Jude Cross986e3f52017-07-24 14:57:20 -07001# Copyright 2018 Rackspace US Inc. All rights reserved.
2#
3# Licensed under the Apache License, Version 2.0 (the "License"); you may
4# not use this file except in compliance with the License. You may obtain
5# a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12# License for the specific language governing permissions and limitations
13# under the License.
14
15import ipaddress
Michael Johnsonbaf12e02020-10-27 16:10:28 -070016import os
Jude Cross986e3f52017-07-24 14:57:20 -070017import random
Gregory Thiemongea2c234e2021-11-02 17:08:29 +010018import re
Jude Cross986e3f52017-07-24 14:57:20 -070019import shlex
Jude Cross986e3f52017-07-24 14:57:20 -070020import string
21import subprocess
22import tempfile
23
Michael Johnsonbaf12e02020-10-27 16:10:28 -070024from cryptography.hazmat.primitives import serialization
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +010025from oslo_config import cfg
Jude Cross986e3f52017-07-24 14:57:20 -070026from oslo_log import log as logging
27from oslo_utils import uuidutils
28from tempest import config
29from tempest.lib.common.utils import data_utils
30from tempest.lib.common.utils.linux import remote_client
Jude Cross986e3f52017-07-24 14:57:20 -070031from tempest.lib import exceptions
32from tempest import test
Michael Johnson04dc5cb2019-01-20 11:03:50 -080033import tenacity
Jude Cross986e3f52017-07-24 14:57:20 -070034
Michael Johnsonbaf12e02020-10-27 16:10:28 -070035from octavia_tempest_plugin.common import cert_utils
Jude Cross986e3f52017-07-24 14:57:20 -070036from octavia_tempest_plugin.common import constants as const
Michael Johnson6006de72021-02-21 01:42:39 +000037from octavia_tempest_plugin.tests import RBAC_tests
Jude Cross986e3f52017-07-24 14:57:20 -070038from octavia_tempest_plugin.tests import validators
39from octavia_tempest_plugin.tests import waiters
40
41CONF = config.CONF
42LOG = logging.getLogger(__name__)
43
Gregory Thiemonge29d17902019-04-30 15:06:17 +020044
Michael Johnson6006de72021-02-21 01:42:39 +000045class LoadBalancerBaseTest(validators.ValidatorsMixin,
46 RBAC_tests.RBACTestsMixin, test.BaseTestCase):
Jude Cross986e3f52017-07-24 14:57:20 -070047 """Base class for load balancer tests."""
48
# Pick the credential set for this class from the configured RBAC test type.
# Plain strings and [name, role, ...] lists are both accepted; the loop
# further down maps them to 'os_<name>' and 'os_roles_<name>' respectively.
if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
    credentials = [
        'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
        ['lb_member', CONF.load_balancer.member_role],
        ['lb_member2', CONF.load_balancer.member_role]]
elif CONF.load_balancer.enforce_new_defaults:
    credentials = [
        'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
        ['lb_observer', CONF.load_balancer.observer_role, 'reader'],
        ['lb_global_observer', CONF.load_balancer.global_observer_role,
         'reader'],
        ['lb_member', CONF.load_balancer.member_role, 'member'],
        ['lb_member2', CONF.load_balancer.member_role, 'member'],
        # Deliberately created with the member_role only, without the extra
        # 'member' role the two entries above carry.
        ['lb_member_not_default_member', CONF.load_balancer.member_role]]
else:
    credentials = [
        'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
        ['lb_observer', CONF.load_balancer.observer_role, 'reader'],
        ['lb_global_observer', CONF.load_balancer.global_observer_role,
         'reader'],
        # Note: Some projects are now requiring the 'member' role by
        # default (nova for example) so make sure our creds have this role
        ['lb_member', CONF.load_balancer.member_role, 'member'],
        ['lb_member2', CONF.load_balancer.member_role, 'member']]

# If scope enforcement is enabled, add in the system scope credentials.
# The project scope is already handled by the above credentials.
if CONF.enforce_scope.octavia:
    credentials.extend(['system_admin', 'system_reader'])

# A tuple of credentials that will be allocated by tempest using the
# 'credentials' list above. These are used to build RBAC test lists.
allocated_creds = []
for cred in credentials:
    if isinstance(cred, list):
        allocated_creds.append('os_roles_' + cred[0])
    else:
        allocated_creds.append('os_' + cred)
# Tests shall not mess with the list of allocated credentials
allocated_credentials = tuple(allocated_creds)

# NOTE(review): these two values are not used in the visible part of the
# file; presumably the responses expected from the two test webservers.
webserver1_response = 1
webserver2_response = 5
# Mutable class-level list, so it is shared by every subclass that does not
# rebind it. _setup_lb_network_kwargs appends each VIP address index it
# hands out and never removes one.
used_ips = []

# NOTE(review): bounds and starting value for a source port counter; the
# code that advances src_port_number is not in the visible part of the file.
SRC_PORT_NUMBER_MIN = 32768
SRC_PORT_NUMBER_MAX = 61000
src_port_number = SRC_PORT_NUMBER_MIN
97
@classmethod
def skip_checks(cls):
    """Skip every test in the class when a prerequisite is missing.

    The load balancer service is always required. Compute, image and
    neutron are required as well unless the tests run against the noop
    drivers. The VIP and the instances must also be reachable, either
    directly or through a public network.

    :raises cls.skipException: when a required service is unavailable or
                               no network path to the VIP is configured.
    """
    super(LoadBalancerBaseTest, cls).skip_checks()

    always_required = {
        'load_balancer': CONF.service_available.load_balancer,
    }
    live_only = {
        'compute': CONF.service_available.nova,
        'image': CONF.service_available.glance,
        'neutron': CONF.service_available.neutron
    }

    if CONF.load_balancer.test_with_noop:
        required = always_required
    else:
        required = dict(always_required, **live_only)

    for service_name, is_available in required.items():
        if is_available:
            continue
        skip_msg = ("{0} skipped as {1} service is not "
                    "available.".format(cls.__name__, service_name))
        raise cls.skipException(skip_msg)

    # We must be able to reach our VIP and instances
    vip_reachable = (CONF.network.project_networks_reachable
                     or CONF.network.public_network_id)
    if not vip_reachable:
        msg = ('Either project_networks_reachable must be "true", or '
               'public_network_id must be defined.')
        raise cls.skipException(msg)
128
@classmethod
def setup_credentials(cls):
    """Set up the test credentials and optionally log their roles.

    Automatic creation of network resources is turned off first. When
    CONF.load_balancer.log_user_roles is set, the role assignments of every
    allocated credential are looked up with the admin clients and written
    to the log at INFO level, one line per user.
    """
    # Do not auto create network resources
    cls.set_network_resources()
    super(LoadBalancerBaseTest, cls).setup_credentials()

    if not CONF.load_balancer.log_user_roles:
        return

    # Log the user roles for this test run
    assignments_client = cls.os_admin.role_assignments_client
    roles_client = cls.os_admin.roles_v3_client
    # Role id -> role name, so each role is fetched from the API only once.
    names_by_id = {}
    for entry in cls.credentials:
        if isinstance(entry, list):
            user_name = entry[0]
            manager = getattr(cls, 'os_roles_' + entry[0])
        else:
            user_name = entry
            manager = getattr(cls, 'os_' + entry)

        query = {'user.id': manager.credentials.user_id,
                 'project.id': manager.credentials.project_id}
        assignments = assignments_client.list_role_assignments(
            **query)['role_assignments']

        user_roles = []
        for assignment in assignments:
            role_id = assignment['role']['id']
            if role_id not in names_by_id:
                names_by_id[role_id] = roles_client.show_role(
                    role_id)['role']['name']
            user_roles.append([names_by_id[role_id], assignment['scope']])
        LOG.info("User %s has roles: %s", user_name, user_roles)
163
@classmethod
def setup_clients(cls):
    """Bind short client aliases on the class.

    The 'lb_mem_*' and 'mem_*' aliases use the lb_member credential, the
    'lb_admin_*' aliases use the lb_admin credential and the 'os_admin_*'
    aliases use the cloud admin credential. Keeping the privilege level in
    the alias name makes it visible at each call site which identity a
    test is acting as.
    """
    super(LoadBalancerBaseTest, cls).setup_clients()
    admin_lb = cls.os_roles_lb_admin.load_balancer_v2
    member = cls.os_roles_lb_member
    member_lb = member.load_balancer_v2

    # Networking and compute clients, member credential.
    cls.lb_mem_float_ip_client = member.floating_ips_client
    cls.lb_mem_keypairs_client = member.keypairs_client
    cls.lb_mem_net_client = member.networks_client
    cls.lb_mem_ports_client = member.ports_client
    cls.lb_mem_routers_client = member.routers_client
    cls.lb_mem_SG_client = member.security_groups_client
    cls.lb_mem_SGr_client = member.security_group_rules_client
    cls.lb_mem_servers_client = member.servers_client
    cls.lb_mem_subnet_client = member.subnets_client

    # Load balancer API clients, member credential.
    cls.mem_lb_client = member_lb.LoadbalancerClient()
    cls.mem_listener_client = member_lb.ListenerClient()
    cls.mem_pool_client = member_lb.PoolClient()
    cls.mem_member_client = member_lb.MemberClient()
    cls.mem_healthmonitor_client = member_lb.HealthMonitorClient()
    cls.mem_l7policy_client = member_lb.L7PolicyClient()
    cls.mem_l7rule_client = member_lb.L7RuleClient()
    cls.mem_flavor_client = member_lb.FlavorClient()
    cls.mem_provider_client = member_lb.ProviderClient()
    cls.mem_availability_zone_client = member_lb.AvailabilityZoneClient()

    # Load balancer API clients, lb_admin credential.
    cls.lb_admin_amphora_client = admin_lb.AmphoraClient()
    cls.lb_admin_flavor_profile_client = admin_lb.FlavorProfileClient()
    cls.lb_admin_flavor_client = admin_lb.FlavorClient()
    cls.lb_admin_flavor_capabilities_client = (
        admin_lb.FlavorCapabilitiesClient())
    cls.lb_admin_availability_zone_capabilities_client = (
        admin_lb.AvailabilityZoneCapabilitiesClient())
    cls.lb_admin_availability_zone_profile_client = (
        admin_lb.AvailabilityZoneProfileClient())
    cls.lb_admin_availability_zone_client = (
        admin_lb.AvailabilityZoneClient())

    # Cloud admin clients.
    cls.os_admin_servers_client = cls.os_admin.servers_client
    cls.os_admin_routers_client = cls.os_admin.routers_client
    cls.os_admin_subnetpools_client = cls.os_admin.subnetpools_client
Jude Cross986e3f52017-07-24 14:57:20 -0700214
@classmethod
def resource_setup(cls):
    """Setup resources needed by the tests.

    Sets cls.api_version and cls.lb_algorithm, then populates the
    lb_member_* network and subnet attributes in one of three ways:
    random placeholder ids when running against the noop drivers, the
    operator-supplied override network/subnets, or networks created by
    _create_networks().

    :raises exceptions.InvalidConfiguration: if test_subnet_override is
        set without test_network_override.
    """
    super(LoadBalancerBaseTest, cls).resource_setup()

    conf_lb = CONF.load_balancer

    cls.api_version = cls.mem_lb_client.get_max_api_version()

    if conf_lb.test_subnet_override and not conf_lb.test_network_override:
        raise exceptions.InvalidConfiguration(
            "Configuration value test_network_override must be "
            "specified if test_subnet_override is used.")

    # TODO(johnsom) Remove this
    # Get loadbalancing algorithms supported by provider driver.
    try:
        algorithms = const.SUPPORTED_LB_ALGORITHMS[
            CONF.load_balancer.provider]
    except KeyError:
        algorithms = const.SUPPORTED_LB_ALGORITHMS['default']
    # Set default algorithm as first from the list.
    cls.lb_algorithm = algorithms[0]

    show_subnet = cls.lb_mem_subnet_client.show_subnet
    if CONF.load_balancer.test_with_noop:
        # Noop run: nothing is created, the attributes only carry random
        # ids so later code can index them by 'id'.
        cls.lb_member_vip_net = {'id': uuidutils.generate_uuid()}
        cls.lb_member_vip_subnet = {'id': uuidutils.generate_uuid()}
        cls.lb_member_1_net = {'id': uuidutils.generate_uuid()}
        cls.lb_member_1_subnet = {'id': uuidutils.generate_uuid()}
        cls.lb_member_2_net = {'id': uuidutils.generate_uuid()}
        cls.lb_member_2_subnet = {'id': uuidutils.generate_uuid()}
        if CONF.load_balancer.test_with_ipv6:
            cls.lb_member_vip_ipv6_net = {'id': uuidutils.generate_uuid()}
            cls.lb_member_vip_ipv6_subnet = {'id':
                                             uuidutils.generate_uuid()}
            cls.lb_member_1_ipv6_subnet = {'id': uuidutils.generate_uuid()}
            cls.lb_member_2_ipv6_subnet = {'id': uuidutils.generate_uuid()}
            cls.lb_member_vip_ipv6_subnet_stateful = True
        return
    elif CONF.load_balancer.test_network_override:
        # Override run: VIP and both members share the one network (and
        # subnet, if given) named in the configuration.
        # NOTE(review): the show_subnet() result is stored as returned,
        # while the show_network() result below is unwrapped with
        # .get('network'), and the logging at the end indexes both with
        # const.ID. Confirm the subnet response does not need the same
        # unwrapping.
        if conf_lb.test_subnet_override:
            override_subnet = show_subnet(conf_lb.test_subnet_override)
        else:
            override_subnet = None

        show_net = cls.lb_mem_net_client.show_network
        override_network = show_net(conf_lb.test_network_override)
        override_network = override_network.get('network')

        cls.lb_member_vip_net = override_network
        cls.lb_member_vip_subnet = override_subnet
        cls.lb_member_1_net = override_network
        cls.lb_member_1_subnet = override_subnet
        cls.lb_member_2_net = override_network
        cls.lb_member_2_subnet = override_subnet

        if (CONF.load_balancer.test_with_ipv6 and
                conf_lb.test_IPv6_subnet_override):
            override_ipv6_subnet = show_subnet(
                conf_lb.test_IPv6_subnet_override)
            cls.lb_member_vip_ipv6_subnet = override_ipv6_subnet
            cls.lb_member_1_ipv6_subnet = override_ipv6_subnet
            cls.lb_member_2_ipv6_subnet = override_ipv6_subnet
            # Only a dhcpv6-stateful subnet is marked stateful; the flag
            # decides in _setup_lb_network_kwargs whether a fixed VIP
            # address may be requested.
            cls.lb_member_vip_ipv6_subnet_stateful = False
            # NOTE(review): this indexes the show_subnet() result with
            # [0]; elsewhere in this class show_subnet() results are read
            # as result['subnet'][...]. Confirm this lookup is correct.
            if (override_ipv6_subnet[0]['ipv6_address_mode'] ==
                    'dhcpv6-stateful'):
                cls.lb_member_vip_ipv6_subnet_stateful = True
        else:
            cls.lb_member_vip_ipv6_subnet = None
            cls.lb_member_1_ipv6_subnet = None
            cls.lb_member_2_ipv6_subnet = None
    else:
        cls._create_networks()

    # Record the ids in use at debug level. Subnets may be None on the
    # override path, so each one is checked before it is indexed.
    LOG.debug('Octavia Setup: lb_member_vip_net = {}'.format(
        cls.lb_member_vip_net[const.ID]))
    if cls.lb_member_vip_subnet:
        LOG.debug('Octavia Setup: lb_member_vip_subnet = {}'.format(
            cls.lb_member_vip_subnet[const.ID]))
    LOG.debug('Octavia Setup: lb_member_1_net = {}'.format(
        cls.lb_member_1_net[const.ID]))
    if cls.lb_member_1_subnet:
        LOG.debug('Octavia Setup: lb_member_1_subnet = {}'.format(
            cls.lb_member_1_subnet[const.ID]))
    LOG.debug('Octavia Setup: lb_member_2_net = {}'.format(
        cls.lb_member_2_net[const.ID]))
    if cls.lb_member_2_subnet:
        LOG.debug('Octavia Setup: lb_member_2_subnet = {}'.format(
            cls.lb_member_2_subnet[const.ID]))
    if CONF.load_balancer.test_with_ipv6:
        if cls.lb_member_vip_ipv6_subnet:
            LOG.debug('Octavia Setup: lb_member_vip_ipv6_subnet = '
                      '{}'.format(cls.lb_member_vip_ipv6_subnet[const.ID]))
        if cls.lb_member_1_ipv6_subnet:
            LOG.debug('Octavia Setup: lb_member_1_ipv6_subnet = {}'.format(
                cls.lb_member_1_ipv6_subnet[const.ID]))
        if cls.lb_member_2_ipv6_subnet:
            LOG.debug('Octavia Setup: lb_member_2_ipv6_subnet = {}'.format(
                cls.lb_member_2_ipv6_subnet[const.ID]))
Jude Cross986e3f52017-07-24 14:57:20 -0700315
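@classmethod
# Neutron can be slow to clean up ports from the subnets/networks.
# Retry this delete a few times if we get a "Conflict" error to give
# neutron time to fully cleanup the ports.
@tenacity.retry(
    retry=tenacity.retry_if_exception_type(exceptions.Conflict),
    wait=tenacity.wait_incrementing(
        const.RETRY_INITIAL_DELAY, const.RETRY_BACKOFF, const.RETRY_MAX),
    stop=tenacity.stop_after_attempt(const.RETRY_ATTEMPTS))
def _logging_delete_network(cls, net_id):
    """Delete a network, logging the current ports if the delete fails.

    :param net_id: ID of the network to delete.
    :raises Exception: whatever delete_network raised, unchanged, so the
                       retry decorator still sees a Conflict as a Conflict.
    """
    try:
        cls.lb_mem_net_client.delete_network(net_id)
    except Exception:
        LOG.error('Unable to delete network {}. Active ports:'.format(
            net_id))
        # The port listing is diagnostics only. If it fails, the delete
        # error must still be the one that propagates; otherwise the
        # listing failure would replace a Conflict and stop the retries.
        try:
            LOG.error(cls.lb_mem_ports_client.list_ports())
        except Exception:
            LOG.exception('Unable to list ports after the failed delete '
                          'of network %s.', net_id)
        raise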
333
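@classmethod
# Neutron can be slow to clean up ports from the subnets/networks.
# Retry this delete a few times if we get a "Conflict" error to give
# neutron time to fully cleanup the ports.
@tenacity.retry(
    retry=tenacity.retry_if_exception_type(exceptions.Conflict),
    wait=tenacity.wait_incrementing(
        const.RETRY_INITIAL_DELAY, const.RETRY_BACKOFF, const.RETRY_MAX),
    stop=tenacity.stop_after_attempt(const.RETRY_ATTEMPTS))
def _logging_delete_subnet(cls, subnet_id):
    """Delete a subnet, logging the current ports if the delete fails.

    :param subnet_id: ID of the subnet to delete.
    :raises Exception: whatever delete_subnet raised, unchanged, so the
                       retry decorator still sees a Conflict as a Conflict.
    """
    try:
        cls.lb_mem_subnet_client.delete_subnet(subnet_id)
    except Exception:
        LOG.error('Unable to delete subnet {}. Active ports:'.format(
            subnet_id))
        # The port listing is diagnostics only. If it fails, the delete
        # error must still be the one that propagates; otherwise the
        # listing failure would replace a Conflict and stop the retries.
        try:
            LOG.error(cls.lb_mem_ports_client.list_ports())
        except Exception:
            LOG.exception('Unable to list ports after the failed delete '
                          'of subnet %s.', subnet_id)
        raise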
351
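@classmethod
def _create_networks(cls):
    """Creates networks, subnets, and routers used in tests.

    The following are expected to be defined and available to the tests:
        cls.lb_member_vip_net
        cls.lb_member_vip_subnet
        cls.lb_member_vip_ipv6_subnet (optional)
        cls.lb_member_1_net
        cls.lb_member_1_subnet
        cls.lb_member_1_ipv6_subnet (optional)
        cls.lb_member_2_net
        cls.lb_member_2_subnet
        cls.lb_member_2_ipv6_subnet (optional)

    Every resource is registered for class cleanup as soon as it exists.

    :raises exceptions.InvalidConfiguration: if a member IPv6 CIDR option
        does not end in a numeric prefix length.
    """
    conf_lb = CONF.load_balancer

    # Check the configured member IPv6 CIDRs before anything is created.
    # An explicit raise is used because an assert is stripped under
    # "python -O", and checking up front means a bad value cannot leave
    # a half-built topology behind.
    if conf_lb.test_with_ipv6:
        member_1_prefix = cls._cidr_prefix_length(
            'member_1_ipv6_subnet_cidr',
            conf_lb.member_1_ipv6_subnet_cidr)
        member_2_prefix = cls._cidr_prefix_length(
            'member_2_ipv6_subnet_cidr',
            conf_lb.member_2_ipv6_subnet_cidr)

    # Member networks follow the enable_security_groups setting; the VIP
    # network always asks for port security.
    member_port_security = bool(conf_lb.enable_security_groups)

    # Create tenant VIP network
    # Note: Allowed Address Pairs requires port security
    cls.lb_member_vip_net = cls._create_tracked_network(
        "lb_member_vip_network", True)
    LOG.info('lb_member_vip_net: {}'.format(cls.lb_member_vip_net))

    # Create tenant VIP subnet
    cls.lb_member_vip_subnet = cls._create_tracked_subnet(
        name=data_utils.rand_name("lb_member_vip_subnet"),
        network_id=cls.lb_member_vip_net['id'],
        cidr=conf_lb.vip_subnet_cidr,
        ip_version=4)
    LOG.info('lb_member_vip_subnet: {}'.format(cls.lb_member_vip_subnet))

    # Create tenant VIP IPv6 subnet
    if conf_lb.test_with_ipv6:
        cls.lb_member_vip_ipv6_subnet_stateful = False
        cls.lb_member_vip_ipv6_subnet_use_subnetpool = False
        subnet_kwargs = {
            'name': data_utils.rand_name("lb_member_vip_ipv6_subnet"),
            'network_id': cls.lb_member_vip_net['id'],
            'ip_version': 6}

        # Use a CIDR from devstack's default IPv6 subnetpool if it exists,
        # the subnetpool's cidr is routable from the devstack node
        # through the default router
        subnetpool_name = conf_lb.default_ipv6_subnetpool
        if subnetpool_name:
            subnetpools = cls.os_admin_subnetpools_client.list_subnetpools(
                name=subnetpool_name)['subnetpools']
            # Only an unambiguous match is used.
            if len(subnetpools) == 1:
                subnet_kwargs['subnetpool_id'] = subnetpools[0]['id']
                cls.lb_member_vip_ipv6_subnet_use_subnetpool = True

        if 'subnetpool_id' not in subnet_kwargs:
            subnet_kwargs['cidr'] = conf_lb.vip_ipv6_subnet_cidr

        cls.lb_member_vip_ipv6_net = cls.lb_member_vip_net
        cls.lb_member_vip_ipv6_subnet = cls._create_tracked_subnet(
            **subnet_kwargs)
        LOG.info('lb_member_vip_ipv6_subnet: {}'.format(
            cls.lb_member_vip_ipv6_subnet))

    # Create tenant member 1 network
    cls.lb_member_1_net = cls._create_tracked_network(
        "lb_member_1_network", member_port_security)
    LOG.info('lb_member_1_net: {}'.format(cls.lb_member_1_net))

    # Create tenant member 1 subnet
    cls.lb_member_1_subnet = cls._create_tracked_subnet(
        name=data_utils.rand_name("lb_member_1_subnet"),
        network_id=cls.lb_member_1_net['id'],
        cidr=conf_lb.member_1_ipv4_subnet_cidr,
        ip_version=4)
    LOG.info('lb_member_1_subnet: {}'.format(cls.lb_member_1_subnet))

    # Create tenant member 1 ipv6 subnet
    if conf_lb.test_with_ipv6:
        cls.lb_member_1_ipv6_subnet = cls._create_tracked_subnet(
            name=data_utils.rand_name("lb_member_1_ipv6_subnet"),
            network_id=cls.lb_member_1_net['id'],
            cidr=conf_lb.member_1_ipv6_subnet_cidr,
            ip_version=6)
        cls.lb_member_1_subnet_prefix = member_1_prefix
        LOG.info('lb_member_1_ipv6_subnet: {}'.format(
            cls.lb_member_1_ipv6_subnet))

    # Create tenant member 2 network
    cls.lb_member_2_net = cls._create_tracked_network(
        "lb_member_2_network", member_port_security)
    LOG.info('lb_member_2_net: {}'.format(cls.lb_member_2_net))

    # Create tenant member 2 subnet
    cls.lb_member_2_subnet = cls._create_tracked_subnet(
        name=data_utils.rand_name("lb_member_2_subnet"),
        network_id=cls.lb_member_2_net['id'],
        cidr=conf_lb.member_2_ipv4_subnet_cidr,
        ip_version=4)
    LOG.info('lb_member_2_subnet: {}'.format(cls.lb_member_2_subnet))

    # Create tenant member 2 ipv6 subnet
    if conf_lb.test_with_ipv6:
        cls.lb_member_2_ipv6_subnet = cls._create_tracked_subnet(
            name=data_utils.rand_name("lb_member_2_ipv6_subnet"),
            network_id=cls.lb_member_2_net['id'],
            cidr=conf_lb.member_2_ipv6_subnet_cidr,
            ip_version=6)
        cls.lb_member_2_subnet_prefix = member_2_prefix
        LOG.info('lb_member_2_ipv6_subnet: {}'.format(
            cls.lb_member_2_ipv6_subnet))

@staticmethod
def _cidr_prefix_length(option_name, cidr):
    """Return the prefix length of *cidr* as a string of digits."""
    prefix = cidr.rpartition('/')[2]
    if not prefix.isdigit():
        raise exceptions.InvalidConfiguration(
            "Configuration value {} must be a CIDR ending in a numeric "
            "prefix length.".format(option_name))
    return prefix

@classmethod
def _create_tracked_network(cls, name_prefix, port_security_enabled):
    """Create a network and register its class-level cleanup."""
    network_kwargs = {'name': data_utils.rand_name(name_prefix)}
    # The attribute is only sent when the cloud supports port security.
    if CONF.network_feature_enabled.port_security:
        network_kwargs['port_security_enabled'] = port_security_enabled
    network = cls.lb_mem_net_client.create_network(
        **network_kwargs)['network']
    cls.addClassResourceCleanup(
        waiters.wait_for_not_found,
        cls._logging_delete_network,
        cls.lb_mem_net_client.show_network,
        network['id'])
    return network

@classmethod
def _create_tracked_subnet(cls, **subnet_kwargs):
    """Create a subnet and register its class-level cleanup."""
    subnet = cls.lb_mem_subnet_client.create_subnet(
        **subnet_kwargs)['subnet']
    cls.addClassResourceCleanup(
        waiters.wait_for_not_found,
        cls._logging_delete_subnet,
        cls.lb_mem_subnet_client.show_subnet,
        subnet['id'])
    return subnet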
541
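@classmethod
def _setup_lb_network_kwargs(cls, lb_kwargs, ip_version=None,
                             use_fixed_ip=False):
    """Fill in the VIP network arguments of a load balancer create call.

    :param lb_kwargs: dict of create arguments, updated in place.
    :param ip_version: 4 or 6; defaults to 6 when test_with_ipv6 is set,
                       otherwise 4.
    :param use_fixed_ip: request a specific VIP address. Ignored for an
                         IPv6 subnet that is not marked stateful.
    :raises RuntimeError: if every VIP address index is already in use.
    """
    if not ip_version:
        ip_version = 6 if CONF.load_balancer.test_with_ipv6 else 4
    if cls.lb_member_vip_subnet or cls.lb_member_vip_ipv6_subnet:
        # used_ips only ever grows, so drawing at random until an unused
        # index turns up would never end once all of them are taken. Pick
        # from the indexes that are still free (the same inclusive 10..100
        # range as before) and fail loudly when none are left.
        free_indexes = [index for index in range(10, 101)
                        if index not in cls.used_ips]
        if not free_indexes:
            raise RuntimeError(
                'No unused VIP address index is left in the range '
                '10-100.')
        ip_index = random.choice(free_indexes)
        cls.used_ips.append(ip_index)
        if ip_version == 4:
            subnet_id = cls.lb_member_vip_subnet[const.ID]
            if CONF.load_balancer.test_with_noop:
                lb_vip_address = '198.18.33.33'
            else:
                subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
                network = ipaddress.IPv4Network(subnet['subnet']['cidr'])
                lb_vip_address = str(network[ip_index])
        else:
            subnet_id = cls.lb_member_vip_ipv6_subnet[const.ID]
            if CONF.load_balancer.test_with_noop:
                lb_vip_address = '2001:db8:33:33:33:33:33:33'
            else:
                subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
                network = ipaddress.IPv6Network(subnet['subnet']['cidr'])
                lb_vip_address = str(network[ip_index])
                # If the subnet is IPv6 slaac or dhcpv6-stateless
                # neutron does not allow a fixed IP
                if not cls.lb_member_vip_ipv6_subnet_stateful:
                    use_fixed_ip = False
        lb_kwargs[const.VIP_SUBNET_ID] = subnet_id
        if use_fixed_ip:
            lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
        if CONF.load_balancer.test_with_noop:
            lb_kwargs[const.VIP_NETWORK_ID] = (
                cls.lb_member_vip_net[const.ID])
            if ip_version == 6:
                lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
    else:
        # No VIP subnet is known: pass the network only.
        lb_kwargs[const.VIP_NETWORK_ID] = cls.lb_member_vip_net[const.ID]
        lb_kwargs[const.VIP_SUBNET_ID] = None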
582 lb_kwargs[const.VIP_SUBNET_ID] = None
583
@classmethod
def check_tf_compatibility(cls, protocol=None, algorithm=None):
    """Skip the test if TungstenFabric lacks the protocol or algorithm.

    :param protocol: listener/pool protocol to check, or None to skip
                     the protocol check.
    :param algorithm: load balancing algorithm to check, or None to skip
                      the algorithm check.
    :raises cls.skipException: if either value is not supported.
    """
    # TungstenFabric supported protocols and algorithms
    supported_protocols = (const.HTTP, const.HTTPS, const.TCP,
                           const.TERMINATED_HTTPS)
    supported_algorithms = (const.LB_ALGORITHM_ROUND_ROBIN,
                            const.LB_ALGORITHM_LEAST_CONNECTIONS,
                            const.LB_ALGORITHM_SOURCE_IP)

    algorithm_unsupported = bool(algorithm) and (
        algorithm not in supported_algorithms)
    if algorithm_unsupported:
        raise cls.skipException(
            'TungstenFabric does not support {} algorithm.'.format(
                algorithm))

    protocol_unsupported = bool(protocol) and (
        protocol not in supported_protocols)
    if protocol_unsupported:
        raise cls.skipException(
            'TungstenFabric does not support {} protocol.'.format(
                protocol))
601
@classmethod
def _tf_create_listener(cls, name, proto, port, lb_id):
    """Create a listener on a load balancer with the member client.

    :param name: listener name.
    :param proto: listener protocol.
    :param port: listener protocol port.
    :param lb_id: ID of the load balancer that owns the listener.
    :returns: the result of create_listener.
    """
    return cls.mem_listener_client.create_listener(**{
        const.NAME: name,
        const.PROTOCOL: proto,
        const.PROTOCOL_PORT: port,
        const.LOADBALANCER_ID: lb_id,
    })
612
@classmethod
def _tf_get_free_port(cls, lb_id):
    """Return the lowest port from 8081 up with no listener on the LB.

    :param lb_id: ID of the load balancer whose listeners are checked.
    :returns: 8081 if the load balancer has no listeners, otherwise the
              first port at or above 8081 that none of them uses.
    """
    candidate = 8081
    listeners = cls.mem_lb_client.show_loadbalancer(lb_id)[const.LISTENERS]
    if not listeners:
        return candidate

    # The load balancer only lists listener ids here, so each listener is
    # fetched to read its port.
    taken_ports = []
    for listener in listeners:
        details = cls.mem_listener_client.show_listener(listener[const.ID])
        taken_ports.append(details[const.PROTOCOL_PORT])

    while candidate in taken_ports:
        candidate += 1
    return candidate
625
Adam Harwellcd72b562018-05-07 11:37:22 -0700626
627class LoadBalancerBaseTestWithCompute(LoadBalancerBaseTest):
@classmethod
def remote_client_args(cls):
    """Return the optional keyword arguments for the remote client.

    :returns: {'ssh_key_type': <configured value>} when the option is
              registered, otherwise an empty dict.
    """
    # In case we're using octavia-tempest-plugin with old tempest releases
    # (for instance on stable/train) that don't support ssh_key_type, catch
    # the exception and don't pass any argument
    try:
        return {'ssh_key_type': CONF.validation.ssh_key_type}
    except cfg.NoSuchOptError:
        return {}
639
@classmethod
def resource_setup(cls):
    """Boot, provision and validate the two member test servers.

    Creates the member keypair, the member security group with its ingress
    rules (only when security groups and port security are enabled), the
    backend re-encryption PKI and both webserver instances. It then starts
    the test server on each instance and validates it over HTTP and UDP.
    Nothing is booted when ``CONF.validation.run_validation`` is false.
    """
    super(LoadBalancerBaseTestWithCompute, cls).resource_setup()
    if not CONF.validation.run_validation:
        # Without validation the webservers could never be started, so
        # they are not booted at all.
        return

    # Keypair used to log in to the member webservers.
    keypair_name = data_utils.rand_name('lb_member_keypair')
    cls.lb_member_keypair = cls.lb_mem_keypairs_client.create_keypair(
        name=keypair_name)['keypair']
    # NOTE(review): the whole keypair dict is logged at INFO level. The code
    # below reads cls.lb_member_keypair['private_key'] and uses it as the
    # SSH key for the members, so this log record carries that secret.
    # Consider logging only the keypair name, and treat the test logs as
    # sensitive while the members exist.
    LOG.info('lb_member_keypair: {}'.format(cls.lb_member_keypair))
    cls.addClassResourceCleanup(
        waiters.wait_for_not_found,
        cls.lb_mem_keypairs_client.delete_keypair,
        cls.lb_mem_keypairs_client.show_keypair,
        keypair_name)

    if (CONF.load_balancer.enable_security_groups and
            CONF.network_feature_enabled.port_security):
        # Security group shared by both webservers.
        sg_name = data_utils.rand_name('lb_member_SG')
        cls.lb_member_sec_group = (
            cls.lb_mem_SG_client.create_security_group(
                name=sg_name)['security_group'])
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls.lb_mem_SG_client.delete_security_group,
            cls.lb_mem_SG_client.show_security_group,
            cls.lb_member_sec_group['id'])

        def allow_ingress(ethertype, protocol, first_port, last_port):
            # Create one ingress rule and register its deletion.
            # NOTE(review): no remote_ip_prefix / remote_group_id is
            # passed, so each rule presumably admits any source address,
            # SSH included -- confirm against the Neutron defaults. That
            # is only reasonable for short-lived test tenants.
            rule = cls.lb_mem_SGr_client.create_security_group_rule(
                direction='ingress',
                security_group_id=cls.lb_member_sec_group['id'],
                protocol=protocol,
                ethertype=ethertype,
                port_range_min=first_port,
                port_range_max=last_port)['security_group_rule']
            cls.addClassResourceCleanup(
                waiters.wait_for_not_found,
                cls.lb_mem_SGr_client.delete_security_group_rule,
                cls.lb_mem_SGr_client.show_security_group_rule,
                rule['id'])

        ipv4_rules = (
            ('tcp', 80, 81),      # test webservers
            ('udp', 80, 81),      # test webservers (UDP)
            ('tcp', 443, 443),    # test webservers (HTTPS)
            # Used in the pool backend encryption client authentication
            # tests
            ('tcp', 9443, 9443),
            # Port 9999 is used to illustrate health monitor ERRORs on
            # closed ports.
            ('udp', 9999, 9999),
            ('tcp', 22, 22),      # ssh
        )
        for protocol, first_port, last_port in ipv4_rules:
            allow_ingress('IPv4', protocol, first_port, last_port)

        if CONF.load_balancer.test_with_ipv6:
            # Same set as IPv4 except that UDP 9999 has no IPv6 rule.
            ipv6_rules = (
                ('tcp', 80, 81),      # test webservers
                ('udp', 80, 81),      # test webservers (UDP)
                ('tcp', 443, 443),    # test webservers (HTTPS)
                # Used in the pool encryption client authentication tests
                ('tcp', 9443, 9443),
                ('tcp', 22, 22),      # ssh
            )
            for protocol, first_port, last_port in ipv6_rules:
                allow_ingress('IPv6', protocol, first_port, last_port)

        LOG.info('lb_member_sec_group: {}'.format(cls.lb_member_sec_group))

    # Setup backend member reencryption PKI
    cls._create_backend_reencryption_pki()

    # Webserver 1 instance
    details_1 = cls._create_webserver('lb_member_webserver1',
                                      cls.lb_member_1_net)
    cls.lb_member_webserver1 = details_1['server']
    cls.webserver1_ip = details_1.get('ipv4_address')
    cls.webserver1_ipv6 = details_1.get('ipv6_address')
    cls.webserver1_public_ip = details_1['public_ipv4_address']

    LOG.debug('Octavia Setup: lb_member_webserver1 = {}'.format(
        cls.lb_member_webserver1[const.ID]))
    LOG.debug('Octavia Setup: webserver1_ip = {}'.format(
        cls.webserver1_ip))
    LOG.debug('Octavia Setup: webserver1_ipv6 = {}'.format(
        cls.webserver1_ipv6))
    LOG.debug('Octavia Setup: webserver1_public_ip = {}'.format(
        cls.webserver1_public_ip))

    # Webserver 2 instance
    details_2 = cls._create_webserver('lb_member_webserver2',
                                      cls.lb_member_2_net)
    cls.lb_member_webserver2 = details_2['server']
    cls.webserver2_ip = details_2.get('ipv4_address')
    cls.webserver2_ipv6 = details_2.get('ipv6_address')
    cls.webserver2_public_ip = details_2['public_ipv4_address']

    LOG.debug('Octavia Setup: lb_member_webserver2 = {}'.format(
        cls.lb_member_webserver2[const.ID]))
    LOG.debug('Octavia Setup: webserver2_ip = {}'.format(
        cls.webserver2_ip))
    LOG.debug('Octavia Setup: webserver2_ipv6 = {}'.format(
        cls.webserver2_ipv6))
    LOG.debug('Octavia Setup: webserver2_public_ip = {}'.format(
        cls.webserver2_public_ip))

    if CONF.load_balancer.test_with_ipv6:
        # Enable the IPv6 nic in webserver 1, then in webserver 2.
        cls._enable_ipv6_nic_webserver(
            cls.webserver1_public_ip, cls.lb_member_keypair['private_key'],
            cls.webserver1_ipv6, cls.lb_member_1_subnet_prefix)
        cls._enable_ipv6_nic_webserver(
            cls.webserver2_public_ip, cls.lb_member_keypair['private_key'],
            cls.webserver2_ipv6, cls.lb_member_2_subnet_prefix)

    # Webserver 1: install and start, then validate HTTP and UDP.
    cls._install_start_webserver(cls.webserver1_public_ip,
                                 cls.lb_member_keypair['private_key'],
                                 cls.webserver1_response)
    cls._validate_webserver(cls.webserver1_public_ip,
                            cls.webserver1_response)
    cls._validate_udp_server(cls.webserver1_public_ip,
                             cls.webserver1_response)

    # Webserver 2: same steps, and its certificate is put on the CRL.
    cls._install_start_webserver(cls.webserver2_public_ip,
                                 cls.lb_member_keypair['private_key'],
                                 cls.webserver2_response, revoke_cert=True)
    cls._validate_webserver(cls.webserver2_public_ip,
                            cls.webserver2_response)
    cls._validate_udp_server(cls.webserver2_public_ip,
                             cls.webserver2_response)
900
@classmethod
def _create_networks(cls):
    """Create the member router and plug the test subnets into it.

    Extends the parent implementation with a router whose gateway is on
    ``CONF.network.public_network_id`` (required for the floating IP), and
    attaches the VIP subnet and both member subnets to it. When IPv6 testing
    is enabled, a default router is configured and the IPv6 VIP subnet uses
    the subnet pool, that subnet is also attached to the default router.
    Every attachment registers its own detach as a class cleanup.
    """
    super(LoadBalancerBaseTestWithCompute, cls)._create_networks()

    def plug_subnet(routers_client, router_id, subnet_id):
        # Attach the subnet, then register the matching detach.
        routers_client.add_router_interface(router_id, subnet_id=subnet_id)
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            routers_client.remove_router_interface,
            routers_client.remove_router_interface,
            router_id,
            subnet_id=subnet_id)

    # Create a router for the subnets (required for the floating IP)
    router_name = data_utils.rand_name("lb_member_router")
    cls.lb_member_router = cls.lb_mem_routers_client.create_router(
        name=router_name, admin_state_up=True,
        external_gateway_info=dict(
            network_id=CONF.network.public_network_id))['router']
    LOG.info('lb_member_router: {}'.format(cls.lb_member_router))
    cls.addClassResourceCleanup(
        waiters.wait_for_not_found,
        cls.lb_mem_routers_client.delete_router,
        cls.lb_mem_routers_client.show_router,
        cls.lb_member_router['id'])

    # Add VIP subnet to router
    plug_subnet(cls.lb_mem_routers_client, cls.lb_member_router['id'],
                cls.lb_member_vip_subnet['id'])

    if (CONF.load_balancer.test_with_ipv6 and
            CONF.load_balancer.default_router and
            cls.lb_member_vip_ipv6_subnet_use_subnetpool):
        # if lb_member_vip_ipv6_subnet uses devstack's subnetpool,
        # plug the subnet into the default router
        router_name = CONF.load_balancer.default_router
        # NOTE(review): the lookup goes through cls.os_admin.routers_client
        # while the attach below uses cls.os_admin_routers_client;
        # presumably both are the same admin client -- confirm.
        matches = cls.os_admin.routers_client.list_routers(
            name=router_name)['routers']

        # Only act when the name identifies exactly one router.
        if len(matches) == 1:
            default_router = matches[0]
            # Add IPv6 VIP subnet to router1
            plug_subnet(cls.os_admin_routers_client, default_router['id'],
                        cls.lb_member_vip_ipv6_subnet['id'])

    # Add member subnet 1 to router
    plug_subnet(cls.lb_mem_routers_client, cls.lb_member_router['id'],
                cls.lb_member_1_subnet['id'])

    # Add member subnet 2 to router
    plug_subnet(cls.lb_mem_routers_client, cls.lb_member_router['id'],
                cls.lb_member_2_subnet['id'])
972
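@classmethod
def _create_webserver(cls, name, network):
    """Boot a member test server and collect its addresses.

    webserver_details dictionary contains:
    server - The compute server object
    ipv4_address - The IPv4 address for the server (optional)
    ipv6_address - The IPv6 address for the server (optional)
    public_ipv4_address - The publicly accessible IPv4 address for the
                          server, this may be a floating IP

    :param name: The name of the server to create.
    :param network: The network to boot the server on.
    :returns: webserver_details dictionary.
    """
    server_kwargs = {
        'name': data_utils.rand_name(name),
        'flavorRef': CONF.compute.flavor_ref,
        'imageRef': CONF.compute.image_ref,
        'key_name': cls.lb_member_keypair['name']}
    if (CONF.load_balancer.enable_security_groups and
            CONF.network_feature_enabled.port_security):
        server_kwargs['security_groups'] = [
            {'name': cls.lb_member_sec_group['name']}]
    if not CONF.load_balancer.disable_boot_network:
        server_kwargs['networks'] = [{'uuid': network['id']}]

    # Replace the name for clouds that have limitations
    if CONF.load_balancer.random_server_name_length:
        # SystemRandom draws from the operating system's random source.
        r = random.SystemRandom()
        alphabet = string.ascii_uppercase + string.digits
        server_kwargs['name'] = "m{}".format("".join(
            r.choice(alphabet) for _ in range(
                CONF.load_balancer.random_server_name_length - 1)))
    if CONF.load_balancer.availability_zone:
        server_kwargs['availability_zone'] = (
            CONF.load_balancer.availability_zone)

    server = cls.lb_mem_servers_client.create_server(
        **server_kwargs)['server']
    cls.addClassResourceCleanup(
        waiters.wait_for_not_found,
        cls.lb_mem_servers_client.delete_server,
        cls.lb_mem_servers_client.show_server,
        server['id'])
    server = waiters.wait_for_status(
        cls.lb_mem_servers_client.show_server,
        server['id'], 'status', 'ACTIVE',
        CONF.load_balancer.build_interval,
        CONF.load_balancer.build_timeout,
        root_tag='server')
    webserver_details = {'server': server}
    LOG.info('Created server: {}'.format(server))

    addresses = server['addresses']
    if CONF.load_balancer.disable_boot_network:
        # dict.values() is a view on Python 3 and cannot be indexed, so
        # the original ``addresses.values()[0]`` raised TypeError here.
        instance_network = list(addresses.values())[0]
    else:
        instance_network = addresses[network['name']]
    for addr in instance_network:
        if addr['version'] == 4:
            webserver_details['ipv4_address'] = addr['addr']
        if addr['version'] == 6:
            webserver_details['ipv6_address'] = addr['addr']

    if CONF.validation.connect_method == 'floating':
        # Find the server's port by MAC address and bind a floating IP to
        # it.
        result = cls.lb_mem_ports_client.list_ports(
            network_id=network['id'],
            mac_address=instance_network[0]['OS-EXT-IPS-MAC:mac_addr'])
        port_id = result['ports'][0]['id']
        result = cls.lb_mem_float_ip_client.create_floatingip(
            floating_network_id=CONF.network.public_network_id,
            port_id=port_id)
        floating_ip = result['floatingip']
        LOG.info('webserver1_floating_ip: {}'.format(floating_ip))
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls.lb_mem_float_ip_client.delete_floatingip,
            cls.lb_mem_float_ip_client.show_floatingip,
            floatingip_id=floating_ip['id'])
        webserver_details['public_ipv4_address'] = (
            floating_ip['floating_ip_address'])
    else:
        # No floating IP: the first fixed address is used directly.
        webserver_details['public_ipv4_address'] = (
            instance_network[0]['addr'])

    return webserver_details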
1061
@classmethod
def _get_openssh_version(cls):
    """Return the local OpenSSH client version as ``(major, minor)``.

    Runs ``ssh -V`` and parses its stderr output.

    :returns: A tuple of two ints, or ``(None, None)`` when the output
              cannot be decoded or does not start with ``OpenSSH_X.Y``.
    """
    completed = subprocess.run(["ssh", "-V"],
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
    try:
        banner = completed.stderr.decode('utf-8')
        # re.match() returns None on a mismatch; the AttributeError that
        # follows is caught below like any other parse failure.
        major, minor = re.match(r"OpenSSH_(\d+)\.(\d+)", banner).groups()
        return int(major), int(minor)
    except Exception:
        return None, None
1076
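@classmethod
def _need_scp_protocol(cls):
    """Tell whether scp must be forced onto the legacy SCP protocol.

    When using scp >= 8.7, force the use of the SCP protocol: the new
    default (SFTP protocol) doesn't work with cirros VMs.

    :returns: True when the local OpenSSH is 8.7 or newer. False otherwise,
              including when the version could not be determined.
    """
    ssh_version = cls._get_openssh_version()
    LOG.debug("ssh_version = {}".format(ssh_version))
    if None in ssh_version:
        # _get_openssh_version() answers (None, None) when the banner
        # cannot be parsed, and comparing None with an int raises
        # TypeError on Python 3. Without a known version the callers keep
        # scp's own default protocol instead of passing -O.
        return False
    return (ssh_version[0], ssh_version[1]) >= (8, 7)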
1086
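@classmethod
def _install_start_webserver(cls, ip_address, ssh_key, start_id,
                             revoke_cert=False):
    """Copy the test server binary to a member VM and start it.

    :param ip_address: Address used to reach the VM over SSH/scp.
    :param ssh_key: Private key text used to authenticate to the VM.
    :param start_id: Passed as ``-id`` to the server listening on port 80
                     (which also serves HTTPS on 443 and HTTPS with client
                     authentication on 9443). The server on port 81 gets
                     ``start_id + 1``.
    :param revoke_cert: Forwarded to ``_load_member_pki_content``.
    :raises CommandFailed: When scp exits with a non-zero status.
    """
    local_file = CONF.load_balancer.test_server_path

    linux_client = remote_client.RemoteClient(
        ip_address, CONF.validation.image_ssh_user, pkey=ssh_key,
        **cls.remote_client_args())
    linux_client.validate_authentication()

    # scp needs the key as a file. The temporary file is removed when the
    # ``with`` block exits.
    with tempfile.NamedTemporaryFile() as key:
        key.write(ssh_key.encode('utf-8'))
        key.flush()

        # The argument vector is built directly instead of formatting one
        # string and re-tokenizing it with shlex.split(): a path or
        # configuration value containing whitespace or quotes then stays a
        # single argument.
        #
        # NOTE(review): UserKnownHostsFile=/dev/null together with
        # StrictHostKeyChecking=no turns host key verification off, so the
        # binary (and the PKI files sent below) go to whatever host answers
        # at ip_address. That is only acceptable on an isolated test
        # network. PubkeyAcceptedKeyTypes=+ssh-rsa re-enables ssh-rsa
        # public key signatures, presumably for the guest image -- confirm
        # it is still required.
        args = ["scp", "-v",
                "-o", "UserKnownHostsFile=/dev/null",
                "-o", "PubkeyAcceptedKeyTypes=+ssh-rsa"]
        if cls._need_scp_protocol():
            args.append("-O")
        args += [
            "-o", "StrictHostKeyChecking=no",
            "-o", "ConnectTimeout={0}".format(
                CONF.load_balancer.scp_connection_timeout),
            "-o", "ConnectionAttempts={0}".format(
                CONF.load_balancer.scp_connection_attempts),
            "-i", key.name,
            local_file,
            "{0}@{1}:{2}".format(CONF.validation.image_ssh_user,
                                 ip_address, const.TEST_SERVER_BINARY)]
        # Printable form of the command, used only for error reporting.
        cmd = " ".join(shlex.quote(arg) for arg in args)

        proc = subprocess.Popen(args,
                                stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT,
                                cwd=None)
        # stderr is merged into stdout above, so ``stderr`` is None here.
        stdout, stderr = proc.communicate()
        if proc.returncode != 0:
            raise exceptions.CommandFailed(proc.returncode, cmd,
                                           stdout, stderr)

        # Still inside the ``with`` block: the callee passes key.name to
        # scp, so the key file must exist.
        cls._load_member_pki_content(ip_address, key,
                                     revoke_cert=revoke_cert)

    # Enabling memory overcommit allows to run golang static binaries
    # compiled with a recent golang toolchain (>=1.11). Those binaries
    # allocate a large amount of virtual memory at init time, and this
    # allocation fails in tempest's nano flavor (64MB of RAM)
    # (golang issue reported in https://github.com/golang/go/issues/28114,
    # follow-up: https://github.com/golang/go/issues/28081)
    # TODO(gthiemonge): Remove this call when golang issue is resolved.
    linux_client.exec_command('sudo sh -c "echo 1 > '
                              '/proc/sys/vm/overcommit_memory"')

    # The initial process also supports HTTPS and HTTPS with client auth
    linux_client.exec_command(
        'sudo screen -d -m {0} -port 80 -id {1} -https_port 443 -cert {2} '
        '-key {3} -https_client_auth_port 9443 -client_ca {4}'.format(
            const.TEST_SERVER_BINARY, start_id, const.TEST_SERVER_CERT,
            const.TEST_SERVER_KEY, const.TEST_SERVER_CLIENT_CA))

    # Second, plain HTTP instance on port 81 with the next ID.
    linux_client.exec_command('sudo screen -d -m {0} -port 81 '
                              '-id {1}'.format(const.TEST_SERVER_BINARY,
                                               start_id + 1))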
Adam Harwellcd72b562018-05-07 11:37:22 -07001147
# Cirros does not configure the assigned IPv6 address by default
# so enable it manually like tempest does here:
# tempest/scenario/test_network_v6.py turn_nic6_on()
@classmethod
def _enable_ipv6_nic_webserver(cls, ip_address, ssh_key,
                               ipv6_address, ipv6_prefix):
    """Add an IPv6 address to ``eth0`` on a member VM over SSH.

    :param ip_address: Address used to reach the VM over SSH.
    :param ssh_key: Private key used to authenticate to the VM.
    :param ipv6_address: IPv6 address to configure on the interface.
    :param ipv6_prefix: Prefix length appended after the address.
    """
    ssh_user = CONF.validation.image_ssh_user
    client = remote_client.RemoteClient(
        ip_address, ssh_user, pkey=ssh_key, **cls.remote_client_args())
    client.validate_authentication()

    # NOTE(review): both values are interpolated unquoted into a command
    # that runs under sudo on the VM. The visible caller passes class
    # attributes, presumably filled from API responses -- confirm they can
    # only ever hold an address and a prefix length.
    command = 'sudo ip address add {0}/{1} dev eth0'.format(
        ipv6_address, ipv6_prefix)
    client.exec_command(command)
1161
@classmethod
def _validate_webserver(cls, ip_address, start_id):
    """Check that both HTTP test servers answer with their expected ID.

    :param ip_address: Address of the member VM.
    :param start_id: ID expected from port 80. The server reached on port
                     81 is expected to answer ``start_id + 1``.
    """
    primary_url = 'http://{0}'.format(ip_address)
    cls.validate_URL_response(primary_url, expected_body=str(start_id))

    secondary_url = 'http://{0}:81'.format(ip_address)
    cls.validate_URL_response(secondary_url,
                              expected_body=str(start_id + 1))
Jude Cross986e3f52017-07-24 14:57:20 -07001168
@classmethod
def _validate_udp_server(cls, ip_address, start_id):
    """Check that both UDP test servers answer with their expected ID.

    :param ip_address: Address of the member VM.
    :param start_id: ID expected from port 80. Port 81 is expected to
                     answer ``start_id + 1``.
    :raises Exception: When a response differs from the expected ID.
    """
    def check(port, expected_id):
        # One request per port, compared with the ID as a string.
        expected = str(expected_id)
        res = cls.make_udp_request(ip_address, port)
        if res != expected:
            raise Exception("Response from test server doesn't match the "
                            "expected value ({0} != {1}).".format(
                                res, expected))

    check(80, start_id)
    check(81, start_id + 1)
Michael Johnsonbaf12e02020-10-27 16:10:28 -07001182
@classmethod
def _create_backend_reencryption_pki(cls):
    """Generate the CAs and the client certificate for the member servers.

    Stores on the class: the member CA certificate and key, the client
    authentication CA certificate, and a client certificate and key whose
    common name is a freshly generated UUID. The client CA key is kept
    only in a local variable.
    """
    pem = serialization.Encoding.PEM

    # Create a CA self-signed cert and key for the member test servers
    ca_cert, ca_key = cert_utils.generate_ca_cert_and_key()
    cls.member_ca_cert = ca_cert
    cls.member_ca_key = ca_key

    LOG.debug('Member CA Cert: %s', ca_cert.public_bytes(pem))
    # NOTE(review): this writes the unencrypted CA signing key to the debug
    # log. The key only has to live for the test run, but a log that is
    # archived or published would expose it -- consider dropping this
    # record.
    ca_key_pem = ca_key.private_bytes(
        encoding=pem,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption())
    LOG.debug('Member CA private Key: %s', ca_key_pem)
    ca_public_pem = ca_key.public_key().public_bytes(
        encoding=pem,
        format=serialization.PublicFormat.SubjectPublicKeyInfo)
    LOG.debug('Member CA public Key: %s', ca_public_pem)

    # Create the member client authentication CA
    client_ca_cert, client_ca_key = cert_utils.generate_ca_cert_and_key()
    cls.member_client_ca_cert = client_ca_cert

    # Create client cert and key
    cls.member_client_cn = uuidutils.generate_uuid()
    cls.member_client_cert, cls.member_client_key = (
        cert_utils.generate_client_cert_and_key(
            cls.member_client_ca_cert, client_ca_key,
            cls.member_client_cn))
    # Note: We are not revoking a client cert here as we don't need to
    # test the backend web server CRL checking.
1212
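@classmethod
def _load_member_pki_content(cls, ip_address, ssh_key, revoke_cert=False):
    """Issue a server certificate for a member VM and copy its PKI files.

    A certificate and key are generated for ``ip_address`` from the member
    CA. They are written with the client CA certificate to a temporary
    directory and copied to ``const.DEV_SHM_PATH`` on the VM with scp.

    :param ip_address: Address of the VM. It is passed to the certificate
                       generator and used as the scp destination host.
    :param ssh_key: Open file object whose ``name`` is the private key
                    path given to ``scp -i``.
    :param revoke_cert: When True, ``cls.member_crl`` is set to a CRL that
                        revokes the certificate generated here.
    :raises CommandFailed: When scp exits with a non-zero status.
    """
    pem = serialization.Encoding.PEM

    # Create webserver certificate and key
    cert, key = cert_utils.generate_server_cert_and_key(
        cls.member_ca_cert, cls.member_ca_key, ip_address)
    cert_pem = cert.public_bytes(pem)
    key_pem = key.private_bytes(
        encoding=pem,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption())

    LOG.debug('%s Cert: %s', ip_address, cert_pem)
    # NOTE(review): the unencrypted server private key goes to the debug
    # log. It is test-only material, but a log that is archived or
    # published would expose it -- consider dropping this record.
    LOG.debug('%s private Key: %s', ip_address, key_pem)
    LOG.debug('%s public Key: %s', ip_address, key.public_key().public_bytes(
        encoding=pem,
        format=serialization.PublicFormat.SubjectPublicKeyInfo))

    # Create a CRL with a revoked certificate
    if revoke_cert:
        # Create a CRL with webserver 2 revoked
        cls.member_crl = cert_utils.generate_certificate_revocation_list(
            cls.member_ca_cert, cls.member_ca_key, cert)

    # Load the certificate, key, and client CA certificate into the
    # test server.
    with tempfile.TemporaryDirectory() as tmpdir:
        pem_files = (
            (const.CERT_PEM, cert_pem),
            (const.KEY_PEM, key_pem),
            (const.CLIENT_CA_PEM,
             cls.member_client_ca_cert.public_bytes(pem)),
        )
        files_to_send = []
        # umask 0 makes the files come out with exactly mode 0o700. The
        # previous umask is restored afterwards: os.umask() changes the
        # whole process, and leaving it at 0 would make every file created
        # later by the test run group- and world-accessible by default.
        previous_umask = os.umask(0)
        try:
            for filename, content in pem_files:
                path = os.path.join(tmpdir, filename)
                with open(os.open(path, os.O_CREAT | os.O_WRONLY,
                                  0o700), 'w') as fh:
                    fh.write(content.decode('utf-8'))
                files_to_send.append(path)
        finally:
            os.umask(previous_umask)

        # For security, no shell is involved (nothing can glob the file
        # names) and the argument vector is built directly instead of
        # re-tokenizing a formatted string, so a path containing
        # whitespace stays one argument.
        #
        # NOTE(review): host key verification is disabled
        # (UserKnownHostsFile=/dev/null, StrictHostKeyChecking=no), so the
        # private key written above is sent to whatever host answers at
        # ip_address. That is only acceptable on an isolated test network.
        args = ["scp", "-v",
                "-o", "UserKnownHostsFile=/dev/null",
                "-o", "PubkeyAcceptedKeyTypes=+ssh-rsa"]
        if cls._need_scp_protocol():
            args.append("-O")
        args += [
            "-o", "StrictHostKeyChecking=no",
            "-o", "ConnectTimeout={0}".format(
                CONF.load_balancer.scp_connection_timeout),
            "-o", "ConnectionAttempts={0}".format(
                CONF.load_balancer.scp_connection_attempts),
            "-i", ssh_key.name]
        args += files_to_send
        args.append("{0}@{1}:{2}".format(
            CONF.validation.image_ssh_user, ip_address,
            const.DEV_SHM_PATH))
        # Printable form of the command, used only for error reporting.
        cmd = " ".join(shlex.quote(arg) for arg in args)

        proc = subprocess.Popen(args,
                                stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT,
                                cwd=None)
        # stderr is merged into stdout above, so ``stderr`` is None here.
        stdout, stderr = proc.communicate()
        if proc.returncode != 0:
            raise exceptions.CommandFailed(proc.returncode, cmd,
                                           stdout, stderr)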