| Matthew Treinish | a970d65 | 2015-03-11 15:39:24 -0400 | [diff] [blame] | 1 | .. _tempest-configuration: | 
|  | 2 |  | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 3 | Tempest Configuration Guide | 
|  | 4 | =========================== | 
|  | 5 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 6 | This guide is a starting point for configuring Tempest. It aims to elaborate | 
| Matthew Treinish | f640f66 | 2015-03-11 15:13:30 -0400 | [diff] [blame] | 7 | on and explain some of the mandatory and common configuration settings and how | 
|  | 8 | they are used in conjunction. The source of truth on each option is the sample | 
| Matthew Treinish | f45ba2e | 2015-08-24 15:05:01 -0400 | [diff] [blame] | 9 | config file which explains the purpose of each individual option. You can see | 
|  | 10 | the sample config file here: :ref:`tempest-sampleconf` | 
| Matthew Treinish | f640f66 | 2015-03-11 15:13:30 -0400 | [diff] [blame] | 11 |  | 
| Matthew Treinish | e8ab5f9 | 2017-03-01 15:25:39 -0500 | [diff] [blame] | 12 | .. _tempest_cred_provider_conf: | 
|  | 13 |  | 
| Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 14 | Test Credentials | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 15 | ---------------- | 
|  | 16 |  | 
| Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 17 | Tempest allows for configuring a set of admin credentials in the ``auth`` | 
|  | 18 | section, via the following parameters: | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 19 |  | 
| Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 20 | #. ``admin_username`` | 
|  | 21 | #. ``admin_password`` | 
|  | 22 | #. ``admin_project_name`` | 
|  | 23 | #. ``admin_domain_name`` | 
|  | 24 |  | 
|  | 25 | Admin credentials are not mandatory to run Tempest, but when provided they | 
|  | 26 | can be used to: | 
|  | 27 |  | 
|  | 28 | - Run tests for admin APIs | 
|  | 29 | - Generate test credentials on the fly (see `Dynamic Credentials`_) | 
|  | 30 |  | 
| Andrea Frittoli (andreaf) | 100d18d | 2016-05-05 23:34:52 +0100 | [diff] [blame] | 31 | When keystone uses a policy that requires domain scoped tokens for admin | 
|  | 32 | actions, the flag ``admin_domain_scope`` must be set to ``True``. | 
|  | 33 | The admin user configured, if any, must have a role assigned to the domain to | 
|  | 34 | be usable. | 
|  | 35 |  | 
| Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 36 | Tempest allows for configuring pre-provisioned test credentials as well. | 
| Matthew Treinish | 40847ac | 2016-01-04 13:16:03 -0500 | [diff] [blame] | 37 | This can be done using the accounts.yaml file (see | 
| Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 38 | `Pre-Provisioned Credentials`_). This file is used to specify an arbitrary | 
|  | 39 | number of users available to run tests with. | 
|  | 40 | You can specify the location of the file in the ``auth`` section in the | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 41 | tempest.conf file. To see the specific format used in the file please refer to | 
| Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 42 | the accounts.yaml.sample file included in Tempest. | 
|  | 43 |  | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 44 | Keystone Connection Info | 
|  | 45 | ^^^^^^^^^^^^^^^^^^^^^^^^ | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 46 | In order for Tempest to be able to talk to your OpenStack deployment you need | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 47 | to provide it with information about how it communicates with keystone. | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 48 | This involves configuring the following options in the ``identity`` section: | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 49 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 50 | #. ``auth_version`` | 
|  | 51 | #. ``uri`` | 
|  | 52 | #. ``uri_v3`` | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 53 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 54 | The ``auth_version`` option is used to tell Tempest whether it should be using | 
| zhufl | cc0c048 | 2017-05-27 16:21:18 +0800 | [diff] [blame] | 55 | keystone's v2 or v3 api for communicating with keystone. The two uri options are | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 56 | used to tell Tempest the url of the keystone endpoint. The ``uri`` option is | 
|  | 57 | used for keystone v2 request and ``uri_v3`` is used for keystone v3. You want to | 
|  | 58 | ensure that which ever version you set for ``auth_version`` has its uri option | 
|  | 59 | defined. | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 60 |  | 
|  | 61 |  | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 62 | Credential Provider Mechanisms | 
|  | 63 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | 
|  | 64 |  | 
| Castulo J. Martinez | 34329b5 | 2016-07-08 10:56:52 -0700 | [diff] [blame] | 65 | Tempest currently has two different internal methods for providing authentication | 
|  | 66 | to tests: dynamic credentials and pre-provisioned credentials. | 
|  | 67 | Depending on which one is in use the configuration of Tempest is slightly different. | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 68 |  | 
| Andrea Frittoli (andreaf) | 17209bb | 2015-05-22 10:16:57 -0700 | [diff] [blame] | 69 | Dynamic Credentials | 
|  | 70 | """"""""""""""""""" | 
|  | 71 | Dynamic Credentials (formerly known as Tenant isolation) was originally created | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 72 | to enable running Tempest in parallel.  For each test class it creates a unique | 
|  | 73 | set of user credentials to use for the tests in the class. It can create up to | 
| Sean Dague | ed6e586 | 2016-04-04 10:49:13 -0400 | [diff] [blame] | 74 | three sets of username, password, and project names for a primary user, | 
|  | 75 | an admin user, and an alternate user. To enable and use dynamic credentials you | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 76 | only need to configure two things: | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 77 |  | 
|  | 78 | #. A set of admin credentials with permissions to create users and | 
| Sean Dague | ed6e586 | 2016-04-04 10:49:13 -0400 | [diff] [blame] | 79 | projects. This is specified in the ``auth`` section with the | 
|  | 80 | ``admin_username``, ``admin_project_name``, ``admin_domain_name`` and | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 81 | ``admin_password`` options | 
|  | 82 | #. To enable dynamic credentials in the ``auth`` section with the | 
|  | 83 | ``use_dynamic_credentials`` option. | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 84 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 85 | This is also currently the default credential provider enabled by Tempest, due | 
|  | 86 | to its common use and ease of configuration. | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 87 |  | 
| Matthew Treinish | 4fae472 | 2015-04-16 21:03:54 -0400 | [diff] [blame] | 88 | It is worth pointing out that depending on your cloud configuration you might | 
| Andrea Frittoli (andreaf) | 17209bb | 2015-05-22 10:16:57 -0700 | [diff] [blame] | 89 | need to assign a role to each of the users created by Tempest's dynamic | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 90 | credentials.  This can be set using the ``tempest_roles`` option. It takes in a | 
|  | 91 | list of role names each of which will be assigned to each of the users created | 
|  | 92 | by dynamic credentials. This option will not have any effect when Tempest is not | 
| Andrea Frittoli (andreaf) | 17209bb | 2015-05-22 10:16:57 -0700 | [diff] [blame] | 93 | configured to use dynamic credentials. | 
| Matthew Treinish | 4fae472 | 2015-04-16 21:03:54 -0400 | [diff] [blame] | 94 |  | 
| Andrea Frittoli (andreaf) | 100d18d | 2016-05-05 23:34:52 +0100 | [diff] [blame] | 95 | When the ``admin_domain_scope`` option is set to ``True``, provisioned admin | 
|  | 96 | accounts will be assigned a role on domain configured in | 
|  | 97 | ``default_credentials_domain_name``. This will make the accounts provisioned | 
|  | 98 | usable in a cloud where domain scoped tokens are required by keystone for | 
| Hironori Shiina | 91049ad | 2016-09-28 17:28:49 +0900 | [diff] [blame] | 99 | admin operations. Note that the initial pre-provision admin accounts, | 
| Andrea Frittoli (andreaf) | 100d18d | 2016-05-05 23:34:52 +0100 | [diff] [blame] | 100 | configured in tempest.conf, must have a role on the same domain as well, for | 
|  | 101 | Dynamic Credentials to work. | 
|  | 102 |  | 
| Matthew Treinish | 4fae472 | 2015-04-16 21:03:54 -0400 | [diff] [blame] | 103 |  | 
| Andrea Frittoli (andreaf) | dd25070 | 2016-04-29 15:01:22 -0500 | [diff] [blame] | 104 | Pre-Provisioned Credentials | 
|  | 105 | """"""""""""""""""""""""""" | 
|  | 106 |  | 
| Andrea Frittoli (andreaf) | 17209bb | 2015-05-22 10:16:57 -0700 | [diff] [blame] | 107 | For a long time using dynamic credentials was the only method available if you | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 108 | wanted to enable parallel execution of Tempest tests. However, this was | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 109 | insufficient for certain use cases because of the admin credentials requirement | 
|  | 110 | to create the credential sets on demand. To get around that the accounts.yaml | 
|  | 111 | file was introduced and with that a new internal credential provider to enable | 
|  | 112 | using the list of credentials instead of creating them on demand. With locking | 
|  | 113 | test accounts each test class will reserve a set of credentials from the | 
|  | 114 | accounts.yaml before executing any of its tests so that each class is isolated | 
| Andrea Frittoli (andreaf) | 17209bb | 2015-05-22 10:16:57 -0700 | [diff] [blame] | 115 | like with dynamic credentials. | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 116 |  | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 117 | To enable and use locking test accounts you need do a few things: | 
|  | 118 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 119 | #. Create an accounts.yaml file which contains the set of pre-existing | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 120 | credentials to use for testing. To make sure you don't have a credentials | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 121 | starvation issue when running in parallel make sure you have at least two | 
|  | 122 | times the number of worker processes you are using to execute Tempest | 
|  | 123 | available in the file. (If running serially the worker count is 1.) | 
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 124 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 125 | You can check the accounts.yaml.sample file packaged in Tempest for the yaml | 
|  | 126 | format. | 
|  | 127 | #. Provide Tempest with the location of your accounts.yaml file with the | 
|  | 128 | ``test_accounts_file`` option in the ``auth`` section | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 129 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 130 | *NOTE: Be sure to use a full path for the file; otherwise Tempest will | 
| Matthew Treinish | 84c6d29 | 2015-12-16 17:50:57 -0500 | [diff] [blame] | 131 | likely not find it.* | 
|  | 132 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 133 | #. Set ``use_dynamic_credentials = False`` in the ``auth`` group | 
| Fei Long Wang | 7fee787 | 2015-05-12 11:36:49 +1200 | [diff] [blame] | 134 |  | 
| Matthew Treinish | 9329985 | 2015-04-24 09:58:18 -0400 | [diff] [blame] | 135 | It is worth pointing out that each set of credentials in the accounts.yaml | 
| Sean Dague | ed6e586 | 2016-04-04 10:49:13 -0400 | [diff] [blame] | 136 | should have a unique project. This is required to provide proper isolation | 
| Matthew Treinish | 9329985 | 2015-04-24 09:58:18 -0400 | [diff] [blame] | 137 | to the tests using the credentials, and failure to do this will likely cause | 
| Matthew Treinish | 45915b0 | 2016-08-31 10:25:55 -0400 | [diff] [blame] | 138 | unexpected failures in some tests. Also, ensure that these projects and users | 
|  | 139 | used do not have any pre-existing resources created. Tempest assumes all | 
|  | 140 | tenants it's using are empty and may sporadically fail if there are unexpected | 
|  | 141 | resources present. | 
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 142 |  | 
| Andrea Frittoli (andreaf) | 100d18d | 2016-05-05 23:34:52 +0100 | [diff] [blame] | 143 | When the keystone in the target cloud requires domain scoped tokens to | 
|  | 144 | perform admin actions, all pre-provisioned admin users must have a role | 
|  | 145 | assigned on the domain where test accounts a provisioned. | 
|  | 146 | The option ``admin_domain_scope`` is used to tell tempest that domain scoped | 
|  | 147 | tokens shall be used. ``default_credentials_domain_name`` is the domain where | 
|  | 148 | test accounts are expected to be provisioned if no domain is specified. | 
|  | 149 |  | 
|  | 150 | Note that if credentials are pre-provisioned via ``tempest account-generator`` | 
|  | 151 | the role on the domain will be assigned automatically for you, as long as | 
|  | 152 | ``admin_domain_scope`` as ``default_credentials_domain_name`` are configured | 
|  | 153 | properly in tempest.conf. | 
|  | 154 |  | 
| Hironori Shiina | 91049ad | 2016-09-28 17:28:49 +0900 | [diff] [blame] | 155 | Pre-Provisioned Credentials are also known as accounts.yaml or accounts file. | 
| Matthew Treinish | 9329985 | 2015-04-24 09:58:18 -0400 | [diff] [blame] | 156 |  | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 157 | Compute | 
|  | 158 | ------- | 
|  | 159 |  | 
|  | 160 | Flavors | 
|  | 161 | ^^^^^^^ | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 162 | For Tempest to be able to create servers you need to specify flavors that it | 
|  | 163 | can use to boot the servers with. There are two options in the Tempest config | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 164 | for doing this: | 
|  | 165 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 166 | #. ``flavor_ref`` | 
|  | 167 | #. ``flavor_ref_alt`` | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 168 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 169 | Both of these options are in the ``compute`` section of the config file and take | 
|  | 170 | in the flavor id (not the name) from nova. The ``flavor_ref`` option is what | 
|  | 171 | will be used for booting almost all of the guests; ``flavor_ref_alt`` is only | 
|  | 172 | used in tests where two different-sized servers are required (for example, a | 
|  | 173 | resize test). | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 174 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 175 | Using a smaller flavor is generally recommended. When larger flavors are used, | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 176 | the extra time required to bring up servers will likely affect total run time | 
|  | 177 | and probably require tweaking timeout values to ensure tests have ample time to | 
|  | 178 | finish. | 
|  | 179 |  | 
|  | 180 | Images | 
|  | 181 | ^^^^^^ | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 182 | Just like with flavors, Tempest needs to know which images to use for booting | 
|  | 183 | servers. There are two options in the compute section just like with flavors: | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 184 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 185 | #. ``image_ref`` | 
|  | 186 | #. ``image_ref_alt`` | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 187 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 188 | Both options are expecting an image id (not name) from nova. The ``image_ref`` | 
|  | 189 | option is what will be used for booting the majority of servers in Tempest. | 
|  | 190 | ``image_ref_alt`` is used for tests that require two images such as rebuild. If | 
|  | 191 | two images are not available you can set both options to the same image id and | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 192 | those tests will be skipped. | 
|  | 193 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 194 | There are also options in the ``scenario`` section for images: | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 195 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 196 | #. ``img_file`` | 
|  | 197 | #. ``img_dir`` | 
|  | 198 | #. ``aki_img_file`` | 
|  | 199 | #. ``ari_img_file`` | 
|  | 200 | #. ``ami_img_file`` | 
|  | 201 | #. ``img_container_format`` | 
|  | 202 | #. ``img_disk_format`` | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 203 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 204 | However, unlike the other image options, these are used for a very small subset | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 205 | of scenario tests which are uploading an image. These options are used to tell | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 206 | Tempest where an image file is located and describe its metadata for when it is | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 207 | uploaded. | 
|  | 208 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 209 | The behavior of these options is a bit convoluted (which will likely be fixed in | 
|  | 210 | future versions). You first need to specify ``img_dir``, which is the directory | 
|  | 211 | in which Tempest will look for the image files. First it will check if the | 
|  | 212 | filename set for ``img_file`` could be found in ``img_dir``. If it is found then | 
|  | 213 | the ``img_container_format`` and ``img_disk_format`` options are used to upload | 
|  | 214 | that image to glance. However, if it is not found, Tempest will look for the | 
|  | 215 | three uec image file name options as a fallback. If neither is found, the tests | 
|  | 216 | requiring an image to upload will fail. | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 217 |  | 
|  | 218 | It is worth pointing out that using `cirros`_ is a very good choice for running | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 219 | Tempest. It's what is used for upstream testing, they boot quickly and have a | 
| Matthew Treinish | 7909e12 | 2015-04-15 15:43:50 -0400 | [diff] [blame] | 220 | small footprint. | 
|  | 221 |  | 
|  | 222 | .. _cirros: https://launchpad.net/cirros | 
|  | 223 |  | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 224 | Networking | 
|  | 225 | ---------- | 
|  | 226 | OpenStack has a myriad of different networking configurations possible and | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 227 | depending on which of the two network backends, nova-network or neutron, you are | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 228 | using things can vary drastically. Due to this complexity Tempest has to provide | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 229 | a certain level of flexibility in its configuration to ensure it will work | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 230 | against any cloud. This ends up causing a large number of permutations in | 
|  | 231 | Tempest's config around network configuration. | 
|  | 232 |  | 
|  | 233 |  | 
|  | 234 | Enabling Remote Access to Created Servers | 
|  | 235 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | 
| Matthew Treinish | e8ab5f9 | 2017-03-01 15:25:39 -0500 | [diff] [blame] | 236 |  | 
|  | 237 | .. _tempest_conf_network_allocation: | 
|  | 238 |  | 
| Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 239 | Network Creation/Usage for Servers | 
|  | 240 | """""""""""""""""""""""""""""""""" | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 241 | When Tempest creates servers for testing, some tests require being able to | 
|  | 242 | connect those servers. Depending on the configuration of the cloud, the methods | 
|  | 243 | for doing this can be different. In certain configurations it is required to | 
|  | 244 | specify a single network with server create calls. Accordingly, Tempest provides | 
|  | 245 | a few different methods for providing this information in configuration to try | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 246 | and ensure that regardless of the cloud's configuration it'll still be able to | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 247 | run. This section covers the different methods of configuring Tempest to provide | 
|  | 248 | a network when creating servers. | 
|  | 249 |  | 
|  | 250 | Fixed Network Name | 
| Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 251 | '''''''''''''''''' | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 252 | This is the simplest method of specifying how networks should be used. You can | 
|  | 253 | just specify a single network name/label to use for all server creations. The | 
| Sean Dague | ed6e586 | 2016-04-04 10:49:13 -0400 | [diff] [blame] | 254 | limitation with this is that all projects and users must be able to see | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 255 | that network name/label if they are to perform a network list and be able to use | 
|  | 256 | it. | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 257 |  | 
|  | 258 | If no network name is assigned in the config file and none of the below | 
|  | 259 | alternatives are used, then Tempest will not specify a network on server | 
|  | 260 | creations, which depending on the cloud configuration might prevent them from | 
|  | 261 | booting. | 
|  | 262 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 263 | To set a fixed network name simply: | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 264 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 265 | #. Set the ``fixed_network_name`` option in the ``compute`` group | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 266 |  | 
|  | 267 | In the case that the configured fixed network name can not be found by a user | 
|  | 268 | network list call, it will be treated like one was not provided except that a | 
|  | 269 | warning will be logged stating that it couldn't be found. | 
|  | 270 |  | 
|  | 271 |  | 
|  | 272 | Accounts File | 
| Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 273 | ''''''''''''' | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 274 | If you are using an accounts file to provide credentials for running Tempest | 
|  | 275 | then you can leverage it to also specify which network should be used with | 
| Sean Dague | ed6e586 | 2016-04-04 10:49:13 -0400 | [diff] [blame] | 276 | server creations on a per project and user pair basis. This provides | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 277 | the necessary flexibility to work with more intricate networking configurations | 
|  | 278 | by enabling the user to specify exactly which network to use for which | 
| Sean Dague | ed6e586 | 2016-04-04 10:49:13 -0400 | [diff] [blame] | 279 | projects. You can refer to the accounts.yaml.sample file included in | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 280 | the Tempest repo for the syntax around specifying networks in the file. | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 281 |  | 
|  | 282 | However, specifying a network is not required when using an accounts file. If | 
|  | 283 | one is not specified you can use a fixed network name to specify the network to | 
|  | 284 | use when creating servers just as without an accounts file. However, any network | 
|  | 285 | specified in the accounts file will take precedence over the fixed network name | 
|  | 286 | provided. If no network is provided in the accounts file and a fixed network | 
|  | 287 | name is not set then no network will be included in create server requests. | 
|  | 288 |  | 
|  | 289 | If a fixed network is provided and the accounts.yaml file also contains networks | 
|  | 290 | this has the benefit of enabling a couple more tests which require a static | 
|  | 291 | network to perform operations like server lists with a network filter. If a | 
|  | 292 | fixed network name is not provided these tests are skipped. Additionally, if a | 
|  | 293 | fixed network name is provided it will serve as a fallback in case of a | 
|  | 294 | misconfiguration or a missing network in the accounts file. | 
|  | 295 |  | 
|  | 296 |  | 
| Andrea Frittoli (andreaf) | 17209bb | 2015-05-22 10:16:57 -0700 | [diff] [blame] | 297 | With Dynamic Credentials | 
| Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 298 | '''''''''''''''''''''''' | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 299 | With dynamic credentials enabled and using nova-network, your only option for | 
| lanoux | 63bb903 | 2016-03-21 03:16:18 -0700 | [diff] [blame] | 300 | configuration is to either set a fixed network name or not. However, in most | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 301 | cases it shouldn't matter because nova-network should have no problem booting a | 
|  | 302 | server with multiple networks. If this is not the case for your cloud then using | 
|  | 303 | an accounts file is recommended because it provides the necessary flexibility to | 
|  | 304 | describe your configuration. Dynamic credentials is not able to dynamically | 
|  | 305 | allocate things as necessary if neutron is not enabled. | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 306 |  | 
| Andrea Frittoli (andreaf) | 17209bb | 2015-05-22 10:16:57 -0700 | [diff] [blame] | 307 | With neutron and dynamic credentials enabled there should not be any additional | 
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame] | 308 | configuration necessary to enable Tempest to create servers with working | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 309 | networking, assuming you have properly configured the ``network`` section to | 
|  | 310 | work for your cloud. Tempest will dynamically create the neutron resources | 
|  | 311 | necessary to enable using servers with that network. Also, just as with the | 
|  | 312 | accounts file, if you specify a fixed network name while using neutron and | 
|  | 313 | dynamic credentials it will enable running tests which require a static network | 
|  | 314 | and it will additionally be used as a fallback for server creation. However, | 
|  | 315 | unlike accounts.yaml this should never be triggered. | 
| Matthew Treinish | 3220cad | 2015-04-15 16:25:48 -0400 | [diff] [blame] | 316 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 317 | However, there is an option ``create_isolated_networks`` to disable dynamic | 
|  | 318 | credentials's automatic provisioning of network resources. If this option is set | 
|  | 319 | to False you will have to either rely on there only being a single/default | 
|  | 320 | network available for the server creation, or use ``fixed_network_name`` to | 
|  | 321 | inform Tempest which network to use. | 
| Matthew Treinish | 2219d38 | 2015-04-24 10:33:04 -0400 | [diff] [blame] | 322 |  | 
| Matthew Treinish | 275f178 | 2016-06-07 12:19:34 -0400 | [diff] [blame] | 323 | SSH Connection Configuration | 
|  | 324 | """""""""""""""""""""""""""" | 
|  | 325 | There are also several different ways to actually establish a connection and | 
|  | 326 | authenticate/login on the server. After a server is booted with a provided | 
|  | 327 | network there are still details needed to know how to actually connect to | 
|  | 328 | the server. The ``validation`` group gathers all the options regarding | 
|  | 329 | connecting to and remotely accessing the created servers. | 
|  | 330 |  | 
|  | 331 | To enable remote access to servers, there are 3 options at a minimum that are used: | 
|  | 332 |  | 
|  | 333 | #. ``run_validation`` | 
|  | 334 | #. ``connect_method`` | 
|  | 335 | #. ``auth_method`` | 
|  | 336 |  | 
|  | 337 | The ``run_validation`` is used to enable or disable ssh connectivity for | 
|  | 338 | all tests (with the exception of scenario tests which do not have a flag for | 
|  | 339 | enabling or disabling ssh) To enable ssh connectivity this needs be set to ``true``. | 
|  | 340 |  | 
|  | 341 | The ``connect_method`` option is used to tell tempest what kind of IP to use for | 
|  | 342 | establishing a connection to the server. Two methods are available: ``fixed`` | 
|  | 343 | and ``floating``, the later being set by default. If this is set to floating | 
|  | 344 | tempest will create a floating ip for the server before attempted to connect | 
|  | 345 | to it. The IP for the floating ip is what is used for the connection. | 
|  | 346 |  | 
|  | 347 | For the ``auth_method`` option there is currently, only one valid option, | 
|  | 348 | ``keypair``. With this set to ``keypair`` tempest will create an ssh keypair | 
|  | 349 | and use that for authenticating against the created server. | 
|  | 350 |  | 
| Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 351 | Configuring Available Services | 
|  | 352 | ------------------------------ | 
|  | 353 | OpenStack is really a constellation of several different projects which | 
|  | 354 | are running together to create a cloud. However which projects you're running | 
|  | 355 | is not set in stone, and which services are running is up to the deployer. | 
|  | 356 | Tempest however needs to know which services are available so it can figure | 
|  | 357 | out which tests it is able to run and certain setup steps which differ based | 
|  | 358 | on the available services. | 
|  | 359 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 360 | The ``service_available`` section of the config file is used to set which | 
| Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 361 | services are available. It contains a boolean option for each service (except | 
|  | 362 | for keystone which is a hard requirement) set it to True if the service is | 
|  | 363 | available or False if it is not. | 
|  | 364 |  | 
|  | 365 | Service Catalog | 
|  | 366 | ^^^^^^^^^^^^^^^ | 
|  | 367 | Each project which has its own REST API contains an entry in the service | 
|  | 368 | catalog. Like most things in OpenStack this is also completely configurable. | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 369 | However, for Tempest to be able to figure out which endpoints should get REST | 
|  | 370 | API calls for each service, it needs to know how that project is defined in the | 
|  | 371 | service catalog. There are three options for each service section to accomplish | 
| Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 372 | this: | 
|  | 373 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 374 | #. ``catalog_type`` | 
|  | 375 | #. ``endpoint_type`` | 
|  | 376 | #. ``region`` | 
| Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 377 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 378 | Setting ``catalog_type`` and ``endpoint_type`` should normally give Tempest | 
|  | 379 | enough information to determine which endpoint it should pull from the service | 
|  | 380 | catalog to use for talking to that particular service. However, if your cloud | 
|  | 381 | has multiple regions available and you need to specify a particular one to use a | 
|  | 382 | service you can set the ``region`` option in that service's section. | 
| Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 383 |  | 
|  | 384 | It should also be noted that the default values for these options are set | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 385 | to what devstack uses (which is a de facto standard for service catalog | 
|  | 386 | entries). So often nothing actually needs to be set on these options to enable | 
| Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 387 | communication to a particular service. It is only if you are either not using | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 388 | the same ``catalog_type`` as devstack or you want Tempest to talk to a different | 
| Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 389 | endpoint type instead of publicURL for a service that these need to be changed. | 
|  | 390 |  | 
| ghanshyam | 571dfac | 2015-10-30 11:21:28 +0900 | [diff] [blame] | 391 | .. note:: | 
|  | 392 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 393 | Tempest does not serve all kinds of fancy URLs in the service catalog.  The | 
|  | 394 | service catalog should be in a standard format (which is going to be | 
|  | 395 | standardized at the keystone level). | 
|  | 396 | Tempest expects URLs in the Service catalog in the following format: | 
| Masayuki Igawa | e63cf0f | 2016-05-25 10:25:21 +0900 | [diff] [blame] | 397 |  | 
|  | 398 | * ``http://example.com:1234/<version-info>`` | 
|  | 399 |  | 
| ghanshyam | 571dfac | 2015-10-30 11:21:28 +0900 | [diff] [blame] | 400 | Examples: | 
| Masayuki Igawa | e63cf0f | 2016-05-25 10:25:21 +0900 | [diff] [blame] | 401 |  | 
|  | 402 | * Good - ``http://example.com:1234/v2.0`` | 
|  | 403 | * Wouldn’t work -  ``http://example.com:1234/xyz/v2.0/`` | 
|  | 404 | (adding prefix/suffix around version etc) | 
| Matthew Treinish | f96ab3a | 2015-04-15 19:11:31 -0400 | [diff] [blame] | 405 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 406 | Service Feature Configuration | 
| Matthew Treinish | 3220cad | 2015-04-15 16:25:48 -0400 | [diff] [blame] | 407 | ----------------------------- | 
|  | 408 |  | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 409 | OpenStack provides its deployers a myriad of different configuration options to | 
|  | 410 | enable anyone deploying it to create a cloud tailor-made for any individual use | 
|  | 411 | case. It provides options for several different backend types, databases, | 
| Matthew Treinish | 3220cad | 2015-04-15 16:25:48 -0400 | [diff] [blame] | 412 | message queues, etc. However, the downside to this configurability is that | 
|  | 413 | certain operations and features aren't supported depending on the configuration. | 
|  | 414 | These features may or may not be discoverable from the API so the burden is | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 415 | often on the user to figure out what is supported by the cloud they're talking | 
|  | 416 | to.  Besides the obvious interoperability issues with this it also leaves | 
|  | 417 | Tempest in an interesting situation trying to figure out which tests are | 
|  | 418 | expected to work. However, Tempest tests do not rely on dynamic API discovery | 
|  | 419 | for a feature (assuming one exists). Instead Tempest has to be explicitly | 
|  | 420 | configured as to which optional features are enabled. This is in order to | 
|  | 421 | prevent bugs in the discovery mechanisms from masking failures. | 
| Matthew Treinish | 3220cad | 2015-04-15 16:25:48 -0400 | [diff] [blame] | 422 |  | 
|  | 423 | The service feature-enabled config sections are how Tempest addresses the | 
|  | 424 | optional feature question. Each service that has tests for optional features | 
|  | 425 | contains one of these sections. The only options in it are boolean options | 
|  | 426 | with the name of a feature which is used. If it is set to false any test which | 
|  | 427 | depends on that functionality will be skipped. For a complete list of all these | 
|  | 428 | options refer to the sample config file. | 
|  | 429 |  | 
|  | 430 |  | 
|  | 431 | API Extensions | 
|  | 432 | ^^^^^^^^^^^^^^ | 
| Eric Fried | e0cfc3e | 2015-12-14 16:10:49 -0600 | [diff] [blame] | 433 | The service feature-enabled sections often contain an ``api-extensions`` option | 
|  | 434 | (or in the case of swift a ``discoverable_apis`` option). This is used to tell | 
|  | 435 | Tempest which api extensions (or configurable middleware) is used in your | 
|  | 436 | deployment. It has two valid config states: either it contains a single value | 
|  | 437 | ``all`` (which is the default) which means that every api extension is assumed | 
| Matthew Treinish | 3220cad | 2015-04-15 16:25:48 -0400 | [diff] [blame] | 438 | to be enabled, or it is set to a list of each individual extension that is | 
|  | 439 | enabled for that service. |