# Copyright 2018 Rackspace US Inc.  All rights reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.
14
15import ipaddress
Michael Johnsonbaf12e02020-10-27 16:10:28 -070016import os
Jude Cross986e3f52017-07-24 14:57:20 -070017import random
Gregory Thiemongea2c234e2021-11-02 17:08:29 +010018import re
Jude Cross986e3f52017-07-24 14:57:20 -070019import shlex
Jude Cross986e3f52017-07-24 14:57:20 -070020import string
21import subprocess
22import tempfile
23
Michael Johnsonbaf12e02020-10-27 16:10:28 -070024from cryptography.hazmat.primitives import serialization
Gregory Thiemongeb0da4f32022-02-04 08:58:06 +010025from oslo_config import cfg
Jude Cross986e3f52017-07-24 14:57:20 -070026from oslo_log import log as logging
27from oslo_utils import uuidutils
28from tempest import config
29from tempest.lib.common.utils import data_utils
30from tempest.lib.common.utils.linux import remote_client
Jude Cross986e3f52017-07-24 14:57:20 -070031from tempest.lib import exceptions
32from tempest import test
Michael Johnson04dc5cb2019-01-20 11:03:50 -080033import tenacity
Jude Cross986e3f52017-07-24 14:57:20 -070034
Michael Johnsonbaf12e02020-10-27 16:10:28 -070035from octavia_tempest_plugin.common import cert_utils
Jude Cross986e3f52017-07-24 14:57:20 -070036from octavia_tempest_plugin.common import constants as const
Tom Weiningerc03e9c32024-04-23 14:07:04 +020037import octavia_tempest_plugin.services.load_balancer.v2 as lbv2
Michael Johnson6006de72021-02-21 01:42:39 +000038from octavia_tempest_plugin.tests import RBAC_tests
Jude Cross986e3f52017-07-24 14:57:20 -070039from octavia_tempest_plugin.tests import validators
40from octavia_tempest_plugin.tests import waiters
41
# Tempest configuration object; every CONF.<group>.<option> read in this
# module goes through it.
CONF = config.CONF
LOG = logging.getLogger(__name__)

# Retry policy for the neutron network/subnet deletes below. The three wait
# values are passed positionally to tenacity.wait_incrementing (start,
# increment, max) and RETRY_ATTEMPTS to tenacity.stop_after_attempt.
RETRY_ATTEMPTS = 15
RETRY_INITIAL_DELAY = 1
RETRY_BACKOFF = 1
RETRY_MAX = 5
49
Gregory Thiemonge29d17902019-04-30 15:06:17 +020050
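class LoadBalancerBaseTest(validators.ValidatorsMixin,
                           RBAC_tests.RBACTestsMixin, test.BaseTestCase):
    """Base class for load balancer tests.

    The class body selects the credential set for the configured RBAC test
    type. The classmethods then wire up the service clients and provide the
    VIP and member networks the tests use (random placeholder IDs in no-op
    mode, operator-supplied networks when an override is configured, or
    freshly created networks otherwise).
    """

    # Each entry is either a plain credential name or a list of
    # [name, role, ...]; which roles are requested depends on the RBAC policy
    # flavour under test (CONF.load_balancer.RBAC_test_type).
    if CONF.load_balancer.RBAC_test_type == const.OWNERADMIN:
        credentials = [
            'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
            ['lb_member', CONF.load_balancer.member_role],
            ['lb_member2', CONF.load_balancer.member_role]]
    elif CONF.load_balancer.RBAC_test_type == const.KEYSTONE_DEFAULT_ROLES:
        credentials = [
            'admin', 'primary',
            ['lb_admin', CONF.load_balancer.admin_role, 'admin'],
            ['lb_observer', CONF.load_balancer.observer_role, 'reader'],
            ['lb_global_observer', CONF.load_balancer.global_observer_role,
             'reader'],
            ['lb_member', CONF.load_balancer.member_role, 'member'],
            ['lb_member2', CONF.load_balancer.member_role, 'member'],
            # Holds only the load balancer member role, without the
            # keystone default 'member' role the two entries above carry.
            ['lb_member_not_default_member', CONF.load_balancer.member_role]]
    else:
        credentials = [
            'admin', 'primary', ['lb_admin', CONF.load_balancer.admin_role],
            ['lb_observer', CONF.load_balancer.observer_role, 'reader'],
            ['lb_global_observer', CONF.load_balancer.global_observer_role,
             'reader'],
            # Note: Some projects are now requiring the 'member' role by
            # default (nova for example) so make sure our creds have this role
            ['lb_member', CONF.load_balancer.member_role, 'member'],
            ['lb_member2', CONF.load_balancer.member_role, 'member']]

    # If scope enforcement is enabled, add in the system scope credentials.
    # The project scope is already handled by the above credentials.
    if CONF.enforce_scope.octavia:
        credentials.extend(['system_admin', 'system_reader'])

    # A tuple of credentials that will be allocated by tempest using the
    # 'credentials' list above. These are used to build RBAC test lists.
    allocated_creds = []
    for cred in credentials:
        if isinstance(cred, list):
            allocated_creds.append('os_roles_' + cred[0])
        else:
            allocated_creds.append('os_' + cred)
    # Tests shall not mess with the list of allocated credentials
    allocated_credentials = tuple(allocated_creds)

    webserver1_response = 1
    webserver2_response = 5
    # Mutable class attribute: _setup_lb_network_kwargs appends to it through
    # cls, so the list is shared by every subclass that does not rebind it.
    used_ips = []

    SRC_PORT_NUMBER_MIN = 32768
    SRC_PORT_NUMBER_MAX = 61000
    src_port_number = SRC_PORT_NUMBER_MIN

    @classmethod
    def skip_checks(cls):
        """Check if we should skip all of the children tests.

        :raises cls.skipException: if a required service is not available,
            or if neither project_networks_reachable nor public_network_id
            is configured.
        """
        super(LoadBalancerBaseTest, cls).skip_checks()

        service_list = {
            'load_balancer': CONF.service_available.load_balancer,
        }

        live_service_list = {
            'compute': CONF.service_available.nova,
            'image': CONF.service_available.glance,
            'neutron': CONF.service_available.neutron
        }

        # Compute, image and network services are only required when the
        # tests run against real (non no-op) drivers.
        if not CONF.load_balancer.test_with_noop:
            service_list.update(live_service_list)

        for service, available in service_list.items():
            if not available:
                skip_msg = ("{0} skipped as {1} service is not "
                            "available.".format(cls.__name__, service))
                raise cls.skipException(skip_msg)

        # We must be able to reach our VIP and instances
        if not (CONF.network.project_networks_reachable
                or CONF.network.public_network_id):
            msg = ('Either project_networks_reachable must be "true", or '
                   'public_network_id must be defined.')
            raise cls.skipException(msg)

    @classmethod
    def setup_credentials(cls):
        """Setup test credentials and network resources.

        When CONF.load_balancer.log_user_roles is set, the role assignments
        of every allocated credential are looked up with the admin
        credential and written to the log at INFO. Only the user name, role
        names and role scope are logged.
        """
        # Do not auto create network resources
        cls.set_network_resources()
        super(LoadBalancerBaseTest, cls).setup_credentials()

        if not CONF.load_balancer.log_user_roles:
            return

        # Log the user roles for this test run
        # role id -> role name, so each role is looked up only once.
        role_name_cache = {}
        for cred in cls.credentials:
            user_roles = []
            if isinstance(cred, list):
                user_name = cred[0]
                cred_obj = getattr(cls, 'os_roles_' + cred[0])
            else:
                user_name = cred
                cred_obj = getattr(cls, 'os_' + cred)
            params = {'user.id': cred_obj.credentials.user_id,
                      'project.id': cred_obj.credentials.project_id}
            roles = cls.os_admin.role_assignments_client.list_role_assignments(
                **params)['role_assignments']
            for role in roles:
                role_id = role['role']['id']
                try:
                    role_name = role_name_cache[role_id]
                except KeyError:
                    role_name = cls.os_admin.roles_v3_client.show_role(
                        role_id)['role']['name']
                    role_name_cache[role_id] = role_name
                user_roles.append([role_name, role['scope']])
            LOG.info("User %s has roles: %s", user_name, user_roles)

    @classmethod
    def setup_clients(cls):
        """Setup client aliases.

        Clients named lb_mem_* / mem_* are taken from the lb_member
        credential, lb_admin_* from the lb_admin credential and os_admin_*
        from the admin credential.
        """
        super(LoadBalancerBaseTest, cls).setup_clients()
        lb_admin_prefix = cls.os_roles_lb_admin.load_balancer_v2
        cls.lb_mem_float_ip_client = cls.os_roles_lb_member.floating_ips_client
        cls.lb_mem_keypairs_client = cls.os_roles_lb_member.keypairs_client
        cls.lb_mem_net_client = cls.os_roles_lb_member.networks_client
        cls.lb_mem_ports_client = cls.os_roles_lb_member.ports_client
        cls.lb_mem_routers_client = cls.os_roles_lb_member.routers_client
        cls.lb_mem_SG_client = cls.os_roles_lb_member.security_groups_client
        cls.lb_mem_SGr_client = (
            cls.os_roles_lb_member.security_group_rules_client)
        cls.lb_mem_servers_client = cls.os_roles_lb_member.servers_client
        cls.lb_mem_subnet_client = cls.os_roles_lb_member.subnets_client
        cls.mem_lb_client: lbv2.LoadbalancerClient = (
            cls.os_roles_lb_member.load_balancer_v2.LoadbalancerClient())
        cls.mem_listener_client: lbv2.ListenerClient = (
            cls.os_roles_lb_member.load_balancer_v2.ListenerClient())
        cls.mem_pool_client: lbv2.PoolClient = (
            cls.os_roles_lb_member.load_balancer_v2.PoolClient())
        cls.mem_member_client: lbv2.MemberClient = (
            cls.os_roles_lb_member.load_balancer_v2.MemberClient())
        cls.mem_healthmonitor_client: lbv2.HealthMonitorClient = (
            cls.os_roles_lb_member.load_balancer_v2.HealthMonitorClient())
        cls.mem_l7policy_client: lbv2.L7PolicyClient = (
            cls.os_roles_lb_member.load_balancer_v2.L7PolicyClient())
        cls.mem_l7rule_client: lbv2.L7RuleClient = (
            cls.os_roles_lb_member.load_balancer_v2.L7RuleClient())
        cls.lb_admin_amphora_client: lbv2.AmphoraClient = (
            lb_admin_prefix.AmphoraClient())
        cls.lb_admin_flavor_profile_client: lbv2.FlavorProfileClient = (
            lb_admin_prefix.FlavorProfileClient())
        cls.lb_admin_flavor_client: lbv2.FlavorClient = (
            lb_admin_prefix.FlavorClient())
        cls.mem_flavor_client: lbv2.FlavorClient = (
            cls.os_roles_lb_member.load_balancer_v2.FlavorClient())
        cls.mem_provider_client: lbv2.ProviderClient = (
            cls.os_roles_lb_member.load_balancer_v2.ProviderClient())
        cls.os_admin_servers_client = cls.os_admin.servers_client
        cls.os_admin_routers_client = cls.os_admin.routers_client
        cls.os_admin_subnetpools_client = cls.os_admin.subnetpools_client
        cls.lb_admin_flavor_capabilities_client = (
            lb_admin_prefix.FlavorCapabilitiesClient())
        cls.lb_admin_availability_zone_capabilities_client = (
            lb_admin_prefix.AvailabilityZoneCapabilitiesClient())
        cls.lb_admin_availability_zone_profile_client = (
            lb_admin_prefix.AvailabilityZoneProfileClient())
        cls.lb_admin_availability_zone_client = (
            lb_admin_prefix.AvailabilityZoneClient())
        cls.mem_availability_zone_client = (
            cls.os_roles_lb_member.load_balancer_v2.AvailabilityZoneClient())

    @classmethod
    def resource_setup(cls):
        """Setup resources needed by the tests.

        Sets cls.api_version, cls.lb_algorithm and the lb_member_* network
        and subnet attributes. In no-op mode the attributes are dicts holding
        random UUIDs and the method returns early; with
        test_network_override the configured network/subnets are looked up;
        otherwise _create_networks() builds new ones.

        :raises InvalidConfiguration: if test_subnet_override is set without
            test_network_override.
        """
        super(LoadBalancerBaseTest, cls).resource_setup()

        conf_lb = CONF.load_balancer

        cls.api_version = cls.mem_lb_client.get_max_api_version()

        if conf_lb.test_subnet_override and not conf_lb.test_network_override:
            raise exceptions.InvalidConfiguration(
                "Configuration value test_network_override must be "
                "specified if test_subnet_override is used.")

        # TODO(johnsom) Remove this
        # Get loadbalancing algorithms supported by provider driver.
        try:
            algorithms = const.SUPPORTED_LB_ALGORITHMS[
                CONF.load_balancer.provider]
        except KeyError:
            algorithms = const.SUPPORTED_LB_ALGORITHMS['default']
        # Set default algorithm as first from the list.
        cls.lb_algorithm = algorithms[0]

        show_subnet = cls.lb_mem_subnet_client.show_subnet
        if CONF.load_balancer.test_with_noop:
            # No real neutron resources in no-op mode: placeholder IDs only.
            cls.lb_member_vip_net = {'id': uuidutils.generate_uuid()}
            cls.lb_member_vip_subnet = {'id': uuidutils.generate_uuid()}
            cls.lb_member_1_net = {'id': uuidutils.generate_uuid()}
            cls.lb_member_1_subnet = {'id': uuidutils.generate_uuid()}
            cls.lb_member_2_net = {'id': uuidutils.generate_uuid()}
            cls.lb_member_2_subnet = {'id': uuidutils.generate_uuid()}
            if CONF.load_balancer.test_with_ipv6:
                cls.lb_member_vip_ipv6_net = {'id': uuidutils.generate_uuid()}
                cls.lb_member_vip_ipv6_subnet = {'id':
                                                 uuidutils.generate_uuid()}
                cls.lb_member_1_ipv6_subnet = {'id': uuidutils.generate_uuid()}
                cls.lb_member_2_ipv6_subnet = {'id': uuidutils.generate_uuid()}
                cls.lb_member_vip_ipv6_subnet_stateful = True
            return
        elif CONF.load_balancer.test_network_override:
            # NOTE(review): the show_subnet() results are stored as
            # returned. _setup_lb_network_kwargs reads a show_subnet()
            # response through ['subnet'], while the code below indexes
            # these values with const.ID and [0] - confirm the shape the
            # client really returns.
            if conf_lb.test_subnet_override:
                override_subnet = show_subnet(conf_lb.test_subnet_override)
            else:
                override_subnet = None

            show_net = cls.lb_mem_net_client.show_network
            override_network = show_net(conf_lb.test_network_override)
            override_network = override_network.get('network')

            cls.lb_member_vip_net = override_network
            cls.lb_member_vip_subnet = override_subnet
            cls.lb_member_1_net = override_network
            cls.lb_member_1_subnet = override_subnet
            cls.lb_member_2_net = override_network
            cls.lb_member_2_subnet = override_subnet

            if (CONF.load_balancer.test_with_ipv6 and
                    conf_lb.test_IPv6_subnet_override):
                override_ipv6_subnet = show_subnet(
                    conf_lb.test_IPv6_subnet_override)
                cls.lb_member_vip_ipv6_subnet = override_ipv6_subnet
                cls.lb_member_1_ipv6_subnet = override_ipv6_subnet
                cls.lb_member_2_ipv6_subnet = override_ipv6_subnet
                cls.lb_member_vip_ipv6_subnet_stateful = False
                if (override_ipv6_subnet[0]['ipv6_address_mode'] ==
                        'dhcpv6-stateful'):
                    cls.lb_member_vip_ipv6_subnet_stateful = True
            else:
                cls.lb_member_vip_ipv6_subnet = None
                cls.lb_member_1_ipv6_subnet = None
                cls.lb_member_2_ipv6_subnet = None
        else:
            cls._create_networks()

        LOG.debug('Octavia Setup: lb_member_vip_net = {}'.format(
            cls.lb_member_vip_net[const.ID]))
        if cls.lb_member_vip_subnet:
            LOG.debug('Octavia Setup: lb_member_vip_subnet = {}'.format(
                cls.lb_member_vip_subnet[const.ID]))
        LOG.debug('Octavia Setup: lb_member_1_net = {}'.format(
            cls.lb_member_1_net[const.ID]))
        if cls.lb_member_1_subnet:
            LOG.debug('Octavia Setup: lb_member_1_subnet = {}'.format(
                cls.lb_member_1_subnet[const.ID]))
        LOG.debug('Octavia Setup: lb_member_2_net = {}'.format(
            cls.lb_member_2_net[const.ID]))
        if cls.lb_member_2_subnet:
            LOG.debug('Octavia Setup: lb_member_2_subnet = {}'.format(
                cls.lb_member_2_subnet[const.ID]))
        if CONF.load_balancer.test_with_ipv6:
            if cls.lb_member_vip_ipv6_subnet:
                LOG.debug('Octavia Setup: lb_member_vip_ipv6_subnet = '
                          '{}'.format(cls.lb_member_vip_ipv6_subnet[const.ID]))
            if cls.lb_member_1_ipv6_subnet:
                LOG.debug('Octavia Setup: lb_member_1_ipv6_subnet = {}'.format(
                    cls.lb_member_1_ipv6_subnet[const.ID]))
            if cls.lb_member_2_ipv6_subnet:
                LOG.debug('Octavia Setup: lb_member_2_ipv6_subnet = {}'.format(
                    cls.lb_member_2_ipv6_subnet[const.ID]))

    @classmethod
    # Neutron can be slow to clean up ports from the subnets/networks.
    # Retry this delete a few times if we get a "Conflict" error to give
    # neutron time to fully cleanup the ports.
    @tenacity.retry(
        retry=tenacity.retry_if_exception_type(exceptions.Conflict),
        wait=tenacity.wait_incrementing(
            RETRY_INITIAL_DELAY, RETRY_BACKOFF, RETRY_MAX),
        stop=tenacity.stop_after_attempt(RETRY_ATTEMPTS))
    def _logging_delete_network(cls, net_id):
        """Delete a network, logging the port list if the delete fails.

        Any exception is re-raised after logging, so the retry decorator
        still sees Conflict errors.

        :param net_id: ID of the network to delete.
        """
        try:
            cls.lb_mem_net_client.delete_network(net_id)
        except Exception:
            LOG.error('Unable to delete network {}. Active ports:'.format(
                net_id))
            # list_ports() is called without a filter, so the complete
            # response for the lb_member credential lands in the log.
            LOG.error(cls.lb_mem_ports_client.list_ports())
            raise

    @classmethod
    # Neutron can be slow to clean up ports from the subnets/networks.
    # Retry this delete a few times if we get a "Conflict" error to give
    # neutron time to fully cleanup the ports.
    @tenacity.retry(
        retry=tenacity.retry_if_exception_type(exceptions.Conflict),
        wait=tenacity.wait_incrementing(
            RETRY_INITIAL_DELAY, RETRY_BACKOFF, RETRY_MAX),
        stop=tenacity.stop_after_attempt(RETRY_ATTEMPTS))
    def _logging_delete_subnet(cls, subnet_id):
        """Delete a subnet, logging the port list if the delete fails.

        Any exception is re-raised after logging, so the retry decorator
        still sees Conflict errors.

        :param subnet_id: ID of the subnet to delete.
        """
        try:
            cls.lb_mem_subnet_client.delete_subnet(subnet_id)
        except Exception:
            LOG.error('Unable to delete subnet {}. Active ports:'.format(
                subnet_id))
            # list_ports() is called without a filter, so the complete
            # response for the lb_member credential lands in the log.
            LOG.error(cls.lb_mem_ports_client.list_ports())
            raise

    @classmethod
    def _create_networks(cls):
        """Creates networks, subnets, and routers used in tests.

        The following are expected to be defined and available to the tests:
            cls.lb_member_vip_net
            cls.lb_member_vip_subnet
            cls.lb_member_vip_ipv6_subnet (optional)
            cls.lb_member_1_net
            cls.lb_member_1_subnet
            cls.lb_member_1_ipv6_subnet (optional)
            cls.lb_member_2_net
            cls.lb_member_2_subnet
            cls.lb_member_2_ipv6_subnet (optional)

        Every created resource gets a class-level cleanup registered right
        after creation.

        :raises InvalidConfiguration: if a member IPv6 subnet CIDR option
            does not end in a numeric prefix length.
        """

        # Create tenant VIP network
        network_kwargs = {
            'name': data_utils.rand_name("lb_member_vip_network")}
        if CONF.network_feature_enabled.port_security:
            # Note: Allowed Address Pairs requires port security
            network_kwargs['port_security_enabled'] = True
        result = cls.lb_mem_net_client.create_network(**network_kwargs)
        cls.lb_member_vip_net = result['network']
        LOG.info('lb_member_vip_net: {}'.format(cls.lb_member_vip_net))
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls._logging_delete_network,
            cls.lb_mem_net_client.show_network,
            cls.lb_member_vip_net['id'])

        # Create tenant VIP subnet
        subnet_kwargs = {
            'name': data_utils.rand_name("lb_member_vip_subnet"),
            'network_id': cls.lb_member_vip_net['id'],
            'cidr': CONF.load_balancer.vip_subnet_cidr,
            'ip_version': 4}
        result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
        cls.lb_member_vip_subnet = result['subnet']
        LOG.info('lb_member_vip_subnet: {}'.format(cls.lb_member_vip_subnet))
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls._logging_delete_subnet,
            cls.lb_mem_subnet_client.show_subnet,
            cls.lb_member_vip_subnet['id'])

        # Create tenant VIP IPv6 subnet
        if CONF.load_balancer.test_with_ipv6:
            cls.lb_member_vip_ipv6_subnet_stateful = False
            cls.lb_member_vip_ipv6_subnet_use_subnetpool = False
            subnet_kwargs = {
                'name': data_utils.rand_name("lb_member_vip_ipv6_subnet"),
                'network_id': cls.lb_member_vip_net['id'],
                'ip_version': 6}

            # Use a CIDR from devstack's default IPv6 subnetpool if it exists,
            # the subnetpool's cidr is routable from the devstack node
            # through the default router
            subnetpool_name = CONF.load_balancer.default_ipv6_subnetpool
            if subnetpool_name:
                subnetpool = cls.os_admin_subnetpools_client.list_subnetpools(
                    name=subnetpool_name)['subnetpools']
                # Only use the pool when the name matches exactly one.
                if len(subnetpool) == 1:
                    subnetpool = subnetpool[0]
                    subnet_kwargs['subnetpool_id'] = subnetpool['id']
                    cls.lb_member_vip_ipv6_subnet_use_subnetpool = True

            if 'subnetpool_id' not in subnet_kwargs:
                subnet_kwargs['cidr'] = (
                    CONF.load_balancer.vip_ipv6_subnet_cidr)

            result = cls.lb_mem_subnet_client.create_subnet(
                **subnet_kwargs)
            cls.lb_member_vip_ipv6_net = cls.lb_member_vip_net
            cls.lb_member_vip_ipv6_subnet = result['subnet']
            cls.addClassResourceCleanup(
                waiters.wait_for_not_found,
                cls._logging_delete_subnet,
                cls.lb_mem_subnet_client.show_subnet,
                cls.lb_member_vip_ipv6_subnet['id'])

            LOG.info('lb_member_vip_ipv6_subnet: {}'.format(
                cls.lb_member_vip_ipv6_subnet))

        # Create tenant member 1 network
        network_kwargs = {
            'name': data_utils.rand_name("lb_member_1_network")}
        if CONF.network_feature_enabled.port_security:
            # Port security on the member network follows the
            # enable_security_groups option; when that option is off the
            # network is created with port security explicitly disabled.
            if CONF.load_balancer.enable_security_groups:
                network_kwargs['port_security_enabled'] = True
            else:
                network_kwargs['port_security_enabled'] = False
        result = cls.lb_mem_net_client.create_network(**network_kwargs)
        cls.lb_member_1_net = result['network']
        LOG.info('lb_member_1_net: {}'.format(cls.lb_member_1_net))
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls._logging_delete_network,
            cls.lb_mem_net_client.show_network,
            cls.lb_member_1_net['id'])

        # Create tenant member 1 subnet
        subnet_kwargs = {
            'name': data_utils.rand_name("lb_member_1_subnet"),
            'network_id': cls.lb_member_1_net['id'],
            'cidr': CONF.load_balancer.member_1_ipv4_subnet_cidr,
            'ip_version': 4}
        result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
        cls.lb_member_1_subnet = result['subnet']
        LOG.info('lb_member_1_subnet: {}'.format(cls.lb_member_1_subnet))
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls._logging_delete_subnet,
            cls.lb_mem_subnet_client.show_subnet,
            cls.lb_member_1_subnet['id'])

        # Create tenant member 1 ipv6 subnet
        if CONF.load_balancer.test_with_ipv6:
            # Validate the configured prefix length before creating anything:
            # an assert would vanish under "python -O", and failing after
            # create_subnet() would leave the subnet without a registered
            # cleanup.
            member_1_prefix = (
                CONF.load_balancer.member_1_ipv6_subnet_cidr.rpartition('/')[2]
            )
            if not member_1_prefix.isdigit():
                raise exceptions.InvalidConfiguration(
                    "Configuration value member_1_ipv6_subnet_cidr must "
                    "end in a numeric prefix length.")
            subnet_kwargs = {
                'name': data_utils.rand_name("lb_member_1_ipv6_subnet"),
                'network_id': cls.lb_member_1_net['id'],
                'cidr': CONF.load_balancer.member_1_ipv6_subnet_cidr,
                'ip_version': 6}
            result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
            cls.lb_member_1_subnet_prefix = member_1_prefix
            cls.lb_member_1_ipv6_subnet = result['subnet']
            LOG.info('lb_member_1_ipv6_subnet: {}'.format(
                cls.lb_member_1_ipv6_subnet))
            cls.addClassResourceCleanup(
                waiters.wait_for_not_found,
                cls._logging_delete_subnet,
                cls.lb_mem_subnet_client.show_subnet,
                cls.lb_member_1_ipv6_subnet['id'])

        # Create tenant member 2 network
        network_kwargs = {
            'name': data_utils.rand_name("lb_member_2_network")}
        if CONF.network_feature_enabled.port_security:
            # Same port security policy as the member 1 network.
            if CONF.load_balancer.enable_security_groups:
                network_kwargs['port_security_enabled'] = True
            else:
                network_kwargs['port_security_enabled'] = False
        result = cls.lb_mem_net_client.create_network(**network_kwargs)
        cls.lb_member_2_net = result['network']
        LOG.info('lb_member_2_net: {}'.format(cls.lb_member_2_net))
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls._logging_delete_network,
            cls.lb_mem_net_client.show_network,
            cls.lb_member_2_net['id'])

        # Create tenant member 2 subnet
        subnet_kwargs = {
            'name': data_utils.rand_name("lb_member_2_subnet"),
            'network_id': cls.lb_member_2_net['id'],
            'cidr': CONF.load_balancer.member_2_ipv4_subnet_cidr,
            'ip_version': 4}
        result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
        cls.lb_member_2_subnet = result['subnet']
        LOG.info('lb_member_2_subnet: {}'.format(cls.lb_member_2_subnet))
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls._logging_delete_subnet,
            cls.lb_mem_subnet_client.show_subnet,
            cls.lb_member_2_subnet['id'])

        # Create tenant member 2 ipv6 subnet
        if CONF.load_balancer.test_with_ipv6:
            # Same up-front validation as for the member 1 IPv6 subnet.
            member_2_prefix = (
                CONF.load_balancer.member_2_ipv6_subnet_cidr.rpartition('/')[2]
            )
            if not member_2_prefix.isdigit():
                raise exceptions.InvalidConfiguration(
                    "Configuration value member_2_ipv6_subnet_cidr must "
                    "end in a numeric prefix length.")
            subnet_kwargs = {
                'name': data_utils.rand_name("lb_member_2_ipv6_subnet"),
                'network_id': cls.lb_member_2_net['id'],
                'cidr': CONF.load_balancer.member_2_ipv6_subnet_cidr,
                'ip_version': 6}
            result = cls.lb_mem_subnet_client.create_subnet(**subnet_kwargs)
            cls.lb_member_2_subnet_prefix = member_2_prefix
            cls.lb_member_2_ipv6_subnet = result['subnet']
            LOG.info('lb_member_2_ipv6_subnet: {}'.format(
                cls.lb_member_2_ipv6_subnet))
            cls.addClassResourceCleanup(
                waiters.wait_for_not_found,
                cls._logging_delete_subnet,
                cls.lb_mem_subnet_client.show_subnet,
                cls.lb_member_2_ipv6_subnet['id'])

    @classmethod
    def _setup_lb_network_kwargs(cls, lb_kwargs, ip_version=None,
                                 use_fixed_ip=False):
        """Fill in the VIP network keys of a load balancer create request.

        Mutates lb_kwargs in place and returns nothing.

        :param lb_kwargs: dict of load balancer create arguments to update.
        :param ip_version: 4 or 6; when falsy, 6 is used if test_with_ipv6
            is set and 4 otherwise.
        :param use_fixed_ip: request a specific VIP address. Ignored for a
            real IPv6 subnet that is not dhcpv6-stateful.
        :raises RuntimeError: if no unused VIP host index is left.
        """
        if not ip_version:
            ip_version = 6 if CONF.load_balancer.test_with_ipv6 else 4
        if cls.lb_member_vip_subnet or cls.lb_member_vip_ipv6_subnet:
            index_min, index_max = 10, 100
            # used_ips is shared across test classes and only ever grows.
            # rand_int_id is assumed to draw from [index_min, index_max];
            # stop one short of the full range so the loop below always
            # has a free index instead of spinning forever.
            if len(cls.used_ips) >= index_max - index_min:
                raise RuntimeError(
                    'No unused VIP address index left in the range '
                    '{}-{}.'.format(index_min, index_max))
            ip_index = data_utils.rand_int_id(start=index_min, end=index_max)
            while ip_index in cls.used_ips:
                ip_index = data_utils.rand_int_id(
                    start=index_min, end=index_max)
            cls.used_ips.append(ip_index)
            if ip_version == 4:
                subnet_id = cls.lb_member_vip_subnet[const.ID]
                if CONF.load_balancer.test_with_noop:
                    # Fixed placeholder from the 198.18.0.0/15 benchmarking
                    # range; nothing is plugged in no-op mode.
                    lb_vip_address = '198.18.33.33'
                else:
                    subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
                    network = ipaddress.IPv4Network(subnet['subnet']['cidr'])
                    lb_vip_address = str(network[ip_index])
            else:
                subnet_id = cls.lb_member_vip_ipv6_subnet[const.ID]
                if CONF.load_balancer.test_with_noop:
                    # Fixed placeholder from the 2001:db8::/32
                    # documentation range.
                    lb_vip_address = '2001:db8:33:33:33:33:33:33'
                else:
                    subnet = cls.os_admin.subnets_client.show_subnet(subnet_id)
                    network = ipaddress.IPv6Network(subnet['subnet']['cidr'])
                    lb_vip_address = str(network[ip_index])
                    # If the subnet is IPv6 slaac or dhcpv6-stateless
                    # neutron does not allow a fixed IP
                    if not cls.lb_member_vip_ipv6_subnet_stateful:
                        use_fixed_ip = False
            lb_kwargs[const.VIP_SUBNET_ID] = subnet_id
            if use_fixed_ip:
                lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
            if CONF.load_balancer.test_with_noop:
                lb_kwargs[const.VIP_NETWORK_ID] = (
                    cls.lb_member_vip_net[const.ID])
                if ip_version == 6:
                    lb_kwargs[const.VIP_ADDRESS] = lb_vip_address
        else:
            # No VIP subnet known: identify the VIP by network only.
            lb_kwargs[const.VIP_NETWORK_ID] = cls.lb_member_vip_net[const.ID]
            lb_kwargs[const.VIP_SUBNET_ID] = None

    def _validate_listener_protocol(self, protocol, raise_if_unsupported=True):
        """Check whether the API version under test supports a protocol.

        Only SCTP is gated here (on API version 2.23); every other protocol
        is reported as supported.

        :param protocol: listener protocol constant to check.
        :param raise_if_unsupported: skip the test instead of returning
            False when the protocol is not supported.
        :returns: True if supported, False otherwise.
        :raises self.skipException: if unsupported and raise_if_unsupported
            is true.
        """
        if (protocol == const.SCTP and
                not self.mem_listener_client.is_version_supported(
                    self.api_version, '2.23')):
            if raise_if_unsupported:
                raise self.skipException('SCTP listener protocol '
                                         'is only available on Octavia '
                                         'API version 2.23 or newer.')
            return False
        return True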
603
Adam Harwellcd72b562018-05-07 11:37:22 -0700604
605class LoadBalancerBaseTestWithCompute(LoadBalancerBaseTest):
    @classmethod
    def remote_client_args(cls):
        """Return optional keyword arguments for the SSH remote client.

        The result holds 'ssh_key_type' taken from CONF.validation when that
        option exists, and is empty otherwise.
        """
        # In case we're using octavia-tempest-plugin with old tempest releases
        # (for instance on stable/train) that don't support ssh_key_type, catch
        # the exception and don't pass any argument
        try:
            key_type = CONF.validation.ssh_key_type
        except cfg.NoSuchOptError:
            return {}
        return {'ssh_key_type': key_type}
617
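    @classmethod
    def resource_setup(cls):
        """Create the compute-side fixtures shared by the tests of the class.

        Nothing beyond the parent setup is done when
        ``CONF.validation.run_validation`` is false. Otherwise this creates
        a keypair, a security group with the ingress rules the test servers
        need (only if security groups and port security are enabled), the
        backend re-encryption PKI and two member servers, then starts and
        validates the test server on both of them. Each created resource
        gets a class-level cleanup.
        """
        super(LoadBalancerBaseTestWithCompute, cls).resource_setup()
        # If validation is disabled in this cloud, we won't be able to
        # start the webservers, so don't even boot them.
        if not CONF.validation.run_validation:
            return

        # Create a keypair for the webservers
        keypair_name = data_utils.rand_name('lb_member_keypair')
        result = cls.lb_mem_keypairs_client.create_keypair(
            name=keypair_name)
        cls.lb_member_keypair = result['keypair']
        # The keypair holds the SSH private key that is used further down to
        # log in to the member servers. Test logs are often archived and
        # shared, so log everything except the key material.
        loggable_keypair = {
            field: value for field, value in cls.lb_member_keypair.items()
            if field != 'private_key'}
        LOG.info('lb_member_keypair: {}'.format(loggable_keypair))
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls.lb_mem_keypairs_client.delete_keypair,
            cls.lb_mem_keypairs_client.show_keypair,
            keypair_name)

        if (CONF.load_balancer.enable_security_groups and
                CONF.network_feature_enabled.port_security):
            # Set up the security group for the webservers
            SG_name = data_utils.rand_name('lb_member_SG')
            cls.lb_member_sec_group = (
                cls.lb_mem_SG_client.create_security_group(
                    name=SG_name)['security_group'])
            cls.addClassResourceCleanup(
                waiters.wait_for_not_found,
                cls.lb_mem_SG_client.delete_security_group,
                cls.lb_mem_SG_client.show_security_group,
                cls.lb_member_sec_group['id'])

            def _allow_ingress(ethertype, protocol, port_min, port_max):
                # Open one ingress port range on the member security group
                # and schedule the removal of the rule. No remote prefix or
                # remote group is passed, so these rules do not restrict the
                # traffic source.
                rule = cls.lb_mem_SGr_client.create_security_group_rule(
                    direction='ingress',
                    security_group_id=cls.lb_member_sec_group['id'],
                    protocol=protocol,
                    ethertype=ethertype,
                    port_range_min=port_min,
                    port_range_max=port_max)['security_group_rule']
                cls.addClassResourceCleanup(
                    waiters.wait_for_not_found,
                    cls.lb_mem_SGr_client.delete_security_group_rule,
                    cls.lb_mem_SGr_client.show_security_group_rule,
                    rule['id'])

            # Each entry is (protocol, port_range_min, port_range_max).
            ipv4_rules = (
                ('tcp', 80, 81),  # test webservers
                ('udp', 80, 81),  # test webservers (UDP)
                ('tcp', 443, 443),  # test webservers
                # Used in the pool backend encryption client authentication
                # tests
                ('tcp', 9443, 9443),
                # Port 9999 is used to illustrate health monitor ERRORs on
                # closed ports.
                ('udp', 9999, 9999),
                ('tcp', 22, 22),  # ssh
            )
            for protocol, port_min, port_max in ipv4_rules:
                _allow_ingress('IPv4', protocol, port_min, port_max)

            if CONF.load_balancer.test_with_ipv6:
                # Same set as IPv4, minus the UDP 9999 rule.
                ipv6_rules = (
                    ('tcp', 80, 81),  # test webservers
                    ('udp', 80, 81),  # test webservers (UDP)
                    ('tcp', 443, 443),  # test webservers
                    # Used in the pool encryption client authentication
                    # tests
                    ('tcp', 9443, 9443),
                    ('tcp', 22, 22),  # ssh
                )
                for protocol, port_min, port_max in ipv6_rules:
                    _allow_ingress('IPv6', protocol, port_min, port_max)

            LOG.info('lb_member_sec_group: {}'.format(cls.lb_member_sec_group))

        # Setup backend member reencryption PKI
        cls._create_backend_reencryption_pki()

        # Create webserver 1 instance
        server_details = cls._create_webserver('lb_member_webserver1',
                                               cls.lb_member_1_net)

        cls.lb_member_webserver1 = server_details['server']
        cls.webserver1_ip = server_details.get('ipv4_address')
        cls.webserver1_ipv6 = server_details.get('ipv6_address')
        cls.webserver1_public_ip = server_details['public_ipv4_address']

        LOG.debug('Octavia Setup: lb_member_webserver1 = {}'.format(
            cls.lb_member_webserver1[const.ID]))
        LOG.debug('Octavia Setup: webserver1_ip = {}'.format(
            cls.webserver1_ip))
        LOG.debug('Octavia Setup: webserver1_ipv6 = {}'.format(
            cls.webserver1_ipv6))
        LOG.debug('Octavia Setup: webserver1_public_ip = {}'.format(
            cls.webserver1_public_ip))

        # Create webserver 2 instance
        server_details = cls._create_webserver('lb_member_webserver2',
                                               cls.lb_member_2_net)

        cls.lb_member_webserver2 = server_details['server']
        cls.webserver2_ip = server_details.get('ipv4_address')
        cls.webserver2_ipv6 = server_details.get('ipv6_address')
        cls.webserver2_public_ip = server_details['public_ipv4_address']

        LOG.debug('Octavia Setup: lb_member_webserver2 = {}'.format(
            cls.lb_member_webserver2[const.ID]))
        LOG.debug('Octavia Setup: webserver2_ip = {}'.format(
            cls.webserver2_ip))
        LOG.debug('Octavia Setup: webserver2_ipv6 = {}'.format(
            cls.webserver2_ipv6))
        LOG.debug('Octavia Setup: webserver2_public_ip = {}'.format(
            cls.webserver2_public_ip))

        if CONF.load_balancer.test_with_ipv6:
            # Enable the IPv6 nic in webserver 1
            cls._enable_ipv6_nic_webserver(
                cls.webserver1_public_ip, cls.lb_member_keypair['private_key'],
                cls.webserver1_ipv6, cls.lb_member_1_subnet_prefix)

            # Enable the IPv6 nic in webserver 2
            cls._enable_ipv6_nic_webserver(
                cls.webserver2_public_ip, cls.lb_member_keypair['private_key'],
                cls.webserver2_ipv6, cls.lb_member_2_subnet_prefix)

        # Set up serving on webserver 1
        cls._install_start_webserver(cls.webserver1_public_ip,
                                     cls.lb_member_keypair['private_key'],
                                     cls.webserver1_response)

        # Validate webserver 1
        cls._validate_webserver(cls.webserver1_public_ip,
                                cls.webserver1_response)

        # Validate udp server 1
        cls._validate_udp_server(cls.webserver1_public_ip,
                                 cls.webserver1_response)

        # Set up serving on webserver 2; its certificate is the one placed
        # on the CRL (revoke_cert=True).
        cls._install_start_webserver(cls.webserver2_public_ip,
                                     cls.lb_member_keypair['private_key'],
                                     cls.webserver2_response, revoke_cert=True)

        # Validate webserver 2
        cls._validate_webserver(cls.webserver2_public_ip,
                                cls.webserver2_response)

        # Validate udp server 2
        cls._validate_udp_server(cls.webserver2_public_ip,
                                 cls.webserver2_response)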
878
    @classmethod
    def _create_networks(cls):
        """Create the member router and plug the test subnets into it.

        After the parent class has created its networks, a router with a
        gateway on ``CONF.network.public_network_id`` is created and the VIP
        subnet and both member subnets are attached to it. When IPv6 testing
        is enabled, a default router is configured and the IPv6 VIP subnet
        uses the subnetpool, that subnet is attached to the default router
        with the admin client. Every attachment gets a class-level cleanup.
        """
        super(LoadBalancerBaseTestWithCompute, cls)._create_networks()

        def _attach(routers_client, router_id, subnet_id):
            # Plug a subnet into a router and schedule its removal. The
            # remove call is registered as both the delete and the show
            # function of wait_for_not_found.
            routers_client.add_router_interface(
                router_id, subnet_id=subnet_id)
            cls.addClassResourceCleanup(
                waiters.wait_for_not_found,
                routers_client.remove_router_interface,
                routers_client.remove_router_interface,
                router_id, subnet_id=subnet_id)

        # Create a router for the subnets (required for the floating IP)
        created = cls.lb_mem_routers_client.create_router(
            name=data_utils.rand_name("lb_member_router"),
            admin_state_up=True,
            external_gateway_info={
                'network_id': CONF.network.public_network_id})
        cls.lb_member_router = created['router']
        LOG.info('lb_member_router: {}'.format(cls.lb_member_router))
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls.lb_mem_routers_client.delete_router,
            cls.lb_mem_routers_client.show_router,
            cls.lb_member_router['id'])

        # Add VIP subnet to router
        _attach(cls.lb_mem_routers_client, cls.lb_member_router['id'],
                cls.lb_member_vip_subnet['id'])

        use_default_router = (
            CONF.load_balancer.test_with_ipv6 and
            CONF.load_balancer.default_router and
            cls.lb_member_vip_ipv6_subnet_use_subnetpool)
        if use_default_router:
            # if lb_member_vip_ipv6_subnet uses devstack's subnetpool,
            # plug the subnet into the default router
            matches = cls.os_admin.routers_client.list_routers(
                name=CONF.load_balancer.default_router)['routers']

            # Only act on an unambiguous match.
            if len(matches) == 1:
                # Add IPv6 VIP subnet to router1
                _attach(cls.os_admin_routers_client, matches[0]['id'],
                        cls.lb_member_vip_ipv6_subnet['id'])

        # Add member subnet 1 to router
        _attach(cls.lb_mem_routers_client, cls.lb_member_router['id'],
                cls.lb_member_1_subnet['id'])

        # Add member subnet 2 to router
        _attach(cls.lb_mem_routers_client, cls.lb_member_router['id'],
                cls.lb_member_2_subnet['id'])
950
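    @classmethod
    def _create_webserver(cls, name, network):
        """Creates a webserver with two ports.

        webserver_details dictionary contains:
        server - The compute server object
        ipv4_address - The IPv4 address for the server (optional)
        ipv6_address - The IPv6 address for the server (optional)
        public_ipv4_address - The publicly accessible IPv4 address for the
                              server, this may be a floating IP (optional)

        The server and, when one is created, its floating IP are registered
        for class-level cleanup.

        :param name: The name of the server to create.
        :param network: The network to boot the server on.
        :returns: webserver_details dictionary.
        """
        server_kwargs = {
            'name': data_utils.rand_name(name),
            'flavorRef': CONF.compute.flavor_ref,
            'imageRef': CONF.compute.image_ref,
            'key_name': cls.lb_member_keypair['name']}
        if (CONF.load_balancer.enable_security_groups and
                CONF.network_feature_enabled.port_security):
            server_kwargs['security_groups'] = [
                {'name': cls.lb_member_sec_group['name']}]
        if not CONF.load_balancer.disable_boot_network:
            server_kwargs['networks'] = [{'uuid': network['id']}]

        # Replace the name for clouds that have limitations
        if CONF.load_balancer.random_server_name_length:
            r = random.SystemRandom()
            server_kwargs['name'] = "m{}".format("".join(
                [r.choice(string.ascii_uppercase + string.digits)
                 for _ in range(
                     CONF.load_balancer.random_server_name_length - 1)]
            ))
        if CONF.load_balancer.availability_zone:
            server_kwargs['availability_zone'] = (
                CONF.load_balancer.availability_zone)

        server = cls.lb_mem_servers_client.create_server(
            **server_kwargs)['server']
        cls.addClassResourceCleanup(
            waiters.wait_for_not_found,
            cls.lb_mem_servers_client.delete_server,
            cls.lb_mem_servers_client.show_server,
            server['id'])
        server = waiters.wait_for_status(
            cls.lb_mem_servers_client.show_server,
            server['id'], 'status', 'ACTIVE',
            CONF.load_balancer.build_interval,
            CONF.load_balancer.build_timeout,
            root_tag='server')
        webserver_details = {'server': server}
        LOG.info('Created server: {}'.format(server))

        addresses = server['addresses']
        if CONF.load_balancer.disable_boot_network:
            # dict.values() is a view on Python 3 and cannot be indexed;
            # materialize it before taking the first network.
            instance_network = list(addresses.values())[0]
        else:
            instance_network = addresses[network['name']]
        for addr in instance_network:
            if addr['version'] == 4:
                webserver_details['ipv4_address'] = addr['addr']
            if addr['version'] == 6:
                webserver_details['ipv6_address'] = addr['addr']

        if CONF.validation.connect_method == 'floating':
            # Find the server's port by MAC address and bind a floating IP
            # from the public network to it.
            result = cls.lb_mem_ports_client.list_ports(
                network_id=network['id'],
                mac_address=instance_network[0]['OS-EXT-IPS-MAC:mac_addr'])
            port_id = result['ports'][0]['id']
            result = cls.lb_mem_float_ip_client.create_floatingip(
                floating_network_id=CONF.network.public_network_id,
                port_id=port_id)
            floating_ip = result['floatingip']
            LOG.info('webserver1_floating_ip: {}'.format(floating_ip))
            cls.addClassResourceCleanup(
                waiters.wait_for_not_found,
                cls.lb_mem_float_ip_client.delete_floatingip,
                cls.lb_mem_float_ip_client.show_floatingip,
                floatingip_id=floating_ip['id'])
            webserver_details['public_ipv4_address'] = (
                floating_ip['floating_ip_address'])
        else:
            # Without a floating IP the first fixed address is used as is.
            webserver_details['public_ipv4_address'] = (
                instance_network[0]['addr'])

        return webserver_details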
1039
    @classmethod
    def _get_openssh_version(cls):
        """Return the local OpenSSH client version as ``(major, minor)``.

        Runs ``ssh -V`` and parses the banner read from its stderr.

        :returns: A tuple of two ints, or ``(None, None)`` when the banner
                  cannot be decoded or does not start with
                  ``OpenSSH_<major>.<minor>``.
        """
        proc = subprocess.Popen(["ssh", "-V"],
                                stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE)
        _, banner = proc.communicate()

        try:
            found = re.match(r"OpenSSH_(\d+)\.(\d+)", banner.decode('utf-8'))
            # found is None when the banner does not match; the resulting
            # AttributeError is handled below like any other parse failure.
            return int(found.group(1)), int(found.group(2))
        except Exception:
            return None, None
1054
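    @classmethod
    def _need_scp_protocol(cls):
        """Tell whether scp must be forced to the legacy SCP protocol.

        :returns: True when the local OpenSSH client is 8.7 or newer, False
                  for older clients and when the version is unknown.
        """
        # When using scp >= 8.7, force the use of the SCP protocol,
        # the new default (SFTP protocol) doesn't work with
        # cirros VMs.
        ssh_version = cls._get_openssh_version()
        LOG.debug("ssh_version = {}".format(ssh_version))
        if None in ssh_version:
            # _get_openssh_version() returns (None, None) when it cannot
            # parse the banner; comparing None with an int raises TypeError
            # on Python 3. Treat an unknown version as not needing the
            # extra option.
            return False
        return tuple(ssh_version) >= (8, 7)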
1064
    @classmethod
    def _install_start_webserver(cls, ip_address, ssh_key, start_id,
                                 revoke_cert=False):
        """Copy the test server binary to a member VM and start it.

        Two instances are started in detached ``screen`` sessions: one on
        port 80 (plus HTTPS on 443 and HTTPS with client authentication on
        9443) answering with ``start_id``, and one on port 81 answering with
        ``start_id + 1``.

        :param ip_address: The address used to reach the VM over SSH.
        :param ssh_key: The SSH private key text for the image SSH user.
        :param start_id: The ID served by the first instance.
        :param revoke_cert: Passed on to _load_member_pki_content().
        :raises CommandFailed: if scp exits with a non-zero status.
        """
        server_binary = CONF.load_balancer.test_server_path

        vm = remote_client.RemoteClient(
            ip_address, CONF.validation.image_ssh_user, pkey=ssh_key,
            **cls.remote_client_args())
        vm.validate_authentication()

        # scp needs the key as a file; it lives only as long as this block.
        with tempfile.NamedTemporaryFile() as key_file:
            key_file.write(ssh_key.encode('utf-8'))
            key_file.flush()
            extra_opts = "-o PubkeyAcceptedKeyTypes=+ssh-rsa"
            if cls._need_scp_protocol():
                extra_opts += " -O"
            # NOTE(review): host key checking is switched off and the known
            # hosts file is /dev/null, so the server identity is not
            # verified -- presumably acceptable only because the target is a
            # VM booted by this test run; confirm before reusing elsewhere.
            scp_template = ("scp -v -o UserKnownHostsFile=/dev/null "
                            "{7} "
                            "-o StrictHostKeyChecking=no "
                            "-o ConnectTimeout={0} -o ConnectionAttempts={1} "
                            "-i {2} {3} {4}@{5}:{6}")
            cmd = scp_template.format(
                CONF.load_balancer.scp_connection_timeout,
                CONF.load_balancer.scp_connection_attempts,
                key_file.name, server_binary, CONF.validation.image_ssh_user,
                ip_address, const.TEST_SERVER_BINARY,
                extra_opts)
            # The command is split into an argument list and executed
            # directly, without a shell.
            proc = subprocess.Popen(shlex.split(cmd),
                                    stdout=subprocess.PIPE,
                                    stderr=subprocess.STDOUT,
                                    cwd=None)
            stdout, stderr = proc.communicate()
            if proc.returncode != 0:
                raise exceptions.CommandFailed(proc.returncode, cmd,
                                               stdout, stderr)

            # Still inside the block: the key file is reused for the copy.
            cls._load_member_pki_content(ip_address, key_file,
                                         revoke_cert=revoke_cert)

        # Enabling memory overcommit allows to run golang static binaries
        # compiled with a recent golang toolchain (>=1.11). Those binaries
        # allocate a large amount of virtual memory at init time, and this
        # allocation fails in tempest's nano flavor (64MB of RAM)
        # (golang issue reported in https://github.com/golang/go/issues/28114,
        # follow-up: https://github.com/golang/go/issues/28081)
        # TODO(gthiemonge): Remove this call when golang issue is resolved.
        vm.exec_command(
            'sudo sh -c "echo 1 > /proc/sys/vm/overcommit_memory"')

        # The initial process also supports HTTPS and HTTPS with client auth
        first_instance = (
            'sudo screen -d -m {0} -port 80 -id {1} -https_port 443 -cert {2} '
            '-key {3} -https_client_auth_port 9443 -client_ca {4}')
        vm.exec_command(first_instance.format(
            const.TEST_SERVER_BINARY, start_id, const.TEST_SERVER_CERT,
            const.TEST_SERVER_KEY, const.TEST_SERVER_CLIENT_CA))

        second_instance = 'sudo screen -d -m {0} -port 81 -id {1}'
        vm.exec_command(second_instance.format(const.TEST_SERVER_BINARY,
                                               start_id + 1))
Adam Harwellcd72b562018-05-07 11:37:22 -07001125
    # Cirros does not configure the assigned IPv6 address by default
    # so enable it manually like tempest does here:
    # tempest/scenario/test_network_v6.py turn_nic6_on()
    @classmethod
    def _enable_ipv6_nic_webserver(cls, ip_address, ssh_key,
                                   ipv6_address, ipv6_prefix):
        """Add an IPv6 address to eth0 on a member VM over SSH.

        :param ip_address: The address used to reach the VM over SSH.
        :param ssh_key: The SSH private key for the image SSH user.
        :param ipv6_address: The IPv6 address to configure.
        :param ipv6_prefix: The prefix length to configure with the address.
        """
        vm = remote_client.RemoteClient(
            ip_address, CONF.validation.image_ssh_user, pkey=ssh_key,
            **cls.remote_client_args())
        vm.validate_authentication()

        add_address = 'sudo ip address add {0}/{1} dev eth0'.format(
            ipv6_address, ipv6_prefix)
        vm.exec_command(add_address)
1139
    @classmethod
    def _validate_webserver(cls, ip_address, start_id):
        """Check both HTTP test servers on a member VM.

        :param ip_address: The address of the member VM.
        :param start_id: The body expected on port 80; port 81 is expected
                         to answer with ``start_id + 1``.
        """
        first_url = 'http://{0}'.format(ip_address)
        cls.validate_URL_response(first_url, expected_body=str(start_id))

        second_url = 'http://{0}:81'.format(ip_address)
        cls.validate_URL_response(second_url,
                                  expected_body=str(start_id + 1))
Jude Cross986e3f52017-07-24 14:57:20 -07001146
    @classmethod
    def _validate_udp_server(cls, ip_address, start_id):
        """Check both UDP test servers on a member VM.

        :param ip_address: The address of the member VM.
        :param start_id: The reply expected on port 80; port 81 is expected
                         to answer with ``start_id + 1``.
        :raises Exception: if a reply differs from the expected ID.
        """
        def _expect_reply(port, expected):
            # Send one request and compare the reply with the expected ID.
            reply = cls.make_udp_request(ip_address, port)
            if reply == expected:
                return
            raise Exception("Response from test server doesn't match the "
                            "expected value ({0} != {1}).".format(
                                reply, expected))

        _expect_reply(80, str(start_id))
        _expect_reply(81, str(start_id + 1))
Michael Johnsonbaf12e02020-10-27 16:10:28 -07001160
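    @classmethod
    def _create_backend_reencryption_pki(cls):
        """Create the CAs and client credentials for backend re-encryption.

        Sets ``member_ca_cert`` / ``member_ca_key`` (the CA that signs the
        member test server certificates), ``member_client_ca_cert`` (the CA
        for client authentication), and ``member_client_cn``,
        ``member_client_cert`` and ``member_client_key`` on the class. The
        client CA key is kept local to this method.
        """
        # Create a CA self-signed cert and key for the member test servers
        cls.member_ca_cert, cls.member_ca_key = (
            cert_utils.generate_ca_cert_and_key())

        LOG.debug('Member CA Cert: %s', cls.member_ca_cert.public_bytes(
            serialization.Encoding.PEM))
        # The CA private key is deliberately not logged: whoever holds it
        # can issue certificates that the tests trust, and test logs are
        # commonly archived and shared. The public key is enough to match
        # certificates while debugging.
        LOG.debug('Member CA public Key: %s',
                  cls.member_ca_key.public_key().public_bytes(
                      encoding=serialization.Encoding.PEM,
                      format=serialization.PublicFormat.SubjectPublicKeyInfo))

        # Create the member client authentication CA
        cls.member_client_ca_cert, member_client_ca_key = (
            cert_utils.generate_ca_cert_and_key())

        # Create client cert and key
        cls.member_client_cn = uuidutils.generate_uuid()
        cls.member_client_cert, cls.member_client_key = (
            cert_utils.generate_client_cert_and_key(
                cls.member_client_ca_cert, member_client_ca_key,
                cls.member_client_cn))
        # Note: We are not revoking a client cert here as we don't need to
        # test the backend web server CRL checking.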
1190
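    @classmethod
    def _load_member_pki_content(cls, ip_address, ssh_key, revoke_cert=False):
        """Issue a server certificate for a member VM and copy the PKI to it.

        The certificate, its private key and the client CA certificate are
        written to a temporary directory and copied with scp to
        ``const.DEV_SHM_PATH`` on the VM.

        :param ip_address: The address of the member VM; passed to the
                           certificate generator and used as the scp target.
        :param ssh_key: An open named file holding the SSH private key; only
                        its ``name`` is used (``scp -i``).
        :param revoke_cert: When True, ``cls.member_crl`` is set to a CRL
                            that revokes the new certificate.
        :raises CommandFailed: if scp exits with a non-zero status.
        """
        # Create webserver certificate and key
        cert, key = cert_utils.generate_server_cert_and_key(
            cls.member_ca_cert, cls.member_ca_key, ip_address)

        LOG.debug('%s Cert: %s', ip_address, cert.public_bytes(
            serialization.Encoding.PEM))
        # The server private key is deliberately not logged; test logs are
        # commonly archived and shared. The public key is enough to match
        # the certificate while debugging.
        public_key = key.public_key()
        LOG.debug('%s public Key: %s', ip_address, public_key.public_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PublicFormat.SubjectPublicKeyInfo))

        # Create a CRL with a revoked certificate
        if revoke_cert:
            # Create a CRL with webserver 2 revoked
            cls.member_crl = cert_utils.generate_certificate_revocation_list(
                cls.member_ca_cert, cls.member_ca_key, cert)

        # Load the certificate, key, and client CA certificate into the
        # test server.
        with tempfile.TemporaryDirectory() as tmpdir:
            cert_filename = os.path.join(tmpdir, const.CERT_PEM)
            key_filename = os.path.join(tmpdir, const.KEY_PEM)
            client_ca_filename = os.path.join(tmpdir, const.CLIENT_CA_PEM)
            pem_files = (
                (cert_filename,
                 cert.public_bytes(serialization.Encoding.PEM)),
                (key_filename,
                 key.private_bytes(
                     encoding=serialization.Encoding.PEM,
                     format=serialization.PrivateFormat.TraditionalOpenSSL,
                     encryption_algorithm=serialization.NoEncryption())),
                (client_ca_filename,
                 cls.member_client_ca_cert.public_bytes(
                     serialization.Encoding.PEM)),
            )

            # The umask is process-wide. Clear it only while the files are
            # created, then put the previous value back so that nothing
            # created later by the test process inherits a zero umask.
            previous_umask = os.umask(0)
            try:
                for filename, pem in pem_files:
                    # Mode 0o700: no access for group or others.
                    with open(os.open(filename, os.O_CREAT | os.O_WRONLY,
                                      0o700), 'w') as fh:
                        fh.write(pem.decode('utf-8'))
            finally:
                os.umask(previous_umask)

            # For security, no shell is involved (nothing can glob or
            # expand the file names): the command is split into an argument
            # list and executed directly.
            subprocess_args = {'stdout': subprocess.PIPE,
                               'stderr': subprocess.STDOUT,
                               'cwd': None}
            ssh_extra_args = (
                "-o PubkeyAcceptedKeyTypes=+ssh-rsa")
            if cls._need_scp_protocol():
                ssh_extra_args += " -O"
            # NOTE(review): host key checking is switched off and the known
            # hosts file is /dev/null, so the server identity is not
            # verified before the private key is copied -- presumably
            # acceptable only because the target is a VM booted by this
            # test run; confirm before reusing elsewhere.
            cmd = ("scp -v -o UserKnownHostsFile=/dev/null "
                   "{9} "
                   "-o StrictHostKeyChecking=no "
                   "-o ConnectTimeout={0} -o ConnectionAttempts={1} "
                   "-i {2} {3} {4} {5} {6}@{7}:{8}").format(
                CONF.load_balancer.scp_connection_timeout,
                CONF.load_balancer.scp_connection_attempts,
                ssh_key.name, cert_filename, key_filename, client_ca_filename,
                CONF.validation.image_ssh_user, ip_address, const.DEV_SHM_PATH,
                ssh_extra_args)
            args = shlex.split(cmd)
            proc = subprocess.Popen(args, **subprocess_args)
            stdout, stderr = proc.communicate()
            if proc.returncode != 0:
                raise exceptions.CommandFailed(proc.returncode, cmd,
                                               stdout, stderr)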