
name: neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid-victoria
parent: neutron-tempest-plugin-openvswitch-iptables_hybrid
- nodeset: openstack-single-node-focal
override-checkout: stable/victoria
required-projects: *required-projects-victoria
vars:
@@ -192,7 +190,6 @@
- job:
name: neutron-tempest-plugin-scenario-linuxbridge-victoria
parent: neutron-tempest-plugin-linuxbridge
- nodeset: openstack-single-node-focal
override-checkout: stable/victoria
required-projects: *required-projects-victoria
vars:
@@ -221,7 +218,6 @@
- job:
name: neutron-tempest-plugin-scenario-ovn-victoria
parent: neutron-tempest-plugin-ovn
- nodeset: openstack-single-node-focal
override-checkout: stable/victoria
required-projects: *required-projects-victoria
vars:
@@ -256,7 +252,6 @@
- job:
name: neutron-tempest-plugin-designate-scenario-victoria
parent: neutron-tempest-plugin-designate-scenario
- nodeset: openstack-single-node-focal
override-checkout: stable/victoria
required-projects:
- openstack/neutron
diff --git a/zuul.d/wallaby_jobs.yaml b/zuul.d/wallaby_jobs.yaml
index 2d73856..9fce55b 100644
--- a/zuul.d/wallaby_jobs.yaml
+++ b/zuul.d/wallaby_jobs.yaml
@@ -98,7 +98,6 @@
- job:
name: neutron-tempest-plugin-scenario-openvswitch-wallaby
parent: neutron-tempest-plugin-openvswitch
- nodeset: openstack-single-node-focal
override-checkout: stable/wallaby
required-projects: *required-projects-wallaby
vars:
@@ -119,7 +118,6 @@
- job:
name: neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid-wallaby
parent: neutron-tempest-plugin-openvswitch-iptables_hybrid
- nodeset: openstack-single-node-focal
override-checkout: stable/wallaby
required-projects: *required-projects-wallaby
vars:
@@ -129,6 +127,13 @@
(^tempest.api.compute.servers.test_multiple_create)"
network_api_extensions: *api_extensions
network_available_features: *available_features
+ # TODO(slaweq): remove trunks subport_connectivity test from blacklist
+ # when bug https://bugs.launchpad.net/neutron/+bug/1838760 will be fixed
+ # TODO(akatz): remove established tcp session verification test when the
+ # bug https://bugzilla.redhat.com/show_bug.cgi?id=1965036 will be fixed
+ tempest_exclude_regex: "\
+ (^neutron_tempest_plugin.scenario.test_trunk.TrunkTest.test_subport_connectivity)|\
+ (^neutron_tempest_plugin.scenario.test_security_groups.NetworkSecGroupTest.test_established_tcp_session_after_re_attachinging_sg)"
devstack_localrc:
NETWORK_API_EXTENSIONS: "{{ network_api_extensions | join(',') }}"
devstack_local_conf:
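Review bot: The added `tempest_exclude_regex` switches off `test_established_tcp_session_after_re_attachinging_sg` for this job, which by its name covers how an established TCP session is handled when a security group is re-attached. Regressions in that behaviour on the iptables_hybrid wallaby job will therefore go unnoticed until the entry is removed. Both alternatives are anchored only at the start, so each also excludes any test whose id begins with the same string. A comment such as `# NOTE: prefix matches; confirm no other test id starts with these names` would make that visible, and stating in the TODO which job the exclusion applies to would help when the linked bugs are closed.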
@@ -140,7 +145,6 @@
- job:
name: neutron-tempest-plugin-scenario-linuxbridge-wallaby
parent: neutron-tempest-plugin-linuxbridge
- nodeset: openstack-single-node-focal
override-checkout: stable/wallaby
required-projects: *required-projects-wallaby
vars:
@@ -161,7 +165,6 @@
- job:
name: neutron-tempest-plugin-scenario-ovn-wallaby
parent: neutron-tempest-plugin-ovn
- nodeset: openstack-single-node-focal
override-checkout: stable/wallaby
required-projects: *required-projects-wallaby
vars:
@@ -190,7 +193,6 @@
- job:
name: neutron-tempest-plugin-designate-scenario-wallaby
parent: neutron-tempest-plugin-designate-scenario
- nodeset: openstack-single-node-focal
override-checkout: stable/wallaby
required-projects:
- openstack/neutron
diff --git a/zuul.d/xena_jobs.yaml b/zuul.d/xena_jobs.yaml
index 4afdd77..595b4d8 100644
--- a/zuul.d/xena_jobs.yaml
+++ b/zuul.d/xena_jobs.yaml
@@ -95,7 +95,6 @@
- job:
name: neutron-tempest-plugin-scenario-openvswitch-xena
parent: neutron-tempest-plugin-openvswitch
- nodeset: openstack-single-node-focal
override-checkout: stable/xena
vars:
tempest_test_regex: "\
@@ -115,7 +114,6 @@
- job:
name: neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid-xena
parent: neutron-tempest-plugin-openvswitch-iptables_hybrid
- nodeset: openstack-single-node-focal
override-checkout: stable/xena
vars:
tempest_test_regex: "\
@@ -135,7 +133,6 @@
- job:
name: neutron-tempest-plugin-scenario-linuxbridge-xena
parent: neutron-tempest-plugin-linuxbridge
- nodeset: openstack-single-node-focal
override-checkout: stable/xena
vars:
tempest_test_regex: "\
@@ -155,7 +152,6 @@
- job:
name: neutron-tempest-plugin-scenario-ovn-xena
parent: neutron-tempest-plugin-ovn
- nodeset: openstack-single-node-focal
override-checkout: stable/xena
vars:
tempest_test_regex: "\
@@ -182,7 +178,6 @@
- job:
name: neutron-tempest-plugin-designate-scenario-xena
parent: neutron-tempest-plugin-designate-scenario
- nodeset: openstack-single-node-focal
override-checkout: stable/xena
vars:
network_api_extensions_common: *api_extensions
diff --git a/zuul.d/yoga_jobs.yaml b/zuul.d/yoga_jobs.yaml
index 9eaa4c2..d47fc93 100644
--- a/zuul.d/yoga_jobs.yaml
+++ b/zuul.d/yoga_jobs.yaml
@@ -97,7 +97,6 @@
- job:
name: neutron-tempest-plugin-scenario-openvswitch-yoga
parent: neutron-tempest-plugin-openvswitch
- nodeset: openstack-single-node-focal
override-checkout: stable/yoga
vars:
tempest_test_regex: "\
@@ -117,7 +116,6 @@
- job:
name: neutron-tempest-plugin-scenario-openvswitch-iptables_hybrid-yoga
parent: neutron-tempest-plugin-openvswitch-iptables_hybrid
- nodeset: openstack-single-node-focal
override-checkout: stable/yoga
vars:
tempest_test_regex: "\
@@ -137,7 +135,6 @@
- job:
name: neutron-tempest-plugin-scenario-linuxbridge-yoga
parent: neutron-tempest-plugin-linuxbridge
- nodeset: openstack-single-node-focal
override-checkout: stable/yoga
vars:
tempest_test_regex: "\
@@ -157,7 +154,6 @@
- job:
name: neutron-tempest-plugin-scenario-ovn-yoga
parent: neutron-tempest-plugin-ovn
- nodeset: openstack-single-node-focal
override-checkout: stable/yoga
vars:
tempest_test_regex: "\
@@ -186,7 +182,6 @@
- job:
name: neutron-tempest-plugin-designate-scenario-yoga
parent: neutron-tempest-plugin-designate-scenario
- nodeset: openstack-single-node-focal
override-checkout: stable/yoga
vars:
network_api_extensions_common: *api_extensions
diff --git a/zuul.d/zed_jobs.yaml b/zuul.d/zed_jobs.yaml
index 38299d5..a11c2c8 100644
--- a/zuul.d/zed_jobs.yaml
+++ b/zuul.d/zed_jobs.yaml
@@ -1,7 +1,6 @@
- job:
name: neutron-tempest-plugin-openvswitch-zed
parent: neutron-tempest-plugin-openvswitch
- nodeset: openstack-single-node-focal
override-checkout: stable/zed
vars:
network_api_extensions_openvswitch:
@@ -107,7 +106,6 @@
- job:
name: neutron-tempest-plugin-openvswitch-iptables_hybrid-zed
parent: neutron-tempest-plugin-openvswitch-iptables_hybrid
- nodeset: openstack-single-node-focal
override-checkout: stable/zed
vars:
network_api_extensions_openvswitch:
@@ -138,7 +136,6 @@
- job:
name: neutron-tempest-plugin-linuxbridge-zed
parent: neutron-tempest-plugin-linuxbridge
- nodeset: openstack-single-node-focal
override-checkout: stable/zed
vars:
network_api_extensions_linuxbridge:
@@ -165,7 +162,6 @@
- job:
name: neutron-tempest-plugin-ovn-zed
parent: neutron-tempest-plugin-ovn
- nodeset: openstack-single-node-focal
override-checkout: stable/zed
vars:
tempest_test_regex: "\
@@ -197,7 +193,6 @@
- job:
name: neutron-tempest-plugin-designate-scenario-zed
parent: neutron-tempest-plugin-designate-scenario
- nodeset: openstack-single-node-focal
override-checkout: stable/zed
vars:
network_api_extensions_common: *api_extensions