Matthew Treinish | a970d65 | 2015-03-11 15:39:24 -0400 | [diff] [blame] | 1 | .. _tempest-configuration: |
| 2 | |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 3 | Tempest Configuration Guide |
| 4 | =========================== |
| 5 | |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 6 | This guide is a starting point for configuring Tempest. It aims to elaborate |
Matthew Treinish | f640f66 | 2015-03-11 15:13:30 -0400 | [diff] [blame] | 7 | on and explain some of the mandatory and common configuration settings and how |
| 8 | they are used in conjunction. The source of truth on each option is the sample |
Matthew Treinish | f45ba2e | 2015-08-24 15:05:01 -0400 | [diff] [blame] | 9 | config file which explains the purpose of each individual option. You can see |
| 10 | the sample config file here: :ref:`tempest-sampleconf` |
Matthew Treinish | f640f66 | 2015-03-11 15:13:30 -0400 | [diff] [blame] | 11 | |
Matthew Treinish | e8ab5f9 | 2017-03-01 15:25:39 -0500 | [diff] [blame] | 12 | .. _tempest_cred_provider_conf: |
| 13 | |
Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 14 | Test Credentials |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 15 | ---------------- |
| 16 | |
Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 17 | Tempest allows for configuring a set of admin credentials in the ``auth`` |
| 18 | section, via the following parameters: |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 19 | |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 20 | #. ``admin_username`` |
| 21 | #. ``admin_password`` |
| 22 | #. ``admin_project_name`` |
| 23 | #. ``admin_domain_name`` |
Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 24 | |
| 25 | Admin credentials are not mandatory to run Tempest, but when provided they |
| 26 | can be used to: |
| 27 | |
| 28 | - Run tests for admin APIs |
| 29 | - Generate test credentials on the fly (see `Dynamic Credentials`_) |
| 30 | |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 31 | When Keystone uses a policy that requires domain scoped tokens for admin |
Andrea Frittoli (andreaf) | 100d18d | 2016-05-05 23:34:52 +0100 | [diff] [blame] | 32 | actions, the flag ``admin_domain_scope`` must be set to ``True``. |
| 33 | The admin user configured, if any, must have a role assigned to the domain to |
| 34 | be usable. |
| 35 | |
Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 36 | Tempest allows for configuring pre-provisioned test credentials as well. |
Matthew Treinish | 40847ac | 2016-01-04 13:16:03 -0500 | [diff] [blame] | 37 | This can be done using the accounts.yaml file (see |
Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 38 | `Pre-Provisioned Credentials`_). This file is used to specify an arbitrary |
| 39 | number of users available to run tests with. |
| 40 | You can specify the location of the file in the ``auth`` section in the |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 41 | tempest.conf file. To see the specific format used in the file please refer to |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 42 | the ``accounts.yaml.sample`` file included in Tempest. |
Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 43 | |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 44 | Keystone Connection Info |
| 45 | ^^^^^^^^^^^^^^^^^^^^^^^^ |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 46 | In order for Tempest to be able to talk to your OpenStack deployment you need |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 47 | to provide it with information about how it communicates with keystone. |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 48 | This involves configuring the following options in the ``identity`` section: |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 49 | |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 50 | - ``auth_version`` |
| 51 | - ``uri`` |
| 52 | - ``uri_v3`` |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 53 | |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 54 | The ``auth_version`` option is used to tell Tempest whether it should be using |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 55 | Keystone's v2 or v3 api for communicating with Keystone. The two uri options are |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 56 | used to tell Tempest the url of the keystone endpoint. The ``uri`` option is |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 57 | used for Keystone v2 request and ``uri_v3`` is used for Keystone v3. You want to |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 58 | ensure that which ever version you set for ``auth_version`` has its uri option |
| 59 | defined. |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 60 | |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 61 | Credential Provider Mechanisms |
| 62 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 63 | |
Castulo J. Martinez | 34329b5 | 2016-07-08 10:56:52 -0700 | [diff] [blame] | 64 | Tempest currently has two different internal methods for providing authentication |
| 65 | to tests: dynamic credentials and pre-provisioned credentials. |
| 66 | Depending on which one is in use the configuration of Tempest is slightly different. |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 67 | |
Andrea Frittoli (andreaf) | 17209bb | 2015-05-22 10:16:57 -0700 | [diff] [blame] | 68 | Dynamic Credentials |
| 69 | """"""""""""""""""" |
| 70 | Dynamic Credentials (formerly known as Tenant isolation) was originally created |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 71 | to enable running Tempest in parallel. For each test class it creates a unique |
| 72 | set of user credentials to use for the tests in the class. It can create up to |
Sean Dague | ed6e586 | 2016-04-04 10:49:13 -0400 | [diff] [blame] | 73 | three sets of username, password, and project names for a primary user, |
| 74 | an admin user, and an alternate user. To enable and use dynamic credentials you |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 75 | only need to configure two things: |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 76 | |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 77 | #. A set of admin credentials with permissions to create users and |
| 78 | projects. This is specified in the ``auth`` section with the |
| 79 | ``admin_username``, ``admin_project_name``, ``admin_domain_name`` and |
| 80 | ``admin_password`` options |
| 81 | #. To enable dynamic credentials in the ``auth`` section with the |
| 82 | ``use_dynamic_credentials`` option. |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 83 | |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 84 | This is also currently the default credential provider enabled by Tempest, due |
| 85 | to its common use and ease of configuration. |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 86 | |
Matthew Treinish | 4fae472 | 2015-04-16 21:03:54 -0400 | [diff] [blame] | 87 | It is worth pointing out that depending on your cloud configuration you might |
Andrea Frittoli (andreaf) | 17209bb | 2015-05-22 10:16:57 -0700 | [diff] [blame] | 88 | need to assign a role to each of the users created by Tempest's dynamic |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 89 | credentials. This can be set using the ``tempest_roles`` option. It takes in a |
| 90 | list of role names each of which will be assigned to each of the users created |
| 91 | by dynamic credentials. This option will not have any effect when Tempest is not |
Andrea Frittoli (andreaf) | 17209bb | 2015-05-22 10:16:57 -0700 | [diff] [blame] | 92 | configured to use dynamic credentials. |
Matthew Treinish | 4fae472 | 2015-04-16 21:03:54 -0400 | [diff] [blame] | 93 | |
Andrea Frittoli (andreaf) | 100d18d | 2016-05-05 23:34:52 +0100 | [diff] [blame] | 94 | When the ``admin_domain_scope`` option is set to ``True``, provisioned admin |
| 95 | accounts will be assigned a role on domain configured in |
| 96 | ``default_credentials_domain_name``. This will make the accounts provisioned |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 97 | usable in a cloud where domain scoped tokens are required by Keystone for |
Hironori Shiina | 91049ad | 2016-09-28 17:28:49 +0900 | [diff] [blame] | 98 | admin operations. Note that the initial pre-provision admin accounts, |
Andrea Frittoli (andreaf) | 100d18d | 2016-05-05 23:34:52 +0100 | [diff] [blame] | 99 | configured in tempest.conf, must have a role on the same domain as well, for |
| 100 | Dynamic Credentials to work. |
| 101 | |
Matthew Treinish | 4fae472 | 2015-04-16 21:03:54 -0400 | [diff] [blame] | 102 | |
Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 103 | Pre-Provisioned Credentials |
| 104 | """"""""""""""""""""""""""" |
| 105 | |
Andrea Frittoli (andreaf) | 17209bb | 2015-05-22 10:16:57 -0700 | [diff] [blame] | 106 | For a long time using dynamic credentials was the only method available if you |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 107 | wanted to enable parallel execution of Tempest tests. However, this was |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 108 | insufficient for certain use cases because of the admin credentials requirement |
| 109 | to create the credential sets on demand. To get around that the accounts.yaml |
| 110 | file was introduced and with that a new internal credential provider to enable |
Matthew Treinish | 4730b9d | 2019-08-15 09:33:15 -0400 | [diff] [blame] | 111 | using the list of credentials instead of creating them on demand. With |
| 112 | pre-provisioned credentials (also known as locking test accounts) each test |
| 113 | class will reserve a set of credentials from the accounts.yaml before executing |
| 114 | any of its tests so that each class is isolated like with dynamic credentials. |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 115 | |
Matthew Treinish | 4730b9d | 2019-08-15 09:33:15 -0400 | [diff] [blame] | 116 | To enable and use pre-provisioned credentials you need do a few things: |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 117 | |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 118 | #. Create an accounts.yaml file which contains the set of pre-existing |
| 119 | credentials to use for testing. To make sure you don't have a credentials |
| 120 | starvation issue when running in parallel make sure you have at least two |
| 121 | times the number of worker processes you are using to execute Tempest |
| 122 | available in the file. (If running serially the worker count is 1.) |
Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 123 | |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 124 | You can check the accounts.yaml.sample file packaged in Tempest for the yaml |
| 125 | format. |
| 126 | #. Provide Tempest with the location of your accounts.yaml file with the |
| 127 | ``test_accounts_file`` option in the ``auth`` section |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 128 | |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 129 | *NOTE: Be sure to use a full path for the file; otherwise Tempest will |
| 130 | likely not find it.* |
Matthew Treinish | 84c6d29 | 2015-12-16 17:50:57 -0500 | [diff] [blame] | 131 | |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 132 | #. Set ``use_dynamic_credentials = False`` in the ``auth`` group |
Fei Long Wang | 7fee787 | 2015-05-12 11:36:49 +1200 | [diff] [blame] | 133 | |
Matthew Treinish | 9329985 | 2015-04-24 09:58:18 -0400 | [diff] [blame] | 134 | It is worth pointing out that each set of credentials in the accounts.yaml |
Sean Dague | ed6e586 | 2016-04-04 10:49:13 -0400 | [diff] [blame] | 135 | should have a unique project. This is required to provide proper isolation |
Matthew Treinish | 9329985 | 2015-04-24 09:58:18 -0400 | [diff] [blame] | 136 | to the tests using the credentials, and failure to do this will likely cause |
Matthew Treinish | 45915b0 | 2016-08-31 10:25:55 -0400 | [diff] [blame] | 137 | unexpected failures in some tests. Also, ensure that these projects and users |
| 138 | used do not have any pre-existing resources created. Tempest assumes all |
| 139 | tenants it's using are empty and may sporadically fail if there are unexpected |
| 140 | resources present. |
Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 141 | |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 142 | When the Keystone in the target cloud requires domain scoped tokens to |
Andrea Frittoli (andreaf) | 100d18d | 2016-05-05 23:34:52 +0100 | [diff] [blame] | 143 | perform admin actions, all pre-provisioned admin users must have a role |
| 144 | assigned on the domain where test accounts a provisioned. |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 145 | The option ``admin_domain_scope`` is used to tell Tempest that domain scoped |
Andrea Frittoli (andreaf) | 100d18d | 2016-05-05 23:34:52 +0100 | [diff] [blame] | 146 | tokens shall be used. ``default_credentials_domain_name`` is the domain where |
| 147 | test accounts are expected to be provisioned if no domain is specified. |
| 148 | |
| 149 | Note that if credentials are pre-provisioned via ``tempest account-generator`` |
| 150 | the role on the domain will be assigned automatically for you, as long as |
| 151 | ``admin_domain_scope`` as ``default_credentials_domain_name`` are configured |
| 152 | properly in tempest.conf. |
| 153 | |
Hironori Shiina | 91049ad | 2016-09-28 17:28:49 +0900 | [diff] [blame] | 154 | Pre-Provisioned Credentials are also known as accounts.yaml or accounts file. |
Matthew Treinish | 9329985 | 2015-04-24 09:58:18 -0400 | [diff] [blame] | 155 | |
Ghanshyam Mann | 672eee1 | 2021-03-11 14:55:39 -0600 | [diff] [blame] | 156 | Keystone Scopes & Roles Support in Tempest |
| 157 | """""""""""""""""""""""""""""""""""""""""" |
| 158 | For details on scope and roles support in Tempest, |
| 159 | please refer to :doc:`this document <keystone_scopes_and_roles_support>` |
| 160 | |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 161 | Compute |
| 162 | ------- |
| 163 | |
| 164 | Flavors |
| 165 | ^^^^^^^ |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 166 | For Tempest to be able to create servers you need to specify flavors that it |
| 167 | can use to boot the servers with. There are two options in the Tempest config |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 168 | for doing this: |
| 169 | |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 170 | #. ``flavor_ref`` |
| 171 | #. ``flavor_ref_alt`` |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 172 | |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 173 | Both of these options are in the ``compute`` section of the config file and take |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 174 | in the flavor id (not the name) from Nova. The ``flavor_ref`` option is what |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 175 | will be used for booting almost all of the guests; ``flavor_ref_alt`` is only |
| 176 | used in tests where two different-sized servers are required (for example, a |
| 177 | resize test). |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 178 | |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 179 | Using a smaller flavor is generally recommended. When larger flavors are used, |
deepak_mourya | e495cd2 | 2018-07-16 12:38:17 +0530 | [diff] [blame] | 180 | the extra time required to bring up servers will likely affect the total run time |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 181 | and probably require tweaking timeout values to ensure tests have ample time to |
| 182 | finish. |
| 183 | |
| 184 | Images |
| 185 | ^^^^^^ |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 186 | Just like with flavors, Tempest needs to know which images to use for booting |
| 187 | servers. There are two options in the compute section just like with flavors: |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 188 | |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 189 | #. ``image_ref`` |
| 190 | #. ``image_ref_alt`` |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 191 | |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 192 | Both options are expecting an image id (not name) from Nova. The ``image_ref`` |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 193 | option is what will be used for booting the majority of servers in Tempest. |
| 194 | ``image_ref_alt`` is used for tests that require two images such as rebuild. If |
| 195 | two images are not available you can set both options to the same image id and |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 196 | those tests will be skipped. |
| 197 | |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 198 | There are also options in the ``scenario`` section for images: |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 199 | |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 200 | #. ``img_file`` |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 201 | #. ``img_container_format`` |
| 202 | #. ``img_disk_format`` |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 203 | |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 204 | However, unlike the other image options, these are used for a very small subset |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 205 | of scenario tests which are uploading an image. These options are used to tell |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 206 | Tempest where an image file is located and describe its metadata for when it is |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 207 | uploaded. |
| 208 | |
Martin Kopec | 02af6a4 | 2020-03-03 12:39:12 +0000 | [diff] [blame] | 209 | You first need to specify full path of the image using ``img_file`` option. |
| 210 | If it is found then the ``img_container_format`` and ``img_disk_format`` |
| 211 | options are used to upload that image to glance. If it's not found, the tests |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 212 | requiring an image to upload will fail. |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 213 | |
| 214 | It is worth pointing out that using `cirros`_ is a very good choice for running |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 215 | Tempest. It's what is used for upstream testing, they boot quickly and have a |
Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 216 | small footprint. |
| 217 | |
| 218 | .. _cirros: https://launchpad.net/cirros |
| 219 | |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 220 | Networking |
| 221 | ---------- |
| 222 | OpenStack has a myriad of different networking configurations possible and |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 223 | depending on which of the two network backends, nova-network or Neutron, you are |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 224 | using things can vary drastically. Due to this complexity Tempest has to provide |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 225 | a certain level of flexibility in its configuration to ensure it will work |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 226 | against any cloud. This ends up causing a large number of permutations in |
| 227 | Tempest's config around network configuration. |
| 228 | |
| 229 | |
| 230 | Enabling Remote Access to Created Servers |
| 231 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
Matthew Treinish | e8ab5f9 | 2017-03-01 15:25:39 -0500 | [diff] [blame] | 232 | |
| 233 | .. _tempest_conf_network_allocation: |
| 234 | |
Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 235 | Network Creation/Usage for Servers |
| 236 | """""""""""""""""""""""""""""""""" |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 237 | When Tempest creates servers for testing, some tests require being able to |
| 238 | connect those servers. Depending on the configuration of the cloud, the methods |
deepak_mourya | e495cd2 | 2018-07-16 12:38:17 +0530 | [diff] [blame] | 239 | for doing this can be different. In certain configurations, it is required to |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 240 | specify a single network with server create calls. Accordingly, Tempest provides |
| 241 | a few different methods for providing this information in configuration to try |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 242 | and ensure that regardless of the cloud's configuration it'll still be able to |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 243 | run. This section covers the different methods of configuring Tempest to provide |
| 244 | a network when creating servers. |
| 245 | |
| 246 | Fixed Network Name |
Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 247 | '''''''''''''''''' |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 248 | This is the simplest method of specifying how networks should be used. You can |
| 249 | just specify a single network name/label to use for all server creations. The |
Sean Dague | ed6e586 | 2016-04-04 10:49:13 -0400 | [diff] [blame] | 250 | limitation with this is that all projects and users must be able to see |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 251 | that network name/label if they are to perform a network list and be able to use |
| 252 | it. |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 253 | |
| 254 | If no network name is assigned in the config file and none of the below |
| 255 | alternatives are used, then Tempest will not specify a network on server |
| 256 | creations, which depending on the cloud configuration might prevent them from |
| 257 | booting. |
| 258 | |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 259 | To set a fixed network name simply: |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 260 | |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 261 | #. Set the ``fixed_network_name`` option in the ``compute`` group |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 262 | |
| 263 | In the case that the configured fixed network name can not be found by a user |
| 264 | network list call, it will be treated like one was not provided except that a |
| 265 | warning will be logged stating that it couldn't be found. |
| 266 | |
| 267 | |
| 268 | Accounts File |
Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 269 | ''''''''''''' |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 270 | If you are using an accounts file to provide credentials for running Tempest |
| 271 | then you can leverage it to also specify which network should be used with |
Sean Dague | ed6e586 | 2016-04-04 10:49:13 -0400 | [diff] [blame] | 272 | server creations on a per project and user pair basis. This provides |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 273 | the necessary flexibility to work with more intricate networking configurations |
| 274 | by enabling the user to specify exactly which network to use for which |
Sean Dague | ed6e586 | 2016-04-04 10:49:13 -0400 | [diff] [blame] | 275 | projects. You can refer to the accounts.yaml.sample file included in |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 276 | the Tempest repo for the syntax around specifying networks in the file. |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 277 | |
| 278 | However, specifying a network is not required when using an accounts file. If |
| 279 | one is not specified you can use a fixed network name to specify the network to |
| 280 | use when creating servers just as without an accounts file. However, any network |
| 281 | specified in the accounts file will take precedence over the fixed network name |
| 282 | provided. If no network is provided in the accounts file and a fixed network |
| 283 | name is not set then no network will be included in create server requests. |
| 284 | |
| 285 | If a fixed network is provided and the accounts.yaml file also contains networks |
| 286 | this has the benefit of enabling a couple more tests which require a static |
| 287 | network to perform operations like server lists with a network filter. If a |
| 288 | fixed network name is not provided these tests are skipped. Additionally, if a |
| 289 | fixed network name is provided it will serve as a fallback in case of a |
| 290 | misconfiguration or a missing network in the accounts file. |
| 291 | |
| 292 | |
Andrea Frittoli (andreaf) | 17209bb | 2015-05-22 10:16:57 -0700 | [diff] [blame] | 293 | With Dynamic Credentials |
Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 294 | '''''''''''''''''''''''' |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 295 | With dynamic credentials enabled and using nova-network, your only option for |
lanoux | 63bb903 | 2016-03-21 03:16:18 -0700 | [diff] [blame] | 296 | configuration is to either set a fixed network name or not. However, in most |
deepak_mourya | e495cd2 | 2018-07-16 12:38:17 +0530 | [diff] [blame] | 297 | cases, it shouldn't matter because nova-network should have no problem booting a |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 298 | server with multiple networks. If this is not the case for your cloud then using |
| 299 | an accounts file is recommended because it provides the necessary flexibility to |
deepak_mourya | e495cd2 | 2018-07-16 12:38:17 +0530 | [diff] [blame] | 300 | describe your configuration. Dynamic credentials are not able to dynamically |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 301 | allocate things as necessary if Neutron is not enabled. |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 302 | |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 303 | With Neutron and dynamic credentials enabled there should not be any additional |
Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 304 | configuration necessary to enable Tempest to create servers with working |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 305 | networking, assuming you have properly configured the ``network`` section to |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 306 | work for your cloud. Tempest will dynamically create the Neutron resources |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 307 | necessary to enable using servers with that network. Also, just as with the |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 308 | accounts file, if you specify a fixed network name while using Neutron and |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 309 | dynamic credentials it will enable running tests which require a static network |
| 310 | and it will additionally be used as a fallback for server creation. However, |
| 311 | unlike accounts.yaml this should never be triggered. |
Matthew Treinish | 3220cad | 2015-04-15 16:25:48 -0400 | [diff] [blame] | 312 | |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 313 | However, there is an option ``create_isolated_networks`` to disable dynamic |
| 314 | credentials's automatic provisioning of network resources. If this option is set |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 315 | to ``False`` you will have to either rely on there only being a single/default |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 316 | network available for the server creation, or use ``fixed_network_name`` to |
| 317 | inform Tempest which network to use. |
Matthew Treinish | 2219d38 | 2015-04-24 10:33:04 -0400 | [diff] [blame] | 318 | |
Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 319 | SSH Connection Configuration |
| 320 | """""""""""""""""""""""""""" |
| 321 | There are also several different ways to actually establish a connection and |
| 322 | authenticate/login on the server. After a server is booted with a provided |
| 323 | network there are still details needed to know how to actually connect to |
| 324 | the server. The ``validation`` group gathers all the options regarding |
| 325 | connecting to and remotely accessing the created servers. |
| 326 | |
| 327 | To enable remote access to servers, there are 3 options at a minimum that are used: |
| 328 | |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 329 | #. ``run_validation`` |
| 330 | #. ``connect_method`` |
| 331 | #. ``auth_method`` |
Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 332 | |
| 333 | The ``run_validation`` is used to enable or disable ssh connectivity for |
| 334 | all tests (with the exception of scenario tests which do not have a flag for |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 335 | enabling or disabling ssh) To enable ssh connectivity this needs be set to ``True``. |
Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 336 | |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 337 | The ``connect_method`` option is used to tell Tempest what kind of IP to use for |
Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 338 | establishing a connection to the server. Two methods are available: ``fixed`` |
| 339 | and ``floating``, the later being set by default. If this is set to floating |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 340 | Tempest will create a floating ip for the server before attempted to connect |
Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 341 | to it. The IP for the floating ip is what is used for the connection. |
| 342 | |
| 343 | For the ``auth_method`` option there is currently, only one valid option, |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 344 | ``keypair``. With this set to ``keypair`` Tempest will create an ssh keypair |
Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 345 | and use that for authenticating against the created server. |
| 346 | |
Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 347 | Configuring Available Services |
| 348 | ------------------------------ |
| 349 | OpenStack is really a constellation of several different projects which |
| 350 | are running together to create a cloud. However which projects you're running |
| 351 | is not set in stone, and which services are running is up to the deployer. |
deepak_mourya | e495cd2 | 2018-07-16 12:38:17 +0530 | [diff] [blame] | 352 | Tempest, however, needs to know which services are available so it can figure |
Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 353 | out which tests it is able to run and certain setup steps which differ based |
| 354 | on the available services. |
| 355 | |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 356 | The ``service_available`` section of the config file is used to set which |
Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 357 | services are available. It contains a boolean option for each service (except |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 358 | for Keystone which is a hard requirement) set it to ``True`` if the service is |
| 359 | available or ``False`` if it is not. |
Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 360 | |
| 361 | Service Catalog |
| 362 | ^^^^^^^^^^^^^^^ |
| 363 | Each project which has its own REST API contains an entry in the service |
| 364 | catalog. Like most things in OpenStack this is also completely configurable. |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 365 | However, for Tempest to be able to figure out which endpoints should get REST |
| 366 | API calls for each service, it needs to know how that project is defined in the |
| 367 | service catalog. There are three options for each service section to accomplish |
Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 368 | this: |
| 369 | |
Masayuki Igawa | b78b923 | 2017-11-17 16:12:37 +0900 | [diff] [blame] | 370 | #. ``catalog_type`` |
| 371 | #. ``endpoint_type`` |
| 372 | #. ``region`` |
Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 373 | |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 374 | Setting ``catalog_type`` and ``endpoint_type`` should normally give Tempest |
| 375 | enough information to determine which endpoint it should pull from the service |
| 376 | catalog to use for talking to that particular service. However, if your cloud |
| 377 | has multiple regions available and you need to specify a particular one to use a |
| 378 | service you can set the ``region`` option in that service's section. |
Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 379 | |
| 380 | It should also be noted that the default values for these options are set |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 381 | to what DevStack uses (which is a de facto standard for service catalog |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 382 | entries). So often nothing actually needs to be set on these options to enable |
Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 383 | communication to a particular service. It is only if you are either not using |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 384 | the same ``catalog_type`` as DevStack or you want Tempest to talk to a different |
| 385 | endpoint type instead of ``publicURL`` for a service that these need to be |
| 386 | changed. |
Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 387 | |
ghanshyam | 571dfac | 2015-10-30 11:21:28 +0900 | [diff] [blame] | 388 | .. note:: |
| 389 | |
deepak_mourya | e495cd2 | 2018-07-16 12:38:17 +0530 | [diff] [blame] | 390 | Tempest does not serve all kinds of fancy URLs in the service catalog. |
| 391 | The service catalog should be in a standard format (which is going to be |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 392 | standardized at the Keystone level). |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 393 | Tempest expects URLs in the Service catalog in the following format: |
Masayuki Igawa | e63cf0f | 2016-05-25 10:25:21 +0900 | [diff] [blame] | 394 | |
| 395 | * ``http://example.com:1234/<version-info>`` |
| 396 | |
ghanshyam | 571dfac | 2015-10-30 11:21:28 +0900 | [diff] [blame] | 397 | Examples: |
Masayuki Igawa | e63cf0f | 2016-05-25 10:25:21 +0900 | [diff] [blame] | 398 | |
| 399 | * Good - ``http://example.com:1234/v2.0`` |
gaofei | 6ec582f | 2018-01-24 14:08:36 +0800 | [diff] [blame] | 400 | * Wouldn't work - ``http://example.com:1234/xyz/v2.0/`` |
Masayuki Igawa | e63cf0f | 2016-05-25 10:25:21 +0900 | [diff] [blame] | 401 | (adding prefix/suffix around version etc) |
Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 402 | |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 403 | Service Feature Configuration |
Matthew Treinish | 3220cad | 2015-04-15 16:25:48 -0400 | [diff] [blame] | 404 | ----------------------------- |
| 405 | |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 406 | OpenStack provides its deployers a myriad of different configuration options to |
| 407 | enable anyone deploying it to create a cloud tailor-made for any individual use |
| 408 | case. It provides options for several different backend types, databases, |
Matthew Treinish | 3220cad | 2015-04-15 16:25:48 -0400 | [diff] [blame] | 409 | message queues, etc. However, the downside to this configurability is that |
| 410 | certain operations and features aren't supported depending on the configuration. |
| 411 | These features may or may not be discoverable from the API so the burden is |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 412 | often on the user to figure out what is supported by the cloud they're talking |
deepak_mourya | e495cd2 | 2018-07-16 12:38:17 +0530 | [diff] [blame] | 413 | to. Besides the obvious interoperability issues with this, it also leaves |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 414 | Tempest in an interesting situation trying to figure out which tests are |
| 415 | expected to work. However, Tempest tests do not rely on dynamic API discovery |
deepak_mourya | e495cd2 | 2018-07-16 12:38:17 +0530 | [diff] [blame] | 416 | for a feature (assuming one exists). Instead, Tempest has to be explicitly |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 417 | configured as to which optional features are enabled. This is in order to |
| 418 | prevent bugs in the discovery mechanisms from masking failures. |
Matthew Treinish | 3220cad | 2015-04-15 16:25:48 -0400 | [diff] [blame] | 419 | |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 420 | The service ``feature-enabled`` config sections are how Tempest addresses the |
Matthew Treinish | 3220cad | 2015-04-15 16:25:48 -0400 | [diff] [blame] | 421 | optional feature question. Each service that has tests for optional features |
| 422 | contains one of these sections. The only options in it are boolean options |
| 423 | with the name of a feature which is used. If it is set to false any test which |
| 424 | depends on that functionality will be skipped. For a complete list of all these |
| 425 | options refer to the sample config file. |
| 426 | |
| 427 | |
| 428 | API Extensions |
| 429 | ^^^^^^^^^^^^^^ |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 430 | The service feature-enabled sections often contain an ``api-extensions`` option |
Jordan Pittier | 74a56ab | 2017-04-26 16:46:20 +0200 | [diff] [blame] | 431 | (or in the case of Swift a ``discoverable_apis`` option). This is used to tell |
deepak_mourya | e495cd2 | 2018-07-16 12:38:17 +0530 | [diff] [blame] | 432 | Tempest which API extensions (or configurable middleware) is used in your |
Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 433 | deployment. It has two valid config states: either it contains a single value |
deepak_mourya | e495cd2 | 2018-07-16 12:38:17 +0530 | [diff] [blame] | 434 | ``all`` (which is the default) which means that every API extension is assumed |
Matthew Treinish | 3220cad | 2015-04-15 16:25:48 -0400 | [diff] [blame] | 435 | to be enabled, or it is set to a list of each individual extension that is |
| 436 | enabled for that service. |