opendev/system-config
Code Issues Proposed changes
951c2f4cde
system-config/testinfra/util.py
James E. Blair 3d6cefe9dd Stop using backend hostname in zuul testinfra tests 
Tests that call host.backend.get_hostname() to switch on test
assertions are likely to fail open.  Stop using this in zuul tests
and instead add new files for each of the types of zuul hosts
where we want to do additional verification.

Share the iptables related code between all the tests that perform
iptables checks.

Also, some extra merger test and some negative assertions are added.

Move multi-node-hosts-file to after set-hostname. multi-node-hosts-file
is designed to append, and set-hostname is designed to write.

When we write the gate version of the inventory, map the nodepool
private_ipv4 address as the public_v4 address of the inventory host
since that's what is written to /etc/hosts, and is therefore, in the
context of a gate job, the "public" address.

Change-Id: Id2dad08176865169272a8c135d232c2b58a7a2c1
2020-06-10 14:48:40 -07:00

61 lines
2.1 KiB
Python
Raw Blame History

# Copyright 2018 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import socket
def get_ips(value, family=None):
ret = set()
try:
addr_info = socket.getaddrinfo(value, None, family)
except socket.gaierror:
return ret
for addr in addr_info:
ret.add(addr[4][0])
return ret
def verify_iptables(host):
rules = host.iptables.rules()
rules = [x.strip() for x in rules]
needed_rules = [
'-P INPUT ACCEPT',
'-P FORWARD DROP',
'-P OUTPUT ACCEPT',
'-N openstack-INPUT',
'-A INPUT -j openstack-INPUT',
'-A openstack-INPUT -i lo -j ACCEPT',
'-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
'-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
'-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
'-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
]
for rule in needed_rules:
assert rule in rules
# Ensure all IPv4+6 addresses for cacti are allowed
for ip in get_ips('cacti.openstack.org', socket.AF_INET):
snmp = ('-A openstack-INPUT -s %s/32 -p udp -m udp'
' --dport 161 -j ACCEPT' % ip)
assert snmp in rules
# TODO(ianw) add ip6tables support to testinfra iptables module
ip6rules = host.check_output('ip6tables -S')
for ip in get_ips('cacti.openstack.org', socket.AF_INET6):
snmp = ('-A openstack-INPUT -s %s/128 -p udp -m udp'
' --dport 161 -j ACCEPT' % ip)
assert snmp in ip6rules
return rules
View Git Blame Copy Permalink