Matthew Treinish | a970d65 | 2015-03-11 15:39:24 -0400 | [diff] [blame] | 1 | .. _tempest-configuration: |
| 2 | |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 3 | Tempest Configuration Guide |
| 4 | =========================== |
| 5 | |
Matthew Treinish | f640f66 | 2015-03-11 15:13:30 -0400 | [diff] [blame] | 6 | This guide is a starting point for configuring tempest. It aims to elaborate |
| 7 | on and explain some of the mandatory and common configuration settings and how |
| 8 | they are used in conjunction. The source of truth on each option is the sample |
Matthew Treinish | f45ba2e | 2015-08-24 15:05:01 -0400 | [diff] [blame] | 9 | config file which explains the purpose of each individual option. You can see |
| 10 | the sample config file here: :ref:`tempest-sampleconf` |
Matthew Treinish | f640f66 | 2015-03-11 15:13:30 -0400 | [diff] [blame] | 11 | |
| 12 | Lock Path |
| 13 | --------- |
| 14 | |
| 15 | There are some tests and operations inside of tempest that need to be |
| 16 | externally locked when running in parallel to prevent them from running at |
| 17 | the same time. This is a mandatory step for configuring tempest and is still |
| 18 | needed even when running serially. All that is needed to do this is: |
| 19 | |
| 20 | #. Set the lock_path option in the oslo_concurrency group |
| 21 | |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 22 | Auth/Credentials |
| 23 | ---------------- |
| 24 | |
| 25 | Tempest currently has 2 different ways in configuration to provide credentials |
| 26 | to use when running tempest. One is a traditional set of configuration options |
| 27 | in the tempest.conf file. These options are in the identity section and let you |
Toru Tanami | 32f4518 | 2015-08-20 05:24:50 +0000 | [diff] [blame] | 28 | specify a regular user, a global admin user, and an alternate user set of |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 29 | credentials. (which consist of a username, password, and project/tenant name) |
| 30 | These options should be clearly labelled in the sample config file in the |
| 31 | identity section. |
| 32 | |
| 33 | The other method to provide credentials is using the accounts.yaml file. This |
| 34 | file is used to specify an arbitrary number of users available to run tests |
| 35 | with. You can specify the location of the file in the |
| 36 | auth section in the tempest.conf file. To see the specific format used in |
| 37 | the file please refer to the accounts.yaml.sample file included in tempest. |
| 38 | Currently users that are specified in the accounts.yaml file are assumed to |
| 39 | have the same set of roles which can be used for executing all the tests you |
| 40 | are running. This will be addressed in the future, but is a current limitation. |
| 41 | Eventually the config options for providing credentials to tempest will be |
| 42 | deprecated and removed in favor of the accounts.yaml file. |
| 43 | |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 44 | Keystone Connection Info |
| 45 | ^^^^^^^^^^^^^^^^^^^^^^^^ |
| 46 | In order for tempest to be able to talk to your OpenStack deployment you need |
| 47 | to provide it with information about how it communicates with keystone. |
| 48 | This involves configuring the following options in the identity section: |
| 49 | |
| 50 | #. auth_version |
| 51 | #. uri |
| 52 | #. uri_v3 |
| 53 | |
| 54 | The *auth_version* option is used to tell tempest whether it should be using |
| 55 | keystone's v2 or v3 api for communicating with keystone. (except for the |
| 56 | identity api tests which will test a specific version) The 2 uri options are |
| 57 | used to tell tempest the url of the keystone endpoint. The *uri* option is used |
| 58 | for keystone v2 request and *uri_v3* is used for keystone v3. You want to ensure |
| 59 | that which ever version you set for *auth_version* has its uri option defined. |
| 60 | |
| 61 | |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 62 | Credential Provider Mechanisms |
| 63 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 64 | |
| 65 | Tempest currently also has 3 different internal methods for providing |
| 66 | authentication to tests. Tenant isolation, locking test accounts, and |
| 67 | non-locking test accounts. Depending on which one is in use the configuration |
| 68 | of tempest is slightly different. |
| 69 | |
| 70 | Tenant Isolation |
| 71 | """""""""""""""" |
| 72 | Tenant isolation was originally create to enable running tempest in parallel. |
| 73 | For each test class it creates a unique set of user credentials to use for the |
| 74 | tests in the class. It can create up to 3 sets of username, password, and |
| 75 | tenant/project names for a primary user, an admin user, and an alternate user. |
| 76 | To enable and use tenant isolation you only need to configure 2 things: |
| 77 | |
| 78 | #. A set of admin credentials with permissions to create users and |
Matthew Treinish | 16cf1e5 | 2015-08-11 10:39:23 -0400 | [diff] [blame] | 79 | tenants/projects. This is specified in the auth section with the |
| 80 | admin_username, admin_tenant_name, admin_domain_name, and admin_password |
| 81 | options |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 82 | #. To enable tenant_isolation in the auth section with the |
| 83 | allow_tenant_isolation option. |
| 84 | |
Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 85 | This is also the currently the default credential provider enabled by tempest, |
| 86 | due to it's common use and ease of configuration. |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 87 | |
Matthew Treinish | 4fae472 | 2015-04-16 21:03:54 -0400 | [diff] [blame] | 88 | It is worth pointing out that depending on your cloud configuration you might |
| 89 | need to assign a role to each of the users created Tempest's tenant isolation. |
| 90 | This can be set using the *tempest_roles* option. It takes in a list of role |
| 91 | names each of which will be assigned to each of the users created by tenant |
| 92 | isolation. This option will not have any effect when set and tempest is not |
| 93 | configured to use tenant isolation. |
| 94 | |
| 95 | |
Matthew Treinish | 9329985 | 2015-04-24 09:58:18 -0400 | [diff] [blame] | 96 | Locking Test Accounts (aka accounts.yaml or accounts file) |
| 97 | """""""""""""""""""""""""""""""""""""""""""""""""""""""""" |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 98 | For a long time using tenant isolation was the only method available if you |
| 99 | wanted to enable parallel execution of tempest tests. However this was |
| 100 | insufficient for certain use cases because of the admin credentials requirement |
| 101 | to create the credential sets on demand. To get around that the accounts.yaml |
| 102 | file was introduced and with that a new internal credential provider to enable |
| 103 | using the list of credentials instead of creating them on demand. With locking |
| 104 | test accounts each test class will reserve a set of credentials from the |
| 105 | accounts.yaml before executing any of its tests so that each class is isolated |
| 106 | like in tenant isolation. |
| 107 | |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 108 | To enable and use locking test accounts you need do a few things: |
| 109 | |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 110 | #. Create a accounts.yaml file which contains the set of pre-existing |
| 111 | credentials to use for testing. To make sure you don't have a credentials |
| 112 | starvation issue when running in parallel make sure you have at least 2 |
Matthew Treinish | fc7cd8f | 2015-03-30 11:51:55 -0400 | [diff] [blame] | 113 | times the number of worker processes you are using to execute tempest |
| 114 | available in the file. (if running serially the worker count is 1) |
Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 115 | |
| 116 | You can check the sample file packaged in tempest for the yaml format |
liuchenhong | aa4aa69 | 2015-06-10 12:18:42 +0800 | [diff] [blame] | 117 | #. Provide tempest with the location of your accounts.yaml file with the |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 118 | test_accounts_file option in the auth section |
| 119 | |
Fei Long Wang | 7fee787 | 2015-05-12 11:36:49 +1200 | [diff] [blame] | 120 | #. Set allow_tenant_isolation = False in the auth group |
| 121 | |
Matthew Treinish | 9329985 | 2015-04-24 09:58:18 -0400 | [diff] [blame] | 122 | It is worth pointing out that each set of credentials in the accounts.yaml |
| 123 | should have a unique tenant. This is required to provide proper isolation |
| 124 | to the tests using the credentials, and failure to do this will likely cause |
| 125 | unexpected failures in some tests. |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 126 | |
Matthew Treinish | 9329985 | 2015-04-24 09:58:18 -0400 | [diff] [blame] | 127 | |
| 128 | Non-locking test accounts (aka credentials config options) |
| 129 | """""""""""""""""""""""""""""""""""""""""""""""""""""""""" |
Matthew Treinish | 16cf1e5 | 2015-08-11 10:39:23 -0400 | [diff] [blame] | 130 | **Starting in the Liberty release this mechanism was deprecated and will be |
| 131 | removed in a future release** |
| 132 | |
Matthew Treinish | 5709213 | 2015-04-21 14:21:35 -0400 | [diff] [blame] | 133 | When Tempest was refactored to allow for locking test accounts, the original |
| 134 | non-tenant isolated case was converted to internally work similarly to the |
| 135 | accounts.yaml file. This mechanism was then called the non-locking test accounts |
| 136 | provider. To use the non-locking test accounts provider you can specify the sets |
| 137 | of credentials in the configuration file like detailed above with following 9 |
| 138 | options in the identity section: |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 139 | |
| 140 | #. username |
| 141 | #. password |
| 142 | #. tenant_name |
| 143 | #. admin_username |
| 144 | #. admin_password |
| 145 | #. admin_tenant_name |
| 146 | #. alt_username |
| 147 | #. alt_password |
| 148 | #. alt_tenant_name |
| 149 | |
Atsushi SAKAI | 0a183b8 | 2015-07-28 21:52:17 +0900 | [diff] [blame] | 150 | And in the auth section: |
Fei Long Wang | 7fee787 | 2015-05-12 11:36:49 +1200 | [diff] [blame] | 151 | |
| 152 | #. allow_tenant_isolation = False |
| 153 | #. comment out 'test_accounts_file' or keep it as empty |
| 154 | |
Matthew Treinish | 5709213 | 2015-04-21 14:21:35 -0400 | [diff] [blame] | 155 | It only makes sense to use it if parallel execution isn't needed, since tempest |
| 156 | won't be able to properly isolate tests using this. Additionally, using the |
| 157 | traditional config options for credentials is not able to provide credentials to |
| 158 | tests which requires specific roles on accounts. This is because the config |
| 159 | options do not give sufficient flexibility to describe the roles assigned to a |
| 160 | user for running the tests. There are additional limitations with regard to |
| 161 | network configuration when using this credential provider mechanism, see the |
| 162 | `Networking`_ section below. |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 163 | |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 164 | Compute |
| 165 | ------- |
| 166 | |
| 167 | Flavors |
| 168 | ^^^^^^^ |
| 169 | For tempest to be able to create servers you need to specify flavors that it |
| 170 | can use to boot the servers with. There are 2 options in the tempest config |
| 171 | for doing this: |
| 172 | |
| 173 | #. flavor_ref |
| 174 | #. flavor_ref_alt |
| 175 | |
| 176 | Both of these options are in the compute section of the config file and take |
| 177 | in the flavor id (not the name) from nova. The *flavor_ref* option is what will |
| 178 | be used for booting almost all of the guests, *flavor_ref_alt* is only used in |
| 179 | tests where 2 different sized servers are required. (for example a resize test) |
| 180 | |
| 181 | Using a smaller flavor is generally recommended, when larger flavors are used |
| 182 | the extra time required to bring up servers will likely affect total run time |
| 183 | and probably require tweaking timeout values to ensure tests have ample time to |
| 184 | finish. |
| 185 | |
| 186 | Images |
| 187 | ^^^^^^ |
| 188 | Just like with flavors, tempest needs to know which images to use for booting |
| 189 | servers. There are 2 options in the compute section just like with flavors: |
| 190 | |
| 191 | #. image_ref |
| 192 | #. image_ref_alt |
| 193 | |
| 194 | Both options are expecting an image id (not name) from nova. The *image_ref* |
Brandon Palm | 304bfdd | 2015-08-18 10:57:21 -0500 | [diff] [blame] | 195 | option is what will be used for booting the majority of servers in tempest. |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 196 | *image_ref_alt* is used for tests that require 2 images such as rebuild. If 2 |
| 197 | images are not available you can set both options to the same image_ref and |
| 198 | those tests will be skipped. |
| 199 | |
| 200 | There are also options in the scenario section for images: |
| 201 | |
| 202 | #. img_file |
| 203 | #. img_dir |
| 204 | #. aki_img_file |
| 205 | #. ari_img_file |
| 206 | #. ami_img_file |
| 207 | #. img_container_format |
| 208 | #. img_disk_format |
| 209 | |
| 210 | however unlike the other image options these are used for a very small subset |
| 211 | of scenario tests which are uploading an image. These options are used to tell |
| 212 | tempest where an image file is located and describe it's metadata for when it's |
| 213 | uploaded. |
| 214 | |
| 215 | The behavior of these options is a bit convoluted (which will likely be fixed |
| 216 | in future versions). You first need to specify *img_dir*, which is the directory |
| 217 | tempest will look for the image files in. First it will check if the filename |
| 218 | set for *img_file* could be found in *img_dir*. If it is found then the |
| 219 | *img_container_format* and *img_disk_format* options are used to upload that |
| 220 | image to glance. However if it's not found tempest will look for the 3 uec image |
| 221 | file name options as a fallback. If neither is found the tests requiring an |
| 222 | image to upload will fail. |
| 223 | |
| 224 | It is worth pointing out that using `cirros`_ is a very good choice for running |
| 225 | tempest. It's what is used for upstream testing, they boot quickly and have a |
| 226 | small footprint. |
| 227 | |
| 228 | .. _cirros: https://launchpad.net/cirros |
| 229 | |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 230 | Networking |
| 231 | ---------- |
| 232 | OpenStack has a myriad of different networking configurations possible and |
| 233 | depending on which of the 2 network backends, nova-network or neutron, you are |
| 234 | using things can vary drastically. Due to this complexity Tempest has to provide |
| 235 | a certain level of flexibility in it's configuration to ensure it will work |
| 236 | against any cloud. This ends up causing a large number of permutations in |
| 237 | Tempest's config around network configuration. |
| 238 | |
| 239 | |
| 240 | Enabling Remote Access to Created Servers |
| 241 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 242 | When Tempest creates servers for testing, some tests require being able to |
| 243 | connect those servers. Depending on the configuration of the cloud, the methods |
| 244 | for doing this can be different. In certain configurations it is required to |
| 245 | specify a single network with server create calls. Accordingly, Tempest provides |
| 246 | a few different methods for providing this information in configuration to try |
| 247 | and ensure that regardless of the clouds configuration it'll still be able to |
| 248 | run. This section covers the different methods of configuring Tempest to provide |
| 249 | a network when creating servers. |
| 250 | |
| 251 | Fixed Network Name |
| 252 | """""""""""""""""" |
| 253 | This is the simplest method of specifying how networks should be used. You can |
| 254 | just specify a single network name/label to use for all server creations. The |
| 255 | limitation with this is that all tenants/projects and users must be able to see |
| 256 | that network name/label if they were to perform a network list and be able to |
| 257 | use it. |
| 258 | |
| 259 | If no network name is assigned in the config file and none of the below |
| 260 | alternatives are used, then Tempest will not specify a network on server |
| 261 | creations, which depending on the cloud configuration might prevent them from |
| 262 | booting. |
| 263 | |
| 264 | To set a fixed network name simply do: |
| 265 | |
| 266 | #. Set the fixed_network_name option in the compute group |
| 267 | |
| 268 | In the case that the configured fixed network name can not be found by a user |
| 269 | network list call, it will be treated like one was not provided except that a |
| 270 | warning will be logged stating that it couldn't be found. |
| 271 | |
| 272 | |
| 273 | Accounts File |
| 274 | """"""""""""" |
| 275 | If you are using an accounts file to provide credentials for running Tempest |
| 276 | then you can leverage it to also specify which network should be used with |
| 277 | server creations on a per tenant/project and user pair basis. This provides |
| 278 | the necessary flexibility to work with more intricate networking configurations |
| 279 | by enabling the user to specify exactly which network to use for which |
| 280 | tenants/projects. You can refer to the accounts.yaml sample file included in |
| 281 | the tempest repo for the syntax around specifying networks in the file. |
| 282 | |
| 283 | However, specifying a network is not required when using an accounts file. If |
| 284 | one is not specified you can use a fixed network name to specify the network to |
| 285 | use when creating servers just as without an accounts file. However, any network |
| 286 | specified in the accounts file will take precedence over the fixed network name |
| 287 | provided. If no network is provided in the accounts file and a fixed network |
| 288 | name is not set then no network will be included in create server requests. |
| 289 | |
| 290 | If a fixed network is provided and the accounts.yaml file also contains networks |
| 291 | this has the benefit of enabling a couple more tests which require a static |
| 292 | network to perform operations like server lists with a network filter. If a |
| 293 | fixed network name is not provided these tests are skipped. Additionally, if a |
| 294 | fixed network name is provided it will serve as a fallback in case of a |
| 295 | misconfiguration or a missing network in the accounts file. |
| 296 | |
| 297 | |
| 298 | With Tenant Isolation |
| 299 | """"""""""""""""""""" |
| 300 | With tenant isolation enabled and using nova-network then nothing changes. Your |
| 301 | only option for configuration is to either set a fixed network name or not. |
| 302 | However, in most cases it shouldn't matter because nova-network should have no |
| 303 | problem booting a server with multiple networks. If this is not the case for |
| 304 | your cloud then using an accounts file is recommended because it provides the |
| 305 | necessary flexibility to describe your configuration. Tenant isolation is not |
| 306 | able to dynamically allocate things as necessary if neutron is not enabled. |
| 307 | |
| 308 | With neutron and tenant isolation enabled there should not be any additional |
| 309 | configuration necessary to enable Tempest to create servers with working |
| 310 | networking, assuming you have properly configured the network section to work |
| 311 | for your cloud. Tempest will dynamically create the neutron resources necessary |
| 312 | to enable using servers with that network. Also, just as with the accounts |
| 313 | file, if you specify a fixed network name while using neutron and tenant |
| 314 | isolation it will enable running tests which require a static network and it |
| 315 | will additionally be used as a fallback for server creation. However, unlike |
| 316 | accounts.yaml this should never be triggered. |
Matthew Treinish | 3220cad | 2015-04-15 16:25:48 -0400 | [diff] [blame] | 317 | |
Matthew Treinish | 2219d38 | 2015-04-24 10:33:04 -0400 | [diff] [blame] | 318 | However, there is an option *create_isolated_networks* to disable tenant |
| 319 | isolation's automatic provisioning of network resources. If this option is |
| 320 | used you will have to either rely on there only being a single/default network |
| 321 | available for the server creation, or use *fixed_network_name* to inform |
| 322 | Tempest which network to use. |
| 323 | |
Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 324 | Configuring Available Services |
| 325 | ------------------------------ |
| 326 | OpenStack is really a constellation of several different projects which |
| 327 | are running together to create a cloud. However which projects you're running |
| 328 | is not set in stone, and which services are running is up to the deployer. |
| 329 | Tempest however needs to know which services are available so it can figure |
| 330 | out which tests it is able to run and certain setup steps which differ based |
| 331 | on the available services. |
| 332 | |
| 333 | The *service_available* section of the config file is used to set which |
| 334 | services are available. It contains a boolean option for each service (except |
| 335 | for keystone which is a hard requirement) set it to True if the service is |
| 336 | available or False if it is not. |
| 337 | |
| 338 | Service Catalog |
| 339 | ^^^^^^^^^^^^^^^ |
| 340 | Each project which has its own REST API contains an entry in the service |
| 341 | catalog. Like most things in OpenStack this is also completely configurable. |
| 342 | However, for tempest to be able to figure out the endpoints to send REST API |
| 343 | calls for each service to it needs to know how that project is defined in the |
| 344 | service catalog. There are 3 options for each service section to accomplish |
| 345 | this: |
| 346 | |
| 347 | #. catalog_type |
| 348 | #. endpoint_type |
| 349 | #. region |
| 350 | |
| 351 | Setting *catalog_type* and *endpoint_type* should normally give Tempest enough |
| 352 | information to determine which endpoint it should pull from the service |
| 353 | catalog to use for talking to that particular service. However, if you're cloud |
| 354 | has multiple regions available and you need to specify a particular one to use |
| 355 | a service you can set the *region* option in that service's section. |
| 356 | |
| 357 | It should also be noted that the default values for these options are set |
| 358 | to what devstack uses. (which is a de facto standard for service catalog |
| 359 | entries) So often nothing actually needs to be set on these options to enable |
| 360 | communication to a particular service. It is only if you are either not using |
| 361 | the same *catalog_type* as devstack or you want Tempest to talk to a different |
| 362 | endpoint type instead of publicURL for a service that these need to be changed. |
| 363 | |
| 364 | |
Matthew Treinish | 3220cad | 2015-04-15 16:25:48 -0400 | [diff] [blame] | 365 | Service feature configuration |
| 366 | ----------------------------- |
| 367 | |
| 368 | OpenStack provides its deployers a myriad of different configuration options |
| 369 | to enable anyone deploying it to create a cloud tailor-made for any individual |
| 370 | use case. It provides options for several different backend type, databases, |
| 371 | message queues, etc. However, the downside to this configurability is that |
| 372 | certain operations and features aren't supported depending on the configuration. |
| 373 | These features may or may not be discoverable from the API so the burden is |
| 374 | often on the user to figure out what the cloud they're talking to supports. |
| 375 | Besides the obvious interoperability issues with this it also leaves Tempest |
| 376 | in an interesting situation trying to figure out which tests are expected to |
| 377 | work. However, Tempest tests do not rely on dynamic api discovery for a feature |
| 378 | (assuming one exists). Instead Tempest has to be explicitly configured as to |
| 379 | which optional features are enabled. This is in order to prevent bugs in the |
| 380 | discovery mechanisms from masking failures. |
| 381 | |
| 382 | The service feature-enabled config sections are how Tempest addresses the |
| 383 | optional feature question. Each service that has tests for optional features |
| 384 | contains one of these sections. The only options in it are boolean options |
| 385 | with the name of a feature which is used. If it is set to false any test which |
| 386 | depends on that functionality will be skipped. For a complete list of all these |
| 387 | options refer to the sample config file. |
| 388 | |
| 389 | |
| 390 | API Extensions |
| 391 | ^^^^^^^^^^^^^^ |
| 392 | The service feature-enabled sections often contain an *api-extensions* option |
| 393 | (or in the case of swift a *discoverable_apis* option) this is used to tell |
| 394 | tempest which api extensions (or configurable middleware) is used in your |
| 395 | deployment. It has 2 valid config states, either it contains a single value |
| 396 | "all" (which is the default) which means that every api extension is assumed |
| 397 | to be enabled, or it is set to a list of each individual extension that is |
| 398 | enabled for that service. |