boot into a network that has "port_security_enabled=False"
If the tenant has a Neutron network with disabled port security and
no security group gets specified when booting an instance, the ports
attached to the instance should not be associated to the 'default'
security group.
NOTE: Commit ee7a0198261 documented this known issue with a release note
"known-issue-on-api-1efca45440136f3e.yaml" and cleaned the "default"
security group from the Nova API.
This adds a feature toggle config option for making the test run where
the bug is fixed, which is mitaka and newton. This allows us to run
the test in mitaka and newton but not on liberty where it still fails
and we won't be backporting the fix. There will be devstack patches to
enable the test in newton and mitaka.
Depends-On: I630008a9733624a9d9b59b7aa3b8b2a3f8985d61
Co-Authored-By: Matt Riedemann <mriedem@us.ibm.com>
Change-Id: I20b8d5d2a300c83a59bdb33374fc20447ce2ede3
Related-bug: 1175464
diff --git a/tempest/config.py b/tempest/config.py
index 0c2b913..edd04eb 100644
--- a/tempest/config.py
+++ b/tempest/config.py
@@ -293,6 +293,12 @@
title="Enabled Compute Service Features")
ComputeFeaturesGroup = [
+ # NOTE(mriedem): This is a feature toggle for bug 1175464 which is fixed in
+ # mitaka and newton. This option can be removed after liberty-eol.
+ cfg.BoolOpt('allow_port_security_disabled',
+ default=False,
+ help='Does the test environment support creating ports in a '
+ 'network where port security is disabled?'),
cfg.BoolOpt('disk_config',
default=True,
help="If false, skip disk config tests"),
diff --git a/tempest/scenario/manager.py b/tempest/scenario/manager.py
index f889c44..9bd437e 100644
--- a/tempest/scenario/manager.py
+++ b/tempest/scenario/manager.py
@@ -696,7 +696,8 @@
def _create_network(self, networks_client=None,
routers_client=None, tenant_id=None,
- namestart='network-smoke-'):
+ namestart='network-smoke-',
+ port_security_enabled=True):
if not networks_client:
networks_client = self.networks_client
if not routers_client:
@@ -704,7 +705,9 @@
if not tenant_id:
tenant_id = networks_client.tenant_id
name = data_utils.rand_name(namestart)
- result = networks_client.create_network(name=name, tenant_id=tenant_id)
+ network_kwargs = dict(name=name, tenant_id=tenant_id,
+ port_security_enabled=port_security_enabled)
+ result = networks_client.create_network(**network_kwargs)
network = result['network']
self.assertEqual(network['name'], name)
@@ -1193,7 +1196,8 @@
def create_networks(self, networks_client=None,
routers_client=None, subnets_client=None,
- tenant_id=None, dns_nameservers=None):
+ tenant_id=None, dns_nameservers=None,
+ port_security_enabled=True):
"""Create a network with a subnet connected to a router.
The baremetal driver is a special case since all nodes are
@@ -1219,7 +1223,8 @@
else:
network = self._create_network(
networks_client=networks_client,
- tenant_id=tenant_id)
+ tenant_id=tenant_id,
+ port_security_enabled=port_security_enabled)
router = self._get_router(client=routers_client,
tenant_id=tenant_id)
subnet_kwargs = dict(network=network,
diff --git a/tempest/scenario/test_security_groups_basic_ops.py b/tempest/scenario/test_security_groups_basic_ops.py
index 86185c8..b893aad 100644
--- a/tempest/scenario/test_security_groups_basic_ops.py
+++ b/tempest/scenario/test_security_groups_basic_ops.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import log
+import testtools
from tempest import clients
from tempest.common.utils import data_utils
@@ -256,7 +257,7 @@
# and distributed routers; 'device_owner' is "" by default.
return port['device_owner'].startswith('network:router_interface')
- def _create_server(self, name, tenant, security_groups=None, **kwargs):
+ def _create_server(self, name, tenant, security_groups, **kwargs):
"""Creates a server and assigns it to security group.
If multi-host is enabled, Ensures servers are created on different
@@ -264,8 +265,6 @@
as scheduler_hints on creation.
Validates servers are created as requested, using admin client.
"""
- if security_groups is None:
- security_groups = [tenant.security_groups['default']]
security_groups_names = [{'name': s['name']} for s in security_groups]
if self.multi_node:
kwargs["scheduler_hints"] = {'different_host': self.servers}
@@ -277,9 +276,10 @@
wait_until='ACTIVE',
clients=tenant.manager,
**kwargs)
- self.assertEqual(
- sorted([s['name'] for s in security_groups]),
- sorted([s['name'] for s in server['security_groups']]))
+ if 'security_groups' in server:
+ self.assertEqual(
+ sorted([s['name'] for s in security_groups]),
+ sorted([s['name'] for s in server['security_groups']]))
# Verify servers are on different compute nodes
if self.multi_node:
@@ -303,7 +303,8 @@
num=i
)
name = data_utils.rand_name(name)
- server = self._create_server(name, tenant)
+ server = self._create_server(name, tenant,
+ [tenant.security_groups['default']])
tenant.servers.append(server)
def _set_access_point(self, tenant):
@@ -326,11 +327,12 @@
client=tenant.manager.floating_ips_client)
self.floating_ips.setdefault(server['id'], floating_ip)
- def _create_tenant_network(self, tenant):
+ def _create_tenant_network(self, tenant, port_security_enabled=True):
network, subnet, router = self.create_networks(
networks_client=tenant.manager.networks_client,
routers_client=tenant.manager.routers_client,
- subnets_client=tenant.manager.subnets_client)
+ subnets_client=tenant.manager.subnets_client,
+ port_security_enabled=port_security_enabled)
tenant.set_network(network, subnet, router)
def _deploy_tenant(self, tenant_or_id):
@@ -533,7 +535,8 @@
tenant=new_tenant.creds.tenant_name
)
name = data_utils.rand_name(name)
- server = self._create_server(name, new_tenant)
+ server = self._create_server(name, new_tenant,
+ [new_tenant.security_groups['default']])
# Check connectivity failure with default security group
try:
@@ -599,7 +602,8 @@
tenant=new_tenant.creds.tenant_name
)
name = data_utils.rand_name(name)
- server = self._create_server(name, new_tenant)
+ server = self._create_server(name, new_tenant,
+ [new_tenant.security_groups['default']])
access_point_ssh = self._connect_to_access_point(new_tenant)
server_id = server['id']
@@ -624,3 +628,24 @@
for tenant in self.tenants.values():
self._log_console_output(servers=tenant.servers)
raise
+
+ @test.requires_ext(service='network', extension='port-security')
+ @test.idempotent_id('13ccf253-e5ad-424b-9c4a-97b88a026699')
+ @testtools.skipUnless(
+ CONF.compute_feature_enabled.allow_port_security_disabled,
+ 'Port security must be enabled.')
+ @test.services('compute', 'network')
+ def test_boot_into_disabled_port_security_network_without_secgroup(self):
+ tenant = self.primary_tenant
+ self._create_tenant_network(tenant, port_security_enabled=False)
+ self.assertFalse(tenant.network['port_security_enabled'])
+ name = data_utils.rand_name('server-smoke')
+ sec_groups = []
+ server = self._create_server(name, tenant, sec_groups)
+ server_id = server['id']
+ ports = self._list_ports(device_id=server_id)
+ self.assertEqual(1, len(ports))
+ for port in ports:
+ self.assertEmpty(port['security_groups'],
+ "Neutron shouldn't even use it's default sec "
+ "group.")