Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / octavia-tempest-plugin / 028d1778d63cef6c06a1a4d6fb518aa82af75b98 / . / octavia_tempest_plugin / tests / test_base.py
blob: 55e4d1bbfe11e98416ae1e35def90050993e843c [file] [log] [blame]
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1# Copyright 2018 Rackspace US Inc. All rights reserved.
2#
3# Licensed under the Apache License, Version 2.0 (the "License"); you may
4# not use this file except in compliance with the License. You may obtain
5# a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12# License for the specific language governing permissions and limitations
13# under the License.
14
15import ipaddress
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]16import os
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]17import random
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]18import re
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]19import shlex
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]20import string
21import subprocess
22import tempfile
23
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]24from cryptography.hazmat.primitives import serialization
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +0100[diff] [blame]25from oslo_config import cfg
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]26from oslo_log import log as logging
27from oslo_utils import uuidutils
28from tempest import config
29from tempest.lib.common.utils import data_utils
30from tempest.lib.common.utils.linux import remote_client
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]31from tempest.lib import exceptions
32from tempest import test
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]33import tenacity
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]34
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]35from octavia_tempest_plugin.common import cert_utils
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]36from octavia_tempest_plugin.common import constants as const
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]37from octavia_tempest_plugin.tests import RBAC_tests
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]38from octavia_tempest_plugin.tests import validators
39from octavia_tempest_plugin.tests import waiters
40
41CONF = config.CONF
42LOG = logging.getLogger(__name__)
43
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]44
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]45class LoadBalancerBaseTest(validators.ValidatorsMixin,
46 RBAC_tests.RBACTestsMixin, test.BaseTestCase):
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]47 """Base class for load balancer tests."""
48
Gregory Thiemonge3497f6c2021-04-19 21:33:13 +0200[diff] [blame]49 if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
50 credentials = [
51 'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
52 ['lb_member', CONF.load_balancer.member_role],
53 ['lb_member2', CONF.load_balancer.member_role]]
Michael Johnson6dac8ff2023-03-09 00:04:37 +0000[diff] [blame]54 elif CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]55 credentials = [
Michael Johnson6dac8ff2023-03-09 00:04:37 +0000[diff] [blame]56 'admin', 'primary',
57 ['lb_admin', CONF.load_balancer.admin_role, 'admin'],
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]58 ['lb_observer', CONF.load_balancer.observer_role, 'reader'],
59 ['lb_global_observer', CONF.load_balancer.global_observer_role,
60 'reader'],
61 ['lb_member', CONF.load_balancer.member_role, 'member'],
62 ['lb_member2', CONF.load_balancer.member_role, 'member'],
63 ['lb_member_not_default_member', CONF.load_balancer.member_role]]
64 else:
65 credentials = [
66 'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
67 ['lb_observer', CONF.load_balancer.observer_role, 'reader'],
68 ['lb_global_observer', CONF.load_balancer.global_observer_role,
69 'reader'],
Michael Johnson9e9f5262023-01-18 17:59:17 +0000[diff] [blame]70 # Note: Some projects are now requiring the 'member' role by
71 # default (nova for example) so make sure our creds have this role
72 ['lb_member', CONF.load_balancer.member_role, 'member'],
73 ['lb_member2', CONF.load_balancer.member_role, 'member']]
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]74
75 # If scope enforcement is enabled, add in the system scope credentials.
76 # The project scope is already handled by the above credentials.
77 if CONF.enforce_scope.octavia:
78 credentials.extend(['system_admin', 'system_reader'])
79
80 # A tuple of credentials that will be allocated by tempest using the
81 # 'credentials' list above. These are used to build RBAC test lists.
82 allocated_creds = []
83 for cred in credentials:
84 if isinstance(cred, list):
85 allocated_creds.append('os_roles_' + cred[0])
86 else:
87 allocated_creds.append('os_' + cred)
88 # Tests shall not mess with the list of allocated credentials
89 allocated_credentials = tuple(allocated_creds)
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]90
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]91 webserver1_response = 1
92 webserver2_response = 5
Michael Johnsondfd818a2018-08-21 20:54:54 -0700[diff] [blame]93 used_ips = []
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]94
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]95 SRC_PORT_NUMBER_MIN = 32768
96 SRC_PORT_NUMBER_MAX = 61000
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]97 src_port_number = SRC_PORT_NUMBER_MIN
98
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]99 @classmethod
100 def skip_checks(cls):
101 """Check if we should skip all of the children tests."""
102 super(LoadBalancerBaseTest, cls).skip_checks()
103
104 service_list = {
105 'load_balancer': CONF.service_available.load_balancer,
106 }
107
108 live_service_list = {
109 'compute': CONF.service_available.nova,
110 'image': CONF.service_available.glance,
111 'neutron': CONF.service_available.neutron
112 }
113
114 if not CONF.load_balancer.test_with_noop:
115 service_list.update(live_service_list)
116
117 for service, available in service_list.items():
118 if not available:
zhangzs2a6cf672018-11-10 16:13:11 +0800[diff] [blame]119 skip_msg = ("{0} skipped as {1} service is not "
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]120 "available.".format(cls.__name__, service))
121 raise cls.skipException(skip_msg)
122
123 # We must be able to reach our VIP and instances
124 if not (CONF.network.project_networks_reachable
125 or CONF.network.public_network_id):
126 msg = ('Either project_networks_reachable must be "true", or '
127 'public_network_id must be defined.')
128 raise cls.skipException(msg)
129
130 @classmethod
131 def setup_credentials(cls):
132 """Setup test credentials and network resources."""
133 # Do not auto create network resources
134 cls.set_network_resources()
135 super(LoadBalancerBaseTest, cls).setup_credentials()
136
Bas de Bruijne530a88a2022-12-15 11:12:45 -0400[diff] [blame]137 if not CONF.load_balancer.log_user_roles:
138 return
139
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]140 # Log the user roles for this test run
141 role_name_cache = {}
142 for cred in cls.credentials:
143 user_roles = []
144 if isinstance(cred, list):
145 user_name = cred[0]
146 cred_obj = getattr(cls, 'os_roles_' + cred[0])
147 else:
148 user_name = cred
149 cred_obj = getattr(cls, 'os_' + cred)
150 params = {'user.id': cred_obj.credentials.user_id,
151 'project.id': cred_obj.credentials.project_id}
152 roles = cls.os_admin.role_assignments_client.list_role_assignments(
153 **params)['role_assignments']
154 for role in roles:
155 role_id = role['role']['id']
156 try:
157 role_name = role_name_cache[role_id]
158 except KeyError:
159 role_name = cls.os_admin.roles_v3_client.show_role(
160 role_id)['role']['name']
161 role_name_cache[role_id] = role_name
162 user_roles.append([role_name, role['scope']])
163 LOG.info("User %s has roles: %s", user_name, user_roles)
164
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]165 @classmethod
166 def setup_clients(cls):
167 """Setup client aliases."""
168 super(LoadBalancerBaseTest, cls).setup_clients()
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]169 lb_admin_prefix = cls.os_roles_lb_admin.load_balancer_v2
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]170 cls.lb_mem_float_ip_client = cls.os_roles_lb_member.floating_ips_client
171 cls.lb_mem_keypairs_client = cls.os_roles_lb_member.keypairs_client
172 cls.lb_mem_net_client = cls.os_roles_lb_member.networks_client
173 cls.lb_mem_ports_client = cls.os_roles_lb_member.ports_client
174 cls.lb_mem_routers_client = cls.os_roles_lb_member.routers_client
175 cls.lb_mem_SG_client = cls.os_roles_lb_member.security_groups_client
176 cls.lb_mem_SGr_client = (
177 cls.os_roles_lb_member.security_group_rules_client)
178 cls.lb_mem_servers_client = cls.os_roles_lb_member.servers_client
179 cls.lb_mem_subnet_client = cls.os_roles_lb_member.subnets_client
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]180 cls.mem_lb_client = (
181 cls.os_roles_lb_member.load_balancer_v2.LoadbalancerClient())
182 cls.mem_listener_client = (
183 cls.os_roles_lb_member.load_balancer_v2.ListenerClient())
184 cls.mem_pool_client = (
185 cls.os_roles_lb_member.load_balancer_v2.PoolClient())
186 cls.mem_member_client = (
187 cls.os_roles_lb_member.load_balancer_v2.MemberClient())
Adam Harwell60ed9d92018-05-10 13:23:13 -0700[diff] [blame]188 cls.mem_healthmonitor_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]189 cls.os_roles_lb_member.load_balancer_v2.HealthMonitorClient())
190 cls.mem_l7policy_client = (
191 cls.os_roles_lb_member.load_balancer_v2.L7PolicyClient())
192 cls.mem_l7rule_client = (
193 cls.os_roles_lb_member.load_balancer_v2.L7RuleClient())
194 cls.lb_admin_amphora_client = lb_admin_prefix.AmphoraClient()
Michael Johnsonaff2e862019-01-11 16:38:00 -0800[diff] [blame]195 cls.lb_admin_flavor_profile_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]196 lb_admin_prefix.FlavorProfileClient())
197 cls.lb_admin_flavor_client = lb_admin_prefix.FlavorClient()
198 cls.mem_flavor_client = (
199 cls.os_roles_lb_member.load_balancer_v2.FlavorClient())
200 cls.mem_provider_client = (
201 cls.os_roles_lb_member.load_balancer_v2.ProviderClient())
Carlos Goncalvesc2e12162019-02-14 23:57:44 +0100[diff] [blame]202 cls.os_admin_servers_client = cls.os_admin.servers_client
Gregory Thiemonge54225ad2021-02-04 15:25:17 +0100[diff] [blame]203 cls.os_admin_routers_client = cls.os_admin.routers_client
204 cls.os_admin_subnetpools_client = cls.os_admin.subnetpools_client
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]205 cls.lb_admin_flavor_capabilities_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]206 lb_admin_prefix.FlavorCapabilitiesClient())
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]207 cls.lb_admin_availability_zone_capabilities_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]208 lb_admin_prefix.AvailabilityZoneCapabilitiesClient())
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]209 cls.lb_admin_availability_zone_profile_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]210 lb_admin_prefix.AvailabilityZoneProfileClient())
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]211 cls.lb_admin_availability_zone_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]212 lb_admin_prefix.AvailabilityZoneClient())
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]213 cls.mem_availability_zone_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]214 cls.os_roles_lb_member.load_balancer_v2.AvailabilityZoneClient())
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]215
216 @classmethod
217 def resource_setup(cls):
218 """Setup resources needed by the tests."""
219 super(LoadBalancerBaseTest, cls).resource_setup()
220
221 conf_lb = CONF.load_balancer
222
Michael Johnsondfd818a2018-08-21 20:54:54 -0700[diff] [blame]223 cls.api_version = cls.mem_lb_client.get_max_api_version()
224
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]225 if conf_lb.test_subnet_override and not conf_lb.test_network_override:
226 raise exceptions.InvalidConfiguration(
227 "Configuration value test_network_override must be "
228 "specified if test_subnet_override is used.")
229
Michael Johnson6a9236a2020-08-04 23:54:54 +0000[diff] [blame]230 # TODO(johnsom) Remove this
Maciej Józefczykb6df5f82019-12-10 10:12:30 +0000[diff] [blame]231 # Get loadbalancing algorithms supported by provider driver.
232 try:
233 algorithms = const.SUPPORTED_LB_ALGORITHMS[
234 CONF.load_balancer.provider]
235 except KeyError:
236 algorithms = const.SUPPORTED_LB_ALGORITHMS['default']
237 # Set default algorithm as first from the list.
238 cls.lb_algorithm = algorithms[0]
239
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]240 show_subnet = cls.lb_mem_subnet_client.show_subnet
241 if CONF.load_balancer.test_with_noop:
242 cls.lb_member_vip_net = {'id': uuidutils.generate_uuid()}
243 cls.lb_member_vip_subnet = {'id': uuidutils.generate_uuid()}
244 cls.lb_member_1_net = {'id': uuidutils.generate_uuid()}
245 cls.lb_member_1_subnet = {'id': uuidutils.generate_uuid()}
246 cls.lb_member_2_net = {'id': uuidutils.generate_uuid()}
247 cls.lb_member_2_subnet = {'id': uuidutils.generate_uuid()}
248 if CONF.load_balancer.test_with_ipv6:
Michael Johnson5a16ad32018-10-18 14:49:11 -0700[diff] [blame]249 cls.lb_member_vip_ipv6_net = {'id': uuidutils.generate_uuid()}
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]250 cls.lb_member_vip_ipv6_subnet = {'id':
251 uuidutils.generate_uuid()}
252 cls.lb_member_1_ipv6_subnet = {'id': uuidutils.generate_uuid()}
253 cls.lb_member_2_ipv6_subnet = {'id': uuidutils.generate_uuid()}
Michael Johnson590fbe12019-07-03 14:30:01 -0700[diff] [blame]254 cls.lb_member_vip_ipv6_subnet_stateful = True
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]255 return
256 elif CONF.load_balancer.test_network_override:
257 if conf_lb.test_subnet_override:
258 override_subnet = show_subnet(conf_lb.test_subnet_override)
259 else:
260 override_subnet = None
261
262 show_net = cls.lb_mem_net_client.show_network
263 override_network = show_net(conf_lb.test_network_override)
264 override_network = override_network.get('network')
265
266 cls.lb_member_vip_net = override_network
267 cls.lb_member_vip_subnet = override_subnet
268 cls.lb_member_1_net = override_network
269 cls.lb_member_1_subnet = override_subnet
270 cls.lb_member_2_net = override_network
271 cls.lb_member_2_subnet = override_subnet
272
273 if (CONF.load_balancer.test_with_ipv6 and
Michael Polenchuk4beb66b2022-01-18 15:44:56 +0400[diff] [blame]274 conf_lb.test_ipv6_subnet_override):
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]275 override_ipv6_subnet = show_subnet(
Michael Polenchuk4beb66b2022-01-18 15:44:56 +0400[diff] [blame]276 conf_lb.test_ipv6_subnet_override)
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]277 cls.lb_member_vip_ipv6_subnet = override_ipv6_subnet
278 cls.lb_member_1_ipv6_subnet = override_ipv6_subnet
279 cls.lb_member_2_ipv6_subnet = override_ipv6_subnet
Michael Johnson590fbe12019-07-03 14:30:01 -0700[diff] [blame]280 cls.lb_member_vip_ipv6_subnet_stateful = False
281 if (override_ipv6_subnet[0]['ipv6_address_mode'] ==
282 'dhcpv6-stateful'):
283 cls.lb_member_vip_ipv6_subnet_stateful = True
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]284 else:
285 cls.lb_member_vip_ipv6_subnet = None
286 cls.lb_member_1_ipv6_subnet = None
287 cls.lb_member_2_ipv6_subnet = None
288 else:
289 cls._create_networks()
290
291 LOG.debug('Octavia Setup: lb_member_vip_net = {}'.format(
292 cls.lb_member_vip_net[const.ID]))
293 if cls.lb_member_vip_subnet:
294 LOG.debug('Octavia Setup: lb_member_vip_subnet = {}'.format(
295 cls.lb_member_vip_subnet[const.ID]))
296 LOG.debug('Octavia Setup: lb_member_1_net = {}'.format(
297 cls.lb_member_1_net[const.ID]))
298 if cls.lb_member_1_subnet:
299 LOG.debug('Octavia Setup: lb_member_1_subnet = {}'.format(
300 cls.lb_member_1_subnet[const.ID]))
301 LOG.debug('Octavia Setup: lb_member_2_net = {}'.format(
302 cls.lb_member_2_net[const.ID]))
303 if cls.lb_member_2_subnet:
304 LOG.debug('Octavia Setup: lb_member_2_subnet = {}'.format(
305 cls.lb_member_2_subnet[const.ID]))
Michael Johnson124ba8b2018-08-30 16:06:05 -0700[diff] [blame]306 if CONF.load_balancer.test_with_ipv6:
307 if cls.lb_member_vip_ipv6_subnet:
308 LOG.debug('Octavia Setup: lb_member_vip_ipv6_subnet = '
309 '{}'.format(cls.lb_member_vip_ipv6_subnet[const.ID]))
310 if cls.lb_member_1_ipv6_subnet:
311 LOG.debug('Octavia Setup: lb_member_1_ipv6_subnet = {}'.format(
312 cls.lb_member_1_ipv6_subnet[const.ID]))
313 if cls.lb_member_2_ipv6_subnet:
314 LOG.debug('Octavia Setup: lb_member_2_ipv6_subnet = {}'.format(
315 cls.lb_member_2_ipv6_subnet[const.ID]))
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]316
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]317 @classmethod
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]318 # Neutron can be slow to clean up ports from the subnets/networks.
319 # Retry this delete a few times if we get a "Conflict" error to give
320 # neutron time to fully cleanup the ports.
321 @tenacity.retry(
322 retry=tenacity.retry_if_exception_type(exceptions.Conflict),
323 wait=tenacity.wait_incrementing(
Vasyl Saienko0d5a4f42021-05-12 16:30:26 +0300[diff] [blame]324 const.RETRY_INITIAL_DELAY, const.RETRY_BACKOFF, const.RETRY_MAX),
325 stop=tenacity.stop_after_attempt(const.RETRY_ATTEMPTS))
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]326 def _logging_delete_network(cls, net_id):
327 try:
328 cls.lb_mem_net_client.delete_network(net_id)
329 except Exception:
330 LOG.error('Unable to delete network {}. Active ports:'.format(
331 net_id))
332 LOG.error(cls.lb_mem_ports_client.list_ports())
333 raise
334
335 @classmethod
336 # Neutron can be slow to clean up ports from the subnets/networks.
337 # Retry this delete a few times if we get a "Conflict" error to give
338 # neutron time to fully cleanup the ports.
339 @tenacity.retry(
340 retry=tenacity.retry_if_exception_type(exceptions.Conflict),
341 wait=tenacity.wait_incrementing(
Vasyl Saienko0d5a4f42021-05-12 16:30:26 +0300[diff] [blame]342 const.RETRY_INITIAL_DELAY, const.RETRY_BACKOFF, const.RETRY_MAX),
343 stop=tenacity.stop_after_attempt(const.RETRY_ATTEMPTS))
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]344 def _logging_delete_subnet(cls, subnet_id):
345 try:
346 cls.lb_mem_subnet_client.delete_subnet(subnet_id)
347 except Exception:
348 LOG.error('Unable to delete subnet {}. Active ports:'.format(
349 subnet_id))
350 LOG.error(cls.lb_mem_ports_client.list_ports())
351 raise
352
353 @classmethod
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]354 def _create_networks(cls):
355 """Creates networks, subnets, and routers used in tests.
356
357 The following are expected to be defined and available to the tests:
358 cls.lb_member_vip_net
359 cls.lb_member_vip_subnet
360 cls.lb_member_vip_ipv6_subnet (optional)
361 cls.lb_member_1_net
362 cls.lb_member_1_subnet
363 cls.lb_member_1_ipv6_subnet (optional)
364 cls.lb_member_2_net
365 cls.lb_member_2_subnet
366 cls.lb_member_2_ipv6_subnet (optional)
367 """
368
369 # Create tenant VIP network
370 network_kwargs = {
371 'name': data_utils.rand_name("lb_member_vip_network")}
372 if CONF.network_feature_enabled.port_security:
Andreas Jaeger4215b702020-03-28 20:13:46 +0100[diff] [blame]373 # Note: Allowed Address Pairs requires port security
374 network_kwargs['port_security_enabled'] = True
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]375 result = cls.lb_mem_net_client.create_network(**network_kwargs)
376 cls.lb_member_vip_net = result['network']
377 LOG.info('lb_member_vip_net: {}'.format(cls.lb_member_vip_net))
378 cls.addClassResourceCleanup(
379 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]380 cls._logging_delete_network,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]381 cls.lb_mem_net_client.show_network,
382 cls.lb_member_vip_net['id'])
383
384 # Create tenant VIP subnet
385 subnet_kwargs = {
386 'name': data_utils.rand_name("lb_member_vip_subnet"),
387 'network_id': cls.lb_member_vip_net['id'],
388 'cidr': CONF.load_balancer.vip_subnet_cidr,
389 'ip_version': 4}
390 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
391 cls.lb_member_vip_subnet = result['subnet']
392 LOG.info('lb_member_vip_subnet: {}'.format(cls.lb_member_vip_subnet))
393 cls.addClassResourceCleanup(
394 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]395 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]396 cls.lb_mem_subnet_client.show_subnet,
397 cls.lb_member_vip_subnet['id'])
398
399 # Create tenant VIP IPv6 subnet
400 if CONF.load_balancer.test_with_ipv6:
Michael Johnson590fbe12019-07-03 14:30:01 -0700[diff] [blame]401 cls.lb_member_vip_ipv6_subnet_stateful = False
Gregory Thiemonge54225ad2021-02-04 15:25:17 +0100[diff] [blame]402 cls.lb_member_vip_ipv6_subnet_use_subnetpool = False
403 subnet_kwargs = {
404 'name': data_utils.rand_name("lb_member_vip_ipv6_subnet"),
405 'network_id': cls.lb_member_vip_net['id'],
406 'ip_version': 6}
407
408 # Use a CIDR from devstack's default IPv6 subnetpool if it exists,
409 # the subnetpool's cidr is routable from the devstack node
410 # through the default router
411 subnetpool_name = CONF.load_balancer.default_ipv6_subnetpool
412 if subnetpool_name:
413 subnetpool = cls.os_admin_subnetpools_client.list_subnetpools(
414 name=subnetpool_name)['subnetpools']
415 if len(subnetpool) == 1:
416 subnetpool = subnetpool[0]
417 subnet_kwargs['subnetpool_id'] = subnetpool['id']
418 cls.lb_member_vip_ipv6_subnet_use_subnetpool = True
419
420 if 'subnetpool_id' not in subnet_kwargs:
421 subnet_kwargs['cidr'] = (
422 CONF.load_balancer.vip_ipv6_subnet_cidr)
423
424 result = cls.lb_mem_subnet_client.create_subnet(
425 **subnet_kwargs)
426 cls.lb_member_vip_ipv6_net = cls.lb_member_vip_net
427 cls.lb_member_vip_ipv6_subnet = result['subnet']
428 cls.addClassResourceCleanup(
429 waiters.wait_for_not_found,
430 cls._logging_delete_subnet,
431 cls.lb_mem_subnet_client.show_subnet,
432 cls.lb_member_vip_ipv6_subnet['id'])
Carlos Goncalves84af48c2019-07-25 15:51:30 +0200[diff] [blame]433
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]434 LOG.info('lb_member_vip_ipv6_subnet: {}'.format(
435 cls.lb_member_vip_ipv6_subnet))
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]436
437 # Create tenant member 1 network
438 network_kwargs = {
439 'name': data_utils.rand_name("lb_member_1_network")}
440 if CONF.network_feature_enabled.port_security:
441 if CONF.load_balancer.enable_security_groups:
442 network_kwargs['port_security_enabled'] = True
443 else:
444 network_kwargs['port_security_enabled'] = False
445 result = cls.lb_mem_net_client.create_network(**network_kwargs)
446 cls.lb_member_1_net = result['network']
447 LOG.info('lb_member_1_net: {}'.format(cls.lb_member_1_net))
448 cls.addClassResourceCleanup(
449 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]450 cls._logging_delete_network,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]451 cls.lb_mem_net_client.show_network,
452 cls.lb_member_1_net['id'])
453
454 # Create tenant member 1 subnet
455 subnet_kwargs = {
456 'name': data_utils.rand_name("lb_member_1_subnet"),
457 'network_id': cls.lb_member_1_net['id'],
458 'cidr': CONF.load_balancer.member_1_ipv4_subnet_cidr,
459 'ip_version': 4}
460 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
461 cls.lb_member_1_subnet = result['subnet']
462 LOG.info('lb_member_1_subnet: {}'.format(cls.lb_member_1_subnet))
463 cls.addClassResourceCleanup(
464 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]465 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]466 cls.lb_mem_subnet_client.show_subnet,
467 cls.lb_member_1_subnet['id'])
468
469 # Create tenant member 1 ipv6 subnet
470 if CONF.load_balancer.test_with_ipv6:
471 subnet_kwargs = {
472 'name': data_utils.rand_name("lb_member_1_ipv6_subnet"),
473 'network_id': cls.lb_member_1_net['id'],
474 'cidr': CONF.load_balancer.member_1_ipv6_subnet_cidr,
475 'ip_version': 6}
476 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]477 cls.lb_member_1_subnet_prefix = (
478 CONF.load_balancer.member_1_ipv6_subnet_cidr.rpartition('/')[2]
479 )
480 assert(cls.lb_member_1_subnet_prefix.isdigit())
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]481 cls.lb_member_1_ipv6_subnet = result['subnet']
482 LOG.info('lb_member_1_ipv6_subnet: {}'.format(
483 cls.lb_member_1_ipv6_subnet))
484 cls.addClassResourceCleanup(
485 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]486 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]487 cls.lb_mem_subnet_client.show_subnet,
488 cls.lb_member_1_ipv6_subnet['id'])
489
490 # Create tenant member 2 network
491 network_kwargs = {
492 'name': data_utils.rand_name("lb_member_2_network")}
493 if CONF.network_feature_enabled.port_security:
494 if CONF.load_balancer.enable_security_groups:
495 network_kwargs['port_security_enabled'] = True
496 else:
497 network_kwargs['port_security_enabled'] = False
498 result = cls.lb_mem_net_client.create_network(**network_kwargs)
499 cls.lb_member_2_net = result['network']
500 LOG.info('lb_member_2_net: {}'.format(cls.lb_member_2_net))
501 cls.addClassResourceCleanup(
502 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]503 cls._logging_delete_network,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]504 cls.lb_mem_net_client.show_network,
505 cls.lb_member_2_net['id'])
506
507 # Create tenant member 2 subnet
508 subnet_kwargs = {
509 'name': data_utils.rand_name("lb_member_2_subnet"),
510 'network_id': cls.lb_member_2_net['id'],
511 'cidr': CONF.load_balancer.member_2_ipv4_subnet_cidr,
512 'ip_version': 4}
513 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
514 cls.lb_member_2_subnet = result['subnet']
515 LOG.info('lb_member_2_subnet: {}'.format(cls.lb_member_2_subnet))
516 cls.addClassResourceCleanup(
517 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]518 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]519 cls.lb_mem_subnet_client.show_subnet,
520 cls.lb_member_2_subnet['id'])
521
522 # Create tenant member 2 ipv6 subnet
523 if CONF.load_balancer.test_with_ipv6:
524 subnet_kwargs = {
525 'name': data_utils.rand_name("lb_member_2_ipv6_subnet"),
526 'network_id': cls.lb_member_2_net['id'],
527 'cidr': CONF.load_balancer.member_2_ipv6_subnet_cidr,
528 'ip_version': 6}
529 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]530 cls.lb_member_2_subnet_prefix = (
531 CONF.load_balancer.member_2_ipv6_subnet_cidr.rpartition('/')[2]
532 )
533 assert(cls.lb_member_2_subnet_prefix.isdigit())
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]534 cls.lb_member_2_ipv6_subnet = result['subnet']
535 LOG.info('lb_member_2_ipv6_subnet: {}'.format(
536 cls.lb_member_2_ipv6_subnet))
537 cls.addClassResourceCleanup(
538 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]539 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]540 cls.lb_mem_subnet_client.show_subnet,
541 cls.lb_member_2_ipv6_subnet['id'])
542
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]543 @classmethod
Michael Johnson07c9a632018-06-07 13:27:42 -0700[diff] [blame]544 def _setup_lb_network_kwargs(cls, lb_kwargs, ip_version=None,
545 use_fixed_ip=False):
Adam Harwell60ed9d92018-05-10 13:23:13 -0700[diff] [blame]546 if not ip_version:
547 ip_version = 6 if CONF.load_balancer.test_with_ipv6 else 4
Michael Johnson5a16ad32018-10-18 14:49:11 -0700[diff] [blame]548 if cls.lb_member_vip_subnet or cls.lb_member_vip_ipv6_subnet:
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]549 ip_index = data_utils.rand_int_id(start=10, end=100)
Michael Johnsondfd818a2018-08-21 20:54:54 -0700[diff] [blame]550 while ip_index in cls.used_ips:
551 ip_index = data_utils.rand_int_id(start=10, end=100)
552 cls.used_ips.append(ip_index)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]553 if ip_version == 4:
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]554 subnet_id = cls.lb_member_vip_subnet[const.ID]
Michael Johnson5a16ad32018-10-18 14:49:11 -0700[diff] [blame]555 if CONF.load_balancer.test_with_noop:
556 lb_vip_address = '198.18.33.33'
557 else:
558 subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
559 network = ipaddress.IPv4Network(subnet['subnet']['cidr'])
560 lb_vip_address = str(network[ip_index])
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]561 else:
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]562 subnet_id = cls.lb_member_vip_ipv6_subnet[const.ID]
Michael Johnson5a16ad32018-10-18 14:49:11 -0700[diff] [blame]563 if CONF.load_balancer.test_with_noop:
564 lb_vip_address = '2001:db8:33:33:33:33:33:33'
565 else:
566 subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
567 network = ipaddress.IPv6Network(subnet['subnet']['cidr'])
568 lb_vip_address = str(network[ip_index])
Michael Johnson590fbe12019-07-03 14:30:01 -0700[diff] [blame]569 # If the subnet is IPv6 slaac or dhcpv6-stateless
570 # neutron does not allow a fixed IP
571 if not cls.lb_member_vip_ipv6_subnet_stateful:
572 use_fixed_ip = False
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]573 lb_kwargs[const.VIP_SUBNET_ID] = subnet_id
Michael Johnson07c9a632018-06-07 13:27:42 -0700[diff] [blame]574 if use_fixed_ip:
575 lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]576 if CONF.load_balancer.test_with_noop:
577 lb_kwargs[const.VIP_NETWORK_ID] = (
578 cls.lb_member_vip_net[const.ID])
Carlos Goncalvesbb238552020-01-15 10:10:55 +0000[diff] [blame]579 if ip_version == 6:
580 lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]581 else:
582 lb_kwargs[const.VIP_NETWORK_ID] = cls.lb_member_vip_net[const.ID]
583 lb_kwargs[const.VIP_SUBNET_ID] = None
584
Gregory Thiemongeece5ab42020-10-29 08:46:05 +0100[diff] [blame]585 def _validate_listener_protocol(self, protocol, raise_if_unsupported=True):
586 if (protocol == const.SCTP and
587 not self.mem_listener_client.is_version_supported(
588 self.api_version, '2.23')):
589 if raise_if_unsupported:
590 raise self.skipException('SCTP listener protocol '
591 'is only available on Octavia '
592 'API version 2.23 or newer.')
593 return False
594 return True
595
ibumarskovc5063922020-09-03 18:21:29 +0400[diff] [blame]596 @classmethod
597 def check_tf_compatibility(cls, protocol=None, algorithm=None):
598 # TungstenFabric supported protocols and algorithms
Ilya Bumarskov2b406292021-02-03 16:16:42 +0400[diff] [blame]599 tf_protocols = [const.HTTP, const.HTTPS, const.TCP,
ibumarskovc5063922020-09-03 18:21:29 +0400[diff] [blame]600 const.TERMINATED_HTTPS]
601 tf_algorithms = [const.LB_ALGORITHM_ROUND_ROBIN,
602 const.LB_ALGORITHM_LEAST_CONNECTIONS,
603 const.LB_ALGORITHM_SOURCE_IP]
604
605 if algorithm and algorithm not in tf_algorithms:
606 raise cls.skipException(
607 'TungstenFabric does not support {} algorithm.'
608 ''.format(algorithm))
609 if protocol and protocol not in tf_protocols:
610 raise cls.skipException(
611 'TungstenFabric does not support {} protocol.'
612 ''.format(protocol))
613
614 @classmethod
615 def _tf_create_listener(cls, name, proto, port, lb_id):
616 listener_kwargs = {
617 const.NAME: name,
618 const.PROTOCOL: proto,
619 const.PROTOCOL_PORT: port,
620 const.LOADBALANCER_ID: lb_id,
621 }
622 listener = cls.mem_listener_client.create_listener(**listener_kwargs)
623 return listener
624
625 @classmethod
626 def _tf_get_free_port(cls, lb_id):
627 port = 8081
628 lb = cls.mem_lb_client.show_loadbalancer(lb_id)
629 listeners = lb[const.LISTENERS]
630 if not listeners:
631 return port
632 ports = [cls.mem_listener_client.show_listener(x[const.ID])[
633 const.PROTOCOL_PORT] for x in listeners]
634 while port in ports:
635 port = port + 1
636 return port
637
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]638
639class LoadBalancerBaseTestWithCompute(LoadBalancerBaseTest):
640 @classmethod
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +0100[diff] [blame]641 def remote_client_args(cls):
642 # In case we're using octavia-tempest-plugin with old tempest releases
643 # (for instance on stable/train) that don't support ssh_key_type, catch
644 # the exception and don't pass any argument
645 args = {}
646 try:
647 args['ssh_key_type'] = CONF.validation.ssh_key_type
648 except cfg.NoSuchOptError:
649 pass
650 return args
651
652 @classmethod
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]653 def resource_setup(cls):
654 super(LoadBalancerBaseTestWithCompute, cls).resource_setup()
655 # If validation is disabled in this cloud, we won't be able to
656 # start the webservers, so don't even boot them.
657 if not CONF.validation.run_validation:
658 return
659
660 # Create a keypair for the webservers
661 keypair_name = data_utils.rand_name('lb_member_keypair')
662 result = cls.lb_mem_keypairs_client.create_keypair(
663 name=keypair_name)
664 cls.lb_member_keypair = result['keypair']
665 LOG.info('lb_member_keypair: {}'.format(cls.lb_member_keypair))
666 cls.addClassResourceCleanup(
667 waiters.wait_for_not_found,
668 cls.lb_mem_keypairs_client.delete_keypair,
669 cls.lb_mem_keypairs_client.show_keypair,
670 keypair_name)
671
672 if (CONF.load_balancer.enable_security_groups and
673 CONF.network_feature_enabled.port_security):
674 # Set up the security group for the webservers
675 SG_name = data_utils.rand_name('lb_member_SG')
676 cls.lb_member_sec_group = (
677 cls.lb_mem_SG_client.create_security_group(
678 name=SG_name)['security_group'])
679 cls.addClassResourceCleanup(
680 waiters.wait_for_not_found,
681 cls.lb_mem_SG_client.delete_security_group,
682 cls.lb_mem_SG_client.show_security_group,
683 cls.lb_member_sec_group['id'])
684
685 # Create a security group rule to allow 80-81 (test webservers)
686 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
687 direction='ingress',
688 security_group_id=cls.lb_member_sec_group['id'],
689 protocol='tcp',
690 ethertype='IPv4',
691 port_range_min=80,
692 port_range_max=81)['security_group_rule']
693 cls.addClassResourceCleanup(
694 waiters.wait_for_not_found,
695 cls.lb_mem_SGr_client.delete_security_group_rule,
696 cls.lb_mem_SGr_client.show_security_group_rule,
697 SGr['id'])
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]698 # Create a security group rule to allow UDP 80-81 (test webservers)
699 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
700 direction='ingress',
701 security_group_id=cls.lb_member_sec_group['id'],
702 protocol='udp',
703 ethertype='IPv4',
704 port_range_min=80,
705 port_range_max=81)['security_group_rule']
706 cls.addClassResourceCleanup(
707 waiters.wait_for_not_found,
708 cls.lb_mem_SGr_client.delete_security_group_rule,
709 cls.lb_mem_SGr_client.show_security_group_rule,
710 SGr['id'])
Michael Johnson74b6f2f2020-10-29 15:11:39 -0700[diff] [blame]711 # Create a security group rule to allow 443 (test webservers)
712 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
713 direction='ingress',
714 security_group_id=cls.lb_member_sec_group['id'],
715 protocol='tcp',
716 ethertype='IPv4',
717 port_range_min=443,
718 port_range_max=443)['security_group_rule']
719 cls.addClassResourceCleanup(
720 waiters.wait_for_not_found,
721 cls.lb_mem_SGr_client.delete_security_group_rule,
722 cls.lb_mem_SGr_client.show_security_group_rule,
723 SGr['id'])
Michael Johnson031ecca2020-10-29 16:45:32 -0700[diff] [blame]724 # Create a security group rule to allow 9443 (test webservers)
725 # Used in the pool backend encryption client authentication tests
726 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
727 direction='ingress',
728 security_group_id=cls.lb_member_sec_group['id'],
729 protocol='tcp',
730 ethertype='IPv4',
731 port_range_min=9443,
732 port_range_max=9443)['security_group_rule']
733 cls.addClassResourceCleanup(
734 waiters.wait_for_not_found,
735 cls.lb_mem_SGr_client.delete_security_group_rule,
736 cls.lb_mem_SGr_client.show_security_group_rule,
737 SGr['id'])
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]738 # Create a security group rule to allow UDP 9999 (test webservers)
739 # Port 9999 is used to illustrate health monitor ERRORs on closed
740 # ports.
741 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
742 direction='ingress',
743 security_group_id=cls.lb_member_sec_group['id'],
744 protocol='udp',
745 ethertype='IPv4',
746 port_range_min=9999,
747 port_range_max=9999)['security_group_rule']
748 cls.addClassResourceCleanup(
749 waiters.wait_for_not_found,
750 cls.lb_mem_SGr_client.delete_security_group_rule,
751 cls.lb_mem_SGr_client.show_security_group_rule,
752 SGr['id'])
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]753 # Create a security group rule to allow 22 (ssh)
754 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
755 direction='ingress',
756 security_group_id=cls.lb_member_sec_group['id'],
757 protocol='tcp',
758 ethertype='IPv4',
759 port_range_min=22,
760 port_range_max=22)['security_group_rule']
761 cls.addClassResourceCleanup(
762 waiters.wait_for_not_found,
763 cls.lb_mem_SGr_client.delete_security_group_rule,
764 cls.lb_mem_SGr_client.show_security_group_rule,
765 SGr['id'])
766 if CONF.load_balancer.test_with_ipv6:
767 # Create a security group rule to allow 80-81 (test webservers)
768 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
769 direction='ingress',
770 security_group_id=cls.lb_member_sec_group['id'],
771 protocol='tcp',
772 ethertype='IPv6',
773 port_range_min=80,
774 port_range_max=81)['security_group_rule']
775 cls.addClassResourceCleanup(
776 waiters.wait_for_not_found,
777 cls.lb_mem_SGr_client.delete_security_group_rule,
778 cls.lb_mem_SGr_client.show_security_group_rule,
779 SGr['id'])
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]780 # Create a security group rule to allow UDP 80-81 (test
781 # webservers)
782 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
783 direction='ingress',
784 security_group_id=cls.lb_member_sec_group['id'],
785 protocol='udp',
786 ethertype='IPv6',
787 port_range_min=80,
788 port_range_max=81)['security_group_rule']
789 cls.addClassResourceCleanup(
790 waiters.wait_for_not_found,
791 cls.lb_mem_SGr_client.delete_security_group_rule,
792 cls.lb_mem_SGr_client.show_security_group_rule,
793 SGr['id'])
Michael Johnson74b6f2f2020-10-29 15:11:39 -0700[diff] [blame]794 # Create a security group rule to allow 443 (test webservers)
795 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
796 direction='ingress',
797 security_group_id=cls.lb_member_sec_group['id'],
798 protocol='tcp',
799 ethertype='IPv6',
800 port_range_min=443,
801 port_range_max=443)['security_group_rule']
802 cls.addClassResourceCleanup(
803 waiters.wait_for_not_found,
804 cls.lb_mem_SGr_client.delete_security_group_rule,
805 cls.lb_mem_SGr_client.show_security_group_rule,
806 SGr['id'])
Michael Johnson031ecca2020-10-29 16:45:32 -0700[diff] [blame]807 # Create a security group rule to allow 9443 (test webservers)
808 # Used in the pool encryption client authentication tests
809 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
810 direction='ingress',
811 security_group_id=cls.lb_member_sec_group['id'],
812 protocol='tcp',
813 ethertype='IPv6',
814 port_range_min=9443,
815 port_range_max=9443)['security_group_rule']
816 cls.addClassResourceCleanup(
817 waiters.wait_for_not_found,
818 cls.lb_mem_SGr_client.delete_security_group_rule,
819 cls.lb_mem_SGr_client.show_security_group_rule,
820 SGr['id'])
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]821 # Create a security group rule to allow 22 (ssh)
822 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
823 direction='ingress',
824 security_group_id=cls.lb_member_sec_group['id'],
825 protocol='tcp',
826 ethertype='IPv6',
827 port_range_min=22,
828 port_range_max=22)['security_group_rule']
829 cls.addClassResourceCleanup(
830 waiters.wait_for_not_found,
831 cls.lb_mem_SGr_client.delete_security_group_rule,
832 cls.lb_mem_SGr_client.show_security_group_rule,
833 SGr['id'])
834
835 LOG.info('lb_member_sec_group: {}'.format(cls.lb_member_sec_group))
836
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]837 # Setup backend member reencryption PKI
838 cls._create_backend_reencryption_pki()
839
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]840 # Create webserver 1 instance
841 server_details = cls._create_webserver('lb_member_webserver1',
842 cls.lb_member_1_net)
843
844 cls.lb_member_webserver1 = server_details['server']
845 cls.webserver1_ip = server_details.get('ipv4_address')
846 cls.webserver1_ipv6 = server_details.get('ipv6_address')
847 cls.webserver1_public_ip = server_details['public_ipv4_address']
848
849 LOG.debug('Octavia Setup: lb_member_webserver1 = {}'.format(
850 cls.lb_member_webserver1[const.ID]))
851 LOG.debug('Octavia Setup: webserver1_ip = {}'.format(
852 cls.webserver1_ip))
853 LOG.debug('Octavia Setup: webserver1_ipv6 = {}'.format(
854 cls.webserver1_ipv6))
855 LOG.debug('Octavia Setup: webserver1_public_ip = {}'.format(
856 cls.webserver1_public_ip))
857
858 # Create webserver 2 instance
859 server_details = cls._create_webserver('lb_member_webserver2',
860 cls.lb_member_2_net)
861
862 cls.lb_member_webserver2 = server_details['server']
863 cls.webserver2_ip = server_details.get('ipv4_address')
864 cls.webserver2_ipv6 = server_details.get('ipv6_address')
865 cls.webserver2_public_ip = server_details['public_ipv4_address']
866
867 LOG.debug('Octavia Setup: lb_member_webserver2 = {}'.format(
868 cls.lb_member_webserver2[const.ID]))
869 LOG.debug('Octavia Setup: webserver2_ip = {}'.format(
870 cls.webserver2_ip))
871 LOG.debug('Octavia Setup: webserver2_ipv6 = {}'.format(
872 cls.webserver2_ipv6))
873 LOG.debug('Octavia Setup: webserver2_public_ip = {}'.format(
874 cls.webserver2_public_ip))
875
Ilya Bumarskovcea9b6b2023-03-16 14:12:09 +0400[diff] [blame]876 if (CONF.load_balancer.test_with_ipv6 and not
Gleb Zimin028d1772023-11-22 13:06:14 +0100[diff] [blame^]877 config.is_tungstenfabric_backend_enabled()):
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]878 # Enable the IPv6 nic in webserver 1
879 cls._enable_ipv6_nic_webserver(
880 cls.webserver1_public_ip, cls.lb_member_keypair['private_key'],
881 cls.webserver1_ipv6, cls.lb_member_1_subnet_prefix)
882
883 # Enable the IPv6 nic in webserver 2
884 cls._enable_ipv6_nic_webserver(
885 cls.webserver2_public_ip, cls.lb_member_keypair['private_key'],
886 cls.webserver2_ipv6, cls.lb_member_2_subnet_prefix)
887
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]888 # Set up serving on webserver 1
889 cls._install_start_webserver(cls.webserver1_public_ip,
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]890 cls.lb_member_keypair['private_key'],
891 cls.webserver1_response)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]892
893 # Validate webserver 1
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]894 cls._validate_webserver(cls.webserver1_public_ip,
895 cls.webserver1_response)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]896
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]897 # Validate udp server 1
898 cls._validate_udp_server(cls.webserver1_public_ip,
899 cls.webserver1_response)
900
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]901 # Set up serving on webserver 2
902 cls._install_start_webserver(cls.webserver2_public_ip,
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]903 cls.lb_member_keypair['private_key'],
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]904 cls.webserver2_response, revoke_cert=True)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]905
906 # Validate webserver 2
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]907 cls._validate_webserver(cls.webserver2_public_ip,
908 cls.webserver2_response)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]909
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]910 # Validate udp server 2
911 cls._validate_udp_server(cls.webserver2_public_ip,
912 cls.webserver2_response)
913
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]914 @classmethod
915 def _create_networks(cls):
916 super(LoadBalancerBaseTestWithCompute, cls)._create_networks()
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]917 # Create a router for the subnets (required for the floating IP)
918 router_name = data_utils.rand_name("lb_member_router")
919 result = cls.lb_mem_routers_client.create_router(
920 name=router_name, admin_state_up=True,
921 external_gateway_info=dict(
922 network_id=CONF.network.public_network_id))
923 cls.lb_member_router = result['router']
924 LOG.info('lb_member_router: {}'.format(cls.lb_member_router))
925 cls.addClassResourceCleanup(
926 waiters.wait_for_not_found,
927 cls.lb_mem_routers_client.delete_router,
928 cls.lb_mem_routers_client.show_router,
929 cls.lb_member_router['id'])
930
931 # Add VIP subnet to router
932 cls.lb_mem_routers_client.add_router_interface(
933 cls.lb_member_router['id'],
934 subnet_id=cls.lb_member_vip_subnet['id'])
935 cls.addClassResourceCleanup(
936 waiters.wait_for_not_found,
937 cls.lb_mem_routers_client.remove_router_interface,
938 cls.lb_mem_routers_client.remove_router_interface,
939 cls.lb_member_router['id'],
940 subnet_id=cls.lb_member_vip_subnet['id'])
941
Gregory Thiemonge54225ad2021-02-04 15:25:17 +0100[diff] [blame]942 if (CONF.load_balancer.test_with_ipv6 and
943 CONF.load_balancer.default_router and
944 cls.lb_member_vip_ipv6_subnet_use_subnetpool):
945
946 router_name = CONF.load_balancer.default_router
947 # if lb_member_vip_ipv6_subnet uses devstack's subnetpool,
948 # plug the subnet into the default router
949 router = cls.os_admin.routers_client.list_routers(
950 name=router_name)['routers']
951
952 if len(router) == 1:
953 router = router[0]
954
955 # Add IPv6 VIP subnet to router1
956 cls.os_admin_routers_client.add_router_interface(
957 router['id'],
958 subnet_id=cls.lb_member_vip_ipv6_subnet['id'])
959 cls.addClassResourceCleanup(
960 waiters.wait_for_not_found,
961 cls.os_admin_routers_client.remove_router_interface,
962 cls.os_admin_routers_client.remove_router_interface,
963 router['id'],
964 subnet_id=cls.lb_member_vip_ipv6_subnet['id'])
965
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]966 # Add member subnet 1 to router
967 cls.lb_mem_routers_client.add_router_interface(
968 cls.lb_member_router['id'],
969 subnet_id=cls.lb_member_1_subnet['id'])
970 cls.addClassResourceCleanup(
971 waiters.wait_for_not_found,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]972 cls.lb_mem_routers_client.remove_router_interface,
973 cls.lb_mem_routers_client.remove_router_interface,
974 cls.lb_member_router['id'], subnet_id=cls.lb_member_1_subnet['id'])
975
976 # Add member subnet 2 to router
977 cls.lb_mem_routers_client.add_router_interface(
978 cls.lb_member_router['id'],
979 subnet_id=cls.lb_member_2_subnet['id'])
980 cls.addClassResourceCleanup(
981 waiters.wait_for_not_found,
982 cls.lb_mem_routers_client.remove_router_interface,
983 cls.lb_mem_routers_client.remove_router_interface,
984 cls.lb_member_router['id'], subnet_id=cls.lb_member_2_subnet['id'])
985
986 @classmethod
987 def _create_webserver(cls, name, network):
988 """Creates a webserver with two ports.
989
990 webserver_details dictionary contains:
991 server - The compute server object
992 ipv4_address - The IPv4 address for the server (optional)
993 ipv6_address - The IPv6 address for the server (optional)
994 public_ipv4_address - The publicly accessible IPv4 address for the
995 server, this may be a floating IP (optional)
996
997 :param name: The name of the server to create.
998 :param network: The network to boot the server on.
999 :returns: webserver_details dictionary.
1000 """
1001 server_kwargs = {
1002 'name': data_utils.rand_name(name),
1003 'flavorRef': CONF.compute.flavor_ref,
1004 'imageRef': CONF.compute.image_ref,
1005 'key_name': cls.lb_member_keypair['name']}
1006 if (CONF.load_balancer.enable_security_groups and
1007 CONF.network_feature_enabled.port_security):
1008 server_kwargs['security_groups'] = [
1009 {'name': cls.lb_member_sec_group['name']}]
1010 if not CONF.load_balancer.disable_boot_network:
1011 server_kwargs['networks'] = [{'uuid': network['id']}]
1012
1013 # Replace the name for clouds that have limitations
1014 if CONF.load_balancer.random_server_name_length:
1015 r = random.SystemRandom()
1016 server_kwargs['name'] = "m{}".format("".join(
1017 [r.choice(string.ascii_uppercase + string.digits)
1018 for _ in range(
1019 CONF.load_balancer.random_server_name_length - 1)]
1020 ))
1021 if CONF.load_balancer.availability_zone:
1022 server_kwargs['availability_zone'] = (
1023 CONF.load_balancer.availability_zone)
1024
1025 server = cls.lb_mem_servers_client.create_server(
1026 **server_kwargs)['server']
1027 cls.addClassResourceCleanup(
1028 waiters.wait_for_not_found,
1029 cls.lb_mem_servers_client.delete_server,
1030 cls.lb_mem_servers_client.show_server,
1031 server['id'])
1032 server = waiters.wait_for_status(
1033 cls.lb_mem_servers_client.show_server,
1034 server['id'], 'status', 'ACTIVE',
1035 CONF.load_balancer.build_interval,
1036 CONF.load_balancer.build_timeout,
1037 root_tag='server')
1038 webserver_details = {'server': server}
1039 LOG.info('Created server: {}'.format(server))
1040
1041 addresses = server['addresses']
1042 if CONF.load_balancer.disable_boot_network:
1043 instance_network = addresses.values()[0]
1044 else:
1045 instance_network = addresses[network['name']]
1046 for addr in instance_network:
1047 if addr['version'] == 4:
1048 webserver_details['ipv4_address'] = addr['addr']
1049 if addr['version'] == 6:
1050 webserver_details['ipv6_address'] = addr['addr']
1051
1052 if CONF.validation.connect_method == 'floating':
1053 result = cls.lb_mem_ports_client.list_ports(
1054 network_id=network['id'],
1055 mac_address=instance_network[0]['OS-EXT-IPS-MAC:mac_addr'])
1056 port_id = result['ports'][0]['id']
Gleb Zimin028d1772023-11-22 13:06:14 +0100[diff] [blame^]1057 if config.is_tungstenfabric_backend_enabled():
Ilya Bumarskovcea9b6b2023-03-16 14:12:09 +0400[diff] [blame]1058 port = result['ports'][0]
1059 fixed_ip = None
1060 for ip in port["fixed_ips"]:
1061 if (type(ipaddress.ip_address(ip["ip_address"])) is
1062 ipaddress.IPv4Address):
1063 fixed_ip = ip["ip_address"]
1064 break
1065 assert fixed_ip is not None, (f"Port doesn't have ipv4 "
1066 f"address: {port['fixed_ips']}")
1067 result = cls.lb_mem_float_ip_client.create_floatingip(
1068 floating_network_id=CONF.network.public_network_id,
1069 port_id=port_id,
1070 fixed_ip_address=fixed_ip)
1071 else:
1072 result = cls.lb_mem_float_ip_client.create_floatingip(
1073 floating_network_id=CONF.network.public_network_id,
1074 port_id=port_id)
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1075 floating_ip = result['floatingip']
1076 LOG.info('webserver1_floating_ip: {}'.format(floating_ip))
1077 cls.addClassResourceCleanup(
1078 waiters.wait_for_not_found,
1079 cls.lb_mem_float_ip_client.delete_floatingip,
1080 cls.lb_mem_float_ip_client.show_floatingip,
1081 floatingip_id=floating_ip['id'])
1082 webserver_details['public_ipv4_address'] = (
1083 floating_ip['floating_ip_address'])
1084 else:
1085 webserver_details['public_ipv4_address'] = (
1086 instance_network[0]['addr'])
1087
1088 return webserver_details
1089
1090 @classmethod
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1091 def _get_openssh_version(cls):
1092 p = subprocess.Popen(["ssh", "-V"],
1093 stdout=subprocess.PIPE,
1094 stderr=subprocess.PIPE)
1095 output = p.communicate()[1]
1096
1097 try:
1098 m = re.match(r"OpenSSH_(\d+)\.(\d+)", output.decode('utf-8'))
1099 version_maj = int(m.group(1))
1100 version_min = int(m.group(2))
1101 return version_maj, version_min
1102 except Exception:
1103 return None, None
1104
1105 @classmethod
1106 def _need_scp_protocol(cls):
1107 # When using scp >= 8.7, force the use of the SCP protocol,
1108 # the new default (SFTP protocol) doesn't work with
1109 # cirros VMs.
1110 ssh_version = cls._get_openssh_version()
1111 LOG.debug("ssh_version = {}".format(ssh_version))
1112 return (ssh_version[0] > 8 or
1113 (ssh_version[0] == 8 and ssh_version[1] >= 7))
1114
1115 @classmethod
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1116 def _install_start_webserver(cls, ip_address, ssh_key, start_id,
1117 revoke_cert=False):
Michael Johnson27357352020-11-13 13:55:09 -0800[diff] [blame]1118 local_file = CONF.load_balancer.test_server_path
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1119
1120 linux_client = remote_client.RemoteClient(
Ade Leed0ea4062021-09-06 15:33:27 -0400[diff] [blame]1121 ip_address, CONF.validation.image_ssh_user, pkey=ssh_key,
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +0100[diff] [blame]1122 **cls.remote_client_args())
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1123 linux_client.validate_authentication()
1124
1125 with tempfile.NamedTemporaryFile() as key:
1126 key.write(ssh_key.encode('utf-8'))
1127 key.flush()
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1128 ssh_extra_args = (
1129 "-o PubkeyAcceptedKeyTypes=+ssh-rsa")
1130 if cls._need_scp_protocol():
1131 ssh_extra_args += " -O"
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1132 cmd = ("scp -v -o UserKnownHostsFile=/dev/null "
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1133 "{7} "
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1134 "-o StrictHostKeyChecking=no "
1135 "-o ConnectTimeout={0} -o ConnectionAttempts={1} "
1136 "-i {2} {3} {4}@{5}:{6}").format(
1137 CONF.load_balancer.scp_connection_timeout,
1138 CONF.load_balancer.scp_connection_attempts,
1139 key.name, local_file, CONF.validation.image_ssh_user,
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1140 ip_address, const.TEST_SERVER_BINARY,
1141 ssh_extra_args)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1142 args = shlex.split(cmd)
1143 subprocess_args = {'stdout': subprocess.PIPE,
1144 'stderr': subprocess.STDOUT,
1145 'cwd': None}
1146 proc = subprocess.Popen(args, **subprocess_args)
1147 stdout, stderr = proc.communicate()
1148 if proc.returncode != 0:
1149 raise exceptions.CommandFailed(proc.returncode, cmd,
1150 stdout, stderr)
Gregory Thiemongef72a8862019-08-06 17:25:42 +0200[diff] [blame]1151
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1152 cls._load_member_pki_content(ip_address, key,
1153 revoke_cert=revoke_cert)
1154
Gregory Thiemongef72a8862019-08-06 17:25:42 +0200[diff] [blame]1155 # Enabling memory overcommit allows to run golang static binaries
1156 # compiled with a recent golang toolchain (>=1.11). Those binaries
1157 # allocate a large amount of virtual memory at init time, and this
1158 # allocation fails in tempest's nano flavor (64MB of RAM)
1159 # (golang issue reported in https://github.com/golang/go/issues/28114,
1160 # follow-up: https://github.com/golang/go/issues/28081)
1161 # TODO(gthiemonge): Remove this call when golang issue is resolved.
1162 linux_client.exec_command('sudo sh -c "echo 1 > '
1163 '/proc/sys/vm/overcommit_memory"')
1164
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1165 # The initial process also supports HTTPS and HTTPS with client auth
1166 linux_client.exec_command(
1167 'sudo screen -d -m {0} -port 80 -id {1} -https_port 443 -cert {2} '
1168 '-key {3} -https_client_auth_port 9443 -client_ca {4}'.format(
1169 const.TEST_SERVER_BINARY, start_id, const.TEST_SERVER_CERT,
1170 const.TEST_SERVER_KEY, const.TEST_SERVER_CLIENT_CA))
1171
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1172 linux_client.exec_command('sudo screen -d -m {0} -port 81 '
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1173 '-id {1}'.format(const.TEST_SERVER_BINARY,
1174 start_id + 1))
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1175
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]1176 # Cirros does not configure the assigned IPv6 address by default
1177 # so enable it manually like tempest does here:
1178 # tempest/scenario/test_netowrk_v6.py turn_nic6_on()
1179 @classmethod
1180 def _enable_ipv6_nic_webserver(cls, ip_address, ssh_key,
1181 ipv6_address, ipv6_prefix):
1182 linux_client = remote_client.RemoteClient(
Ade Leed0ea4062021-09-06 15:33:27 -0400[diff] [blame]1183 ip_address, CONF.validation.image_ssh_user, pkey=ssh_key,
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +0100[diff] [blame]1184 **cls.remote_client_args())
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]1185 linux_client.validate_authentication()
1186
1187 linux_client.exec_command('sudo ip address add {0}/{1} dev '
1188 'eth0'.format(ipv6_address, ipv6_prefix))
1189
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1190 @classmethod
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1191 def _validate_webserver(cls, ip_address, start_id):
1192 URL = 'http://{0}'.format(ip_address)
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]1193 cls.validate_URL_response(URL, expected_body=str(start_id))
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1194 URL = 'http://{0}:81'.format(ip_address)
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]1195 cls.validate_URL_response(URL, expected_body=str(start_id + 1))
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1196
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]1197 @classmethod
1198 def _validate_udp_server(cls, ip_address, start_id):
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]1199 res = cls.make_udp_request(ip_address, 80)
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]1200 if res != str(start_id):
1201 raise Exception("Response from test server doesn't match the "
1202 "expected value ({0} != {1}).".format(
1203 res, str(start_id)))
1204
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]1205 res = cls.make_udp_request(ip_address, 81)
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]1206 if res != str(start_id + 1):
1207 raise Exception("Response from test server doesn't match the "
1208 "expected value ({0} != {1}).".format(
1209 res, str(start_id + 1)))
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1210
1211 @classmethod
1212 def _create_backend_reencryption_pki(cls):
1213 # Create a CA self-signed cert and key for the member test servers
1214 cls.member_ca_cert, cls.member_ca_key = (
1215 cert_utils.generate_ca_cert_and_key())
1216
1217 LOG.debug('Member CA Cert: %s', cls.member_ca_cert.public_bytes(
1218 serialization.Encoding.PEM))
1219 LOG.debug('Member CA private Key: %s', cls.member_ca_key.private_bytes(
1220 encoding=serialization.Encoding.PEM,
1221 format=serialization.PrivateFormat.TraditionalOpenSSL,
1222 encryption_algorithm=serialization.NoEncryption()))
1223 LOG.debug('Member CA public Key: %s',
1224 cls.member_ca_key.public_key().public_bytes(
1225 encoding=serialization.Encoding.PEM,
1226 format=serialization.PublicFormat.SubjectPublicKeyInfo))
1227
1228 # Create the member client authentication CA
1229 cls.member_client_ca_cert, member_client_ca_key = (
1230 cert_utils.generate_ca_cert_and_key())
1231
1232 # Create client cert and key
1233 cls.member_client_cn = uuidutils.generate_uuid()
1234 cls.member_client_cert, cls.member_client_key = (
1235 cert_utils.generate_client_cert_and_key(
1236 cls.member_client_ca_cert, member_client_ca_key,
1237 cls.member_client_cn))
1238 # Note: We are not revoking a client cert here as we don't need to
1239 # test the backend web server CRL checking.
1240
1241 @classmethod
1242 def _load_member_pki_content(cls, ip_address, ssh_key, revoke_cert=False):
1243 # Create webserver certificate and key
1244 cert, key = cert_utils.generate_server_cert_and_key(
1245 cls.member_ca_cert, cls.member_ca_key, ip_address)
1246
1247 LOG.debug('%s Cert: %s', ip_address, cert.public_bytes(
1248 serialization.Encoding.PEM))
1249 LOG.debug('%s private Key: %s', ip_address, key.private_bytes(
1250 encoding=serialization.Encoding.PEM,
1251 format=serialization.PrivateFormat.TraditionalOpenSSL,
1252 encryption_algorithm=serialization.NoEncryption()))
1253 public_key = key.public_key()
1254 LOG.debug('%s public Key: %s', ip_address, public_key.public_bytes(
1255 encoding=serialization.Encoding.PEM,
1256 format=serialization.PublicFormat.SubjectPublicKeyInfo))
1257
1258 # Create a CRL with a revoked certificate
1259 if revoke_cert:
1260 # Create a CRL with webserver 2 revoked
1261 cls.member_crl = cert_utils.generate_certificate_revocation_list(
1262 cls.member_ca_cert, cls.member_ca_key, cert)
1263
1264 # Load the certificate, key, and client CA certificate into the
1265 # test server.
1266 with tempfile.TemporaryDirectory() as tmpdir:
1267 os.umask(0)
1268 files_to_send = []
1269 cert_filename = os.path.join(tmpdir, const.CERT_PEM)
1270 files_to_send.append(cert_filename)
1271 with open(os.open(cert_filename, os.O_CREAT | os.O_WRONLY,
1272 0o700), 'w') as fh:
1273 fh.write(cert.public_bytes(
1274 serialization.Encoding.PEM).decode('utf-8'))
1275 fh.flush()
1276 key_filename = os.path.join(tmpdir, const.KEY_PEM)
1277 files_to_send.append(key_filename)
1278 with open(os.open(key_filename, os.O_CREAT | os.O_WRONLY,
1279 0o700), 'w') as fh:
1280 fh.write(key.private_bytes(
1281 encoding=serialization.Encoding.PEM,
1282 format=serialization.PrivateFormat.TraditionalOpenSSL,
1283 encryption_algorithm=serialization.NoEncryption()).decode(
1284 'utf-8'))
1285 fh.flush()
1286 client_ca_filename = os.path.join(tmpdir, const.CLIENT_CA_PEM)
1287 files_to_send.append(client_ca_filename)
1288 with open(os.open(client_ca_filename, os.O_CREAT | os.O_WRONLY,
1289 0o700), 'w') as fh:
1290 fh.write(cls.member_client_ca_cert.public_bytes(
1291 serialization.Encoding.PEM).decode('utf-8'))
1292 fh.flush()
1293
1294 # For security, we don't want to use a shell that can glob
1295 # the file names, so iterate over them.
1296 subprocess_args = {'stdout': subprocess.PIPE,
1297 'stderr': subprocess.STDOUT,
1298 'cwd': None}
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1299 ssh_extra_args = (
1300 "-o PubkeyAcceptedKeyTypes=+ssh-rsa")
1301 if cls._need_scp_protocol():
1302 ssh_extra_args += " -O"
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1303 cmd = ("scp -v -o UserKnownHostsFile=/dev/null "
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1304 "{9} "
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1305 "-o StrictHostKeyChecking=no "
1306 "-o ConnectTimeout={0} -o ConnectionAttempts={1} "
1307 "-i {2} {3} {4} {5} {6}@{7}:{8}").format(
1308 CONF.load_balancer.scp_connection_timeout,
1309 CONF.load_balancer.scp_connection_attempts,
1310 ssh_key.name, cert_filename, key_filename, client_ca_filename,
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1311 CONF.validation.image_ssh_user, ip_address, const.DEV_SHM_PATH,
1312 ssh_extra_args)
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1313 args = shlex.split(cmd)
1314 proc = subprocess.Popen(args, **subprocess_args)
1315 stdout, stderr = proc.communicate()
1316 if proc.returncode != 0:
1317 raise exceptions.CommandFailed(proc.returncode, cmd,
1318 stdout, stderr)