Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / octavia-tempest-plugin / b6b075d1f65ac7eb5cebbfe602765866f6148280 / . / octavia_tempest_plugin / tests / test_base.py
blob: c93008e6af9302e8ac60e09f01cfd4494ad2f318 [file] [log] [blame]
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1# Copyright 2018 Rackspace US Inc. All rights reserved.
2#
3# Licensed under the Apache License, Version 2.0 (the "License"); you may
4# not use this file except in compliance with the License. You may obtain
5# a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12# License for the specific language governing permissions and limitations
13# under the License.
14
15import ipaddress
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]16import os
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]17import random
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]18import re
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]19import shlex
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]20import string
21import subprocess
22import tempfile
23
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]24from cryptography.hazmat.primitives import serialization
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +0100[diff] [blame]25from oslo_config import cfg
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]26from oslo_log import log as logging
27from oslo_utils import uuidutils
28from tempest import config
29from tempest.lib.common.utils import data_utils
30from tempest.lib.common.utils.linux import remote_client
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]31from tempest.lib import exceptions
32from tempest import test
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]33import tenacity
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]34
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]35from octavia_tempest_plugin.common import cert_utils
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]36from octavia_tempest_plugin.common import constants as const
Ilya Bumarskoveded9c72023-03-16 14:12:09 +0400[diff] [blame]37from octavia_tempest_plugin import config as config_octavia
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]38from octavia_tempest_plugin.tests import RBAC_tests
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]39from octavia_tempest_plugin.tests import validators
40from octavia_tempest_plugin.tests import waiters
41
42CONF = config.CONF
43LOG = logging.getLogger(__name__)
44
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]45
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]46class LoadBalancerBaseTest(validators.ValidatorsMixin,
47 RBAC_tests.RBACTestsMixin, test.BaseTestCase):
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]48 """Base class for load balancer tests."""
49
Gregory Thiemonge3497f6c2021-04-19 21:33:13 +0200[diff] [blame]50 if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
51 credentials = [
52 'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
53 ['lb_member', CONF.load_balancer.member_role],
54 ['lb_member2', CONF.load_balancer.member_role]]
55 elif CONF.load_balancer.enforce_new_defaults:
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]56 credentials = [
57 'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
58 ['lb_observer', CONF.load_balancer.observer_role, 'reader'],
59 ['lb_global_observer', CONF.load_balancer.global_observer_role,
60 'reader'],
61 ['lb_member', CONF.load_balancer.member_role, 'member'],
62 ['lb_member2', CONF.load_balancer.member_role, 'member'],
63 ['lb_member_not_default_member', CONF.load_balancer.member_role]]
64 else:
65 credentials = [
66 'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
67 ['lb_observer', CONF.load_balancer.observer_role, 'reader'],
68 ['lb_global_observer', CONF.load_balancer.global_observer_role,
69 'reader'],
70 ['lb_member', CONF.load_balancer.member_role],
71 ['lb_member2', CONF.load_balancer.member_role]]
72
73 # If scope enforcement is enabled, add in the system scope credentials.
74 # The project scope is already handled by the above credentials.
75 if CONF.enforce_scope.octavia:
76 credentials.extend(['system_admin', 'system_reader'])
77
78 # A tuple of credentials that will be allocated by tempest using the
79 # 'credentials' list above. These are used to build RBAC test lists.
80 allocated_creds = []
81 for cred in credentials:
82 if isinstance(cred, list):
83 allocated_creds.append('os_roles_' + cred[0])
84 else:
85 allocated_creds.append('os_' + cred)
86 # Tests shall not mess with the list of allocated credentials
87 allocated_credentials = tuple(allocated_creds)
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]88
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]89 webserver1_response = 1
90 webserver2_response = 5
Michael Johnsondfd818a2018-08-21 20:54:54 -0700[diff] [blame]91 used_ips = []
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]92
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]93 SRC_PORT_NUMBER_MIN = 32768
94 SRC_PORT_NUMBER_MAX = 61000
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]95 src_port_number = SRC_PORT_NUMBER_MIN
96
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]97 @classmethod
98 def skip_checks(cls):
99 """Check if we should skip all of the children tests."""
100 super(LoadBalancerBaseTest, cls).skip_checks()
101
102 service_list = {
103 'load_balancer': CONF.service_available.load_balancer,
104 }
105
106 live_service_list = {
107 'compute': CONF.service_available.nova,
108 'image': CONF.service_available.glance,
109 'neutron': CONF.service_available.neutron
110 }
111
112 if not CONF.load_balancer.test_with_noop:
113 service_list.update(live_service_list)
114
115 for service, available in service_list.items():
116 if not available:
zhangzs2a6cf672018-11-10 16:13:11 +0800[diff] [blame]117 skip_msg = ("{0} skipped as {1} service is not "
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]118 "available.".format(cls.__name__, service))
119 raise cls.skipException(skip_msg)
120
121 # We must be able to reach our VIP and instances
122 if not (CONF.network.project_networks_reachable
123 or CONF.network.public_network_id):
124 msg = ('Either project_networks_reachable must be "true", or '
125 'public_network_id must be defined.')
126 raise cls.skipException(msg)
127
128 @classmethod
129 def setup_credentials(cls):
130 """Setup test credentials and network resources."""
131 # Do not auto create network resources
132 cls.set_network_resources()
133 super(LoadBalancerBaseTest, cls).setup_credentials()
134
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]135 # Log the user roles for this test run
136 role_name_cache = {}
137 for cred in cls.credentials:
138 user_roles = []
139 if isinstance(cred, list):
140 user_name = cred[0]
141 cred_obj = getattr(cls, 'os_roles_' + cred[0])
142 else:
143 user_name = cred
144 cred_obj = getattr(cls, 'os_' + cred)
145 params = {'user.id': cred_obj.credentials.user_id,
146 'project.id': cred_obj.credentials.project_id}
147 roles = cls.os_admin.role_assignments_client.list_role_assignments(
148 **params)['role_assignments']
149 for role in roles:
150 role_id = role['role']['id']
151 try:
152 role_name = role_name_cache[role_id]
153 except KeyError:
154 role_name = cls.os_admin.roles_v3_client.show_role(
155 role_id)['role']['name']
156 role_name_cache[role_id] = role_name
157 user_roles.append([role_name, role['scope']])
158 LOG.info("User %s has roles: %s", user_name, user_roles)
159
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]160 @classmethod
161 def setup_clients(cls):
162 """Setup client aliases."""
163 super(LoadBalancerBaseTest, cls).setup_clients()
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]164 lb_admin_prefix = cls.os_roles_lb_admin.load_balancer_v2
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]165 cls.lb_mem_float_ip_client = cls.os_roles_lb_member.floating_ips_client
166 cls.lb_mem_keypairs_client = cls.os_roles_lb_member.keypairs_client
167 cls.lb_mem_net_client = cls.os_roles_lb_member.networks_client
168 cls.lb_mem_ports_client = cls.os_roles_lb_member.ports_client
169 cls.lb_mem_routers_client = cls.os_roles_lb_member.routers_client
170 cls.lb_mem_SG_client = cls.os_roles_lb_member.security_groups_client
171 cls.lb_mem_SGr_client = (
172 cls.os_roles_lb_member.security_group_rules_client)
173 cls.lb_mem_servers_client = cls.os_roles_lb_member.servers_client
174 cls.lb_mem_subnet_client = cls.os_roles_lb_member.subnets_client
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]175 cls.mem_lb_client = (
176 cls.os_roles_lb_member.load_balancer_v2.LoadbalancerClient())
177 cls.mem_listener_client = (
178 cls.os_roles_lb_member.load_balancer_v2.ListenerClient())
179 cls.mem_pool_client = (
180 cls.os_roles_lb_member.load_balancer_v2.PoolClient())
181 cls.mem_member_client = (
182 cls.os_roles_lb_member.load_balancer_v2.MemberClient())
Adam Harwell60ed9d92018-05-10 13:23:13 -0700[diff] [blame]183 cls.mem_healthmonitor_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]184 cls.os_roles_lb_member.load_balancer_v2.HealthMonitorClient())
185 cls.mem_l7policy_client = (
186 cls.os_roles_lb_member.load_balancer_v2.L7PolicyClient())
187 cls.mem_l7rule_client = (
188 cls.os_roles_lb_member.load_balancer_v2.L7RuleClient())
189 cls.lb_admin_amphora_client = lb_admin_prefix.AmphoraClient()
Michael Johnsonaff2e862019-01-11 16:38:00 -0800[diff] [blame]190 cls.lb_admin_flavor_profile_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]191 lb_admin_prefix.FlavorProfileClient())
192 cls.lb_admin_flavor_client = lb_admin_prefix.FlavorClient()
193 cls.mem_flavor_client = (
194 cls.os_roles_lb_member.load_balancer_v2.FlavorClient())
195 cls.mem_provider_client = (
196 cls.os_roles_lb_member.load_balancer_v2.ProviderClient())
Carlos Goncalvesc2e12162019-02-14 23:57:44 +0100[diff] [blame]197 cls.os_admin_servers_client = cls.os_admin.servers_client
Gregory Thiemonge54225ad2021-02-04 15:25:17 +0100[diff] [blame]198 cls.os_admin_routers_client = cls.os_admin.routers_client
199 cls.os_admin_subnetpools_client = cls.os_admin.subnetpools_client
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]200 cls.lb_admin_flavor_capabilities_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]201 lb_admin_prefix.FlavorCapabilitiesClient())
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]202 cls.lb_admin_availability_zone_capabilities_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]203 lb_admin_prefix.AvailabilityZoneCapabilitiesClient())
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]204 cls.lb_admin_availability_zone_profile_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]205 lb_admin_prefix.AvailabilityZoneProfileClient())
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]206 cls.lb_admin_availability_zone_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]207 lb_admin_prefix.AvailabilityZoneClient())
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]208 cls.mem_availability_zone_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]209 cls.os_roles_lb_member.load_balancer_v2.AvailabilityZoneClient())
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]210
211 @classmethod
212 def resource_setup(cls):
213 """Setup resources needed by the tests."""
214 super(LoadBalancerBaseTest, cls).resource_setup()
215
216 conf_lb = CONF.load_balancer
217
Michael Johnsondfd818a2018-08-21 20:54:54 -0700[diff] [blame]218 cls.api_version = cls.mem_lb_client.get_max_api_version()
219
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]220 if conf_lb.test_subnet_override and not conf_lb.test_network_override:
221 raise exceptions.InvalidConfiguration(
222 "Configuration value test_network_override must be "
223 "specified if test_subnet_override is used.")
224
Michael Johnson6a9236a2020-08-04 23:54:54 +0000[diff] [blame]225 # TODO(johnsom) Remove this
Maciej Józefczykb6df5f82019-12-10 10:12:30 +0000[diff] [blame]226 # Get loadbalancing algorithms supported by provider driver.
227 try:
228 algorithms = const.SUPPORTED_LB_ALGORITHMS[
229 CONF.load_balancer.provider]
230 except KeyError:
231 algorithms = const.SUPPORTED_LB_ALGORITHMS['default']
232 # Set default algorithm as first from the list.
233 cls.lb_algorithm = algorithms[0]
234
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]235 show_subnet = cls.lb_mem_subnet_client.show_subnet
236 if CONF.load_balancer.test_with_noop:
237 cls.lb_member_vip_net = {'id': uuidutils.generate_uuid()}
238 cls.lb_member_vip_subnet = {'id': uuidutils.generate_uuid()}
239 cls.lb_member_1_net = {'id': uuidutils.generate_uuid()}
240 cls.lb_member_1_subnet = {'id': uuidutils.generate_uuid()}
241 cls.lb_member_2_net = {'id': uuidutils.generate_uuid()}
242 cls.lb_member_2_subnet = {'id': uuidutils.generate_uuid()}
243 if CONF.load_balancer.test_with_ipv6:
Michael Johnson5a16ad32018-10-18 14:49:11 -0700[diff] [blame]244 cls.lb_member_vip_ipv6_net = {'id': uuidutils.generate_uuid()}
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]245 cls.lb_member_vip_ipv6_subnet = {'id':
246 uuidutils.generate_uuid()}
247 cls.lb_member_1_ipv6_subnet = {'id': uuidutils.generate_uuid()}
248 cls.lb_member_2_ipv6_subnet = {'id': uuidutils.generate_uuid()}
Michael Johnson590fbe12019-07-03 14:30:01 -0700[diff] [blame]249 cls.lb_member_vip_ipv6_subnet_stateful = True
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]250 return
251 elif CONF.load_balancer.test_network_override:
252 if conf_lb.test_subnet_override:
253 override_subnet = show_subnet(conf_lb.test_subnet_override)
254 else:
255 override_subnet = None
256
257 show_net = cls.lb_mem_net_client.show_network
258 override_network = show_net(conf_lb.test_network_override)
259 override_network = override_network.get('network')
260
261 cls.lb_member_vip_net = override_network
262 cls.lb_member_vip_subnet = override_subnet
263 cls.lb_member_1_net = override_network
264 cls.lb_member_1_subnet = override_subnet
265 cls.lb_member_2_net = override_network
266 cls.lb_member_2_subnet = override_subnet
267
268 if (CONF.load_balancer.test_with_ipv6 and
Michael Polenchukd6d861f2022-01-18 15:44:56 +0400[diff] [blame]269 conf_lb.test_ipv6_subnet_override):
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]270 override_ipv6_subnet = show_subnet(
Michael Polenchukd6d861f2022-01-18 15:44:56 +0400[diff] [blame]271 conf_lb.test_ipv6_subnet_override)
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]272 cls.lb_member_vip_ipv6_subnet = override_ipv6_subnet
273 cls.lb_member_1_ipv6_subnet = override_ipv6_subnet
274 cls.lb_member_2_ipv6_subnet = override_ipv6_subnet
Michael Johnson590fbe12019-07-03 14:30:01 -0700[diff] [blame]275 cls.lb_member_vip_ipv6_subnet_stateful = False
276 if (override_ipv6_subnet[0]['ipv6_address_mode'] ==
277 'dhcpv6-stateful'):
278 cls.lb_member_vip_ipv6_subnet_stateful = True
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]279 else:
280 cls.lb_member_vip_ipv6_subnet = None
281 cls.lb_member_1_ipv6_subnet = None
282 cls.lb_member_2_ipv6_subnet = None
283 else:
284 cls._create_networks()
285
286 LOG.debug('Octavia Setup: lb_member_vip_net = {}'.format(
287 cls.lb_member_vip_net[const.ID]))
288 if cls.lb_member_vip_subnet:
289 LOG.debug('Octavia Setup: lb_member_vip_subnet = {}'.format(
290 cls.lb_member_vip_subnet[const.ID]))
291 LOG.debug('Octavia Setup: lb_member_1_net = {}'.format(
292 cls.lb_member_1_net[const.ID]))
293 if cls.lb_member_1_subnet:
294 LOG.debug('Octavia Setup: lb_member_1_subnet = {}'.format(
295 cls.lb_member_1_subnet[const.ID]))
296 LOG.debug('Octavia Setup: lb_member_2_net = {}'.format(
297 cls.lb_member_2_net[const.ID]))
298 if cls.lb_member_2_subnet:
299 LOG.debug('Octavia Setup: lb_member_2_subnet = {}'.format(
300 cls.lb_member_2_subnet[const.ID]))
Michael Johnson124ba8b2018-08-30 16:06:05 -0700[diff] [blame]301 if CONF.load_balancer.test_with_ipv6:
302 if cls.lb_member_vip_ipv6_subnet:
303 LOG.debug('Octavia Setup: lb_member_vip_ipv6_subnet = '
304 '{}'.format(cls.lb_member_vip_ipv6_subnet[const.ID]))
305 if cls.lb_member_1_ipv6_subnet:
306 LOG.debug('Octavia Setup: lb_member_1_ipv6_subnet = {}'.format(
307 cls.lb_member_1_ipv6_subnet[const.ID]))
308 if cls.lb_member_2_ipv6_subnet:
309 LOG.debug('Octavia Setup: lb_member_2_ipv6_subnet = {}'.format(
310 cls.lb_member_2_ipv6_subnet[const.ID]))
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]311
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]312 @classmethod
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]313 # Neutron can be slow to clean up ports from the subnets/networks.
314 # Retry this delete a few times if we get a "Conflict" error to give
315 # neutron time to fully cleanup the ports.
316 @tenacity.retry(
317 retry=tenacity.retry_if_exception_type(exceptions.Conflict),
318 wait=tenacity.wait_incrementing(
Vasyl Saienkoa168ca42021-05-12 16:30:26 +0300[diff] [blame]319 const.RETRY_INITIAL_DELAY, const.RETRY_BACKOFF, const.RETRY_MAX),
320 stop=tenacity.stop_after_attempt(const.RETRY_ATTEMPTS))
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]321 def _logging_delete_network(cls, net_id):
322 try:
323 cls.lb_mem_net_client.delete_network(net_id)
324 except Exception:
325 LOG.error('Unable to delete network {}. Active ports:'.format(
326 net_id))
327 LOG.error(cls.lb_mem_ports_client.list_ports())
328 raise
329
330 @classmethod
331 # Neutron can be slow to clean up ports from the subnets/networks.
332 # Retry this delete a few times if we get a "Conflict" error to give
333 # neutron time to fully cleanup the ports.
334 @tenacity.retry(
335 retry=tenacity.retry_if_exception_type(exceptions.Conflict),
336 wait=tenacity.wait_incrementing(
Vasyl Saienkoa168ca42021-05-12 16:30:26 +0300[diff] [blame]337 const.RETRY_INITIAL_DELAY, const.RETRY_BACKOFF, const.RETRY_MAX),
338 stop=tenacity.stop_after_attempt(const.RETRY_ATTEMPTS))
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]339 def _logging_delete_subnet(cls, subnet_id):
340 try:
341 cls.lb_mem_subnet_client.delete_subnet(subnet_id)
342 except Exception:
343 LOG.error('Unable to delete subnet {}. Active ports:'.format(
344 subnet_id))
345 LOG.error(cls.lb_mem_ports_client.list_ports())
346 raise
347
348 @classmethod
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]349 def _create_networks(cls):
350 """Creates networks, subnets, and routers used in tests.
351
352 The following are expected to be defined and available to the tests:
353 cls.lb_member_vip_net
354 cls.lb_member_vip_subnet
355 cls.lb_member_vip_ipv6_subnet (optional)
356 cls.lb_member_1_net
357 cls.lb_member_1_subnet
358 cls.lb_member_1_ipv6_subnet (optional)
359 cls.lb_member_2_net
360 cls.lb_member_2_subnet
361 cls.lb_member_2_ipv6_subnet (optional)
362 """
363
364 # Create tenant VIP network
365 network_kwargs = {
366 'name': data_utils.rand_name("lb_member_vip_network")}
367 if CONF.network_feature_enabled.port_security:
Andreas Jaeger4215b702020-03-28 20:13:46 +0100[diff] [blame]368 # Note: Allowed Address Pairs requires port security
369 network_kwargs['port_security_enabled'] = True
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]370 result = cls.lb_mem_net_client.create_network(**network_kwargs)
371 cls.lb_member_vip_net = result['network']
372 LOG.info('lb_member_vip_net: {}'.format(cls.lb_member_vip_net))
373 cls.addClassResourceCleanup(
374 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]375 cls._logging_delete_network,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]376 cls.lb_mem_net_client.show_network,
377 cls.lb_member_vip_net['id'])
378
379 # Create tenant VIP subnet
380 subnet_kwargs = {
381 'name': data_utils.rand_name("lb_member_vip_subnet"),
382 'network_id': cls.lb_member_vip_net['id'],
383 'cidr': CONF.load_balancer.vip_subnet_cidr,
384 'ip_version': 4}
385 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
386 cls.lb_member_vip_subnet = result['subnet']
387 LOG.info('lb_member_vip_subnet: {}'.format(cls.lb_member_vip_subnet))
388 cls.addClassResourceCleanup(
389 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]390 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]391 cls.lb_mem_subnet_client.show_subnet,
392 cls.lb_member_vip_subnet['id'])
393
394 # Create tenant VIP IPv6 subnet
395 if CONF.load_balancer.test_with_ipv6:
Michael Johnson590fbe12019-07-03 14:30:01 -0700[diff] [blame]396 cls.lb_member_vip_ipv6_subnet_stateful = False
Gregory Thiemonge54225ad2021-02-04 15:25:17 +0100[diff] [blame]397 cls.lb_member_vip_ipv6_subnet_use_subnetpool = False
398 subnet_kwargs = {
399 'name': data_utils.rand_name("lb_member_vip_ipv6_subnet"),
400 'network_id': cls.lb_member_vip_net['id'],
401 'ip_version': 6}
402
403 # Use a CIDR from devstack's default IPv6 subnetpool if it exists,
404 # the subnetpool's cidr is routable from the devstack node
405 # through the default router
406 subnetpool_name = CONF.load_balancer.default_ipv6_subnetpool
407 if subnetpool_name:
408 subnetpool = cls.os_admin_subnetpools_client.list_subnetpools(
409 name=subnetpool_name)['subnetpools']
410 if len(subnetpool) == 1:
411 subnetpool = subnetpool[0]
412 subnet_kwargs['subnetpool_id'] = subnetpool['id']
413 cls.lb_member_vip_ipv6_subnet_use_subnetpool = True
414
415 if 'subnetpool_id' not in subnet_kwargs:
416 subnet_kwargs['cidr'] = (
417 CONF.load_balancer.vip_ipv6_subnet_cidr)
418
419 result = cls.lb_mem_subnet_client.create_subnet(
420 **subnet_kwargs)
421 cls.lb_member_vip_ipv6_net = cls.lb_member_vip_net
422 cls.lb_member_vip_ipv6_subnet = result['subnet']
423 cls.addClassResourceCleanup(
424 waiters.wait_for_not_found,
425 cls._logging_delete_subnet,
426 cls.lb_mem_subnet_client.show_subnet,
427 cls.lb_member_vip_ipv6_subnet['id'])
Carlos Goncalves84af48c2019-07-25 15:51:30 +0200[diff] [blame]428
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]429 LOG.info('lb_member_vip_ipv6_subnet: {}'.format(
430 cls.lb_member_vip_ipv6_subnet))
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]431
432 # Create tenant member 1 network
433 network_kwargs = {
434 'name': data_utils.rand_name("lb_member_1_network")}
435 if CONF.network_feature_enabled.port_security:
436 if CONF.load_balancer.enable_security_groups:
437 network_kwargs['port_security_enabled'] = True
438 else:
439 network_kwargs['port_security_enabled'] = False
440 result = cls.lb_mem_net_client.create_network(**network_kwargs)
441 cls.lb_member_1_net = result['network']
442 LOG.info('lb_member_1_net: {}'.format(cls.lb_member_1_net))
443 cls.addClassResourceCleanup(
444 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]445 cls._logging_delete_network,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]446 cls.lb_mem_net_client.show_network,
447 cls.lb_member_1_net['id'])
448
449 # Create tenant member 1 subnet
450 subnet_kwargs = {
451 'name': data_utils.rand_name("lb_member_1_subnet"),
452 'network_id': cls.lb_member_1_net['id'],
453 'cidr': CONF.load_balancer.member_1_ipv4_subnet_cidr,
454 'ip_version': 4}
455 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
456 cls.lb_member_1_subnet = result['subnet']
457 LOG.info('lb_member_1_subnet: {}'.format(cls.lb_member_1_subnet))
458 cls.addClassResourceCleanup(
459 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]460 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]461 cls.lb_mem_subnet_client.show_subnet,
462 cls.lb_member_1_subnet['id'])
463
464 # Create tenant member 1 ipv6 subnet
465 if CONF.load_balancer.test_with_ipv6:
466 subnet_kwargs = {
467 'name': data_utils.rand_name("lb_member_1_ipv6_subnet"),
468 'network_id': cls.lb_member_1_net['id'],
469 'cidr': CONF.load_balancer.member_1_ipv6_subnet_cidr,
470 'ip_version': 6}
471 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]472 cls.lb_member_1_subnet_prefix = (
473 CONF.load_balancer.member_1_ipv6_subnet_cidr.rpartition('/')[2]
474 )
475 assert(cls.lb_member_1_subnet_prefix.isdigit())
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]476 cls.lb_member_1_ipv6_subnet = result['subnet']
477 LOG.info('lb_member_1_ipv6_subnet: {}'.format(
478 cls.lb_member_1_ipv6_subnet))
479 cls.addClassResourceCleanup(
480 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]481 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]482 cls.lb_mem_subnet_client.show_subnet,
483 cls.lb_member_1_ipv6_subnet['id'])
484
485 # Create tenant member 2 network
486 network_kwargs = {
487 'name': data_utils.rand_name("lb_member_2_network")}
488 if CONF.network_feature_enabled.port_security:
489 if CONF.load_balancer.enable_security_groups:
490 network_kwargs['port_security_enabled'] = True
491 else:
492 network_kwargs['port_security_enabled'] = False
493 result = cls.lb_mem_net_client.create_network(**network_kwargs)
494 cls.lb_member_2_net = result['network']
495 LOG.info('lb_member_2_net: {}'.format(cls.lb_member_2_net))
496 cls.addClassResourceCleanup(
497 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]498 cls._logging_delete_network,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]499 cls.lb_mem_net_client.show_network,
500 cls.lb_member_2_net['id'])
501
502 # Create tenant member 2 subnet
503 subnet_kwargs = {
504 'name': data_utils.rand_name("lb_member_2_subnet"),
505 'network_id': cls.lb_member_2_net['id'],
506 'cidr': CONF.load_balancer.member_2_ipv4_subnet_cidr,
507 'ip_version': 4}
508 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
509 cls.lb_member_2_subnet = result['subnet']
510 LOG.info('lb_member_2_subnet: {}'.format(cls.lb_member_2_subnet))
511 cls.addClassResourceCleanup(
512 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]513 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]514 cls.lb_mem_subnet_client.show_subnet,
515 cls.lb_member_2_subnet['id'])
516
517 # Create tenant member 2 ipv6 subnet
518 if CONF.load_balancer.test_with_ipv6:
519 subnet_kwargs = {
520 'name': data_utils.rand_name("lb_member_2_ipv6_subnet"),
521 'network_id': cls.lb_member_2_net['id'],
522 'cidr': CONF.load_balancer.member_2_ipv6_subnet_cidr,
523 'ip_version': 6}
524 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]525 cls.lb_member_2_subnet_prefix = (
526 CONF.load_balancer.member_2_ipv6_subnet_cidr.rpartition('/')[2]
527 )
528 assert(cls.lb_member_2_subnet_prefix.isdigit())
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]529 cls.lb_member_2_ipv6_subnet = result['subnet']
530 LOG.info('lb_member_2_ipv6_subnet: {}'.format(
531 cls.lb_member_2_ipv6_subnet))
532 cls.addClassResourceCleanup(
533 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]534 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]535 cls.lb_mem_subnet_client.show_subnet,
536 cls.lb_member_2_ipv6_subnet['id'])
537
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]538 @classmethod
Michael Johnson07c9a632018-06-07 13:27:42 -0700[diff] [blame]539 def _setup_lb_network_kwargs(cls, lb_kwargs, ip_version=None,
540 use_fixed_ip=False):
Adam Harwell60ed9d92018-05-10 13:23:13 -0700[diff] [blame]541 if not ip_version:
542 ip_version = 6 if CONF.load_balancer.test_with_ipv6 else 4
Michael Johnson5a16ad32018-10-18 14:49:11 -0700[diff] [blame]543 if cls.lb_member_vip_subnet or cls.lb_member_vip_ipv6_subnet:
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]544 ip_index = data_utils.rand_int_id(start=10, end=100)
Michael Johnsondfd818a2018-08-21 20:54:54 -0700[diff] [blame]545 while ip_index in cls.used_ips:
546 ip_index = data_utils.rand_int_id(start=10, end=100)
547 cls.used_ips.append(ip_index)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]548 if ip_version == 4:
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]549 subnet_id = cls.lb_member_vip_subnet[const.ID]
Michael Johnson5a16ad32018-10-18 14:49:11 -0700[diff] [blame]550 if CONF.load_balancer.test_with_noop:
551 lb_vip_address = '198.18.33.33'
552 else:
553 subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
554 network = ipaddress.IPv4Network(subnet['subnet']['cidr'])
555 lb_vip_address = str(network[ip_index])
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]556 else:
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]557 subnet_id = cls.lb_member_vip_ipv6_subnet[const.ID]
Michael Johnson5a16ad32018-10-18 14:49:11 -0700[diff] [blame]558 if CONF.load_balancer.test_with_noop:
559 lb_vip_address = '2001:db8:33:33:33:33:33:33'
560 else:
561 subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
562 network = ipaddress.IPv6Network(subnet['subnet']['cidr'])
563 lb_vip_address = str(network[ip_index])
Michael Johnson590fbe12019-07-03 14:30:01 -0700[diff] [blame]564 # If the subnet is IPv6 slaac or dhcpv6-stateless
565 # neutron does not allow a fixed IP
566 if not cls.lb_member_vip_ipv6_subnet_stateful:
567 use_fixed_ip = False
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]568 lb_kwargs[const.VIP_SUBNET_ID] = subnet_id
Michael Johnson07c9a632018-06-07 13:27:42 -0700[diff] [blame]569 if use_fixed_ip:
570 lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]571 if CONF.load_balancer.test_with_noop:
572 lb_kwargs[const.VIP_NETWORK_ID] = (
573 cls.lb_member_vip_net[const.ID])
Carlos Goncalvesbb238552020-01-15 10:10:55 +0000[diff] [blame]574 if ip_version == 6:
575 lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]576 else:
577 lb_kwargs[const.VIP_NETWORK_ID] = cls.lb_member_vip_net[const.ID]
578 lb_kwargs[const.VIP_SUBNET_ID] = None
579
ibumarskovcb804b12020-09-03 18:21:29 +0400[diff] [blame]580 @classmethod
581 def check_tf_compatibility(cls, protocol=None, algorithm=None):
582 # TungstenFabric supported protocols and algorithms
Ilya Bumarskov3a252d22021-02-03 16:16:42 +0400[diff] [blame]583 tf_protocols = [const.HTTP, const.HTTPS, const.TCP,
ibumarskovcb804b12020-09-03 18:21:29 +0400[diff] [blame]584 const.TERMINATED_HTTPS]
585 tf_algorithms = [const.LB_ALGORITHM_ROUND_ROBIN,
586 const.LB_ALGORITHM_LEAST_CONNECTIONS,
587 const.LB_ALGORITHM_SOURCE_IP]
588
589 if algorithm and algorithm not in tf_algorithms:
590 raise cls.skipException(
591 'TungstenFabric does not support {} algorithm.'
592 ''.format(algorithm))
593 if protocol and protocol not in tf_protocols:
594 raise cls.skipException(
595 'TungstenFabric does not support {} protocol.'
596 ''.format(protocol))
597
598 @classmethod
599 def _tf_create_listener(cls, name, proto, port, lb_id):
600 listener_kwargs = {
601 const.NAME: name,
602 const.PROTOCOL: proto,
603 const.PROTOCOL_PORT: port,
604 const.LOADBALANCER_ID: lb_id,
605 }
606 listener = cls.mem_listener_client.create_listener(**listener_kwargs)
607 return listener
608
609 @classmethod
610 def _tf_get_free_port(cls, lb_id):
611 port = 8081
612 lb = cls.mem_lb_client.show_loadbalancer(lb_id)
613 listeners = lb[const.LISTENERS]
614 if not listeners:
615 return port
616 ports = [cls.mem_listener_client.show_listener(x[const.ID])[
617 const.PROTOCOL_PORT] for x in listeners]
618 while port in ports:
619 port = port + 1
620 return port
621
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]622
623class LoadBalancerBaseTestWithCompute(LoadBalancerBaseTest):
624 @classmethod
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +0100[diff] [blame]625 def remote_client_args(cls):
626 # In case we're using octavia-tempest-plugin with old tempest releases
627 # (for instance on stable/train) that don't support ssh_key_type, catch
628 # the exception and don't pass any argument
629 args = {}
630 try:
631 args['ssh_key_type'] = CONF.validation.ssh_key_type
632 except cfg.NoSuchOptError:
633 pass
634 return args
635
636 @classmethod
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]637 def resource_setup(cls):
638 super(LoadBalancerBaseTestWithCompute, cls).resource_setup()
639 # If validation is disabled in this cloud, we won't be able to
640 # start the webservers, so don't even boot them.
641 if not CONF.validation.run_validation:
642 return
643
644 # Create a keypair for the webservers
645 keypair_name = data_utils.rand_name('lb_member_keypair')
646 result = cls.lb_mem_keypairs_client.create_keypair(
647 name=keypair_name)
648 cls.lb_member_keypair = result['keypair']
649 LOG.info('lb_member_keypair: {}'.format(cls.lb_member_keypair))
650 cls.addClassResourceCleanup(
651 waiters.wait_for_not_found,
652 cls.lb_mem_keypairs_client.delete_keypair,
653 cls.lb_mem_keypairs_client.show_keypair,
654 keypair_name)
655
656 if (CONF.load_balancer.enable_security_groups and
657 CONF.network_feature_enabled.port_security):
658 # Set up the security group for the webservers
659 SG_name = data_utils.rand_name('lb_member_SG')
660 cls.lb_member_sec_group = (
661 cls.lb_mem_SG_client.create_security_group(
662 name=SG_name)['security_group'])
663 cls.addClassResourceCleanup(
664 waiters.wait_for_not_found,
665 cls.lb_mem_SG_client.delete_security_group,
666 cls.lb_mem_SG_client.show_security_group,
667 cls.lb_member_sec_group['id'])
668
669 # Create a security group rule to allow 80-81 (test webservers)
670 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
671 direction='ingress',
672 security_group_id=cls.lb_member_sec_group['id'],
673 protocol='tcp',
674 ethertype='IPv4',
675 port_range_min=80,
676 port_range_max=81)['security_group_rule']
677 cls.addClassResourceCleanup(
678 waiters.wait_for_not_found,
679 cls.lb_mem_SGr_client.delete_security_group_rule,
680 cls.lb_mem_SGr_client.show_security_group_rule,
681 SGr['id'])
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]682 # Create a security group rule to allow UDP 80-81 (test webservers)
683 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
684 direction='ingress',
685 security_group_id=cls.lb_member_sec_group['id'],
686 protocol='udp',
687 ethertype='IPv4',
688 port_range_min=80,
689 port_range_max=81)['security_group_rule']
690 cls.addClassResourceCleanup(
691 waiters.wait_for_not_found,
692 cls.lb_mem_SGr_client.delete_security_group_rule,
693 cls.lb_mem_SGr_client.show_security_group_rule,
694 SGr['id'])
Michael Johnson74b6f2f2020-10-29 15:11:39 -0700[diff] [blame]695 # Create a security group rule to allow 443 (test webservers)
696 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
697 direction='ingress',
698 security_group_id=cls.lb_member_sec_group['id'],
699 protocol='tcp',
700 ethertype='IPv4',
701 port_range_min=443,
702 port_range_max=443)['security_group_rule']
703 cls.addClassResourceCleanup(
704 waiters.wait_for_not_found,
705 cls.lb_mem_SGr_client.delete_security_group_rule,
706 cls.lb_mem_SGr_client.show_security_group_rule,
707 SGr['id'])
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]708 # Create a security group rule to allow UDP 9999 (test webservers)
709 # Port 9999 is used to illustrate health monitor ERRORs on closed
710 # ports.
711 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
712 direction='ingress',
713 security_group_id=cls.lb_member_sec_group['id'],
714 protocol='udp',
715 ethertype='IPv4',
716 port_range_min=9999,
717 port_range_max=9999)['security_group_rule']
718 cls.addClassResourceCleanup(
719 waiters.wait_for_not_found,
720 cls.lb_mem_SGr_client.delete_security_group_rule,
721 cls.lb_mem_SGr_client.show_security_group_rule,
722 SGr['id'])
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]723 # Create a security group rule to allow 22 (ssh)
724 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
725 direction='ingress',
726 security_group_id=cls.lb_member_sec_group['id'],
727 protocol='tcp',
728 ethertype='IPv4',
729 port_range_min=22,
730 port_range_max=22)['security_group_rule']
731 cls.addClassResourceCleanup(
732 waiters.wait_for_not_found,
733 cls.lb_mem_SGr_client.delete_security_group_rule,
734 cls.lb_mem_SGr_client.show_security_group_rule,
735 SGr['id'])
736 if CONF.load_balancer.test_with_ipv6:
737 # Create a security group rule to allow 80-81 (test webservers)
738 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
739 direction='ingress',
740 security_group_id=cls.lb_member_sec_group['id'],
741 protocol='tcp',
742 ethertype='IPv6',
743 port_range_min=80,
744 port_range_max=81)['security_group_rule']
745 cls.addClassResourceCleanup(
746 waiters.wait_for_not_found,
747 cls.lb_mem_SGr_client.delete_security_group_rule,
748 cls.lb_mem_SGr_client.show_security_group_rule,
749 SGr['id'])
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]750 # Create a security group rule to allow UDP 80-81 (test
751 # webservers)
752 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
753 direction='ingress',
754 security_group_id=cls.lb_member_sec_group['id'],
755 protocol='udp',
756 ethertype='IPv6',
757 port_range_min=80,
758 port_range_max=81)['security_group_rule']
759 cls.addClassResourceCleanup(
760 waiters.wait_for_not_found,
761 cls.lb_mem_SGr_client.delete_security_group_rule,
762 cls.lb_mem_SGr_client.show_security_group_rule,
763 SGr['id'])
Michael Johnson74b6f2f2020-10-29 15:11:39 -0700[diff] [blame]764 # Create a security group rule to allow 443 (test webservers)
765 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
766 direction='ingress',
767 security_group_id=cls.lb_member_sec_group['id'],
768 protocol='tcp',
769 ethertype='IPv6',
770 port_range_min=443,
771 port_range_max=443)['security_group_rule']
772 cls.addClassResourceCleanup(
773 waiters.wait_for_not_found,
774 cls.lb_mem_SGr_client.delete_security_group_rule,
775 cls.lb_mem_SGr_client.show_security_group_rule,
776 SGr['id'])
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]777 # Create a security group rule to allow 22 (ssh)
778 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
779 direction='ingress',
780 security_group_id=cls.lb_member_sec_group['id'],
781 protocol='tcp',
782 ethertype='IPv6',
783 port_range_min=22,
784 port_range_max=22)['security_group_rule']
785 cls.addClassResourceCleanup(
786 waiters.wait_for_not_found,
787 cls.lb_mem_SGr_client.delete_security_group_rule,
788 cls.lb_mem_SGr_client.show_security_group_rule,
789 SGr['id'])
790
791 LOG.info('lb_member_sec_group: {}'.format(cls.lb_member_sec_group))
792
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]793 # Setup backend member reencryption PKI
794 cls._create_backend_reencryption_pki()
795
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]796 # Create webserver 1 instance
797 server_details = cls._create_webserver('lb_member_webserver1',
798 cls.lb_member_1_net)
799
800 cls.lb_member_webserver1 = server_details['server']
801 cls.webserver1_ip = server_details.get('ipv4_address')
802 cls.webserver1_ipv6 = server_details.get('ipv6_address')
803 cls.webserver1_public_ip = server_details['public_ipv4_address']
804
805 LOG.debug('Octavia Setup: lb_member_webserver1 = {}'.format(
806 cls.lb_member_webserver1[const.ID]))
807 LOG.debug('Octavia Setup: webserver1_ip = {}'.format(
808 cls.webserver1_ip))
809 LOG.debug('Octavia Setup: webserver1_ipv6 = {}'.format(
810 cls.webserver1_ipv6))
811 LOG.debug('Octavia Setup: webserver1_public_ip = {}'.format(
812 cls.webserver1_public_ip))
813
814 # Create webserver 2 instance
815 server_details = cls._create_webserver('lb_member_webserver2',
816 cls.lb_member_2_net)
817
818 cls.lb_member_webserver2 = server_details['server']
819 cls.webserver2_ip = server_details.get('ipv4_address')
820 cls.webserver2_ipv6 = server_details.get('ipv6_address')
821 cls.webserver2_public_ip = server_details['public_ipv4_address']
822
823 LOG.debug('Octavia Setup: lb_member_webserver2 = {}'.format(
824 cls.lb_member_webserver2[const.ID]))
825 LOG.debug('Octavia Setup: webserver2_ip = {}'.format(
826 cls.webserver2_ip))
827 LOG.debug('Octavia Setup: webserver2_ipv6 = {}'.format(
828 cls.webserver2_ipv6))
829 LOG.debug('Octavia Setup: webserver2_public_ip = {}'.format(
830 cls.webserver2_public_ip))
831
Ilya Bumarskoveded9c72023-03-16 14:12:09 +0400[diff] [blame]832 if (CONF.load_balancer.test_with_ipv6 and not
833 config_octavia.is_tungstenfabric_backend_enabled()):
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]834 # Enable the IPv6 nic in webserver 1
835 cls._enable_ipv6_nic_webserver(
836 cls.webserver1_public_ip, cls.lb_member_keypair['private_key'],
837 cls.webserver1_ipv6, cls.lb_member_1_subnet_prefix)
838
839 # Enable the IPv6 nic in webserver 2
840 cls._enable_ipv6_nic_webserver(
841 cls.webserver2_public_ip, cls.lb_member_keypair['private_key'],
842 cls.webserver2_ipv6, cls.lb_member_2_subnet_prefix)
843
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]844 # Set up serving on webserver 1
845 cls._install_start_webserver(cls.webserver1_public_ip,
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]846 cls.lb_member_keypair['private_key'],
847 cls.webserver1_response)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]848
849 # Validate webserver 1
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]850 cls._validate_webserver(cls.webserver1_public_ip,
851 cls.webserver1_response)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]852
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]853 # Validate udp server 1
854 cls._validate_udp_server(cls.webserver1_public_ip,
855 cls.webserver1_response)
856
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]857 # Set up serving on webserver 2
858 cls._install_start_webserver(cls.webserver2_public_ip,
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]859 cls.lb_member_keypair['private_key'],
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]860 cls.webserver2_response, revoke_cert=True)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]861
862 # Validate webserver 2
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]863 cls._validate_webserver(cls.webserver2_public_ip,
864 cls.webserver2_response)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]865
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]866 # Validate udp server 2
867 cls._validate_udp_server(cls.webserver2_public_ip,
868 cls.webserver2_response)
869
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]870 @classmethod
871 def _create_networks(cls):
872 super(LoadBalancerBaseTestWithCompute, cls)._create_networks()
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]873 # Create a router for the subnets (required for the floating IP)
874 router_name = data_utils.rand_name("lb_member_router")
875 result = cls.lb_mem_routers_client.create_router(
876 name=router_name, admin_state_up=True,
877 external_gateway_info=dict(
878 network_id=CONF.network.public_network_id))
879 cls.lb_member_router = result['router']
880 LOG.info('lb_member_router: {}'.format(cls.lb_member_router))
881 cls.addClassResourceCleanup(
882 waiters.wait_for_not_found,
883 cls.lb_mem_routers_client.delete_router,
884 cls.lb_mem_routers_client.show_router,
885 cls.lb_member_router['id'])
886
887 # Add VIP subnet to router
888 cls.lb_mem_routers_client.add_router_interface(
889 cls.lb_member_router['id'],
890 subnet_id=cls.lb_member_vip_subnet['id'])
891 cls.addClassResourceCleanup(
892 waiters.wait_for_not_found,
893 cls.lb_mem_routers_client.remove_router_interface,
894 cls.lb_mem_routers_client.remove_router_interface,
895 cls.lb_member_router['id'],
896 subnet_id=cls.lb_member_vip_subnet['id'])
897
Gregory Thiemonge54225ad2021-02-04 15:25:17 +0100[diff] [blame]898 if (CONF.load_balancer.test_with_ipv6 and
899 CONF.load_balancer.default_router and
900 cls.lb_member_vip_ipv6_subnet_use_subnetpool):
901
902 router_name = CONF.load_balancer.default_router
903 # if lb_member_vip_ipv6_subnet uses devstack's subnetpool,
904 # plug the subnet into the default router
905 router = cls.os_admin.routers_client.list_routers(
906 name=router_name)['routers']
907
908 if len(router) == 1:
909 router = router[0]
910
911 # Add IPv6 VIP subnet to router1
912 cls.os_admin_routers_client.add_router_interface(
913 router['id'],
914 subnet_id=cls.lb_member_vip_ipv6_subnet['id'])
915 cls.addClassResourceCleanup(
916 waiters.wait_for_not_found,
917 cls.os_admin_routers_client.remove_router_interface,
918 cls.os_admin_routers_client.remove_router_interface,
919 router['id'],
920 subnet_id=cls.lb_member_vip_ipv6_subnet['id'])
921
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]922 # Add member subnet 1 to router
923 cls.lb_mem_routers_client.add_router_interface(
924 cls.lb_member_router['id'],
925 subnet_id=cls.lb_member_1_subnet['id'])
926 cls.addClassResourceCleanup(
927 waiters.wait_for_not_found,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]928 cls.lb_mem_routers_client.remove_router_interface,
929 cls.lb_mem_routers_client.remove_router_interface,
930 cls.lb_member_router['id'], subnet_id=cls.lb_member_1_subnet['id'])
931
932 # Add member subnet 2 to router
933 cls.lb_mem_routers_client.add_router_interface(
934 cls.lb_member_router['id'],
935 subnet_id=cls.lb_member_2_subnet['id'])
936 cls.addClassResourceCleanup(
937 waiters.wait_for_not_found,
938 cls.lb_mem_routers_client.remove_router_interface,
939 cls.lb_mem_routers_client.remove_router_interface,
940 cls.lb_member_router['id'], subnet_id=cls.lb_member_2_subnet['id'])
941
942 @classmethod
943 def _create_webserver(cls, name, network):
944 """Creates a webserver with two ports.
945
946 webserver_details dictionary contains:
947 server - The compute server object
948 ipv4_address - The IPv4 address for the server (optional)
949 ipv6_address - The IPv6 address for the server (optional)
950 public_ipv4_address - The publicly accessible IPv4 address for the
951 server, this may be a floating IP (optional)
952
953 :param name: The name of the server to create.
954 :param network: The network to boot the server on.
955 :returns: webserver_details dictionary.
956 """
957 server_kwargs = {
958 'name': data_utils.rand_name(name),
959 'flavorRef': CONF.compute.flavor_ref,
960 'imageRef': CONF.compute.image_ref,
961 'key_name': cls.lb_member_keypair['name']}
962 if (CONF.load_balancer.enable_security_groups and
963 CONF.network_feature_enabled.port_security):
964 server_kwargs['security_groups'] = [
965 {'name': cls.lb_member_sec_group['name']}]
966 if not CONF.load_balancer.disable_boot_network:
967 server_kwargs['networks'] = [{'uuid': network['id']}]
968
969 # Replace the name for clouds that have limitations
970 if CONF.load_balancer.random_server_name_length:
971 r = random.SystemRandom()
972 server_kwargs['name'] = "m{}".format("".join(
973 [r.choice(string.ascii_uppercase + string.digits)
974 for _ in range(
975 CONF.load_balancer.random_server_name_length - 1)]
976 ))
977 if CONF.load_balancer.availability_zone:
978 server_kwargs['availability_zone'] = (
979 CONF.load_balancer.availability_zone)
980
981 server = cls.lb_mem_servers_client.create_server(
982 **server_kwargs)['server']
983 cls.addClassResourceCleanup(
984 waiters.wait_for_not_found,
985 cls.lb_mem_servers_client.delete_server,
986 cls.lb_mem_servers_client.show_server,
987 server['id'])
988 server = waiters.wait_for_status(
989 cls.lb_mem_servers_client.show_server,
990 server['id'], 'status', 'ACTIVE',
991 CONF.load_balancer.build_interval,
992 CONF.load_balancer.build_timeout,
993 root_tag='server')
994 webserver_details = {'server': server}
995 LOG.info('Created server: {}'.format(server))
996
997 addresses = server['addresses']
998 if CONF.load_balancer.disable_boot_network:
999 instance_network = addresses.values()[0]
1000 else:
1001 instance_network = addresses[network['name']]
1002 for addr in instance_network:
1003 if addr['version'] == 4:
1004 webserver_details['ipv4_address'] = addr['addr']
1005 if addr['version'] == 6:
1006 webserver_details['ipv6_address'] = addr['addr']
1007
1008 if CONF.validation.connect_method == 'floating':
1009 result = cls.lb_mem_ports_client.list_ports(
1010 network_id=network['id'],
1011 mac_address=instance_network[0]['OS-EXT-IPS-MAC:mac_addr'])
1012 port_id = result['ports'][0]['id']
Ilya Bumarskoveded9c72023-03-16 14:12:09 +0400[diff] [blame]1013 if config_octavia.is_tungstenfabric_backend_enabled():
1014 port = result['ports'][0]
1015 fixed_ip = None
1016 for ip in port["fixed_ips"]:
1017 if (type(ipaddress.ip_address(ip["ip_address"])) is
1018 ipaddress.IPv4Address):
1019 fixed_ip = ip["ip_address"]
1020 break
1021 assert fixed_ip is not None, (f"Port doesn't have ipv4 "
1022 f"address: {port['fixed_ips']}")
1023 result = cls.lb_mem_float_ip_client.create_floatingip(
1024 floating_network_id=CONF.network.public_network_id,
1025 port_id=port_id,
1026 fixed_ip_address=fixed_ip)
1027 else:
1028 result = cls.lb_mem_float_ip_client.create_floatingip(
1029 floating_network_id=CONF.network.public_network_id,
1030 port_id=port_id)
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1031 floating_ip = result['floatingip']
1032 LOG.info('webserver1_floating_ip: {}'.format(floating_ip))
1033 cls.addClassResourceCleanup(
1034 waiters.wait_for_not_found,
1035 cls.lb_mem_float_ip_client.delete_floatingip,
1036 cls.lb_mem_float_ip_client.show_floatingip,
1037 floatingip_id=floating_ip['id'])
1038 webserver_details['public_ipv4_address'] = (
1039 floating_ip['floating_ip_address'])
1040 else:
1041 webserver_details['public_ipv4_address'] = (
1042 instance_network[0]['addr'])
1043
1044 return webserver_details
1045
1046 @classmethod
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1047 def _get_openssh_version(cls):
1048 p = subprocess.Popen(["ssh", "-V"],
1049 stdout=subprocess.PIPE,
1050 stderr=subprocess.PIPE)
1051 output = p.communicate()[1]
1052
1053 try:
1054 m = re.match(r"OpenSSH_(\d+)\.(\d+)", output.decode('utf-8'))
1055 version_maj = int(m.group(1))
1056 version_min = int(m.group(2))
1057 return version_maj, version_min
1058 except Exception:
1059 return None, None
1060
1061 @classmethod
1062 def _need_scp_protocol(cls):
1063 # When using scp >= 8.7, force the use of the SCP protocol,
1064 # the new default (SFTP protocol) doesn't work with
1065 # cirros VMs.
1066 ssh_version = cls._get_openssh_version()
1067 LOG.debug("ssh_version = {}".format(ssh_version))
1068 return (ssh_version[0] > 8 or
1069 (ssh_version[0] == 8 and ssh_version[1] >= 7))
1070
1071 @classmethod
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1072 def _install_start_webserver(cls, ip_address, ssh_key, start_id,
1073 revoke_cert=False):
Michael Johnson27357352020-11-13 13:55:09 -0800[diff] [blame]1074 local_file = CONF.load_balancer.test_server_path
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1075
1076 linux_client = remote_client.RemoteClient(
Ade Leed0ea4062021-09-06 15:33:27 -0400[diff] [blame]1077 ip_address, CONF.validation.image_ssh_user, pkey=ssh_key,
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +0100[diff] [blame]1078 **cls.remote_client_args())
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1079 linux_client.validate_authentication()
1080
1081 with tempfile.NamedTemporaryFile() as key:
1082 key.write(ssh_key.encode('utf-8'))
1083 key.flush()
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1084 ssh_extra_args = (
1085 "-o PubkeyAcceptedKeyTypes=+ssh-rsa")
1086 if cls._need_scp_protocol():
1087 ssh_extra_args += " -O"
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1088 cmd = ("scp -v -o UserKnownHostsFile=/dev/null "
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1089 "{7} "
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1090 "-o StrictHostKeyChecking=no "
1091 "-o ConnectTimeout={0} -o ConnectionAttempts={1} "
1092 "-i {2} {3} {4}@{5}:{6}").format(
1093 CONF.load_balancer.scp_connection_timeout,
1094 CONF.load_balancer.scp_connection_attempts,
1095 key.name, local_file, CONF.validation.image_ssh_user,
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1096 ip_address, const.TEST_SERVER_BINARY,
1097 ssh_extra_args)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1098 args = shlex.split(cmd)
1099 subprocess_args = {'stdout': subprocess.PIPE,
1100 'stderr': subprocess.STDOUT,
1101 'cwd': None}
1102 proc = subprocess.Popen(args, **subprocess_args)
1103 stdout, stderr = proc.communicate()
1104 if proc.returncode != 0:
1105 raise exceptions.CommandFailed(proc.returncode, cmd,
1106 stdout, stderr)
Gregory Thiemongef72a8862019-08-06 17:25:42 +0200[diff] [blame]1107
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1108 cls._load_member_pki_content(ip_address, key,
1109 revoke_cert=revoke_cert)
1110
Gregory Thiemongef72a8862019-08-06 17:25:42 +0200[diff] [blame]1111 # Enabling memory overcommit allows to run golang static binaries
1112 # compiled with a recent golang toolchain (>=1.11). Those binaries
1113 # allocate a large amount of virtual memory at init time, and this
1114 # allocation fails in tempest's nano flavor (64MB of RAM)
1115 # (golang issue reported in https://github.com/golang/go/issues/28114,
1116 # follow-up: https://github.com/golang/go/issues/28081)
1117 # TODO(gthiemonge): Remove this call when golang issue is resolved.
1118 linux_client.exec_command('sudo sh -c "echo 1 > '
1119 '/proc/sys/vm/overcommit_memory"')
1120
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1121 # The initial process also supports HTTPS and HTTPS with client auth
1122 linux_client.exec_command(
1123 'sudo screen -d -m {0} -port 80 -id {1} -https_port 443 -cert {2} '
1124 '-key {3} -https_client_auth_port 9443 -client_ca {4}'.format(
1125 const.TEST_SERVER_BINARY, start_id, const.TEST_SERVER_CERT,
1126 const.TEST_SERVER_KEY, const.TEST_SERVER_CLIENT_CA))
1127
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1128 linux_client.exec_command('sudo screen -d -m {0} -port 81 '
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1129 '-id {1}'.format(const.TEST_SERVER_BINARY,
1130 start_id + 1))
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1131
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]1132 # Cirros does not configure the assigned IPv6 address by default
1133 # so enable it manually like tempest does here:
1134 # tempest/scenario/test_netowrk_v6.py turn_nic6_on()
1135 @classmethod
1136 def _enable_ipv6_nic_webserver(cls, ip_address, ssh_key,
1137 ipv6_address, ipv6_prefix):
1138 linux_client = remote_client.RemoteClient(
Ade Leed0ea4062021-09-06 15:33:27 -0400[diff] [blame]1139 ip_address, CONF.validation.image_ssh_user, pkey=ssh_key,
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +0100[diff] [blame]1140 **cls.remote_client_args())
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]1141 linux_client.validate_authentication()
1142
1143 linux_client.exec_command('sudo ip address add {0}/{1} dev '
1144 'eth0'.format(ipv6_address, ipv6_prefix))
1145
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1146 @classmethod
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1147 def _validate_webserver(cls, ip_address, start_id):
1148 URL = 'http://{0}'.format(ip_address)
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]1149 cls.validate_URL_response(URL, expected_body=str(start_id))
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1150 URL = 'http://{0}:81'.format(ip_address)
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]1151 cls.validate_URL_response(URL, expected_body=str(start_id + 1))
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1152
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]1153 @classmethod
1154 def _validate_udp_server(cls, ip_address, start_id):
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]1155 res = cls.make_udp_request(ip_address, 80)
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]1156 if res != str(start_id):
1157 raise Exception("Response from test server doesn't match the "
1158 "expected value ({0} != {1}).".format(
1159 res, str(start_id)))
1160
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]1161 res = cls.make_udp_request(ip_address, 81)
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]1162 if res != str(start_id + 1):
1163 raise Exception("Response from test server doesn't match the "
1164 "expected value ({0} != {1}).".format(
1165 res, str(start_id + 1)))
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1166
1167 @classmethod
1168 def _create_backend_reencryption_pki(cls):
1169 # Create a CA self-signed cert and key for the member test servers
1170 cls.member_ca_cert, cls.member_ca_key = (
1171 cert_utils.generate_ca_cert_and_key())
1172
1173 LOG.debug('Member CA Cert: %s', cls.member_ca_cert.public_bytes(
1174 serialization.Encoding.PEM))
1175 LOG.debug('Member CA private Key: %s', cls.member_ca_key.private_bytes(
1176 encoding=serialization.Encoding.PEM,
1177 format=serialization.PrivateFormat.TraditionalOpenSSL,
1178 encryption_algorithm=serialization.NoEncryption()))
1179 LOG.debug('Member CA public Key: %s',
1180 cls.member_ca_key.public_key().public_bytes(
1181 encoding=serialization.Encoding.PEM,
1182 format=serialization.PublicFormat.SubjectPublicKeyInfo))
1183
1184 # Create the member client authentication CA
1185 cls.member_client_ca_cert, member_client_ca_key = (
1186 cert_utils.generate_ca_cert_and_key())
1187
1188 # Create client cert and key
1189 cls.member_client_cn = uuidutils.generate_uuid()
1190 cls.member_client_cert, cls.member_client_key = (
1191 cert_utils.generate_client_cert_and_key(
1192 cls.member_client_ca_cert, member_client_ca_key,
1193 cls.member_client_cn))
1194 # Note: We are not revoking a client cert here as we don't need to
1195 # test the backend web server CRL checking.
1196
1197 @classmethod
1198 def _load_member_pki_content(cls, ip_address, ssh_key, revoke_cert=False):
1199 # Create webserver certificate and key
1200 cert, key = cert_utils.generate_server_cert_and_key(
1201 cls.member_ca_cert, cls.member_ca_key, ip_address)
1202
1203 LOG.debug('%s Cert: %s', ip_address, cert.public_bytes(
1204 serialization.Encoding.PEM))
1205 LOG.debug('%s private Key: %s', ip_address, key.private_bytes(
1206 encoding=serialization.Encoding.PEM,
1207 format=serialization.PrivateFormat.TraditionalOpenSSL,
1208 encryption_algorithm=serialization.NoEncryption()))
1209 public_key = key.public_key()
1210 LOG.debug('%s public Key: %s', ip_address, public_key.public_bytes(
1211 encoding=serialization.Encoding.PEM,
1212 format=serialization.PublicFormat.SubjectPublicKeyInfo))
1213
1214 # Create a CRL with a revoked certificate
1215 if revoke_cert:
1216 # Create a CRL with webserver 2 revoked
1217 cls.member_crl = cert_utils.generate_certificate_revocation_list(
1218 cls.member_ca_cert, cls.member_ca_key, cert)
1219
1220 # Load the certificate, key, and client CA certificate into the
1221 # test server.
1222 with tempfile.TemporaryDirectory() as tmpdir:
1223 os.umask(0)
1224 files_to_send = []
1225 cert_filename = os.path.join(tmpdir, const.CERT_PEM)
1226 files_to_send.append(cert_filename)
1227 with open(os.open(cert_filename, os.O_CREAT | os.O_WRONLY,
1228 0o700), 'w') as fh:
1229 fh.write(cert.public_bytes(
1230 serialization.Encoding.PEM).decode('utf-8'))
1231 fh.flush()
1232 key_filename = os.path.join(tmpdir, const.KEY_PEM)
1233 files_to_send.append(key_filename)
1234 with open(os.open(key_filename, os.O_CREAT | os.O_WRONLY,
1235 0o700), 'w') as fh:
1236 fh.write(key.private_bytes(
1237 encoding=serialization.Encoding.PEM,
1238 format=serialization.PrivateFormat.TraditionalOpenSSL,
1239 encryption_algorithm=serialization.NoEncryption()).decode(
1240 'utf-8'))
1241 fh.flush()
1242 client_ca_filename = os.path.join(tmpdir, const.CLIENT_CA_PEM)
1243 files_to_send.append(client_ca_filename)
1244 with open(os.open(client_ca_filename, os.O_CREAT | os.O_WRONLY,
1245 0o700), 'w') as fh:
1246 fh.write(cls.member_client_ca_cert.public_bytes(
1247 serialization.Encoding.PEM).decode('utf-8'))
1248 fh.flush()
1249
1250 # For security, we don't want to use a shell that can glob
1251 # the file names, so iterate over them.
1252 subprocess_args = {'stdout': subprocess.PIPE,
1253 'stderr': subprocess.STDOUT,
1254 'cwd': None}
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1255 ssh_extra_args = (
1256 "-o PubkeyAcceptedKeyTypes=+ssh-rsa")
1257 if cls._need_scp_protocol():
1258 ssh_extra_args += " -O"
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1259 cmd = ("scp -v -o UserKnownHostsFile=/dev/null "
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1260 "{9} "
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1261 "-o StrictHostKeyChecking=no "
1262 "-o ConnectTimeout={0} -o ConnectionAttempts={1} "
1263 "-i {2} {3} {4} {5} {6}@{7}:{8}").format(
1264 CONF.load_balancer.scp_connection_timeout,
1265 CONF.load_balancer.scp_connection_attempts,
1266 ssh_key.name, cert_filename, key_filename, client_ca_filename,
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1267 CONF.validation.image_ssh_user, ip_address, const.DEV_SHM_PATH,
1268 ssh_extra_args)
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1269 args = shlex.split(cmd)
1270 proc = subprocess.Popen(args, **subprocess_args)
1271 stdout, stderr = proc.communicate()
1272 if proc.returncode != 0:
1273 raise exceptions.CommandFailed(proc.returncode, cmd,
1274 stdout, stderr)