Jude Cross986e3f52017-07-24 14:57:20 -07001# Copyright 2018 Rackspace US Inc. All rights reserved.
2#
3# Licensed under the Apache License, Version 2.0 (the "License"); you may
4# not use this file except in compliance with the License. You may obtain
5# a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12# License for the specific language governing permissions and limitations
13# under the License.
14
15import ipaddress
Michael Johnsonbaf12e02020-10-27 16:10:28 -070016import os
Jude Cross986e3f52017-07-24 14:57:20 -070017import random
Gregory Thiemongea2c234e2021-11-02 17:08:29 +010018import re
Jude Cross986e3f52017-07-24 14:57:20 -070019import shlex
Jude Cross986e3f52017-07-24 14:57:20 -070020import string
21import subprocess
22import tempfile
23
Michael Johnsonbaf12e02020-10-27 16:10:28 -070024from cryptography.hazmat.primitives import serialization
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +010025from oslo_config import cfg
Jude Cross986e3f52017-07-24 14:57:20 -070026from oslo_log import log as logging
27from oslo_utils import uuidutils
28from tempest import config
29from tempest.lib.common.utils import data_utils
30from tempest.lib.common.utils.linux import remote_client
Jude Cross986e3f52017-07-24 14:57:20 -070031from tempest.lib import exceptions
32from tempest import test
Michael Johnson04dc5cb2019-01-20 11:03:50 -080033import tenacity
Jude Cross986e3f52017-07-24 14:57:20 -070034
Michael Johnsonbaf12e02020-10-27 16:10:28 -070035from octavia_tempest_plugin.common import cert_utils
Jude Cross986e3f52017-07-24 14:57:20 -070036from octavia_tempest_plugin.common import constants as const
Michael Johnson6006de72021-02-21 01:42:39 +000037from octavia_tempest_plugin.tests import RBAC_tests
Jude Cross986e3f52017-07-24 14:57:20 -070038from octavia_tempest_plugin.tests import validators
39from octavia_tempest_plugin.tests import waiters
40
# Shared tempest configuration object; every option read in this module
# (CONF.load_balancer.*, CONF.network.*, CONF.validation.*) comes from it.
CONF = config.CONF
# Module logger, named after this module.
LOG = logging.getLogger(__name__)
43
# Retry policy for the network/subnet delete helpers: these values are
# passed to tenacity.stop_after_attempt() and tenacity.wait_incrementing().
RETRY_ATTEMPTS = 15  # maximum number of delete attempts
RETRY_INITIAL_DELAY = 1  # first wait_incrementing() argument
RETRY_BACKOFF = 1  # second wait_incrementing() argument
RETRY_MAX = 5  # third wait_incrementing() argument
48
Gregory Thiemonge29d17902019-04-30 15:06:17 +020049
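class LoadBalancerBaseTest(validators.ValidatorsMixin,
                           RBAC_tests.RBACTestsMixin, test.BaseTestCase):
    """Base class for load balancer tests.

    The class body selects the tempest credential sets to allocate from
    the configured RBAC test type, and the classmethods build the client
    aliases and the VIP/member networks that the child tests share.
    """

    # Each list entry is [credential name, role, ...]; plain strings are
    # tempest's predefined credential types.
    if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
        credentials = [
            'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
            ['lb_member', CONF.load_balancer.member_role],
            ['lb_member2', CONF.load_balancer.member_role]]
    elif CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
        credentials = [
            'admin', 'primary',
            ['lb_admin', CONF.load_balancer.admin_role, 'admin'],
            ['lb_observer', CONF.load_balancer.observer_role, 'reader'],
            ['lb_global_observer', CONF.load_balancer.global_observer_role,
             'reader'],
            ['lb_member', CONF.load_balancer.member_role, 'member'],
            ['lb_member2', CONF.load_balancer.member_role, 'member'],
            ['lb_member_not_default_member', CONF.load_balancer.member_role]]
    else:
        credentials = [
            'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
            ['lb_observer', CONF.load_balancer.observer_role, 'reader'],
            ['lb_global_observer', CONF.load_balancer.global_observer_role,
             'reader'],
            # Note: Some projects are now requiring the 'member' role by
            # default (nova for example) so make sure our creds have this role
            ['lb_member', CONF.load_balancer.member_role, 'member'],
            ['lb_member2', CONF.load_balancer.member_role, 'member']]

    # If scope enforcement is enabled, add in the system scope credentials.
    # The project scope is already handled by the above credentials.
    if CONF.enforce_scope.octavia:
        credentials.extend(['system_admin', 'system_reader'])

    # A tuple of credentials that will be allocated by tempest using the
    # 'credentials' list above. These are used to build RBAC test lists.
    allocated_creds = []
    for cred in credentials:
        if isinstance(cred, list):
            allocated_creds.append('os_roles_' + cred[0])
        else:
            allocated_creds.append('os_' + cred)
    # Tests shall not mess with the list of allocated credentials
    allocated_credentials = tuple(allocated_creds)

    webserver1_response = 1
    webserver2_response = 5
    # VIP address indexes already handed out by _setup_lb_network_kwargs.
    # This is one list object on the base class, so every subclass running
    # in the same process appends to it.
    used_ips = []

    SRC_PORT_NUMBER_MIN = 32768
    SRC_PORT_NUMBER_MAX = 61000
    src_port_number = SRC_PORT_NUMBER_MIN

    @classmethod
    def skip_checks(cls):
        """Check if we should skip all of the children tests.

        Raises cls.skipException when a required service is flagged as
        unavailable, or when neither project_networks_reachable nor
        public_network_id is configured.
        """
        super(LoadBalancerBaseTest, cls).skip_checks()

        service_list = {
            'load_balancer': CONF.service_available.load_balancer,
        }

        live_service_list = {
            'compute': CONF.service_available.nova,
            'image': CONF.service_available.glance,
            'neutron': CONF.service_available.neutron
        }

        # The compute, image and neutron services are only required when
        # the run is not a no-op one.
        if not CONF.load_balancer.test_with_noop:
            service_list.update(live_service_list)

        for service, available in service_list.items():
            if not available:
                skip_msg = ("{0} skipped as {1} service is not "
                            "available.".format(cls.__name__, service))
                raise cls.skipException(skip_msg)

        # We must be able to reach our VIP and instances
        if not (CONF.network.project_networks_reachable
                or CONF.network.public_network_id):
            msg = ('Either project_networks_reachable must be "true", or '
                   'public_network_id must be defined.')
            raise cls.skipException(msg)

    @classmethod
    def setup_credentials(cls):
        """Setup test credentials and network resources.

        When CONF.load_balancer.log_user_roles is set, the role
        assignments of every allocated credential are looked up with the
        admin clients and written to the log at INFO level (user name,
        role name and scope).
        """
        # Do not auto create network resources
        cls.set_network_resources()
        super(LoadBalancerBaseTest, cls).setup_credentials()

        if not CONF.load_balancer.log_user_roles:
            return

        # Log the user roles for this test run
        # Role names are cached by id so each role is fetched only once.
        role_name_cache = {}
        for cred in cls.credentials:
            user_roles = []
            if isinstance(cred, list):
                user_name = cred[0]
                cred_obj = getattr(cls, 'os_roles_' + cred[0])
            else:
                user_name = cred
                cred_obj = getattr(cls, 'os_' + cred)
            params = {'user.id': cred_obj.credentials.user_id,
                      'project.id': cred_obj.credentials.project_id}
            roles = cls.os_admin.role_assignments_client.list_role_assignments(
                **params)['role_assignments']
            for role in roles:
                role_id = role['role']['id']
                try:
                    role_name = role_name_cache[role_id]
                except KeyError:
                    role_name = cls.os_admin.roles_v3_client.show_role(
                        role_id)['role']['name']
                    role_name_cache[role_id] = role_name
                user_roles.append([role_name, role['scope']])
            LOG.info("User %s has roles: %s", user_name, user_roles)

    @classmethod
    def setup_clients(cls):
        """Setup client aliases.

        Aliases prefixed lb_mem_/mem_ use the lb_member credentials, those
        prefixed lb_admin_ use the lb_admin credentials and those prefixed
        os_admin_ use the admin credentials.
        """
        super(LoadBalancerBaseTest, cls).setup_clients()
        lb_admin_prefix = cls.os_roles_lb_admin.load_balancer_v2
        cls.lb_mem_float_ip_client = cls.os_roles_lb_member.floating_ips_client
        cls.lb_mem_keypairs_client = cls.os_roles_lb_member.keypairs_client
        cls.lb_mem_net_client = cls.os_roles_lb_member.networks_client
        cls.lb_mem_ports_client = cls.os_roles_lb_member.ports_client
        cls.lb_mem_routers_client = cls.os_roles_lb_member.routers_client
        cls.lb_mem_SG_client = cls.os_roles_lb_member.security_groups_client
        cls.lb_mem_SGr_client = (
            cls.os_roles_lb_member.security_group_rules_client)
        cls.lb_mem_servers_client = cls.os_roles_lb_member.servers_client
        cls.lb_mem_subnet_client = cls.os_roles_lb_member.subnets_client
        cls.mem_lb_client = (
            cls.os_roles_lb_member.load_balancer_v2.LoadbalancerClient())
        cls.mem_listener_client = (
            cls.os_roles_lb_member.load_balancer_v2.ListenerClient())
        cls.mem_pool_client = (
            cls.os_roles_lb_member.load_balancer_v2.PoolClient())
        cls.mem_member_client = (
            cls.os_roles_lb_member.load_balancer_v2.MemberClient())
        cls.mem_healthmonitor_client = (
            cls.os_roles_lb_member.load_balancer_v2.HealthMonitorClient())
        cls.mem_l7policy_client = (
            cls.os_roles_lb_member.load_balancer_v2.L7PolicyClient())
        cls.mem_l7rule_client = (
            cls.os_roles_lb_member.load_balancer_v2.L7RuleClient())
        cls.lb_admin_amphora_client = lb_admin_prefix.AmphoraClient()
        cls.lb_admin_flavor_profile_client = (
            lb_admin_prefix.FlavorProfileClient())
        cls.lb_admin_flavor_client = lb_admin_prefix.FlavorClient()
        cls.mem_flavor_client = (
            cls.os_roles_lb_member.load_balancer_v2.FlavorClient())
        cls.mem_provider_client = (
            cls.os_roles_lb_member.load_balancer_v2.ProviderClient())
        cls.os_admin_servers_client = cls.os_admin.servers_client
        cls.os_admin_routers_client = cls.os_admin.routers_client
        cls.os_admin_subnetpools_client = cls.os_admin.subnetpools_client
        cls.lb_admin_flavor_capabilities_client = (
            lb_admin_prefix.FlavorCapabilitiesClient())
        cls.lb_admin_availability_zone_capabilities_client = (
            lb_admin_prefix.AvailabilityZoneCapabilitiesClient())
        cls.lb_admin_availability_zone_profile_client = (
            lb_admin_prefix.AvailabilityZoneProfileClient())
        cls.lb_admin_availability_zone_client = (
            lb_admin_prefix.AvailabilityZoneClient())
        cls.mem_availability_zone_client = (
            cls.os_roles_lb_member.load_balancer_v2.AvailabilityZoneClient())

    @classmethod
    def resource_setup(cls):
        """Setup resources needed by the tests.

        Picks the networks and subnets the tests run on: placeholder UUIDs
        in no-op mode, the operator-supplied network/subnet when an
        override is configured, otherwise freshly created ones.

        Raises InvalidConfiguration when test_subnet_override is set
        without test_network_override.
        """
        super(LoadBalancerBaseTest, cls).resource_setup()

        conf_lb = CONF.load_balancer

        cls.api_version = cls.mem_lb_client.get_max_api_version()

        if conf_lb.test_subnet_override and not conf_lb.test_network_override:
            raise exceptions.InvalidConfiguration(
                "Configuration value test_network_override must be "
                "specified if test_subnet_override is used.")

        # TODO(johnsom) Remove this
        # Get loadbalancing algorithms supported by provider driver.
        try:
            algorithms = const.SUPPORTED_LB_ALGORITHMS[
                CONF.load_balancer.provider]
        except KeyError:
            algorithms = const.SUPPORTED_LB_ALGORITHMS['default']
        # Set default algorithm as first from the list.
        cls.lb_algorithm = algorithms[0]

        show_subnet = cls.lb_mem_subnet_client.show_subnet
        if CONF.load_balancer.test_with_noop:
            # No-op runs never touch neutron, so random UUIDs stand in for
            # the network and subnet ids.
            cls.lb_member_vip_net = {'id': uuidutils.generate_uuid()}
            cls.lb_member_vip_subnet = {'id': uuidutils.generate_uuid()}
            cls.lb_member_1_net = {'id': uuidutils.generate_uuid()}
            cls.lb_member_1_subnet = {'id': uuidutils.generate_uuid()}
            cls.lb_member_2_net = {'id': uuidutils.generate_uuid()}
            cls.lb_member_2_subnet = {'id': uuidutils.generate_uuid()}
            if CONF.load_balancer.test_with_ipv6:
                cls.lb_member_vip_ipv6_net = {'id': uuidutils.generate_uuid()}
                cls.lb_member_vip_ipv6_subnet = {'id':
                                                 uuidutils.generate_uuid()}
                cls.lb_member_1_ipv6_subnet = {'id': uuidutils.generate_uuid()}
                cls.lb_member_2_ipv6_subnet = {'id': uuidutils.generate_uuid()}
                cls.lb_member_vip_ipv6_subnet_stateful = True
            return
        elif CONF.load_balancer.test_network_override:
            # NOTE(review): elsewhere in this class show_subnet() results
            # are read through their 'subnet' key, but the override
            # subnets below are stored unwrapped-as-returned - confirm the
            # later [const.ID] lookups work on this shape.
            if conf_lb.test_subnet_override:
                override_subnet = show_subnet(conf_lb.test_subnet_override)
            else:
                override_subnet = None

            show_net = cls.lb_mem_net_client.show_network
            override_network = show_net(conf_lb.test_network_override)
            override_network = override_network.get('network')

            cls.lb_member_vip_net = override_network
            cls.lb_member_vip_subnet = override_subnet
            cls.lb_member_1_net = override_network
            cls.lb_member_1_subnet = override_subnet
            cls.lb_member_2_net = override_network
            cls.lb_member_2_subnet = override_subnet

            if (CONF.load_balancer.test_with_ipv6 and
                    conf_lb.test_ipv6_subnet_override):
                override_ipv6_subnet = show_subnet(
                    conf_lb.test_ipv6_subnet_override)
                cls.lb_member_vip_ipv6_subnet = override_ipv6_subnet
                cls.lb_member_1_ipv6_subnet = override_ipv6_subnet
                cls.lb_member_2_ipv6_subnet = override_ipv6_subnet
                cls.lb_member_vip_ipv6_subnet_stateful = False
                # NOTE(review): indexing the show_subnet() result with [0]
                # looks inconsistent with the ['subnet'] access used
                # elsewhere in this class - confirm against the client.
                if (override_ipv6_subnet[0]['ipv6_address_mode'] ==
                        'dhcpv6-stateful'):
                    cls.lb_member_vip_ipv6_subnet_stateful = True
            else:
                cls.lb_member_vip_ipv6_subnet = None
                cls.lb_member_1_ipv6_subnet = None
                cls.lb_member_2_ipv6_subnet = None
        else:
            cls._create_networks()

        LOG.debug('Octavia Setup: lb_member_vip_net = %s',
                  cls.lb_member_vip_net[const.ID])
        if cls.lb_member_vip_subnet:
            LOG.debug('Octavia Setup: lb_member_vip_subnet = %s',
                      cls.lb_member_vip_subnet[const.ID])
        LOG.debug('Octavia Setup: lb_member_1_net = %s',
                  cls.lb_member_1_net[const.ID])
        if cls.lb_member_1_subnet:
            LOG.debug('Octavia Setup: lb_member_1_subnet = %s',
                      cls.lb_member_1_subnet[const.ID])
        LOG.debug('Octavia Setup: lb_member_2_net = %s',
                  cls.lb_member_2_net[const.ID])
        if cls.lb_member_2_subnet:
            LOG.debug('Octavia Setup: lb_member_2_subnet = %s',
                      cls.lb_member_2_subnet[const.ID])
        if CONF.load_balancer.test_with_ipv6:
            if cls.lb_member_vip_ipv6_subnet:
                LOG.debug('Octavia Setup: lb_member_vip_ipv6_subnet = %s',
                          cls.lb_member_vip_ipv6_subnet[const.ID])
            if cls.lb_member_1_ipv6_subnet:
                LOG.debug('Octavia Setup: lb_member_1_ipv6_subnet = %s',
                          cls.lb_member_1_ipv6_subnet[const.ID])
            if cls.lb_member_2_ipv6_subnet:
                LOG.debug('Octavia Setup: lb_member_2_ipv6_subnet = %s',
                          cls.lb_member_2_ipv6_subnet[const.ID])

    @classmethod
    # Neutron can be slow to clean up ports from the subnets/networks.
    # Retry this delete a few times if we get a "Conflict" error to give
    # neutron time to fully cleanup the ports.
    @tenacity.retry(
        retry=tenacity.retry_if_exception_type(exceptions.Conflict),
        wait=tenacity.wait_incrementing(
            RETRY_INITIAL_DELAY, RETRY_BACKOFF, RETRY_MAX),
        stop=tenacity.stop_after_attempt(RETRY_ATTEMPTS))
    def _logging_delete_network(cls, net_id):
        """Delete a network; on failure log the port list and re-raise.

        The port listing is logged at ERROR level on every failed
        attempt, including the attempts that are retried.
        """
        try:
            cls.lb_mem_net_client.delete_network(net_id)
        except Exception:
            LOG.error('Unable to delete network %s. Active ports:', net_id)
            LOG.error(cls.lb_mem_ports_client.list_ports())
            raise

    @classmethod
    # Neutron can be slow to clean up ports from the subnets/networks.
    # Retry this delete a few times if we get a "Conflict" error to give
    # neutron time to fully cleanup the ports.
    @tenacity.retry(
        retry=tenacity.retry_if_exception_type(exceptions.Conflict),
        wait=tenacity.wait_incrementing(
            RETRY_INITIAL_DELAY, RETRY_BACKOFF, RETRY_MAX),
        stop=tenacity.stop_after_attempt(RETRY_ATTEMPTS))
    def _logging_delete_subnet(cls, subnet_id):
        """Delete a subnet; on failure log the port list and re-raise.

        The port listing is logged at ERROR level on every failed
        attempt, including the attempts that are retried.
        """
        try:
            cls.lb_mem_subnet_client.delete_subnet(subnet_id)
        except Exception:
            LOG.error('Unable to delete subnet %s. Active ports:', subnet_id)
            LOG.error(cls.lb_mem_ports_client.list_ports())
            raise

    @classmethod
    def _create_networks(cls):
        """Creates networks, subnets, and routers used in tests.

        The following are expected to be defined and available to the tests:
            cls.lb_member_vip_net
            cls.lb_member_vip_subnet
            cls.lb_member_vip_ipv6_subnet (optional)
            cls.lb_member_1_net
            cls.lb_member_1_subnet
            cls.lb_member_1_ipv6_subnet (optional)
            cls.lb_member_2_net
            cls.lb_member_2_subnet
            cls.lb_member_2_ipv6_subnet (optional)

        Every created resource gets a class-level cleanup registered right
        after creation. The full network and subnet bodies returned by
        neutron are logged at INFO level.

        Raises InvalidConfiguration when a member IPv6 subnet CIDR does
        not end in a numeric prefix length.
        """

        # Create tenant VIP network
        network_kwargs = {
            'name': data_utils.rand_name("lb_member_vip_network")}
        if CONF.network_feature_enabled.port_security:
            # Note: Allowed Address Pairs requires port security
            network_kwargs['port_security_enabled'] = True
        result = cls.lb_mem_net_client.create_network(**network_kwargs)
        cls.lb_member_vip_net = result['network']
        LOG.info('lb_member_vip_net: %s', cls.lb_member_vip_net)
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls._logging_delete_network,
            cls.lb_mem_net_client.show_network,
            cls.lb_member_vip_net['id'])

        # Create tenant VIP subnet
        subnet_kwargs = {
            'name': data_utils.rand_name("lb_member_vip_subnet"),
            'network_id': cls.lb_member_vip_net['id'],
            'cidr': CONF.load_balancer.vip_subnet_cidr,
            'ip_version': 4}
        result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
        cls.lb_member_vip_subnet = result['subnet']
        LOG.info('lb_member_vip_subnet: %s', cls.lb_member_vip_subnet)
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls._logging_delete_subnet,
            cls.lb_mem_subnet_client.show_subnet,
            cls.lb_member_vip_subnet['id'])

        # Create tenant VIP IPv6 subnet
        if CONF.load_balancer.test_with_ipv6:
            cls.lb_member_vip_ipv6_subnet_stateful = False
            cls.lb_member_vip_ipv6_subnet_use_subnetpool = False
            subnet_kwargs = {
                'name': data_utils.rand_name("lb_member_vip_ipv6_subnet"),
                'network_id': cls.lb_member_vip_net['id'],
                'ip_version': 6}

            # Use a CIDR from devstack's default IPv6 subnetpool if it exists,
            # the subnetpool's cidr is routable from the devstack node
            # through the default router
            subnetpool_name = CONF.load_balancer.default_ipv6_subnetpool
            if subnetpool_name:
                subnetpool = cls.os_admin_subnetpools_client.list_subnetpools(
                    name=subnetpool_name)['subnetpools']
                # Only use the pool when the name matches exactly one.
                if len(subnetpool) == 1:
                    subnetpool = subnetpool[0]
                    subnet_kwargs['subnetpool_id'] = subnetpool['id']
                    cls.lb_member_vip_ipv6_subnet_use_subnetpool = True

            if 'subnetpool_id' not in subnet_kwargs:
                subnet_kwargs['cidr'] = (
                    CONF.load_balancer.vip_ipv6_subnet_cidr)

            result = cls.lb_mem_subnet_client.create_subnet(
                **subnet_kwargs)
            cls.lb_member_vip_ipv6_net = cls.lb_member_vip_net
            cls.lb_member_vip_ipv6_subnet = result['subnet']
            cls.addClassResourceCleanup(
                waiters.wait_for_not_found,
                cls._logging_delete_subnet,
                cls.lb_mem_subnet_client.show_subnet,
                cls.lb_member_vip_ipv6_subnet['id'])

            LOG.info('lb_member_vip_ipv6_subnet: %s',
                     cls.lb_member_vip_ipv6_subnet)

        # Create tenant member 1 network
        network_kwargs = {
            'name': data_utils.rand_name("lb_member_1_network")}
        if CONF.network_feature_enabled.port_security:
            # Port security on the member network follows the
            # enable_security_groups option; with that option off the
            # network is created with port security disabled.
            if CONF.load_balancer.enable_security_groups:
                network_kwargs['port_security_enabled'] = True
            else:
                network_kwargs['port_security_enabled'] = False
        result = cls.lb_mem_net_client.create_network(**network_kwargs)
        cls.lb_member_1_net = result['network']
        LOG.info('lb_member_1_net: %s', cls.lb_member_1_net)
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls._logging_delete_network,
            cls.lb_mem_net_client.show_network,
            cls.lb_member_1_net['id'])

        # Create tenant member 1 subnet
        subnet_kwargs = {
            'name': data_utils.rand_name("lb_member_1_subnet"),
            'network_id': cls.lb_member_1_net['id'],
            'cidr': CONF.load_balancer.member_1_ipv4_subnet_cidr,
            'ip_version': 4}
        result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
        cls.lb_member_1_subnet = result['subnet']
        LOG.info('lb_member_1_subnet: %s', cls.lb_member_1_subnet)
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls._logging_delete_subnet,
            cls.lb_mem_subnet_client.show_subnet,
            cls.lb_member_1_subnet['id'])

        # Create tenant member 1 ipv6 subnet
        if CONF.load_balancer.test_with_ipv6:
            # Validate the configured CIDR before creating anything, with
            # an explicit raise: an assert is stripped under "python -O"
            # and used to fire only after the subnet already existed.
            cls.lb_member_1_subnet_prefix = (
                CONF.load_balancer.member_1_ipv6_subnet_cidr.rpartition('/')[2]
            )
            if not cls.lb_member_1_subnet_prefix.isdigit():
                raise exceptions.InvalidConfiguration(
                    "Configuration value member_1_ipv6_subnet_cidr must "
                    "end in a numeric prefix length.")
            subnet_kwargs = {
                'name': data_utils.rand_name("lb_member_1_ipv6_subnet"),
                'network_id': cls.lb_member_1_net['id'],
                'cidr': CONF.load_balancer.member_1_ipv6_subnet_cidr,
                'ip_version': 6}
            result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
            cls.lb_member_1_ipv6_subnet = result['subnet']
            LOG.info('lb_member_1_ipv6_subnet: %s',
                     cls.lb_member_1_ipv6_subnet)
            cls.addClassResourceCleanup(
                waiters.wait_for_not_found,
                cls._logging_delete_subnet,
                cls.lb_mem_subnet_client.show_subnet,
                cls.lb_member_1_ipv6_subnet['id'])

        # Create tenant member 2 network
        network_kwargs = {
            'name': data_utils.rand_name("lb_member_2_network")}
        if CONF.network_feature_enabled.port_security:
            # Same rule as member network 1: port security follows the
            # enable_security_groups option.
            if CONF.load_balancer.enable_security_groups:
                network_kwargs['port_security_enabled'] = True
            else:
                network_kwargs['port_security_enabled'] = False
        result = cls.lb_mem_net_client.create_network(**network_kwargs)
        cls.lb_member_2_net = result['network']
        LOG.info('lb_member_2_net: %s', cls.lb_member_2_net)
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls._logging_delete_network,
            cls.lb_mem_net_client.show_network,
            cls.lb_member_2_net['id'])

        # Create tenant member 2 subnet
        subnet_kwargs = {
            'name': data_utils.rand_name("lb_member_2_subnet"),
            'network_id': cls.lb_member_2_net['id'],
            'cidr': CONF.load_balancer.member_2_ipv4_subnet_cidr,
            'ip_version': 4}
        result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
        cls.lb_member_2_subnet = result['subnet']
        LOG.info('lb_member_2_subnet: %s', cls.lb_member_2_subnet)
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls._logging_delete_subnet,
            cls.lb_mem_subnet_client.show_subnet,
            cls.lb_member_2_subnet['id'])

        # Create tenant member 2 ipv6 subnet
        if CONF.load_balancer.test_with_ipv6:
            # Validated up front with an explicit raise, for the same
            # reasons as the member 1 IPv6 subnet.
            cls.lb_member_2_subnet_prefix = (
                CONF.load_balancer.member_2_ipv6_subnet_cidr.rpartition('/')[2]
            )
            if not cls.lb_member_2_subnet_prefix.isdigit():
                raise exceptions.InvalidConfiguration(
                    "Configuration value member_2_ipv6_subnet_cidr must "
                    "end in a numeric prefix length.")
            subnet_kwargs = {
                'name': data_utils.rand_name("lb_member_2_ipv6_subnet"),
                'network_id': cls.lb_member_2_net['id'],
                'cidr': CONF.load_balancer.member_2_ipv6_subnet_cidr,
                'ip_version': 6}
            result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
            cls.lb_member_2_ipv6_subnet = result['subnet']
            LOG.info('lb_member_2_ipv6_subnet: %s',
                     cls.lb_member_2_ipv6_subnet)
            cls.addClassResourceCleanup(
                waiters.wait_for_not_found,
                cls._logging_delete_subnet,
                cls.lb_mem_subnet_client.show_subnet,
                cls.lb_member_2_ipv6_subnet['id'])

    @classmethod
    def _setup_lb_network_kwargs(cls, lb_kwargs, ip_version=None,
                                 use_fixed_ip=False):
        """Fill in the VIP network, subnet and address keys of lb_kwargs.

        :param lb_kwargs: dict of load balancer create arguments; updated
                          in place.
        :param ip_version: 4 or 6. When falsy, 6 is used if
                           CONF.load_balancer.test_with_ipv6 is set,
                           otherwise 4.
        :param use_fixed_ip: when True, also request a specific VIP
                             address picked from the VIP subnet. Ignored
                             for IPv6 subnets that are not dhcpv6-stateful.
        :raises RuntimeError: when every candidate VIP address index has
                              already been handed out.
        """
        if not ip_version:
            ip_version = 6 if CONF.load_balancer.test_with_ipv6 else 4
        if cls.lb_member_vip_subnet or cls.lb_member_vip_ipv6_subnet:
            # The original retry loop never terminated once every index
            # had been used; fail loudly instead of hanging the run.
            # Assumes rand_int_id() treats both bounds as inclusive -
            # TODO confirm; if the upper bound is exclusive this guard
            # simply never triggers.
            if all(index in cls.used_ips for index in range(10, 101)):
                raise RuntimeError(
                    'No unused VIP address index is left in the 10-100 '
                    'range.')
            ip_index = data_utils.rand_int_id(start=10, end=100)
            while ip_index in cls.used_ips:
                ip_index = data_utils.rand_int_id(start=10, end=100)
            cls.used_ips.append(ip_index)
            if ip_version == 4:
                subnet_id = cls.lb_member_vip_subnet[const.ID]
                if CONF.load_balancer.test_with_noop:
                    # Fixed placeholder; no real subnet exists in no-op
                    # mode.
                    lb_vip_address = '198.18.33.33'
                else:
                    subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
                    network = ipaddress.IPv4Network(subnet['subnet']['cidr'])
                    lb_vip_address = str(network[ip_index])
            else:
                subnet_id = cls.lb_member_vip_ipv6_subnet[const.ID]
                if CONF.load_balancer.test_with_noop:
                    # Fixed placeholder; no real subnet exists in no-op
                    # mode.
                    lb_vip_address = '2001:db8:33:33:33:33:33:33'
                else:
                    subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
                    network = ipaddress.IPv6Network(subnet['subnet']['cidr'])
                    lb_vip_address = str(network[ip_index])
                    # If the subnet is IPv6 slaac or dhcpv6-stateless
                    # neutron does not allow a fixed IP
                    if not cls.lb_member_vip_ipv6_subnet_stateful:
                        use_fixed_ip = False
            lb_kwargs[const.VIP_SUBNET_ID] = subnet_id
            if use_fixed_ip:
                lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
            if CONF.load_balancer.test_with_noop:
                lb_kwargs[const.VIP_NETWORK_ID] = (
                    cls.lb_member_vip_net[const.ID])
                if ip_version == 6:
                    lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
        else:
            # No VIP subnet is known: address the VIP by network only.
            lb_kwargs[const.VIP_NETWORK_ID] = cls.lb_member_vip_net[const.ID]
            lb_kwargs[const.VIP_SUBNET_ID] = None

    def _validate_listener_protocol(self, protocol, raise_if_unsupported=True):
        """Check that the Octavia API under test supports a protocol.

        Only SCTP is checked, and it needs API version 2.23 or newer.

        :param protocol: the listener protocol constant to check.
        :param raise_if_unsupported: raise skipException instead of
                                     returning False.
        :returns: True when the protocol is supported, False otherwise.
        """
        if (protocol == const.SCTP and
                not self.mem_listener_client.is_version_supported(
                    self.api_version, '2.23')):
            if raise_if_unsupported:
                raise self.skipException('SCTP listener protocol '
                                         'is only available on Octavia '
                                         'API version 2.23 or newer.')
            return False
        return True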
600
Adam Harwellcd72b562018-05-07 11:37:22 -0700601
602class LoadBalancerBaseTestWithCompute(LoadBalancerBaseTest):
@classmethod
def remote_client_args(cls):
    """Return the optional keyword arguments for the SSH remote client.

    Old tempest releases (for instance on stable/train) do not define the
    ssh_key_type option; reading it then raises NoSuchOptError, and an
    empty dict is returned so that no argument is passed at all.
    """
    try:
        key_type = CONF.validation.ssh_key_type
    except cfg.NoSuchOptError:
        return {}
    return {'ssh_key_type': key_type}
614
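@classmethod
def resource_setup(cls):
    """Boot, configure and validate the two member webservers.

    Creates the member keypair, the member security group with its
    ingress rules (only when security groups and port security are
    enabled), the backend re-encryption PKI, and two servers running the
    test webserver. Each created resource is registered for class
    cleanup. Returns early, creating nothing, when
    CONF.validation.run_validation is false.
    """
    super(LoadBalancerBaseTestWithCompute, cls).resource_setup()
    # If validation is disabled in this cloud, we won't be able to
    # start the webservers, so don't even boot them.
    if not CONF.validation.run_validation:
        return

    # Create a keypair for the webservers
    keypair_name = data_utils.rand_name('lb_member_keypair')
    result = cls.lb_mem_keypairs_client.create_keypair(
        name=keypair_name)
    cls.lb_member_keypair = result['keypair']
    # The keypair body includes 'private_key' (it is read below to log in
    # to the webservers). Keep that field out of the log so the key does
    # not end up in archived test output.
    LOG.info('lb_member_keypair: {}'.format(
        {field: value
         for field, value in cls.lb_member_keypair.items()
         if field != 'private_key'}))
    cls.addClassResourceCleanup(
        waiters.wait_for_not_found,
        cls.lb_mem_keypairs_client.delete_keypair,
        cls.lb_mem_keypairs_client.show_keypair,
        keypair_name)

    if (CONF.load_balancer.enable_security_groups and
            CONF.network_feature_enabled.port_security):
        # Set up the security group for the webservers
        SG_name = data_utils.rand_name('lb_member_SG')
        cls.lb_member_sec_group = (
            cls.lb_mem_SG_client.create_security_group(
                name=SG_name)['security_group'])
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls.lb_mem_SG_client.delete_security_group,
            cls.lb_mem_SG_client.show_security_group,
            cls.lb_member_sec_group['id'])

        def _allow_ingress(ethertype, protocol, port_min, port_max):
            # Create one ingress rule and register its cleanup. No
            # remote_ip_prefix or remote_group_id is passed, so the rule
            # is not restricted by source address.
            SGr = cls.lb_mem_SGr_client.create_security_group_rule(
                direction='ingress',
                security_group_id=cls.lb_member_sec_group['id'],
                protocol=protocol,
                ethertype=ethertype,
                port_range_min=port_min,
                port_range_max=port_max)['security_group_rule']
            cls.addClassResourceCleanup(
                waiters.wait_for_not_found,
                cls.lb_mem_SGr_client.delete_security_group_rule,
                cls.lb_mem_SGr_client.show_security_group_rule,
                SGr['id'])

        # (protocol, first port, last port), in creation order.
        ipv4_rules = (
            ('tcp', 80, 81),      # test webservers
            ('udp', 80, 81),      # test webservers (UDP)
            ('tcp', 443, 443),    # test webservers
            # Used in the pool backend encryption client authentication
            # tests
            ('tcp', 9443, 9443),
            # Port 9999 is used to illustrate health monitor ERRORs on
            # closed ports.
            ('udp', 9999, 9999),
            ('tcp', 22, 22),      # ssh
        )
        # Same set as IPv4 except that UDP 9999 is not opened.
        ipv6_rules = (
            ('tcp', 80, 81),      # test webservers
            ('udp', 80, 81),      # test webservers (UDP)
            ('tcp', 443, 443),    # test webservers
            # Used in the pool encryption client authentication tests
            ('tcp', 9443, 9443),
            ('tcp', 22, 22),      # ssh
        )

        for protocol, port_min, port_max in ipv4_rules:
            _allow_ingress('IPv4', protocol, port_min, port_max)
        if CONF.load_balancer.test_with_ipv6:
            for protocol, port_min, port_max in ipv6_rules:
                _allow_ingress('IPv6', protocol, port_min, port_max)

        LOG.info('lb_member_sec_group: {}'.format(cls.lb_member_sec_group))

    # Setup backend member reencryption PKI
    cls._create_backend_reencryption_pki()

    # Create webserver 1 instance
    server_details = cls._create_webserver('lb_member_webserver1',
                                           cls.lb_member_1_net)

    cls.lb_member_webserver1 = server_details['server']
    cls.webserver1_ip = server_details.get('ipv4_address')
    cls.webserver1_ipv6 = server_details.get('ipv6_address')
    cls.webserver1_public_ip = server_details['public_ipv4_address']

    LOG.debug('Octavia Setup: lb_member_webserver1 = {}'.format(
        cls.lb_member_webserver1[const.ID]))
    LOG.debug('Octavia Setup: webserver1_ip = {}'.format(
        cls.webserver1_ip))
    LOG.debug('Octavia Setup: webserver1_ipv6 = {}'.format(
        cls.webserver1_ipv6))
    LOG.debug('Octavia Setup: webserver1_public_ip = {}'.format(
        cls.webserver1_public_ip))

    # Create webserver 2 instance
    server_details = cls._create_webserver('lb_member_webserver2',
                                           cls.lb_member_2_net)

    cls.lb_member_webserver2 = server_details['server']
    cls.webserver2_ip = server_details.get('ipv4_address')
    cls.webserver2_ipv6 = server_details.get('ipv6_address')
    cls.webserver2_public_ip = server_details['public_ipv4_address']

    LOG.debug('Octavia Setup: lb_member_webserver2 = {}'.format(
        cls.lb_member_webserver2[const.ID]))
    LOG.debug('Octavia Setup: webserver2_ip = {}'.format(
        cls.webserver2_ip))
    LOG.debug('Octavia Setup: webserver2_ipv6 = {}'.format(
        cls.webserver2_ipv6))
    LOG.debug('Octavia Setup: webserver2_public_ip = {}'.format(
        cls.webserver2_public_ip))

    if CONF.load_balancer.test_with_ipv6:
        # Enable the IPv6 nic in webserver 1
        cls._enable_ipv6_nic_webserver(
            cls.webserver1_public_ip, cls.lb_member_keypair['private_key'],
            cls.webserver1_ipv6, cls.lb_member_1_subnet_prefix)

        # Enable the IPv6 nic in webserver 2
        cls._enable_ipv6_nic_webserver(
            cls.webserver2_public_ip, cls.lb_member_keypair['private_key'],
            cls.webserver2_ipv6, cls.lb_member_2_subnet_prefix)

    # Set up serving on webserver 1
    cls._install_start_webserver(cls.webserver1_public_ip,
                                 cls.lb_member_keypair['private_key'],
                                 cls.webserver1_response)

    # Validate webserver 1
    cls._validate_webserver(cls.webserver1_public_ip,
                            cls.webserver1_response)

    # Validate udp server 1
    cls._validate_udp_server(cls.webserver1_public_ip,
                             cls.webserver1_response)

    # Set up serving on webserver 2; its server certificate is also put
    # on the member CRL (revoke_cert=True).
    cls._install_start_webserver(cls.webserver2_public_ip,
                                 cls.lb_member_keypair['private_key'],
                                 cls.webserver2_response, revoke_cert=True)

    # Validate webserver 2
    cls._validate_webserver(cls.webserver2_public_ip,
                            cls.webserver2_response)

    # Validate udp server 2
    cls._validate_udp_server(cls.webserver2_public_ip,
                             cls.webserver2_response)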
875
@classmethod
def _create_networks(cls):
    """Create the member router and attach the VIP and member subnets.

    When IPv6 testing is on, a default router is configured and the IPv6
    VIP subnet uses the subnetpool, that subnet is additionally attached
    to the default router with the admin client. Every attachment is
    registered for class cleanup.
    """
    super(LoadBalancerBaseTestWithCompute, cls)._create_networks()

    def _attach(routers_client, router_id, subnet_id):
        # Plug the subnet into the router, then register the detach.
        # remove_router_interface is deliberately given to
        # wait_for_not_found as both the delete and the show callable,
        # exactly as the attachment code has always done.
        routers_client.add_router_interface(router_id, subnet_id=subnet_id)
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            routers_client.remove_router_interface,
            routers_client.remove_router_interface,
            router_id, subnet_id=subnet_id)

    # Create a router for the subnets (required for the floating IP)
    member_router_name = data_utils.rand_name("lb_member_router")
    gateway = dict(network_id=CONF.network.public_network_id)
    created = cls.lb_mem_routers_client.create_router(
        name=member_router_name, admin_state_up=True,
        external_gateway_info=gateway)
    cls.lb_member_router = created['router']
    LOG.info('lb_member_router: {}'.format(cls.lb_member_router))
    cls.addClassResourceCleanup(
        waiters.wait_for_not_found,
        cls.lb_mem_routers_client.delete_router,
        cls.lb_mem_routers_client.show_router,
        cls.lb_member_router['id'])

    # Add VIP subnet to router
    _attach(cls.lb_mem_routers_client, cls.lb_member_router['id'],
            cls.lb_member_vip_subnet['id'])

    if (CONF.load_balancer.test_with_ipv6 and
            CONF.load_balancer.default_router and
            cls.lb_member_vip_ipv6_subnet_use_subnetpool):
        # if lb_member_vip_ipv6_subnet uses devstack's subnetpool,
        # plug the subnet into the default router
        default_router_name = CONF.load_balancer.default_router
        matches = cls.os_admin.routers_client.list_routers(
            name=default_router_name)['routers']

        # Only act when the name resolves to exactly one router.
        if len(matches) == 1:
            # Add IPv6 VIP subnet to router1
            _attach(cls.os_admin_routers_client, matches[0]['id'],
                    cls.lb_member_vip_ipv6_subnet['id'])

    # Add member subnet 1 to router
    _attach(cls.lb_mem_routers_client, cls.lb_member_router['id'],
            cls.lb_member_1_subnet['id'])

    # Add member subnet 2 to router
    _attach(cls.lb_mem_routers_client, cls.lb_member_router['id'],
            cls.lb_member_2_subnet['id'])
947
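@classmethod
def _create_webserver(cls, name, network):
    """Boot a member server and collect its addresses.

    webserver_details dictionary contains:
    server - The compute server object
    ipv4_address - The IPv4 address for the server (optional)
    ipv6_address - The IPv6 address for the server (optional)
    public_ipv4_address - The address used to reach the server: a new
                          floating IP when CONF.validation.connect_method
                          is 'floating', otherwise the first address on
                          the instance network

    :param name: The name of the server to create.
    :param network: The network to boot the server on.
    :returns: webserver_details dictionary.
    """
    server_kwargs = {
        'name': data_utils.rand_name(name),
        'flavorRef': CONF.compute.flavor_ref,
        'imageRef': CONF.compute.image_ref,
        'key_name': cls.lb_member_keypair['name']}
    if (CONF.load_balancer.enable_security_groups and
            CONF.network_feature_enabled.port_security):
        server_kwargs['security_groups'] = [
            {'name': cls.lb_member_sec_group['name']}]
    if not CONF.load_balancer.disable_boot_network:
        server_kwargs['networks'] = [{'uuid': network['id']}]

    # Replace the name for clouds that have limitations
    if CONF.load_balancer.random_server_name_length:
        r = random.SystemRandom()
        alphabet = string.ascii_uppercase + string.digits
        server_kwargs['name'] = "m{}".format("".join(
            r.choice(alphabet)
            for _ in range(
                CONF.load_balancer.random_server_name_length - 1)))
    if CONF.load_balancer.availability_zone:
        server_kwargs['availability_zone'] = (
            CONF.load_balancer.availability_zone)

    server = cls.lb_mem_servers_client.create_server(
        **server_kwargs)['server']
    cls.addClassResourceCleanup(
        waiters.wait_for_not_found,
        cls.lb_mem_servers_client.delete_server,
        cls.lb_mem_servers_client.show_server,
        server['id'])
    server = waiters.wait_for_status(
        cls.lb_mem_servers_client.show_server,
        server['id'], 'status', 'ACTIVE',
        CONF.load_balancer.build_interval,
        CONF.load_balancer.build_timeout,
        root_tag='server')
    webserver_details = {'server': server}
    LOG.info('Created server: {}'.format(server))

    addresses = server['addresses']
    if CONF.load_balancer.disable_boot_network:
        # dict.values() is a view on Python 3 and cannot be indexed, so
        # take the first entry through an iterator.
        instance_network = next(iter(addresses.values()))
    else:
        instance_network = addresses[network['name']]
    for addr in instance_network:
        if addr['version'] == 4:
            webserver_details['ipv4_address'] = addr['addr']
        if addr['version'] == 6:
            webserver_details['ipv6_address'] = addr['addr']

    if CONF.validation.connect_method == 'floating':
        # Find the server's port by MAC address and bind a floating IP
        # from the public network to it.
        result = cls.lb_mem_ports_client.list_ports(
            network_id=network['id'],
            mac_address=instance_network[0]['OS-EXT-IPS-MAC:mac_addr'])
        port_id = result['ports'][0]['id']
        result = cls.lb_mem_float_ip_client.create_floatingip(
            floating_network_id=CONF.network.public_network_id,
            port_id=port_id)
        floating_ip = result['floatingip']
        LOG.info('webserver1_floating_ip: {}'.format(floating_ip))
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls.lb_mem_float_ip_client.delete_floatingip,
            cls.lb_mem_float_ip_client.show_floatingip,
            floatingip_id=floating_ip['id'])
        webserver_details['public_ipv4_address'] = (
            floating_ip['floating_ip_address'])
    else:
        webserver_details['public_ipv4_address'] = (
            instance_network[0]['addr'])

    return webserver_details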
1036
1037 @classmethod
Gregory Thiemongea2c234e2021-11-02 17:08:29 +01001038 def _get_openssh_version(cls):
1039 p = subprocess.Popen(["ssh", "-V"],
1040 stdout=subprocess.PIPE,
1041 stderr=subprocess.PIPE)
1042 output = p.communicate()[1]
1043
1044 try:
1045 m = re.match(r"OpenSSH_(\d+)\.(\d+)", output.decode('utf-8'))
1046 version_maj = int(m.group(1))
1047 version_min = int(m.group(2))
1048 return version_maj, version_min
1049 except Exception:
1050 return None, None
1051
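@classmethod
def _need_scp_protocol(cls):
    """Tell whether scp must be forced onto the legacy SCP protocol.

    When using scp >= 8.7, force the use of the SCP protocol, the new
    default (SFTP protocol) doesn't work with cirros VMs.

    :returns: True when the detected OpenSSH version is 8.7 or newer;
              False for older clients and when the version is unknown.
    """
    ssh_version = cls._get_openssh_version()
    LOG.debug("ssh_version = {}".format(ssh_version))
    major, minor = ssh_version
    # _get_openssh_version() yields (None, None) when detection fails;
    # comparing None with an int raises TypeError on Python 3, so treat
    # an unknown version as "do not add the flag".
    if major is None or minor is None:
        return False
    return (major, minor) >= (8, 7)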
1061
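@classmethod
def _install_start_webserver(cls, ip_address, ssh_key, start_id,
                             revoke_cert=False):
    """Copy the test server binary to a member VM and start it.

    The binary is copied with scp, the member PKI files are loaded with
    _load_member_pki_content(), and two server processes are started
    under screen: one on port 80 (plus HTTPS on 443 and HTTPS with client
    authentication on 9443) answering with ``start_id``, and one on port
    81 answering with ``start_id + 1``.

    :param ip_address: Address used to reach the VM over SSH.
    :param ssh_key: Private key text for CONF.validation.image_ssh_user.
    :param start_id: ID served by the first process.
    :param revoke_cert: Passed through to _load_member_pki_content().
    :raises CommandFailed: if scp exits with a non-zero status.
    """
    local_file = CONF.load_balancer.test_server_path

    linux_client = remote_client.RemoteClient(
        ip_address, CONF.validation.image_ssh_user, pkey=ssh_key,
        **cls.remote_client_args())
    linux_client.validate_authentication()

    # scp needs the key as a file. NamedTemporaryFile creates it
    # accessible to the owner only and removes it when the block exits.
    with tempfile.NamedTemporaryFile() as key:
        key.write(ssh_key.encode('utf-8'))
        key.flush()

        # Build argv directly rather than formatting one string and
        # splitting it again, so whitespace or quoting in a configured
        # path or address cannot change how scp parses its command line.
        #
        # Host key verification is switched off (no known_hosts file,
        # StrictHostKeyChecking=no): the target is a VM booted for this
        # test run, so there is no previously known host key to compare
        # against and the server end of the copy is not authenticated.
        args = ["scp", "-v",
                "-o", "UserKnownHostsFile=/dev/null",
                "-o", "PubkeyAcceptedKeyTypes=+ssh-rsa"]
        if cls._need_scp_protocol():
            args.append("-O")
        args += [
            "-o", "StrictHostKeyChecking=no",
            "-o", "ConnectTimeout={0}".format(
                CONF.load_balancer.scp_connection_timeout),
            "-o", "ConnectionAttempts={0}".format(
                CONF.load_balancer.scp_connection_attempts),
            "-i", key.name,
            str(local_file),
            "{0}@{1}:{2}".format(CONF.validation.image_ssh_user,
                                 ip_address, const.TEST_SERVER_BINARY)]
        # Only used for the error report below.
        cmd = " ".join(args)
        # stderr is merged into stdout, so communicate() returns None for
        # the second element.
        proc = subprocess.Popen(args, stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT, cwd=None)
        stdout, stderr = proc.communicate()
        if proc.returncode != 0:
            raise exceptions.CommandFailed(proc.returncode, cmd,
                                           stdout, stderr)

        # Must run while the key file still exists: the callee passes
        # key.name to its own scp invocation.
        cls._load_member_pki_content(ip_address, key,
                                     revoke_cert=revoke_cert)

    # Enabling memory overcommit allows to run golang static binaries
    # compiled with a recent golang toolchain (>=1.11). Those binaries
    # allocate a large amount of virtual memory at init time, and this
    # allocation fails in tempest's nano flavor (64MB of RAM)
    # (golang issue reported in https://github.com/golang/go/issues/28114,
    # follow-up: https://github.com/golang/go/issues/28081)
    # TODO(gthiemonge): Remove this call when golang issue is resolved.
    linux_client.exec_command('sudo sh -c "echo 1 > '
                              '/proc/sys/vm/overcommit_memory"')

    # The initial process also supports HTTPS and HTTPS with client auth
    linux_client.exec_command(
        'sudo screen -d -m {0} -port 80 -id {1} -https_port 443 -cert {2} '
        '-key {3} -https_client_auth_port 9443 -client_ca {4}'.format(
            const.TEST_SERVER_BINARY, start_id, const.TEST_SERVER_CERT,
            const.TEST_SERVER_KEY, const.TEST_SERVER_CLIENT_CA))

    linux_client.exec_command('sudo screen -d -m {0} -port 81 '
                              '-id {1}'.format(const.TEST_SERVER_BINARY,
                                               start_id + 1))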
Adam Harwellcd72b562018-05-07 11:37:22 -07001122
# Cirros does not configure the assigned IPv6 address by default
# so enable it manually like tempest does here:
# tempest/scenario/test_network_v6.py turn_nic6_on()
@classmethod
def _enable_ipv6_nic_webserver(cls, ip_address, ssh_key,
                               ipv6_address, ipv6_prefix):
    """Assign the IPv6 address to eth0 on a webserver over SSH.

    :param ip_address: Address used to reach the VM over SSH.
    :param ssh_key: Private key for CONF.validation.image_ssh_user.
    :param ipv6_address: IPv6 address to add to the interface.
    :param ipv6_prefix: Prefix length placed after the address.
    """
    ssh_client = remote_client.RemoteClient(
        ip_address, CONF.validation.image_ssh_user, pkey=ssh_key,
        **cls.remote_client_args())
    ssh_client.validate_authentication()

    # Both values are placed into the remote command line as-is; they are
    # presumably taken from the server and subnet records of this test
    # run - confirm against the callers.
    add_address = 'sudo ip address add {0}/{1} dev eth0'.format(
        ipv6_address, ipv6_prefix)
    ssh_client.exec_command(add_address)
1136
Adam Harwellcd72b562018-05-07 11:37:22 -07001137 @classmethod
Jude Cross986e3f52017-07-24 14:57:20 -07001138 def _validate_webserver(cls, ip_address, start_id):
1139 URL = 'http://{0}'.format(ip_address)
Michael Johnson89bdbcd2020-03-19 15:59:19 -07001140 cls.validate_URL_response(URL, expected_body=str(start_id))
Jude Cross986e3f52017-07-24 14:57:20 -07001141 URL = 'http://{0}:81'.format(ip_address)
Michael Johnson89bdbcd2020-03-19 15:59:19 -07001142 cls.validate_URL_response(URL, expected_body=str(start_id + 1))
Jude Cross986e3f52017-07-24 14:57:20 -07001143
Gregory Thiemonge29d17902019-04-30 15:06:17 +02001144 @classmethod
1145 def _validate_udp_server(cls, ip_address, start_id):
Michael Johnson89bdbcd2020-03-19 15:59:19 -07001146 res = cls.make_udp_request(ip_address, 80)
Gregory Thiemonge29d17902019-04-30 15:06:17 +02001147 if res != str(start_id):
1148 raise Exception("Response from test server doesn't match the "
1149 "expected value ({0} != {1}).".format(
1150 res, str(start_id)))
1151
Michael Johnson89bdbcd2020-03-19 15:59:19 -07001152 res = cls.make_udp_request(ip_address, 81)
Gregory Thiemonge29d17902019-04-30 15:06:17 +02001153 if res != str(start_id + 1):
1154 raise Exception("Response from test server doesn't match the "
1155 "expected value ({0} != {1}).".format(
1156 res, str(start_id + 1)))
Michael Johnsonbaf12e02020-10-27 16:10:28 -07001157
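@classmethod
def _create_backend_reencryption_pki(cls):
    """Create the CAs and client certificate for backend re-encryption.

    Sets cls.member_ca_cert and cls.member_ca_key (CA for the member
    test servers), cls.member_client_ca_cert (CA for member client
    authentication), and cls.member_client_cn, cls.member_client_cert
    and cls.member_client_key (the client identity). The client CA key
    is kept only as a local.
    """
    # Create a CA self-signed cert and key for the member test servers
    cls.member_ca_cert, cls.member_ca_key = (
        cert_utils.generate_ca_cert_and_key())

    LOG.debug('Member CA Cert: %s', cls.member_ca_cert.public_bytes(
        serialization.Encoding.PEM))
    # The CA private key is intentionally not logged: debug logs from
    # test runs are routinely stored and shared, and the certificate and
    # public key are enough to identify the CA when troubleshooting.
    LOG.debug('Member CA public Key: %s',
              cls.member_ca_key.public_key().public_bytes(
                  encoding=serialization.Encoding.PEM,
                  format=serialization.PublicFormat.SubjectPublicKeyInfo))

    # Create the member client authentication CA
    cls.member_client_ca_cert, member_client_ca_key = (
        cert_utils.generate_ca_cert_and_key())

    # Create client cert and key
    cls.member_client_cn = uuidutils.generate_uuid()
    cls.member_client_cert, cls.member_client_key = (
        cert_utils.generate_client_cert_and_key(
            cls.member_client_ca_cert, member_client_ca_key,
            cls.member_client_cn))
    # Note: We are not revoking a client cert here as we don't need to
    # test the backend web server CRL checking.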
1187
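@classmethod
def _load_member_pki_content(cls, ip_address, ssh_key, revoke_cert=False):
    """Generate a member's server certificate and copy its PKI files over.

    Writes the server certificate, the server private key and the client
    CA certificate into a temporary directory and copies them to
    const.DEV_SHM_PATH on the test server with a single scp call.

    :param ip_address: Address of the test server; passed to the
                       certificate generator and used as the scp host.
    :param ssh_key: Open key file object; its ``name`` is given to
                    ``scp -i``, so the file must still exist.
    :param revoke_cert: When True, also set cls.member_crl to a CRL that
                        revokes the certificate created here.
    :raises CommandFailed: if scp exits with a non-zero status.
    """
    # Create webserver certificate and key
    cert, key = cert_utils.generate_server_cert_and_key(
        cls.member_ca_cert, cls.member_ca_key, ip_address)

    LOG.debug('%s Cert: %s', ip_address, cert.public_bytes(
        serialization.Encoding.PEM))
    # The server private key is intentionally not logged: debug logs from
    # test runs are routinely stored and shared.
    LOG.debug('%s public Key: %s', ip_address,
              key.public_key().public_bytes(
                  encoding=serialization.Encoding.PEM,
                  format=serialization.PublicFormat.SubjectPublicKeyInfo))

    # Create a CRL with a revoked certificate
    if revoke_cert:
        # Create a CRL with webserver 2 revoked
        cls.member_crl = cert_utils.generate_certificate_revocation_list(
            cls.member_ca_cert, cls.member_ca_key, cert)

    pem_files = (
        (const.CERT_PEM, cert.public_bytes(serialization.Encoding.PEM)),
        (const.KEY_PEM, key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.NoEncryption())),
        (const.CLIENT_CA_PEM, cls.member_client_ca_cert.public_bytes(
            serialization.Encoding.PEM)),
    )

    # Load the certificate, key, and client CA certificate into the
    # test server.
    with tempfile.TemporaryDirectory() as tmpdir:
        files_to_send = []
        # The umask is process-wide. Clear it only while the files are
        # created (so they get exactly the requested mode) and put the
        # previous value back afterwards; leaving it at 0 would make
        # every file created later in this process default to
        # world-writable.
        previous_umask = os.umask(0)
        try:
            for filename, pem in pem_files:
                path = os.path.join(tmpdir, filename)
                # Owner-only access; the key is written unencrypted.
                with open(os.open(path, os.O_CREAT | os.O_WRONLY,
                                  0o700), 'w') as fh:
                    fh.write(pem.decode('utf-8'))
                files_to_send.append(path)
        finally:
            os.umask(previous_umask)

        # No shell is involved: scp is run from an argv list, so file
        # names are never globbed or re-parsed, and whitespace or quoting
        # in a configured value cannot change how scp reads its command
        # line.
        #
        # Host key verification is switched off (no known_hosts file,
        # StrictHostKeyChecking=no): the target is a VM booted for this
        # test run, so there is no previously known host key to compare
        # against and the server end of the copy is not authenticated.
        args = ["scp", "-v",
                "-o", "UserKnownHostsFile=/dev/null",
                "-o", "PubkeyAcceptedKeyTypes=+ssh-rsa"]
        if cls._need_scp_protocol():
            args.append("-O")
        args += [
            "-o", "StrictHostKeyChecking=no",
            "-o", "ConnectTimeout={0}".format(
                CONF.load_balancer.scp_connection_timeout),
            "-o", "ConnectionAttempts={0}".format(
                CONF.load_balancer.scp_connection_attempts),
            "-i", ssh_key.name]
        args += files_to_send
        args.append("{0}@{1}:{2}".format(
            CONF.validation.image_ssh_user, ip_address,
            const.DEV_SHM_PATH))
        # Only used for the error report below.
        cmd = " ".join(args)
        # stderr is merged into stdout, so communicate() returns None for
        # the second element.
        proc = subprocess.Popen(args, stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT, cwd=None)
        stdout, stderr = proc.communicate()
        if proc.returncode != 0:
            raise exceptions.CommandFailed(proc.returncode, cmd,
                                           stdout, stderr)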