Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / octavia-tempest-plugin / ba79d2c666576ecb21f1b46bffc6357a6b0b0f5b / . / octavia_tempest_plugin / tests / test_base.py
blob: e97849353a39c5cd7ddacd1d0ca3a1213670fac9 [file] [log] [blame]
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1# Copyright 2018 Rackspace US Inc. All rights reserved.
2#
3# Licensed under the Apache License, Version 2.0 (the "License"); you may
4# not use this file except in compliance with the License. You may obtain
5# a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12# License for the specific language governing permissions and limitations
13# under the License.
14
15import ipaddress
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]16import os
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]17import random
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]18import re
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]19import shlex
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]20import string
21import subprocess
22import tempfile
23
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]24from cryptography.hazmat.primitives import serialization
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +0100[diff] [blame]25from oslo_config import cfg
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]26from oslo_log import log as logging
27from oslo_utils import uuidutils
28from tempest import config
29from tempest.lib.common.utils import data_utils
30from tempest.lib.common.utils.linux import remote_client
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]31from tempest.lib import exceptions
32from tempest import test
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]33import tenacity
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]34
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]35from octavia_tempest_plugin.common import cert_utils
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]36from octavia_tempest_plugin.common import constants as const
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]37from octavia_tempest_plugin.tests import RBAC_tests
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]38from octavia_tempest_plugin.tests import validators
39from octavia_tempest_plugin.tests import waiters
40
41CONF = config.CONF
42LOG = logging.getLogger(__name__)
43
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]44RETRY_ATTEMPTS = 15
45RETRY_INITIAL_DELAY = 1
46RETRY_BACKOFF = 1
47RETRY_MAX = 5
48
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]49
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]50class LoadBalancerBaseTest(validators.ValidatorsMixin,
51 RBAC_tests.RBACTestsMixin, test.BaseTestCase):
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]52 """Base class for load balancer tests."""
53
Gregory Thiemonge3497f6c2021-04-19 21:33:13 +0200[diff] [blame]54 if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
55 credentials = [
56 'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
57 ['lb_member', CONF.load_balancer.member_role],
58 ['lb_member2', CONF.load_balancer.member_role]]
59 elif CONF.load_balancer.enforce_new_defaults:
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]60 credentials = [
61 'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
62 ['lb_observer', CONF.load_balancer.observer_role, 'reader'],
63 ['lb_global_observer', CONF.load_balancer.global_observer_role,
64 'reader'],
65 ['lb_member', CONF.load_balancer.member_role, 'member'],
66 ['lb_member2', CONF.load_balancer.member_role, 'member'],
67 ['lb_member_not_default_member', CONF.load_balancer.member_role]]
68 else:
69 credentials = [
70 'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
71 ['lb_observer', CONF.load_balancer.observer_role, 'reader'],
72 ['lb_global_observer', CONF.load_balancer.global_observer_role,
73 'reader'],
Michael Johnson9e9f5262023-01-18 17:59:17 +0000[diff] [blame]74 # Note: Some projects are now requiring the 'member' role by
75 # default (nova for example) so make sure our creds have this role
76 ['lb_member', CONF.load_balancer.member_role, 'member'],
77 ['lb_member2', CONF.load_balancer.member_role, 'member']]
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]78
79 # If scope enforcement is enabled, add in the system scope credentials.
80 # The project scope is already handled by the above credentials.
81 if CONF.enforce_scope.octavia:
82 credentials.extend(['system_admin', 'system_reader'])
83
84 # A tuple of credentials that will be allocated by tempest using the
85 # 'credentials' list above. These are used to build RBAC test lists.
86 allocated_creds = []
87 for cred in credentials:
88 if isinstance(cred, list):
89 allocated_creds.append('os_roles_' + cred[0])
90 else:
91 allocated_creds.append('os_' + cred)
92 # Tests shall not mess with the list of allocated credentials
93 allocated_credentials = tuple(allocated_creds)
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]94
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]95 webserver1_response = 1
96 webserver2_response = 5
Michael Johnsondfd818a2018-08-21 20:54:54 -0700[diff] [blame]97 used_ips = []
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]98
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]99 SRC_PORT_NUMBER_MIN = 32768
100 SRC_PORT_NUMBER_MAX = 61000
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]101 src_port_number = SRC_PORT_NUMBER_MIN
102
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]103 @classmethod
104 def skip_checks(cls):
105 """Check if we should skip all of the children tests."""
106 super(LoadBalancerBaseTest, cls).skip_checks()
107
108 service_list = {
109 'load_balancer': CONF.service_available.load_balancer,
110 }
111
112 live_service_list = {
113 'compute': CONF.service_available.nova,
114 'image': CONF.service_available.glance,
115 'neutron': CONF.service_available.neutron
116 }
117
118 if not CONF.load_balancer.test_with_noop:
119 service_list.update(live_service_list)
120
121 for service, available in service_list.items():
122 if not available:
zhangzs2a6cf672018-11-10 16:13:11 +0800[diff] [blame]123 skip_msg = ("{0} skipped as {1} service is not "
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]124 "available.".format(cls.__name__, service))
125 raise cls.skipException(skip_msg)
126
127 # We must be able to reach our VIP and instances
128 if not (CONF.network.project_networks_reachable
129 or CONF.network.public_network_id):
130 msg = ('Either project_networks_reachable must be "true", or '
131 'public_network_id must be defined.')
132 raise cls.skipException(msg)
133
134 @classmethod
135 def setup_credentials(cls):
136 """Setup test credentials and network resources."""
137 # Do not auto create network resources
138 cls.set_network_resources()
139 super(LoadBalancerBaseTest, cls).setup_credentials()
140
Bas de Bruijne530a88a2022-12-15 11:12:45 -0400[diff] [blame]141 if not CONF.load_balancer.log_user_roles:
142 return
143
Michael Johnson6006de72021-02-21 01:42:39 +0000[diff] [blame]144 # Log the user roles for this test run
145 role_name_cache = {}
146 for cred in cls.credentials:
147 user_roles = []
148 if isinstance(cred, list):
149 user_name = cred[0]
150 cred_obj = getattr(cls, 'os_roles_' + cred[0])
151 else:
152 user_name = cred
153 cred_obj = getattr(cls, 'os_' + cred)
154 params = {'user.id': cred_obj.credentials.user_id,
155 'project.id': cred_obj.credentials.project_id}
156 roles = cls.os_admin.role_assignments_client.list_role_assignments(
157 **params)['role_assignments']
158 for role in roles:
159 role_id = role['role']['id']
160 try:
161 role_name = role_name_cache[role_id]
162 except KeyError:
163 role_name = cls.os_admin.roles_v3_client.show_role(
164 role_id)['role']['name']
165 role_name_cache[role_id] = role_name
166 user_roles.append([role_name, role['scope']])
167 LOG.info("User %s has roles: %s", user_name, user_roles)
168
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]169 @classmethod
170 def setup_clients(cls):
171 """Setup client aliases."""
172 super(LoadBalancerBaseTest, cls).setup_clients()
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]173 lb_admin_prefix = cls.os_roles_lb_admin.load_balancer_v2
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]174 cls.lb_mem_float_ip_client = cls.os_roles_lb_member.floating_ips_client
175 cls.lb_mem_keypairs_client = cls.os_roles_lb_member.keypairs_client
176 cls.lb_mem_net_client = cls.os_roles_lb_member.networks_client
177 cls.lb_mem_ports_client = cls.os_roles_lb_member.ports_client
178 cls.lb_mem_routers_client = cls.os_roles_lb_member.routers_client
179 cls.lb_mem_SG_client = cls.os_roles_lb_member.security_groups_client
180 cls.lb_mem_SGr_client = (
181 cls.os_roles_lb_member.security_group_rules_client)
182 cls.lb_mem_servers_client = cls.os_roles_lb_member.servers_client
183 cls.lb_mem_subnet_client = cls.os_roles_lb_member.subnets_client
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]184 cls.mem_lb_client = (
185 cls.os_roles_lb_member.load_balancer_v2.LoadbalancerClient())
186 cls.mem_listener_client = (
187 cls.os_roles_lb_member.load_balancer_v2.ListenerClient())
188 cls.mem_pool_client = (
189 cls.os_roles_lb_member.load_balancer_v2.PoolClient())
190 cls.mem_member_client = (
191 cls.os_roles_lb_member.load_balancer_v2.MemberClient())
Adam Harwell60ed9d92018-05-10 13:23:13 -0700[diff] [blame]192 cls.mem_healthmonitor_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]193 cls.os_roles_lb_member.load_balancer_v2.HealthMonitorClient())
194 cls.mem_l7policy_client = (
195 cls.os_roles_lb_member.load_balancer_v2.L7PolicyClient())
196 cls.mem_l7rule_client = (
197 cls.os_roles_lb_member.load_balancer_v2.L7RuleClient())
198 cls.lb_admin_amphora_client = lb_admin_prefix.AmphoraClient()
Michael Johnsonaff2e862019-01-11 16:38:00 -0800[diff] [blame]199 cls.lb_admin_flavor_profile_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]200 lb_admin_prefix.FlavorProfileClient())
201 cls.lb_admin_flavor_client = lb_admin_prefix.FlavorClient()
202 cls.mem_flavor_client = (
203 cls.os_roles_lb_member.load_balancer_v2.FlavorClient())
204 cls.mem_provider_client = (
205 cls.os_roles_lb_member.load_balancer_v2.ProviderClient())
Carlos Goncalvesc2e12162019-02-14 23:57:44 +0100[diff] [blame]206 cls.os_admin_servers_client = cls.os_admin.servers_client
Gregory Thiemonge54225ad2021-02-04 15:25:17 +0100[diff] [blame]207 cls.os_admin_routers_client = cls.os_admin.routers_client
208 cls.os_admin_subnetpools_client = cls.os_admin.subnetpools_client
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]209 cls.lb_admin_flavor_capabilities_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]210 lb_admin_prefix.FlavorCapabilitiesClient())
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]211 cls.lb_admin_availability_zone_capabilities_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]212 lb_admin_prefix.AvailabilityZoneCapabilitiesClient())
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]213 cls.lb_admin_availability_zone_profile_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]214 lb_admin_prefix.AvailabilityZoneProfileClient())
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]215 cls.lb_admin_availability_zone_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]216 lb_admin_prefix.AvailabilityZoneClient())
Adam Harwellc2aa20c2019-11-20 11:15:07 -0800[diff] [blame]217 cls.mem_availability_zone_client = (
Michael Johnson29d8e612021-06-23 16:16:12 +0000[diff] [blame]218 cls.os_roles_lb_member.load_balancer_v2.AvailabilityZoneClient())
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]219
220 @classmethod
221 def resource_setup(cls):
222 """Setup resources needed by the tests."""
223 super(LoadBalancerBaseTest, cls).resource_setup()
224
225 conf_lb = CONF.load_balancer
226
Michael Johnsondfd818a2018-08-21 20:54:54 -0700[diff] [blame]227 cls.api_version = cls.mem_lb_client.get_max_api_version()
228
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]229 if conf_lb.test_subnet_override and not conf_lb.test_network_override:
230 raise exceptions.InvalidConfiguration(
231 "Configuration value test_network_override must be "
232 "specified if test_subnet_override is used.")
233
Michael Johnson6a9236a2020-08-04 23:54:54 +0000[diff] [blame]234 # TODO(johnsom) Remove this
Maciej Józefczykb6df5f82019-12-10 10:12:30 +0000[diff] [blame]235 # Get loadbalancing algorithms supported by provider driver.
236 try:
237 algorithms = const.SUPPORTED_LB_ALGORITHMS[
238 CONF.load_balancer.provider]
239 except KeyError:
240 algorithms = const.SUPPORTED_LB_ALGORITHMS['default']
241 # Set default algorithm as first from the list.
242 cls.lb_algorithm = algorithms[0]
243
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]244 show_subnet = cls.lb_mem_subnet_client.show_subnet
245 if CONF.load_balancer.test_with_noop:
246 cls.lb_member_vip_net = {'id': uuidutils.generate_uuid()}
247 cls.lb_member_vip_subnet = {'id': uuidutils.generate_uuid()}
248 cls.lb_member_1_net = {'id': uuidutils.generate_uuid()}
249 cls.lb_member_1_subnet = {'id': uuidutils.generate_uuid()}
250 cls.lb_member_2_net = {'id': uuidutils.generate_uuid()}
251 cls.lb_member_2_subnet = {'id': uuidutils.generate_uuid()}
252 if CONF.load_balancer.test_with_ipv6:
Michael Johnson5a16ad32018-10-18 14:49:11 -0700[diff] [blame]253 cls.lb_member_vip_ipv6_net = {'id': uuidutils.generate_uuid()}
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]254 cls.lb_member_vip_ipv6_subnet = {'id':
255 uuidutils.generate_uuid()}
256 cls.lb_member_1_ipv6_subnet = {'id': uuidutils.generate_uuid()}
257 cls.lb_member_2_ipv6_subnet = {'id': uuidutils.generate_uuid()}
Michael Johnson590fbe12019-07-03 14:30:01 -0700[diff] [blame]258 cls.lb_member_vip_ipv6_subnet_stateful = True
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]259 return
260 elif CONF.load_balancer.test_network_override:
261 if conf_lb.test_subnet_override:
262 override_subnet = show_subnet(conf_lb.test_subnet_override)
263 else:
264 override_subnet = None
265
266 show_net = cls.lb_mem_net_client.show_network
267 override_network = show_net(conf_lb.test_network_override)
268 override_network = override_network.get('network')
269
270 cls.lb_member_vip_net = override_network
271 cls.lb_member_vip_subnet = override_subnet
272 cls.lb_member_1_net = override_network
273 cls.lb_member_1_subnet = override_subnet
274 cls.lb_member_2_net = override_network
275 cls.lb_member_2_subnet = override_subnet
276
277 if (CONF.load_balancer.test_with_ipv6 and
278 conf_lb.test_IPv6_subnet_override):
279 override_ipv6_subnet = show_subnet(
280 conf_lb.test_IPv6_subnet_override)
281 cls.lb_member_vip_ipv6_subnet = override_ipv6_subnet
282 cls.lb_member_1_ipv6_subnet = override_ipv6_subnet
283 cls.lb_member_2_ipv6_subnet = override_ipv6_subnet
Michael Johnson590fbe12019-07-03 14:30:01 -0700[diff] [blame]284 cls.lb_member_vip_ipv6_subnet_stateful = False
285 if (override_ipv6_subnet[0]['ipv6_address_mode'] ==
286 'dhcpv6-stateful'):
287 cls.lb_member_vip_ipv6_subnet_stateful = True
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]288 else:
289 cls.lb_member_vip_ipv6_subnet = None
290 cls.lb_member_1_ipv6_subnet = None
291 cls.lb_member_2_ipv6_subnet = None
292 else:
293 cls._create_networks()
294
295 LOG.debug('Octavia Setup: lb_member_vip_net = {}'.format(
296 cls.lb_member_vip_net[const.ID]))
297 if cls.lb_member_vip_subnet:
298 LOG.debug('Octavia Setup: lb_member_vip_subnet = {}'.format(
299 cls.lb_member_vip_subnet[const.ID]))
300 LOG.debug('Octavia Setup: lb_member_1_net = {}'.format(
301 cls.lb_member_1_net[const.ID]))
302 if cls.lb_member_1_subnet:
303 LOG.debug('Octavia Setup: lb_member_1_subnet = {}'.format(
304 cls.lb_member_1_subnet[const.ID]))
305 LOG.debug('Octavia Setup: lb_member_2_net = {}'.format(
306 cls.lb_member_2_net[const.ID]))
307 if cls.lb_member_2_subnet:
308 LOG.debug('Octavia Setup: lb_member_2_subnet = {}'.format(
309 cls.lb_member_2_subnet[const.ID]))
Michael Johnson124ba8b2018-08-30 16:06:05 -0700[diff] [blame]310 if CONF.load_balancer.test_with_ipv6:
311 if cls.lb_member_vip_ipv6_subnet:
312 LOG.debug('Octavia Setup: lb_member_vip_ipv6_subnet = '
313 '{}'.format(cls.lb_member_vip_ipv6_subnet[const.ID]))
314 if cls.lb_member_1_ipv6_subnet:
315 LOG.debug('Octavia Setup: lb_member_1_ipv6_subnet = {}'.format(
316 cls.lb_member_1_ipv6_subnet[const.ID]))
317 if cls.lb_member_2_ipv6_subnet:
318 LOG.debug('Octavia Setup: lb_member_2_ipv6_subnet = {}'.format(
319 cls.lb_member_2_ipv6_subnet[const.ID]))
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]320
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]321 @classmethod
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]322 # Neutron can be slow to clean up ports from the subnets/networks.
323 # Retry this delete a few times if we get a "Conflict" error to give
324 # neutron time to fully cleanup the ports.
325 @tenacity.retry(
326 retry=tenacity.retry_if_exception_type(exceptions.Conflict),
327 wait=tenacity.wait_incrementing(
328 RETRY_INITIAL_DELAY, RETRY_BACKOFF, RETRY_MAX),
329 stop=tenacity.stop_after_attempt(RETRY_ATTEMPTS))
330 def _logging_delete_network(cls, net_id):
331 try:
332 cls.lb_mem_net_client.delete_network(net_id)
333 except Exception:
334 LOG.error('Unable to delete network {}. Active ports:'.format(
335 net_id))
336 LOG.error(cls.lb_mem_ports_client.list_ports())
337 raise
338
339 @classmethod
340 # Neutron can be slow to clean up ports from the subnets/networks.
341 # Retry this delete a few times if we get a "Conflict" error to give
342 # neutron time to fully cleanup the ports.
343 @tenacity.retry(
344 retry=tenacity.retry_if_exception_type(exceptions.Conflict),
345 wait=tenacity.wait_incrementing(
346 RETRY_INITIAL_DELAY, RETRY_BACKOFF, RETRY_MAX),
347 stop=tenacity.stop_after_attempt(RETRY_ATTEMPTS))
348 def _logging_delete_subnet(cls, subnet_id):
349 try:
350 cls.lb_mem_subnet_client.delete_subnet(subnet_id)
351 except Exception:
352 LOG.error('Unable to delete subnet {}. Active ports:'.format(
353 subnet_id))
354 LOG.error(cls.lb_mem_ports_client.list_ports())
355 raise
356
357 @classmethod
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]358 def _create_networks(cls):
359 """Creates networks, subnets, and routers used in tests.
360
361 The following are expected to be defined and available to the tests:
362 cls.lb_member_vip_net
363 cls.lb_member_vip_subnet
364 cls.lb_member_vip_ipv6_subnet (optional)
365 cls.lb_member_1_net
366 cls.lb_member_1_subnet
367 cls.lb_member_1_ipv6_subnet (optional)
368 cls.lb_member_2_net
369 cls.lb_member_2_subnet
370 cls.lb_member_2_ipv6_subnet (optional)
371 """
372
373 # Create tenant VIP network
374 network_kwargs = {
375 'name': data_utils.rand_name("lb_member_vip_network")}
376 if CONF.network_feature_enabled.port_security:
Andreas Jaeger4215b702020-03-28 20:13:46 +0100[diff] [blame]377 # Note: Allowed Address Pairs requires port security
378 network_kwargs['port_security_enabled'] = True
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]379 result = cls.lb_mem_net_client.create_network(**network_kwargs)
380 cls.lb_member_vip_net = result['network']
381 LOG.info('lb_member_vip_net: {}'.format(cls.lb_member_vip_net))
382 cls.addClassResourceCleanup(
383 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]384 cls._logging_delete_network,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]385 cls.lb_mem_net_client.show_network,
386 cls.lb_member_vip_net['id'])
387
388 # Create tenant VIP subnet
389 subnet_kwargs = {
390 'name': data_utils.rand_name("lb_member_vip_subnet"),
391 'network_id': cls.lb_member_vip_net['id'],
392 'cidr': CONF.load_balancer.vip_subnet_cidr,
393 'ip_version': 4}
394 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
395 cls.lb_member_vip_subnet = result['subnet']
396 LOG.info('lb_member_vip_subnet: {}'.format(cls.lb_member_vip_subnet))
397 cls.addClassResourceCleanup(
398 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]399 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]400 cls.lb_mem_subnet_client.show_subnet,
401 cls.lb_member_vip_subnet['id'])
402
403 # Create tenant VIP IPv6 subnet
404 if CONF.load_balancer.test_with_ipv6:
Michael Johnson590fbe12019-07-03 14:30:01 -0700[diff] [blame]405 cls.lb_member_vip_ipv6_subnet_stateful = False
Gregory Thiemonge54225ad2021-02-04 15:25:17 +0100[diff] [blame]406 cls.lb_member_vip_ipv6_subnet_use_subnetpool = False
407 subnet_kwargs = {
408 'name': data_utils.rand_name("lb_member_vip_ipv6_subnet"),
409 'network_id': cls.lb_member_vip_net['id'],
410 'ip_version': 6}
411
412 # Use a CIDR from devstack's default IPv6 subnetpool if it exists,
413 # the subnetpool's cidr is routable from the devstack node
414 # through the default router
415 subnetpool_name = CONF.load_balancer.default_ipv6_subnetpool
416 if subnetpool_name:
417 subnetpool = cls.os_admin_subnetpools_client.list_subnetpools(
418 name=subnetpool_name)['subnetpools']
419 if len(subnetpool) == 1:
420 subnetpool = subnetpool[0]
421 subnet_kwargs['subnetpool_id'] = subnetpool['id']
422 cls.lb_member_vip_ipv6_subnet_use_subnetpool = True
423
424 if 'subnetpool_id' not in subnet_kwargs:
425 subnet_kwargs['cidr'] = (
426 CONF.load_balancer.vip_ipv6_subnet_cidr)
427
428 result = cls.lb_mem_subnet_client.create_subnet(
429 **subnet_kwargs)
430 cls.lb_member_vip_ipv6_net = cls.lb_member_vip_net
431 cls.lb_member_vip_ipv6_subnet = result['subnet']
432 cls.addClassResourceCleanup(
433 waiters.wait_for_not_found,
434 cls._logging_delete_subnet,
435 cls.lb_mem_subnet_client.show_subnet,
436 cls.lb_member_vip_ipv6_subnet['id'])
Carlos Goncalves84af48c2019-07-25 15:51:30 +0200[diff] [blame]437
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]438 LOG.info('lb_member_vip_ipv6_subnet: {}'.format(
439 cls.lb_member_vip_ipv6_subnet))
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]440
441 # Create tenant member 1 network
442 network_kwargs = {
443 'name': data_utils.rand_name("lb_member_1_network")}
444 if CONF.network_feature_enabled.port_security:
445 if CONF.load_balancer.enable_security_groups:
446 network_kwargs['port_security_enabled'] = True
447 else:
448 network_kwargs['port_security_enabled'] = False
449 result = cls.lb_mem_net_client.create_network(**network_kwargs)
450 cls.lb_member_1_net = result['network']
451 LOG.info('lb_member_1_net: {}'.format(cls.lb_member_1_net))
452 cls.addClassResourceCleanup(
453 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]454 cls._logging_delete_network,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]455 cls.lb_mem_net_client.show_network,
456 cls.lb_member_1_net['id'])
457
458 # Create tenant member 1 subnet
459 subnet_kwargs = {
460 'name': data_utils.rand_name("lb_member_1_subnet"),
461 'network_id': cls.lb_member_1_net['id'],
462 'cidr': CONF.load_balancer.member_1_ipv4_subnet_cidr,
463 'ip_version': 4}
464 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
465 cls.lb_member_1_subnet = result['subnet']
466 LOG.info('lb_member_1_subnet: {}'.format(cls.lb_member_1_subnet))
467 cls.addClassResourceCleanup(
468 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]469 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]470 cls.lb_mem_subnet_client.show_subnet,
471 cls.lb_member_1_subnet['id'])
472
473 # Create tenant member 1 ipv6 subnet
474 if CONF.load_balancer.test_with_ipv6:
475 subnet_kwargs = {
476 'name': data_utils.rand_name("lb_member_1_ipv6_subnet"),
477 'network_id': cls.lb_member_1_net['id'],
478 'cidr': CONF.load_balancer.member_1_ipv6_subnet_cidr,
479 'ip_version': 6}
480 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]481 cls.lb_member_1_subnet_prefix = (
482 CONF.load_balancer.member_1_ipv6_subnet_cidr.rpartition('/')[2]
483 )
484 assert(cls.lb_member_1_subnet_prefix.isdigit())
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]485 cls.lb_member_1_ipv6_subnet = result['subnet']
486 LOG.info('lb_member_1_ipv6_subnet: {}'.format(
487 cls.lb_member_1_ipv6_subnet))
488 cls.addClassResourceCleanup(
489 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]490 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]491 cls.lb_mem_subnet_client.show_subnet,
492 cls.lb_member_1_ipv6_subnet['id'])
493
494 # Create tenant member 2 network
495 network_kwargs = {
496 'name': data_utils.rand_name("lb_member_2_network")}
497 if CONF.network_feature_enabled.port_security:
498 if CONF.load_balancer.enable_security_groups:
499 network_kwargs['port_security_enabled'] = True
500 else:
501 network_kwargs['port_security_enabled'] = False
502 result = cls.lb_mem_net_client.create_network(**network_kwargs)
503 cls.lb_member_2_net = result['network']
504 LOG.info('lb_member_2_net: {}'.format(cls.lb_member_2_net))
505 cls.addClassResourceCleanup(
506 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]507 cls._logging_delete_network,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]508 cls.lb_mem_net_client.show_network,
509 cls.lb_member_2_net['id'])
510
511 # Create tenant member 2 subnet
512 subnet_kwargs = {
513 'name': data_utils.rand_name("lb_member_2_subnet"),
514 'network_id': cls.lb_member_2_net['id'],
515 'cidr': CONF.load_balancer.member_2_ipv4_subnet_cidr,
516 'ip_version': 4}
517 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
518 cls.lb_member_2_subnet = result['subnet']
519 LOG.info('lb_member_2_subnet: {}'.format(cls.lb_member_2_subnet))
520 cls.addClassResourceCleanup(
521 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]522 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]523 cls.lb_mem_subnet_client.show_subnet,
524 cls.lb_member_2_subnet['id'])
525
526 # Create tenant member 2 ipv6 subnet
527 if CONF.load_balancer.test_with_ipv6:
528 subnet_kwargs = {
529 'name': data_utils.rand_name("lb_member_2_ipv6_subnet"),
530 'network_id': cls.lb_member_2_net['id'],
531 'cidr': CONF.load_balancer.member_2_ipv6_subnet_cidr,
532 'ip_version': 6}
533 result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]534 cls.lb_member_2_subnet_prefix = (
535 CONF.load_balancer.member_2_ipv6_subnet_cidr.rpartition('/')[2]
536 )
537 assert(cls.lb_member_2_subnet_prefix.isdigit())
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]538 cls.lb_member_2_ipv6_subnet = result['subnet']
539 LOG.info('lb_member_2_ipv6_subnet: {}'.format(
540 cls.lb_member_2_ipv6_subnet))
541 cls.addClassResourceCleanup(
542 waiters.wait_for_not_found,
Michael Johnson04dc5cb2019-01-20 11:03:50 -0800[diff] [blame]543 cls._logging_delete_subnet,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]544 cls.lb_mem_subnet_client.show_subnet,
545 cls.lb_member_2_ipv6_subnet['id'])
546
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]547 @classmethod
Michael Johnson07c9a632018-06-07 13:27:42 -0700[diff] [blame]548 def _setup_lb_network_kwargs(cls, lb_kwargs, ip_version=None,
549 use_fixed_ip=False):
Adam Harwell60ed9d92018-05-10 13:23:13 -0700[diff] [blame]550 if not ip_version:
551 ip_version = 6 if CONF.load_balancer.test_with_ipv6 else 4
Michael Johnson5a16ad32018-10-18 14:49:11 -0700[diff] [blame]552 if cls.lb_member_vip_subnet or cls.lb_member_vip_ipv6_subnet:
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]553 ip_index = data_utils.rand_int_id(start=10, end=100)
Michael Johnsondfd818a2018-08-21 20:54:54 -0700[diff] [blame]554 while ip_index in cls.used_ips:
555 ip_index = data_utils.rand_int_id(start=10, end=100)
556 cls.used_ips.append(ip_index)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]557 if ip_version == 4:
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]558 subnet_id = cls.lb_member_vip_subnet[const.ID]
Michael Johnson5a16ad32018-10-18 14:49:11 -0700[diff] [blame]559 if CONF.load_balancer.test_with_noop:
560 lb_vip_address = '198.18.33.33'
561 else:
562 subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
563 network = ipaddress.IPv4Network(subnet['subnet']['cidr'])
564 lb_vip_address = str(network[ip_index])
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]565 else:
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]566 subnet_id = cls.lb_member_vip_ipv6_subnet[const.ID]
Michael Johnson5a16ad32018-10-18 14:49:11 -0700[diff] [blame]567 if CONF.load_balancer.test_with_noop:
568 lb_vip_address = '2001:db8:33:33:33:33:33:33'
569 else:
570 subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
571 network = ipaddress.IPv6Network(subnet['subnet']['cidr'])
572 lb_vip_address = str(network[ip_index])
Michael Johnson590fbe12019-07-03 14:30:01 -0700[diff] [blame]573 # If the subnet is IPv6 slaac or dhcpv6-stateless
574 # neutron does not allow a fixed IP
575 if not cls.lb_member_vip_ipv6_subnet_stateful:
576 use_fixed_ip = False
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]577 lb_kwargs[const.VIP_SUBNET_ID] = subnet_id
Michael Johnson07c9a632018-06-07 13:27:42 -0700[diff] [blame]578 if use_fixed_ip:
579 lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]580 if CONF.load_balancer.test_with_noop:
581 lb_kwargs[const.VIP_NETWORK_ID] = (
582 cls.lb_member_vip_net[const.ID])
Carlos Goncalvesbb238552020-01-15 10:10:55 +0000[diff] [blame]583 if ip_version == 6:
584 lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]585 else:
586 lb_kwargs[const.VIP_NETWORK_ID] = cls.lb_member_vip_net[const.ID]
587 lb_kwargs[const.VIP_SUBNET_ID] = None
588
ibumarskovba79d2c2020-09-03 18:21:29 +0400[diff] [blame^]589 @classmethod
590 def check_tf_compatibility(cls, protocol=None, algorithm=None):
591 # TungstenFabric supported protocols and algorithms
592 tf_protocols = [const.HTTP, const.HTTPS, const.TCP, const.UDP,
593 const.TERMINATED_HTTPS]
594 tf_algorithms = [const.LB_ALGORITHM_ROUND_ROBIN,
595 const.LB_ALGORITHM_LEAST_CONNECTIONS,
596 const.LB_ALGORITHM_SOURCE_IP]
597
598 if algorithm and algorithm not in tf_algorithms:
599 raise cls.skipException(
600 'TungstenFabric does not support {} algorithm.'
601 ''.format(algorithm))
602 if protocol and protocol not in tf_protocols:
603 raise cls.skipException(
604 'TungstenFabric does not support {} protocol.'
605 ''.format(protocol))
606
607 @classmethod
608 def _tf_create_listener(cls, name, proto, port, lb_id):
609 listener_kwargs = {
610 const.NAME: name,
611 const.PROTOCOL: proto,
612 const.PROTOCOL_PORT: port,
613 const.LOADBALANCER_ID: lb_id,
614 }
615 listener = cls.mem_listener_client.create_listener(**listener_kwargs)
616 return listener
617
618 @classmethod
619 def _tf_get_free_port(cls, lb_id):
620 port = 8081
621 lb = cls.mem_lb_client.show_loadbalancer(lb_id)
622 listeners = lb[const.LISTENERS]
623 if not listeners:
624 return port
625 ports = [cls.mem_listener_client.show_listener(x[const.ID])[
626 const.PROTOCOL_PORT] for x in listeners]
627 while port in ports:
628 port = port + 1
629 return port
630
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]631
632class LoadBalancerBaseTestWithCompute(LoadBalancerBaseTest):
633 @classmethod
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +0100[diff] [blame]634 def remote_client_args(cls):
635 # In case we're using octavia-tempest-plugin with old tempest releases
636 # (for instance on stable/train) that don't support ssh_key_type, catch
637 # the exception and don't pass any argument
638 args = {}
639 try:
640 args['ssh_key_type'] = CONF.validation.ssh_key_type
641 except cfg.NoSuchOptError:
642 pass
643 return args
644
645 @classmethod
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]646 def resource_setup(cls):
647 super(LoadBalancerBaseTestWithCompute, cls).resource_setup()
648 # If validation is disabled in this cloud, we won't be able to
649 # start the webservers, so don't even boot them.
650 if not CONF.validation.run_validation:
651 return
652
653 # Create a keypair for the webservers
654 keypair_name = data_utils.rand_name('lb_member_keypair')
655 result = cls.lb_mem_keypairs_client.create_keypair(
656 name=keypair_name)
657 cls.lb_member_keypair = result['keypair']
658 LOG.info('lb_member_keypair: {}'.format(cls.lb_member_keypair))
659 cls.addClassResourceCleanup(
660 waiters.wait_for_not_found,
661 cls.lb_mem_keypairs_client.delete_keypair,
662 cls.lb_mem_keypairs_client.show_keypair,
663 keypair_name)
664
665 if (CONF.load_balancer.enable_security_groups and
666 CONF.network_feature_enabled.port_security):
667 # Set up the security group for the webservers
668 SG_name = data_utils.rand_name('lb_member_SG')
669 cls.lb_member_sec_group = (
670 cls.lb_mem_SG_client.create_security_group(
671 name=SG_name)['security_group'])
672 cls.addClassResourceCleanup(
673 waiters.wait_for_not_found,
674 cls.lb_mem_SG_client.delete_security_group,
675 cls.lb_mem_SG_client.show_security_group,
676 cls.lb_member_sec_group['id'])
677
678 # Create a security group rule to allow 80-81 (test webservers)
679 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
680 direction='ingress',
681 security_group_id=cls.lb_member_sec_group['id'],
682 protocol='tcp',
683 ethertype='IPv4',
684 port_range_min=80,
685 port_range_max=81)['security_group_rule']
686 cls.addClassResourceCleanup(
687 waiters.wait_for_not_found,
688 cls.lb_mem_SGr_client.delete_security_group_rule,
689 cls.lb_mem_SGr_client.show_security_group_rule,
690 SGr['id'])
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]691 # Create a security group rule to allow UDP 80-81 (test webservers)
692 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
693 direction='ingress',
694 security_group_id=cls.lb_member_sec_group['id'],
695 protocol='udp',
696 ethertype='IPv4',
697 port_range_min=80,
698 port_range_max=81)['security_group_rule']
699 cls.addClassResourceCleanup(
700 waiters.wait_for_not_found,
701 cls.lb_mem_SGr_client.delete_security_group_rule,
702 cls.lb_mem_SGr_client.show_security_group_rule,
703 SGr['id'])
Michael Johnson74b6f2f2020-10-29 15:11:39 -0700[diff] [blame]704 # Create a security group rule to allow 443 (test webservers)
705 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
706 direction='ingress',
707 security_group_id=cls.lb_member_sec_group['id'],
708 protocol='tcp',
709 ethertype='IPv4',
710 port_range_min=443,
711 port_range_max=443)['security_group_rule']
712 cls.addClassResourceCleanup(
713 waiters.wait_for_not_found,
714 cls.lb_mem_SGr_client.delete_security_group_rule,
715 cls.lb_mem_SGr_client.show_security_group_rule,
716 SGr['id'])
Michael Johnson031ecca2020-10-29 16:45:32 -0700[diff] [blame]717 # Create a security group rule to allow 9443 (test webservers)
718 # Used in the pool backend encryption client authentication tests
719 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
720 direction='ingress',
721 security_group_id=cls.lb_member_sec_group['id'],
722 protocol='tcp',
723 ethertype='IPv4',
724 port_range_min=9443,
725 port_range_max=9443)['security_group_rule']
726 cls.addClassResourceCleanup(
727 waiters.wait_for_not_found,
728 cls.lb_mem_SGr_client.delete_security_group_rule,
729 cls.lb_mem_SGr_client.show_security_group_rule,
730 SGr['id'])
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]731 # Create a security group rule to allow UDP 9999 (test webservers)
732 # Port 9999 is used to illustrate health monitor ERRORs on closed
733 # ports.
734 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
735 direction='ingress',
736 security_group_id=cls.lb_member_sec_group['id'],
737 protocol='udp',
738 ethertype='IPv4',
739 port_range_min=9999,
740 port_range_max=9999)['security_group_rule']
741 cls.addClassResourceCleanup(
742 waiters.wait_for_not_found,
743 cls.lb_mem_SGr_client.delete_security_group_rule,
744 cls.lb_mem_SGr_client.show_security_group_rule,
745 SGr['id'])
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]746 # Create a security group rule to allow 22 (ssh)
747 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
748 direction='ingress',
749 security_group_id=cls.lb_member_sec_group['id'],
750 protocol='tcp',
751 ethertype='IPv4',
752 port_range_min=22,
753 port_range_max=22)['security_group_rule']
754 cls.addClassResourceCleanup(
755 waiters.wait_for_not_found,
756 cls.lb_mem_SGr_client.delete_security_group_rule,
757 cls.lb_mem_SGr_client.show_security_group_rule,
758 SGr['id'])
759 if CONF.load_balancer.test_with_ipv6:
760 # Create a security group rule to allow 80-81 (test webservers)
761 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
762 direction='ingress',
763 security_group_id=cls.lb_member_sec_group['id'],
764 protocol='tcp',
765 ethertype='IPv6',
766 port_range_min=80,
767 port_range_max=81)['security_group_rule']
768 cls.addClassResourceCleanup(
769 waiters.wait_for_not_found,
770 cls.lb_mem_SGr_client.delete_security_group_rule,
771 cls.lb_mem_SGr_client.show_security_group_rule,
772 SGr['id'])
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]773 # Create a security group rule to allow UDP 80-81 (test
774 # webservers)
775 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
776 direction='ingress',
777 security_group_id=cls.lb_member_sec_group['id'],
778 protocol='udp',
779 ethertype='IPv6',
780 port_range_min=80,
781 port_range_max=81)['security_group_rule']
782 cls.addClassResourceCleanup(
783 waiters.wait_for_not_found,
784 cls.lb_mem_SGr_client.delete_security_group_rule,
785 cls.lb_mem_SGr_client.show_security_group_rule,
786 SGr['id'])
Michael Johnson74b6f2f2020-10-29 15:11:39 -0700[diff] [blame]787 # Create a security group rule to allow 443 (test webservers)
788 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
789 direction='ingress',
790 security_group_id=cls.lb_member_sec_group['id'],
791 protocol='tcp',
792 ethertype='IPv6',
793 port_range_min=443,
794 port_range_max=443)['security_group_rule']
795 cls.addClassResourceCleanup(
796 waiters.wait_for_not_found,
797 cls.lb_mem_SGr_client.delete_security_group_rule,
798 cls.lb_mem_SGr_client.show_security_group_rule,
799 SGr['id'])
Michael Johnson031ecca2020-10-29 16:45:32 -0700[diff] [blame]800 # Create a security group rule to allow 9443 (test webservers)
801 # Used in the pool encryption client authentication tests
802 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
803 direction='ingress',
804 security_group_id=cls.lb_member_sec_group['id'],
805 protocol='tcp',
806 ethertype='IPv6',
807 port_range_min=9443,
808 port_range_max=9443)['security_group_rule']
809 cls.addClassResourceCleanup(
810 waiters.wait_for_not_found,
811 cls.lb_mem_SGr_client.delete_security_group_rule,
812 cls.lb_mem_SGr_client.show_security_group_rule,
813 SGr['id'])
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]814 # Create a security group rule to allow 22 (ssh)
815 SGr = cls.lb_mem_SGr_client.create_security_group_rule(
816 direction='ingress',
817 security_group_id=cls.lb_member_sec_group['id'],
818 protocol='tcp',
819 ethertype='IPv6',
820 port_range_min=22,
821 port_range_max=22)['security_group_rule']
822 cls.addClassResourceCleanup(
823 waiters.wait_for_not_found,
824 cls.lb_mem_SGr_client.delete_security_group_rule,
825 cls.lb_mem_SGr_client.show_security_group_rule,
826 SGr['id'])
827
828 LOG.info('lb_member_sec_group: {}'.format(cls.lb_member_sec_group))
829
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]830 # Setup backend member reencryption PKI
831 cls._create_backend_reencryption_pki()
832
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]833 # Create webserver 1 instance
834 server_details = cls._create_webserver('lb_member_webserver1',
835 cls.lb_member_1_net)
836
837 cls.lb_member_webserver1 = server_details['server']
838 cls.webserver1_ip = server_details.get('ipv4_address')
839 cls.webserver1_ipv6 = server_details.get('ipv6_address')
840 cls.webserver1_public_ip = server_details['public_ipv4_address']
841
842 LOG.debug('Octavia Setup: lb_member_webserver1 = {}'.format(
843 cls.lb_member_webserver1[const.ID]))
844 LOG.debug('Octavia Setup: webserver1_ip = {}'.format(
845 cls.webserver1_ip))
846 LOG.debug('Octavia Setup: webserver1_ipv6 = {}'.format(
847 cls.webserver1_ipv6))
848 LOG.debug('Octavia Setup: webserver1_public_ip = {}'.format(
849 cls.webserver1_public_ip))
850
851 # Create webserver 2 instance
852 server_details = cls._create_webserver('lb_member_webserver2',
853 cls.lb_member_2_net)
854
855 cls.lb_member_webserver2 = server_details['server']
856 cls.webserver2_ip = server_details.get('ipv4_address')
857 cls.webserver2_ipv6 = server_details.get('ipv6_address')
858 cls.webserver2_public_ip = server_details['public_ipv4_address']
859
860 LOG.debug('Octavia Setup: lb_member_webserver2 = {}'.format(
861 cls.lb_member_webserver2[const.ID]))
862 LOG.debug('Octavia Setup: webserver2_ip = {}'.format(
863 cls.webserver2_ip))
864 LOG.debug('Octavia Setup: webserver2_ipv6 = {}'.format(
865 cls.webserver2_ipv6))
866 LOG.debug('Octavia Setup: webserver2_public_ip = {}'.format(
867 cls.webserver2_public_ip))
868
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]869 if CONF.load_balancer.test_with_ipv6:
870 # Enable the IPv6 nic in webserver 1
871 cls._enable_ipv6_nic_webserver(
872 cls.webserver1_public_ip, cls.lb_member_keypair['private_key'],
873 cls.webserver1_ipv6, cls.lb_member_1_subnet_prefix)
874
875 # Enable the IPv6 nic in webserver 2
876 cls._enable_ipv6_nic_webserver(
877 cls.webserver2_public_ip, cls.lb_member_keypair['private_key'],
878 cls.webserver2_ipv6, cls.lb_member_2_subnet_prefix)
879
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]880 # Set up serving on webserver 1
881 cls._install_start_webserver(cls.webserver1_public_ip,
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]882 cls.lb_member_keypair['private_key'],
883 cls.webserver1_response)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]884
885 # Validate webserver 1
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]886 cls._validate_webserver(cls.webserver1_public_ip,
887 cls.webserver1_response)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]888
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]889 # Validate udp server 1
890 cls._validate_udp_server(cls.webserver1_public_ip,
891 cls.webserver1_response)
892
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]893 # Set up serving on webserver 2
894 cls._install_start_webserver(cls.webserver2_public_ip,
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]895 cls.lb_member_keypair['private_key'],
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]896 cls.webserver2_response, revoke_cert=True)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]897
898 # Validate webserver 2
Adam Harwelle029af22018-05-24 17:13:28 -0700[diff] [blame]899 cls._validate_webserver(cls.webserver2_public_ip,
900 cls.webserver2_response)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]901
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]902 # Validate udp server 2
903 cls._validate_udp_server(cls.webserver2_public_ip,
904 cls.webserver2_response)
905
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]906 @classmethod
907 def _create_networks(cls):
908 super(LoadBalancerBaseTestWithCompute, cls)._create_networks()
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]909 # Create a router for the subnets (required for the floating IP)
910 router_name = data_utils.rand_name("lb_member_router")
911 result = cls.lb_mem_routers_client.create_router(
912 name=router_name, admin_state_up=True,
913 external_gateway_info=dict(
914 network_id=CONF.network.public_network_id))
915 cls.lb_member_router = result['router']
916 LOG.info('lb_member_router: {}'.format(cls.lb_member_router))
917 cls.addClassResourceCleanup(
918 waiters.wait_for_not_found,
919 cls.lb_mem_routers_client.delete_router,
920 cls.lb_mem_routers_client.show_router,
921 cls.lb_member_router['id'])
922
923 # Add VIP subnet to router
924 cls.lb_mem_routers_client.add_router_interface(
925 cls.lb_member_router['id'],
926 subnet_id=cls.lb_member_vip_subnet['id'])
927 cls.addClassResourceCleanup(
928 waiters.wait_for_not_found,
929 cls.lb_mem_routers_client.remove_router_interface,
930 cls.lb_mem_routers_client.remove_router_interface,
931 cls.lb_member_router['id'],
932 subnet_id=cls.lb_member_vip_subnet['id'])
933
Gregory Thiemonge54225ad2021-02-04 15:25:17 +0100[diff] [blame]934 if (CONF.load_balancer.test_with_ipv6 and
935 CONF.load_balancer.default_router and
936 cls.lb_member_vip_ipv6_subnet_use_subnetpool):
937
938 router_name = CONF.load_balancer.default_router
939 # if lb_member_vip_ipv6_subnet uses devstack's subnetpool,
940 # plug the subnet into the default router
941 router = cls.os_admin.routers_client.list_routers(
942 name=router_name)['routers']
943
944 if len(router) == 1:
945 router = router[0]
946
947 # Add IPv6 VIP subnet to router1
948 cls.os_admin_routers_client.add_router_interface(
949 router['id'],
950 subnet_id=cls.lb_member_vip_ipv6_subnet['id'])
951 cls.addClassResourceCleanup(
952 waiters.wait_for_not_found,
953 cls.os_admin_routers_client.remove_router_interface,
954 cls.os_admin_routers_client.remove_router_interface,
955 router['id'],
956 subnet_id=cls.lb_member_vip_ipv6_subnet['id'])
957
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]958 # Add member subnet 1 to router
959 cls.lb_mem_routers_client.add_router_interface(
960 cls.lb_member_router['id'],
961 subnet_id=cls.lb_member_1_subnet['id'])
962 cls.addClassResourceCleanup(
963 waiters.wait_for_not_found,
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]964 cls.lb_mem_routers_client.remove_router_interface,
965 cls.lb_mem_routers_client.remove_router_interface,
966 cls.lb_member_router['id'], subnet_id=cls.lb_member_1_subnet['id'])
967
968 # Add member subnet 2 to router
969 cls.lb_mem_routers_client.add_router_interface(
970 cls.lb_member_router['id'],
971 subnet_id=cls.lb_member_2_subnet['id'])
972 cls.addClassResourceCleanup(
973 waiters.wait_for_not_found,
974 cls.lb_mem_routers_client.remove_router_interface,
975 cls.lb_mem_routers_client.remove_router_interface,
976 cls.lb_member_router['id'], subnet_id=cls.lb_member_2_subnet['id'])
977
978 @classmethod
979 def _create_webserver(cls, name, network):
980 """Creates a webserver with two ports.
981
982 webserver_details dictionary contains:
983 server - The compute server object
984 ipv4_address - The IPv4 address for the server (optional)
985 ipv6_address - The IPv6 address for the server (optional)
986 public_ipv4_address - The publicly accessible IPv4 address for the
987 server, this may be a floating IP (optional)
988
989 :param name: The name of the server to create.
990 :param network: The network to boot the server on.
991 :returns: webserver_details dictionary.
992 """
993 server_kwargs = {
994 'name': data_utils.rand_name(name),
995 'flavorRef': CONF.compute.flavor_ref,
996 'imageRef': CONF.compute.image_ref,
997 'key_name': cls.lb_member_keypair['name']}
998 if (CONF.load_balancer.enable_security_groups and
999 CONF.network_feature_enabled.port_security):
1000 server_kwargs['security_groups'] = [
1001 {'name': cls.lb_member_sec_group['name']}]
1002 if not CONF.load_balancer.disable_boot_network:
1003 server_kwargs['networks'] = [{'uuid': network['id']}]
1004
1005 # Replace the name for clouds that have limitations
1006 if CONF.load_balancer.random_server_name_length:
1007 r = random.SystemRandom()
1008 server_kwargs['name'] = "m{}".format("".join(
1009 [r.choice(string.ascii_uppercase + string.digits)
1010 for _ in range(
1011 CONF.load_balancer.random_server_name_length - 1)]
1012 ))
1013 if CONF.load_balancer.availability_zone:
1014 server_kwargs['availability_zone'] = (
1015 CONF.load_balancer.availability_zone)
1016
1017 server = cls.lb_mem_servers_client.create_server(
1018 **server_kwargs)['server']
1019 cls.addClassResourceCleanup(
1020 waiters.wait_for_not_found,
1021 cls.lb_mem_servers_client.delete_server,
1022 cls.lb_mem_servers_client.show_server,
1023 server['id'])
1024 server = waiters.wait_for_status(
1025 cls.lb_mem_servers_client.show_server,
1026 server['id'], 'status', 'ACTIVE',
1027 CONF.load_balancer.build_interval,
1028 CONF.load_balancer.build_timeout,
1029 root_tag='server')
1030 webserver_details = {'server': server}
1031 LOG.info('Created server: {}'.format(server))
1032
1033 addresses = server['addresses']
1034 if CONF.load_balancer.disable_boot_network:
1035 instance_network = addresses.values()[0]
1036 else:
1037 instance_network = addresses[network['name']]
1038 for addr in instance_network:
1039 if addr['version'] == 4:
1040 webserver_details['ipv4_address'] = addr['addr']
1041 if addr['version'] == 6:
1042 webserver_details['ipv6_address'] = addr['addr']
1043
1044 if CONF.validation.connect_method == 'floating':
1045 result = cls.lb_mem_ports_client.list_ports(
1046 network_id=network['id'],
1047 mac_address=instance_network[0]['OS-EXT-IPS-MAC:mac_addr'])
1048 port_id = result['ports'][0]['id']
1049 result = cls.lb_mem_float_ip_client.create_floatingip(
1050 floating_network_id=CONF.network.public_network_id,
1051 port_id=port_id)
1052 floating_ip = result['floatingip']
1053 LOG.info('webserver1_floating_ip: {}'.format(floating_ip))
1054 cls.addClassResourceCleanup(
1055 waiters.wait_for_not_found,
1056 cls.lb_mem_float_ip_client.delete_floatingip,
1057 cls.lb_mem_float_ip_client.show_floatingip,
1058 floatingip_id=floating_ip['id'])
1059 webserver_details['public_ipv4_address'] = (
1060 floating_ip['floating_ip_address'])
1061 else:
1062 webserver_details['public_ipv4_address'] = (
1063 instance_network[0]['addr'])
1064
1065 return webserver_details
1066
1067 @classmethod
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1068 def _get_openssh_version(cls):
1069 p = subprocess.Popen(["ssh", "-V"],
1070 stdout=subprocess.PIPE,
1071 stderr=subprocess.PIPE)
1072 output = p.communicate()[1]
1073
1074 try:
1075 m = re.match(r"OpenSSH_(\d+)\.(\d+)", output.decode('utf-8'))
1076 version_maj = int(m.group(1))
1077 version_min = int(m.group(2))
1078 return version_maj, version_min
1079 except Exception:
1080 return None, None
1081
1082 @classmethod
1083 def _need_scp_protocol(cls):
1084 # When using scp >= 8.7, force the use of the SCP protocol,
1085 # the new default (SFTP protocol) doesn't work with
1086 # cirros VMs.
1087 ssh_version = cls._get_openssh_version()
1088 LOG.debug("ssh_version = {}".format(ssh_version))
1089 return (ssh_version[0] > 8 or
1090 (ssh_version[0] == 8 and ssh_version[1] >= 7))
1091
1092 @classmethod
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1093 def _install_start_webserver(cls, ip_address, ssh_key, start_id,
1094 revoke_cert=False):
Michael Johnson27357352020-11-13 13:55:09 -0800[diff] [blame]1095 local_file = CONF.load_balancer.test_server_path
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1096
1097 linux_client = remote_client.RemoteClient(
Ade Leed0ea4062021-09-06 15:33:27 -0400[diff] [blame]1098 ip_address, CONF.validation.image_ssh_user, pkey=ssh_key,
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +0100[diff] [blame]1099 **cls.remote_client_args())
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1100 linux_client.validate_authentication()
1101
1102 with tempfile.NamedTemporaryFile() as key:
1103 key.write(ssh_key.encode('utf-8'))
1104 key.flush()
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1105 ssh_extra_args = (
1106 "-o PubkeyAcceptedKeyTypes=+ssh-rsa")
1107 if cls._need_scp_protocol():
1108 ssh_extra_args += " -O"
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1109 cmd = ("scp -v -o UserKnownHostsFile=/dev/null "
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1110 "{7} "
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1111 "-o StrictHostKeyChecking=no "
1112 "-o ConnectTimeout={0} -o ConnectionAttempts={1} "
1113 "-i {2} {3} {4}@{5}:{6}").format(
1114 CONF.load_balancer.scp_connection_timeout,
1115 CONF.load_balancer.scp_connection_attempts,
1116 key.name, local_file, CONF.validation.image_ssh_user,
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1117 ip_address, const.TEST_SERVER_BINARY,
1118 ssh_extra_args)
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1119 args = shlex.split(cmd)
1120 subprocess_args = {'stdout': subprocess.PIPE,
1121 'stderr': subprocess.STDOUT,
1122 'cwd': None}
1123 proc = subprocess.Popen(args, **subprocess_args)
1124 stdout, stderr = proc.communicate()
1125 if proc.returncode != 0:
1126 raise exceptions.CommandFailed(proc.returncode, cmd,
1127 stdout, stderr)
Gregory Thiemongef72a8862019-08-06 17:25:42 +0200[diff] [blame]1128
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1129 cls._load_member_pki_content(ip_address, key,
1130 revoke_cert=revoke_cert)
1131
Gregory Thiemongef72a8862019-08-06 17:25:42 +0200[diff] [blame]1132 # Enabling memory overcommit allows to run golang static binaries
1133 # compiled with a recent golang toolchain (>=1.11). Those binaries
1134 # allocate a large amount of virtual memory at init time, and this
1135 # allocation fails in tempest's nano flavor (64MB of RAM)
1136 # (golang issue reported in https://github.com/golang/go/issues/28114,
1137 # follow-up: https://github.com/golang/go/issues/28081)
1138 # TODO(gthiemonge): Remove this call when golang issue is resolved.
1139 linux_client.exec_command('sudo sh -c "echo 1 > '
1140 '/proc/sys/vm/overcommit_memory"')
1141
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1142 # The initial process also supports HTTPS and HTTPS with client auth
1143 linux_client.exec_command(
1144 'sudo screen -d -m {0} -port 80 -id {1} -https_port 443 -cert {2} '
1145 '-key {3} -https_client_auth_port 9443 -client_ca {4}'.format(
1146 const.TEST_SERVER_BINARY, start_id, const.TEST_SERVER_CERT,
1147 const.TEST_SERVER_KEY, const.TEST_SERVER_CLIENT_CA))
1148
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1149 linux_client.exec_command('sudo screen -d -m {0} -port 81 '
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1150 '-id {1}'.format(const.TEST_SERVER_BINARY,
1151 start_id + 1))
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1152
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]1153 # Cirros does not configure the assigned IPv6 address by default
1154 # so enable it manually like tempest does here:
1155 # tempest/scenario/test_netowrk_v6.py turn_nic6_on()
1156 @classmethod
1157 def _enable_ipv6_nic_webserver(cls, ip_address, ssh_key,
1158 ipv6_address, ipv6_prefix):
1159 linux_client = remote_client.RemoteClient(
Ade Leed0ea4062021-09-06 15:33:27 -0400[diff] [blame]1160 ip_address, CONF.validation.image_ssh_user, pkey=ssh_key,
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +0100[diff] [blame]1161 **cls.remote_client_args())
Michael Johnsonbf916df2018-10-17 10:59:28 -0700[diff] [blame]1162 linux_client.validate_authentication()
1163
1164 linux_client.exec_command('sudo ip address add {0}/{1} dev '
1165 'eth0'.format(ipv6_address, ipv6_prefix))
1166
Adam Harwellcd72b562018-05-07 11:37:22 -0700[diff] [blame]1167 @classmethod
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1168 def _validate_webserver(cls, ip_address, start_id):
1169 URL = 'http://{0}'.format(ip_address)
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]1170 cls.validate_URL_response(URL, expected_body=str(start_id))
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1171 URL = 'http://{0}:81'.format(ip_address)
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]1172 cls.validate_URL_response(URL, expected_body=str(start_id + 1))
Jude Cross986e3f52017-07-24 14:57:20 -0700[diff] [blame]1173
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]1174 @classmethod
1175 def _validate_udp_server(cls, ip_address, start_id):
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]1176 res = cls.make_udp_request(ip_address, 80)
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]1177 if res != str(start_id):
1178 raise Exception("Response from test server doesn't match the "
1179 "expected value ({0} != {1}).".format(
1180 res, str(start_id)))
1181
Michael Johnson89bdbcd2020-03-19 15:59:19 -0700[diff] [blame]1182 res = cls.make_udp_request(ip_address, 81)
Gregory Thiemonge29d17902019-04-30 15:06:17 +0200[diff] [blame]1183 if res != str(start_id + 1):
1184 raise Exception("Response from test server doesn't match the "
1185 "expected value ({0} != {1}).".format(
1186 res, str(start_id + 1)))
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1187
1188 @classmethod
1189 def _create_backend_reencryption_pki(cls):
1190 # Create a CA self-signed cert and key for the member test servers
1191 cls.member_ca_cert, cls.member_ca_key = (
1192 cert_utils.generate_ca_cert_and_key())
1193
1194 LOG.debug('Member CA Cert: %s', cls.member_ca_cert.public_bytes(
1195 serialization.Encoding.PEM))
1196 LOG.debug('Member CA private Key: %s', cls.member_ca_key.private_bytes(
1197 encoding=serialization.Encoding.PEM,
1198 format=serialization.PrivateFormat.TraditionalOpenSSL,
1199 encryption_algorithm=serialization.NoEncryption()))
1200 LOG.debug('Member CA public Key: %s',
1201 cls.member_ca_key.public_key().public_bytes(
1202 encoding=serialization.Encoding.PEM,
1203 format=serialization.PublicFormat.SubjectPublicKeyInfo))
1204
1205 # Create the member client authentication CA
1206 cls.member_client_ca_cert, member_client_ca_key = (
1207 cert_utils.generate_ca_cert_and_key())
1208
1209 # Create client cert and key
1210 cls.member_client_cn = uuidutils.generate_uuid()
1211 cls.member_client_cert, cls.member_client_key = (
1212 cert_utils.generate_client_cert_and_key(
1213 cls.member_client_ca_cert, member_client_ca_key,
1214 cls.member_client_cn))
1215 # Note: We are not revoking a client cert here as we don't need to
1216 # test the backend web server CRL checking.
1217
1218 @classmethod
1219 def _load_member_pki_content(cls, ip_address, ssh_key, revoke_cert=False):
1220 # Create webserver certificate and key
1221 cert, key = cert_utils.generate_server_cert_and_key(
1222 cls.member_ca_cert, cls.member_ca_key, ip_address)
1223
1224 LOG.debug('%s Cert: %s', ip_address, cert.public_bytes(
1225 serialization.Encoding.PEM))
1226 LOG.debug('%s private Key: %s', ip_address, key.private_bytes(
1227 encoding=serialization.Encoding.PEM,
1228 format=serialization.PrivateFormat.TraditionalOpenSSL,
1229 encryption_algorithm=serialization.NoEncryption()))
1230 public_key = key.public_key()
1231 LOG.debug('%s public Key: %s', ip_address, public_key.public_bytes(
1232 encoding=serialization.Encoding.PEM,
1233 format=serialization.PublicFormat.SubjectPublicKeyInfo))
1234
1235 # Create a CRL with a revoked certificate
1236 if revoke_cert:
1237 # Create a CRL with webserver 2 revoked
1238 cls.member_crl = cert_utils.generate_certificate_revocation_list(
1239 cls.member_ca_cert, cls.member_ca_key, cert)
1240
1241 # Load the certificate, key, and client CA certificate into the
1242 # test server.
1243 with tempfile.TemporaryDirectory() as tmpdir:
1244 os.umask(0)
1245 files_to_send = []
1246 cert_filename = os.path.join(tmpdir, const.CERT_PEM)
1247 files_to_send.append(cert_filename)
1248 with open(os.open(cert_filename, os.O_CREAT | os.O_WRONLY,
1249 0o700), 'w') as fh:
1250 fh.write(cert.public_bytes(
1251 serialization.Encoding.PEM).decode('utf-8'))
1252 fh.flush()
1253 key_filename = os.path.join(tmpdir, const.KEY_PEM)
1254 files_to_send.append(key_filename)
1255 with open(os.open(key_filename, os.O_CREAT | os.O_WRONLY,
1256 0o700), 'w') as fh:
1257 fh.write(key.private_bytes(
1258 encoding=serialization.Encoding.PEM,
1259 format=serialization.PrivateFormat.TraditionalOpenSSL,
1260 encryption_algorithm=serialization.NoEncryption()).decode(
1261 'utf-8'))
1262 fh.flush()
1263 client_ca_filename = os.path.join(tmpdir, const.CLIENT_CA_PEM)
1264 files_to_send.append(client_ca_filename)
1265 with open(os.open(client_ca_filename, os.O_CREAT | os.O_WRONLY,
1266 0o700), 'w') as fh:
1267 fh.write(cls.member_client_ca_cert.public_bytes(
1268 serialization.Encoding.PEM).decode('utf-8'))
1269 fh.flush()
1270
1271 # For security, we don't want to use a shell that can glob
1272 # the file names, so iterate over them.
1273 subprocess_args = {'stdout': subprocess.PIPE,
1274 'stderr': subprocess.STDOUT,
1275 'cwd': None}
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1276 ssh_extra_args = (
1277 "-o PubkeyAcceptedKeyTypes=+ssh-rsa")
1278 if cls._need_scp_protocol():
1279 ssh_extra_args += " -O"
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1280 cmd = ("scp -v -o UserKnownHostsFile=/dev/null "
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1281 "{9} "
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1282 "-o StrictHostKeyChecking=no "
1283 "-o ConnectTimeout={0} -o ConnectionAttempts={1} "
1284 "-i {2} {3} {4} {5} {6}@{7}:{8}").format(
1285 CONF.load_balancer.scp_connection_timeout,
1286 CONF.load_balancer.scp_connection_attempts,
1287 ssh_key.name, cert_filename, key_filename, client_ca_filename,
Gregory Thiemongea2c234e2021-11-02 17:08:29 +0100[diff] [blame]1288 CONF.validation.image_ssh_user, ip_address, const.DEV_SHM_PATH,
1289 ssh_extra_args)
Michael Johnsonbaf12e02020-10-27 16:10:28 -0700[diff] [blame]1290 args = shlex.split(cmd)
1291 proc = subprocess.Popen(args, **subprocess_args)
1292 stdout, stderr = proc.communicate()
1293 if proc.returncode != 0:
1294 raise exceptions.CommandFailed(proc.returncode, cmd,
1295 stdout, stderr)