charm-neutron-gateway/tests/basic_deployment.py
Edward Hope-Morley 7f5acef378 Add hardening support
Add charmhelpers.contrib.hardening and calls to install,
config-changed, upgrade-charm and update-status hooks.
Also add new config option to allow one or more hardening
modules to be applied at runtime.

Change-Id: I0f3035c8f8feae90ad3572297fab0ac28e7d97e2
2016-03-31 15:01:54 +01:00

1023 lines
42 KiB
Python

import amulet
import os
import yaml
from neutronclient.v2_0 import client as neutronclient
from charmhelpers.contrib.openstack.amulet.deployment import (
OpenStackAmuletDeployment
)
from charmhelpers.contrib.openstack.amulet.utils import (
OpenStackAmuletUtils,
DEBUG,
# ERROR
)
# Use DEBUG to turn on debug logging
u = OpenStackAmuletUtils(DEBUG)
class NeutronGatewayBasicDeployment(OpenStackAmuletDeployment):
"""Amulet tests on a basic neutron-gateway deployment."""
def __init__(self, series, openstack=None, source=None, git=False,
stable=False):
"""Deploy the entire test environment."""
super(NeutronGatewayBasicDeployment, self).__init__(series, openstack,
source, stable)
self.git = git
self._add_services()
self._add_relations()
self._configure_services()
self._deploy()
u.log.info('Waiting on extended status checks...')
exclude_services = ['mysql']
self._auto_wait_for_status(exclude_services=exclude_services)
self._initialize_tests()
def _add_services(self):
"""Add services
Add the services that we're testing, where neutron-gateway is local,
and the rest of the service are from lp branches that are
compatible with the local charm (e.g. stable or next).
"""
this_service = {'name': 'neutron-gateway'}
other_services = [{'name': 'mysql'},
{'name': 'rabbitmq-server'},
{'name': 'keystone'},
{'name': 'glance'}, # satisfy workload status
{'name': 'nova-cloud-controller'},
{'name': 'nova-compute'}, # satisfy workload stat
{'name': 'neutron-api'}]
super(NeutronGatewayBasicDeployment, self)._add_services(
this_service, other_services)
def _add_relations(self):
"""Add all of the relations for the services."""
relations = {
'keystone:shared-db': 'mysql:shared-db',
'neutron-gateway:amqp': 'rabbitmq-server:amqp',
'nova-cloud-controller:quantum-network-service':
'neutron-gateway:quantum-network-service',
'nova-cloud-controller:shared-db': 'mysql:shared-db',
'nova-cloud-controller:identity-service': 'keystone:'
'identity-service',
'nova-cloud-controller:amqp': 'rabbitmq-server:amqp',
'neutron-api:shared-db': 'mysql:shared-db',
'neutron-api:amqp': 'rabbitmq-server:amqp',
'neutron-api:neutron-api': 'nova-cloud-controller:neutron-api',
'neutron-api:identity-service': 'keystone:identity-service',
'glance:identity-service': 'keystone:identity-service',
'glance:shared-db': 'mysql:shared-db',
'glance:amqp': 'rabbitmq-server:amqp',
'nova-cloud-controller:cloud-compute': 'nova-compute:'
'cloud-compute',
'nova-compute:amqp': 'rabbitmq-server:amqp',
'nova-compute:image-service': 'glance:image-service',
'nova-cloud-controller:image-service': 'glance:image-service',
}
super(NeutronGatewayBasicDeployment, self)._add_relations(relations)
def _configure_services(self):
"""Configure all of the services."""
neutron_gateway_config = {}
if self.git:
amulet_http_proxy = os.environ.get('AMULET_HTTP_PROXY')
branch = 'stable/' + self._get_openstack_release_string()
if self._get_openstack_release() >= self.trusty_kilo:
openstack_origin_git = {
'repositories': [
{'name': 'requirements',
'repository': 'git://github.com/openstack/requirements', # noqa
'branch': branch},
{'name': 'neutron-fwaas',
'repository': 'git://github.com/openstack/neutron-fwaas', # noqa
'branch': branch},
{'name': 'neutron-lbaas',
'repository': 'git://github.com/openstack/neutron-lbaas', # noqa
'branch': branch},
{'name': 'neutron-vpnaas',
'repository': 'git://github.com/openstack/neutron-vpnaas', # noqa
'branch': branch},
{'name': 'neutron',
'repository': 'git://github.com/openstack/neutron',
'branch': branch},
],
'directory': '/mnt/openstack-git',
'http_proxy': amulet_http_proxy,
'https_proxy': amulet_http_proxy,
}
else:
reqs_repo = 'git://github.com/openstack/requirements'
neutron_repo = 'git://github.com/openstack/neutron'
if self._get_openstack_release() == self.trusty_icehouse:
reqs_repo = 'git://github.com/coreycb/requirements'
neutron_repo = 'git://github.com/coreycb/neutron'
openstack_origin_git = {
'repositories': [
{'name': 'requirements',
'repository': reqs_repo,
'branch': branch},
{'name': 'neutron',
'repository': neutron_repo,
'branch': branch},
],
'directory': '/mnt/openstack-git',
'http_proxy': amulet_http_proxy,
'https_proxy': amulet_http_proxy,
}
neutron_gateway_config['openstack-origin-git'] = \
yaml.dump(openstack_origin_git)
keystone_config = {'admin-password': 'openstack',
'admin-token': 'ubuntutesting'}
nova_cc_config = {'network-manager': 'Quantum',
'quantum-security-groups': 'yes'}
configs = {'neutron-gateway': neutron_gateway_config,
'keystone': keystone_config,
'nova-cloud-controller': nova_cc_config}
super(NeutronGatewayBasicDeployment, self)._configure_services(configs)
def _initialize_tests(self):
"""Perform final initialization before tests get run."""
# Access the sentries for inspecting service units
self.mysql_sentry = self.d.sentry.unit['mysql/0']
self.keystone_sentry = self.d.sentry.unit['keystone/0']
self.rmq_sentry = self.d.sentry.unit['rabbitmq-server/0']
self.nova_cc_sentry = self.d.sentry.unit['nova-cloud-controller/0']
self.neutron_gateway_sentry = self.d.sentry.unit['neutron-gateway/0']
self.neutron_api_sentry = self.d.sentry.unit['neutron-api/0']
# Authenticate admin with keystone
self.keystone = u.authenticate_keystone_admin(self.keystone_sentry,
user='admin',
password='openstack',
tenant='admin')
# Authenticate admin with neutron
ep = self.keystone.service_catalog.url_for(service_type='identity',
endpoint_type='publicURL')
self.neutron = neutronclient.Client(auth_url=ep,
username='admin',
password='openstack',
tenant_name='admin',
region_name='RegionOne')
def get_private_address(self, unit):
"""Return the private address of the given sentry unit."""
address, retcode = unit.run('unit-get private-address')
assert retcode == 0, 'error retrieving unit private address'
return address.strip()
def test_100_services(self):
"""Verify the expected services are running on the corresponding
service units."""
neutron_services = ['neutron-dhcp-agent',
'neutron-lbaas-agent',
'neutron-metadata-agent',
'neutron-metering-agent',
'neutron-ovs-cleanup',
'neutron-plugin-openvswitch-agent']
if self._get_openstack_release() <= self.trusty_juno:
neutron_services.append('neutron-vpn-agent')
if self._get_openstack_release() >= self.trusty_mitaka:
# neutron-plugin-openvswitch-agent -> neutron-openvswitch-agent
neutron_services.remove('neutron-plugin-openvswitch-agent')
neutron_services.append('neutron-openvswitch-agent')
nova_cc_services = ['nova-api-ec2',
'nova-api-os-compute',
'nova-objectstore',
'nova-cert',
'nova-scheduler',
'nova-conductor']
if self._get_openstack_release_string() >= 'liberty':
nova_cc_services.remove('nova-api-ec2')
nova_cc_services.remove('nova-objectstore')
commands = {
self.mysql_sentry: ['mysql'],
self.keystone_sentry: ['keystone'],
self.nova_cc_sentry: nova_cc_services,
self.neutron_gateway_sentry: neutron_services
}
ret = u.validate_services_by_name(commands)
if ret:
amulet.raise_status(amulet.FAIL, msg=ret)
def test_102_service_catalog(self):
"""Verify that the service catalog endpoint data is valid."""
u.log.debug('Checking keystone service catalog...')
endpoint_check = {
'adminURL': u.valid_url,
'id': u.not_null,
'region': 'RegionOne',
'publicURL': u.valid_url,
'internalURL': u.valid_url
}
expected = {
'network': [endpoint_check],
'compute': [endpoint_check],
'identity': [endpoint_check]
}
actual = self.keystone.service_catalog.get_endpoints()
ret = u.validate_svc_catalog_endpoint_data(expected, actual)
if ret:
amulet.raise_status(amulet.FAIL, msg=ret)
def test_104_network_endpoint(self):
"""Verify the neutron network endpoint data."""
u.log.debug('Checking neutron network api endpoint data...')
endpoints = self.keystone.endpoints.list()
admin_port = internal_port = public_port = '9696'
expected = {
'id': u.not_null,
'region': 'RegionOne',
'adminurl': u.valid_url,
'internalurl': u.valid_url,
'publicurl': u.valid_url,
'service_id': u.not_null
}
ret = u.validate_endpoint_data(endpoints, admin_port, internal_port,
public_port, expected)
if ret:
amulet.raise_status(amulet.FAIL,
msg='glance endpoint: {}'.format(ret))
def test_110_users(self):
"""Verify expected users."""
u.log.debug('Checking keystone users...')
expected = [
{'name': 'admin',
'enabled': True,
'tenantId': u.not_null,
'id': u.not_null,
'email': 'juju@localhost'},
{'name': 'neutron',
'enabled': True,
'tenantId': u.not_null,
'id': u.not_null,
'email': 'juju@localhost'}
]
if self._get_openstack_release() >= self.trusty_kilo:
# Kilo or later
expected.append({
'name': 'nova',
'enabled': True,
'tenantId': u.not_null,
'id': u.not_null,
'email': 'juju@localhost'
})
else:
# Juno and earlier
expected.append({
'name': 's3_ec2_nova',
'enabled': True,
'tenantId': u.not_null,
'id': u.not_null,
'email': 'juju@localhost'
})
actual = self.keystone.users.list()
ret = u.validate_user_data(expected, actual)
if ret:
amulet.raise_status(amulet.FAIL, msg=ret)
def test_202_neutron_gateway_rabbitmq_amqp_relation(self):
"""Verify the neutron-gateway to rabbitmq-server amqp relation data"""
u.log.debug('Checking neutron-gateway:rmq amqp relation data...')
unit = self.neutron_gateway_sentry
relation = ['amqp', 'rabbitmq-server:amqp']
expected = {
'username': 'neutron',
'private-address': u.valid_ip,
'vhost': 'openstack'
}
ret = u.validate_relation_data(unit, relation, expected)
if ret:
message = u.relation_error('neutron-gateway amqp', ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_203_rabbitmq_neutron_gateway_amqp_relation(self):
"""Verify the rabbitmq-server to neutron-gateway amqp relation data"""
u.log.debug('Checking rmq:neutron-gateway amqp relation data...')
unit = self.rmq_sentry
relation = ['amqp', 'neutron-gateway:amqp']
expected = {
'private-address': u.valid_ip,
'password': u.not_null,
'hostname': u.valid_ip
}
ret = u.validate_relation_data(unit, relation, expected)
if ret:
message = u.relation_error('rabbitmq amqp', ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_204_neutron_gateway_network_service_relation(self):
"""Verify the neutron-gateway to nova-cc quantum-network-service
relation data"""
u.log.debug('Checking neutron-gateway:nova-cc net svc '
'relation data...')
unit = self.neutron_gateway_sentry
relation = ['quantum-network-service',
'nova-cloud-controller:quantum-network-service']
expected = {
'private-address': u.valid_ip
}
ret = u.validate_relation_data(unit, relation, expected)
if ret:
message = u.relation_error('neutron-gateway network-service', ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_205_nova_cc_network_service_relation(self):
"""Verify the nova-cc to neutron-gateway quantum-network-service
relation data"""
u.log.debug('Checking nova-cc:neutron-gateway net svc '
'relation data...')
unit = self.nova_cc_sentry
relation = ['quantum-network-service',
'neutron-gateway:quantum-network-service']
expected = {
'service_protocol': 'http',
'service_tenant': 'services',
'quantum_url': u.valid_url,
'quantum_port': '9696',
'service_port': '5000',
'region': 'RegionOne',
'service_password': u.not_null,
'quantum_host': u.valid_ip,
'auth_port': '35357',
'auth_protocol': 'http',
'private-address': u.valid_ip,
'keystone_host': u.valid_ip,
'quantum_plugin': 'ovs',
'auth_host': u.valid_ip,
'service_tenant_name': 'services'
}
if self._get_openstack_release() >= self.trusty_kilo:
# Kilo or later
expected['service_username'] = 'nova'
else:
# Juno or earlier
expected['service_username'] = 's3_ec2_nova'
ret = u.validate_relation_data(unit, relation, expected)
if ret:
message = u.relation_error('nova-cc network-service', ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_206_neutron_api_shared_db_relation(self):
"""Verify the neutron-api to mysql shared-db relation data"""
u.log.debug('Checking neutron-api:mysql db relation data...')
unit = self.neutron_api_sentry
relation = ['shared-db', 'mysql:shared-db']
expected = {
'private-address': u.valid_ip,
'database': 'neutron',
'username': 'neutron',
'hostname': u.valid_ip
}
ret = u.validate_relation_data(unit, relation, expected)
if ret:
message = u.relation_error('neutron-api shared-db', ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_207_shared_db_neutron_api_relation(self):
"""Verify the mysql to neutron-api shared-db relation data"""
u.log.debug('Checking mysql:neutron-api db relation data...')
unit = self.mysql_sentry
relation = ['shared-db', 'neutron-api:shared-db']
expected = {
'db_host': u.valid_ip,
'private-address': u.valid_ip,
'password': u.not_null,
'allowed_units': u.not_null,
}
ret = u.validate_relation_data(unit, relation, expected)
if ret:
message = u.relation_error('mysql shared-db', ret)
amulet.raise_status(amulet.FAIL, msg=message)
relation_data = unit.relation(relation[0], relation[1])
allowed_units = relation_data['allowed_units'].split()
if 'neutron-api/0' not in allowed_units:
message = 'neutron-api/0 not found in allowed_units'
amulet.raise_status(amulet.FAIL, msg=message)
def test_208_neutron_api_amqp_relation(self):
"""Verify the neutron-api to rabbitmq-server amqp relation data"""
u.log.debug('Checking neutron-api:amqp relation data...')
unit = self.neutron_api_sentry
relation = ['amqp', 'rabbitmq-server:amqp']
expected = {
'username': 'neutron',
'private-address': u.valid_ip,
'vhost': 'openstack'
}
ret = u.validate_relation_data(unit, relation, expected)
if ret:
message = u.relation_error('neutron-api amqp', ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_209_amqp_neutron_api_relation(self):
"""Verify the rabbitmq-server to neutron-api amqp relation data"""
u.log.debug('Checking amqp:neutron-api relation data...')
unit = self.rmq_sentry
relation = ['amqp', 'neutron-api:amqp']
expected = {
'hostname': u.valid_ip,
'private-address': u.valid_ip,
'password': u.not_null
}
ret = u.validate_relation_data(unit, relation, expected)
if ret:
message = u.relation_error('rabbitmq amqp', ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_210_neutron_api_keystone_identity_relation(self):
"""Verify the neutron-api to keystone identity-service relation data"""
u.log.debug('Checking neutron-api:keystone id relation data...')
unit = self.neutron_api_sentry
relation = ['identity-service', 'keystone:identity-service']
api_ip = unit.relation('identity-service',
'keystone:identity-service')['private-address']
api_endpoint = 'http://{}:9696'.format(api_ip)
expected = {
'private-address': u.valid_ip,
'neutron_region': 'RegionOne',
'neutron_service': 'neutron',
'neutron_admin_url': api_endpoint,
'neutron_internal_url': api_endpoint,
'neutron_public_url': api_endpoint,
}
ret = u.validate_relation_data(unit, relation, expected)
if ret:
message = u.relation_error('neutron-api identity-service', ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_211_keystone_neutron_api_identity_relation(self):
"""Verify the keystone to neutron-api identity-service relation data"""
u.log.debug('Checking keystone:neutron-api id relation data...')
unit = self.keystone_sentry
relation = ['identity-service', 'neutron-api:identity-service']
rel_ks_id = unit.relation('identity-service',
'neutron-api:identity-service')
id_ip = rel_ks_id['private-address']
expected = {
'admin_token': 'ubuntutesting',
'auth_host': id_ip,
'auth_port': "35357",
'auth_protocol': 'http',
'private-address': id_ip,
'service_host': id_ip,
}
ret = u.validate_relation_data(unit, relation, expected)
if ret:
message = u.relation_error('neutron-api identity-service', ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_212_neutron_api_novacc_relation(self):
"""Verify the neutron-api to nova-cloud-controller relation data"""
u.log.debug('Checking neutron-api:novacc relation data...')
unit = self.neutron_api_sentry
relation = ['neutron-api', 'nova-cloud-controller:neutron-api']
api_ip = unit.relation('identity-service',
'keystone:identity-service')['private-address']
api_endpoint = 'http://{}:9696'.format(api_ip)
expected = {
'private-address': api_ip,
'neutron-plugin': 'ovs',
'neutron-security-groups': "no",
'neutron-url': api_endpoint,
}
ret = u.validate_relation_data(unit, relation, expected)
if ret:
message = u.relation_error('neutron-api neutron-api', ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_213_novacc_neutron_api_relation(self):
"""Verify the nova-cloud-controller to neutron-api relation data"""
u.log.debug('Checking novacc:neutron-api relation data...')
unit = self.nova_cc_sentry
relation = ['neutron-api', 'neutron-api:neutron-api']
cc_ip = unit.relation('neutron-api',
'neutron-api:neutron-api')['private-address']
cc_endpoint = 'http://{}:8774/v2'.format(cc_ip)
expected = {
'private-address': cc_ip,
'nova_url': cc_endpoint,
}
ret = u.validate_relation_data(unit, relation, expected)
if ret:
message = u.relation_error('nova-cc neutron-api', ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_300_neutron_config(self):
"""Verify the data in the neutron config file."""
u.log.debug('Checking neutron gateway config file data...')
unit = self.neutron_gateway_sentry
rmq_ng_rel = self.rmq_sentry.relation(
'amqp', 'neutron-gateway:amqp')
conf = '/etc/neutron/neutron.conf'
expected = {
'DEFAULT': {
'verbose': 'False',
'debug': 'False',
'core_plugin': 'ml2',
'control_exchange': 'neutron',
'notification_driver': 'neutron.openstack.common.notifier.'
'list_notifier',
'list_notifier_drivers': 'neutron.openstack.common.'
'notifier.rabbit_notifier',
},
'agent': {
'root_helper': 'sudo /usr/bin/neutron-rootwrap '
'/etc/neutron/rootwrap.conf'
}
}
if self._get_openstack_release() >= self.trusty_kilo:
# Kilo or later
expected['oslo_messaging_rabbit'] = {
'rabbit_userid': 'neutron',
'rabbit_virtual_host': 'openstack',
'rabbit_password': rmq_ng_rel['password'],
'rabbit_host': rmq_ng_rel['hostname'],
}
expected['oslo_concurrency'] = {
'lock_path': '/var/lock/neutron'
}
else:
# Juno or earlier
expected['DEFAULT'].update({
'rabbit_userid': 'neutron',
'rabbit_virtual_host': 'openstack',
'rabbit_password': rmq_ng_rel['password'],
'rabbit_host': rmq_ng_rel['hostname'],
'lock_path': '/var/lock/neutron',
})
for section, pairs in expected.iteritems():
ret = u.validate_config_data(unit, conf, section, pairs)
if ret:
message = "neutron config error: {}".format(ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_301_neutron_ml2_config(self):
"""Verify the data in the ml2 config file. This is only available
since icehouse."""
u.log.debug('Checking neutron gateway ml2 config file data...')
if self._get_openstack_release() < self.precise_icehouse:
return
unit = self.neutron_gateway_sentry
if self._get_openstack_release() < self.trusty_mitaka:
conf = '/etc/neutron/plugins/ml2/ml2_conf.ini'
expected = {
'ml2': {
'type_drivers': 'gre,vxlan,vlan,flat',
'tenant_network_types': 'gre,vxlan,vlan,flat',
'mechanism_drivers': 'openvswitch,hyperv,l2population'
},
'ml2_type_gre': {
'tunnel_id_ranges': '1:1000'
},
'ml2_type_vxlan': {
'vni_ranges': '1001:2000'
},
'ovs': {
'enable_tunneling': 'True',
'local_ip': self.get_private_address(unit)
},
'agent': {
'tunnel_types': 'gre',
'l2_population': 'False'
},
'securitygroup': {
'firewall_driver': 'neutron.agent.linux.iptables_firewall.'
'OVSHybridIptablesFirewallDriver'
}
}
else:
conf = '/etc/neutron/plugins/ml2/openvswitch_agent.ini'
expected = {
'ovs': {
'enable_tunneling': 'True',
'local_ip': self.get_private_address(unit)
},
'agent': {
'tunnel_types': 'gre',
'l2_population': 'False'
},
'securitygroup': {
'firewall_driver': 'neutron.agent.linux.iptables_firewall.'
'OVSHybridIptablesFirewallDriver'
}
}
for section, pairs in expected.iteritems():
ret = u.validate_config_data(unit, conf, section, pairs)
if ret:
message = "ml2 config error: {}".format(ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_302_neutron_dhcp_agent_config(self):
"""Verify the data in the dhcp agent config file."""
u.log.debug('Checking neutron gateway dhcp agent config file data...')
unit = self.neutron_gateway_sentry
conf = '/etc/neutron/dhcp_agent.ini'
expected = {
'state_path': '/var/lib/neutron',
'interface_driver': 'neutron.agent.linux.interface.'
'OVSInterfaceDriver',
'dhcp_driver': 'neutron.agent.linux.dhcp.Dnsmasq',
'root_helper': 'sudo /usr/bin/neutron-rootwrap '
'/etc/neutron/rootwrap.conf',
'ovs_use_veth': 'True'
}
section = 'DEFAULT'
ret = u.validate_config_data(unit, conf, section, expected)
if ret:
message = "dhcp agent config error: {}".format(ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_303_neutron_fwaas_driver_config(self):
"""Verify the data in the fwaas driver config file. This is only
available since havana."""
u.log.debug('Checking neutron gateway fwaas config file data...')
unit = self.neutron_gateway_sentry
conf = '/etc/neutron/fwaas_driver.ini'
expected = {
'enabled': 'True'
}
section = 'fwaas'
if self._get_openstack_release() >= self.trusty_kilo:
# Kilo or later
expected['driver'] = ('neutron_fwaas.services.firewall.drivers.'
'linux.iptables_fwaas.IptablesFwaasDriver')
else:
# Juno or earlier
expected['driver'] = ('neutron.services.firewall.drivers.linux.'
'iptables_fwaas.IptablesFwaasDriver')
ret = u.validate_config_data(unit, conf, section, expected)
if ret:
message = "fwaas driver config error: {}".format(ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_304_neutron_l3_agent_config(self):
"""Verify the data in the l3 agent config file."""
u.log.debug('Checking neutron gateway l3 agent config file data...')
unit = self.neutron_gateway_sentry
ncc_ng_rel = self.nova_cc_sentry.relation(
'quantum-network-service',
'neutron-gateway:quantum-network-service')
ep = self.keystone.service_catalog.url_for(service_type='identity',
endpoint_type='publicURL')
conf = '/etc/neutron/l3_agent.ini'
expected = {
'interface_driver': 'neutron.agent.linux.interface.'
'OVSInterfaceDriver',
'auth_url': ep,
'auth_region': 'RegionOne',
'admin_tenant_name': 'services',
'admin_password': ncc_ng_rel['service_password'],
'root_helper': 'sudo /usr/bin/neutron-rootwrap '
'/etc/neutron/rootwrap.conf',
'ovs_use_veth': 'True',
'handle_internal_only_routers': 'True'
}
section = 'DEFAULT'
if self._get_openstack_release() >= self.trusty_kilo:
# Kilo or later
expected['admin_user'] = 'nova'
else:
# Juno or earlier
expected['admin_user'] = 's3_ec2_nova'
ret = u.validate_config_data(unit, conf, section, expected)
if ret:
message = "l3 agent config error: {}".format(ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_305_neutron_lbaas_agent_config(self):
"""Verify the data in the lbaas agent config file. This is only
available since havana."""
u.log.debug('Checking neutron gateway lbaas config file data...')
if self._get_openstack_release() < self.precise_havana:
return
unit = self.neutron_gateway_sentry
conf = '/etc/neutron/lbaas_agent.ini'
expected = {
'DEFAULT': {
'interface_driver': 'neutron.agent.linux.interface.'
'OVSInterfaceDriver',
'periodic_interval': '10',
'ovs_use_veth': 'False',
},
'haproxy': {
'loadbalancer_state_path': '$state_path/lbaas',
'user_group': 'nogroup'
}
}
if self._get_openstack_release() >= self.trusty_kilo:
# Kilo or later
expected['DEFAULT']['device_driver'] = \
('neutron_lbaas.services.loadbalancer.drivers.haproxy.'
'namespace_driver.HaproxyNSDriver')
else:
# Juno or earlier
expected['DEFAULT']['device_driver'] = \
('neutron.services.loadbalancer.drivers.haproxy.'
'namespace_driver.HaproxyNSDriver')
for section, pairs in expected.iteritems():
ret = u.validate_config_data(unit, conf, section, pairs)
if ret:
message = "lbaas agent config error: {}".format(ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_306_neutron_metadata_agent_config(self):
"""Verify the data in the metadata agent config file."""
u.log.debug('Checking neutron gateway metadata agent '
'config file data...')
unit = self.neutron_gateway_sentry
ep = self.keystone.service_catalog.url_for(service_type='identity',
endpoint_type='publicURL')
nova_cc_relation = self.nova_cc_sentry.relation(
'quantum-network-service',
'neutron-gateway:quantum-network-service')
conf = '/etc/neutron/metadata_agent.ini'
expected = {
'auth_url': ep,
'auth_region': 'RegionOne',
'admin_tenant_name': 'services',
'admin_password': nova_cc_relation['service_password'],
'root_helper': 'sudo neutron-rootwrap '
'/etc/neutron/rootwrap.conf',
'state_path': '/var/lib/neutron',
'nova_metadata_ip': self.get_private_address(unit),
'nova_metadata_port': '8775',
'cache_url': 'memory://?default_ttl=5'
}
section = 'DEFAULT'
if self._get_openstack_release() >= self.trusty_kilo:
# Kilo or later
expected['admin_user'] = 'nova'
else:
# Juno or earlier
expected['admin_user'] = 's3_ec2_nova'
ret = u.validate_config_data(unit, conf, section, expected)
if ret:
message = "metadata agent config error: {}".format(ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_307_neutron_metering_agent_config(self):
"""Verify the data in the metering agent config file. This is only
available since havana."""
u.log.debug('Checking neutron gateway metering agent '
'config file data...')
unit = self.neutron_gateway_sentry
conf = '/etc/neutron/metering_agent.ini'
expected = {
'driver': 'neutron.services.metering.drivers.iptables.'
'iptables_driver.IptablesMeteringDriver',
'measure_interval': '30',
'report_interval': '300',
'interface_driver': 'neutron.agent.linux.interface.'
'OVSInterfaceDriver',
'use_namespaces': 'True'
}
section = 'DEFAULT'
ret = u.validate_config_data(unit, conf, section, expected)
if ret:
message = "metering agent config error: {}".format(ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_308_neutron_nova_config(self):
"""Verify the data in the nova config file."""
u.log.debug('Checking neutron gateway nova config file data...')
unit = self.neutron_gateway_sentry
conf = '/etc/nova/nova.conf'
rabbitmq_relation = self.rmq_sentry.relation(
'amqp', 'neutron-gateway:amqp')
nova_cc_relation = self.nova_cc_sentry.relation(
'quantum-network-service',
'neutron-gateway:quantum-network-service')
ep = self.keystone.service_catalog.url_for(service_type='identity',
endpoint_type='publicURL')
expected = {
'DEFAULT': {
'logdir': '/var/log/nova',
'state_path': '/var/lib/nova',
'root_helper': 'sudo nova-rootwrap /etc/nova/rootwrap.conf',
'verbose': 'False',
'use_syslog': 'False',
'api_paste_config': '/etc/nova/api-paste.ini',
'enabled_apis': 'metadata',
'multi_host': 'True',
'network_api_class': 'nova.network.neutronv2.api.API',
}
}
if self._get_openstack_release() >= self.trusty_kilo:
# Kilo or later
expected['oslo_messaging_rabbit'] = {
'rabbit_userid': 'neutron',
'rabbit_virtual_host': 'openstack',
'rabbit_password': rabbitmq_relation['password'],
'rabbit_host': rabbitmq_relation['hostname'],
}
expected['oslo_concurrency'] = {
'lock_path': '/var/lock/nova'
}
if self._get_openstack_release() >= self.trusty_mitaka:
expected['neutron'] = {
'url': nova_cc_relation['quantum_url'],
'auth_plugin': 'password',
'project_name': 'services',
'username': 'nova',
'password': nova_cc_relation['service_password'],
'auth_url': ep.split('/v')[0],
'region': 'RegionOne',
'service_metadata_proxy': 'True',
'metadata_proxy_shared_secret': u.not_null
}
else:
expected['neutron'] = {
'auth_strategy': 'keystone',
'url': nova_cc_relation['quantum_url'],
'admin_tenant_name': 'services',
'admin_username': 'nova',
'admin_password': nova_cc_relation['service_password'],
'admin_auth_url': ep,
'service_metadata_proxy': 'True',
'metadata_proxy_shared_secret': u.not_null
}
else:
# Juno or earlier
expected['DEFAULT'].update({
'rabbit_userid': 'neutron',
'rabbit_virtual_host': 'openstack',
'rabbit_password': rabbitmq_relation['password'],
'rabbit_host': rabbitmq_relation['hostname'],
'lock_path': '/var/lock/nova',
'neutron_auth_strategy': 'keystone',
'neutron_url': nova_cc_relation['quantum_url'],
'neutron_admin_tenant_name': 'services',
'neutron_admin_username': 's3_ec2_nova',
'neutron_admin_password': nova_cc_relation['service_password'],
'neutron_admin_auth_url': ep,
'service_neutron_metadata_proxy': 'True',
})
for section, pairs in expected.iteritems():
ret = u.validate_config_data(unit, conf, section, pairs)
if ret:
message = "nova config error: {}".format(ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_309_neutron_vpn_agent_config(self):
"""Verify the data in the vpn agent config file. This isn't available
prior to havana."""
u.log.debug('Checking neutron gateway vpn agent config file data...')
unit = self.neutron_gateway_sentry
conf = '/etc/neutron/vpn_agent.ini'
expected = {
'ipsec': {
'ipsec_status_check_interval': '60'
}
}
if self._get_openstack_release() >= self.trusty_kilo:
# Kilo or later
expected['vpnagent'] = {
'vpn_device_driver': 'neutron_vpnaas.services.vpn.'
'device_drivers.ipsec.OpenSwanDriver'
}
else:
# Juno or earlier
expected['vpnagent'] = {
'vpn_device_driver': 'neutron.services.vpn.device_drivers.'
'ipsec.OpenSwanDriver'
}
for section, pairs in expected.iteritems():
ret = u.validate_config_data(unit, conf, section, pairs)
if ret:
message = "vpn agent config error: {}".format(ret)
amulet.raise_status(amulet.FAIL, msg=message)
def test_400_create_network(self):
"""Create a network, verify that it exists, and then delete it."""
u.log.debug('Creating neutron network...')
self.neutron.format = 'json'
net_name = 'ext_net'
# Verify that the network doesn't exist
networks = self.neutron.list_networks(name=net_name)
net_count = len(networks['networks'])
if net_count != 0:
msg = "Expected zero networks, found {}".format(net_count)
amulet.raise_status(amulet.FAIL, msg=msg)
# Create a network and verify that it exists
network = {'name': net_name}
self.neutron.create_network({'network': network})
networks = self.neutron.list_networks(name=net_name)
u.log.debug('Networks: {}'.format(networks))
net_len = len(networks['networks'])
if net_len != 1:
msg = "Expected 1 network, found {}".format(net_len)
amulet.raise_status(amulet.FAIL, msg=msg)
u.log.debug('Confirming new neutron network...')
network = networks['networks'][0]
if network['name'] != net_name:
amulet.raise_status(amulet.FAIL, msg="network ext_net not found")
# Cleanup
u.log.debug('Deleting neutron network...')
self.neutron.delete_network(network['id'])
def test_900_restart_on_config_change(self):
"""Verify that the specified services are restarted when the
config is changed."""
sentry = self.neutron_gateway_sentry
juju_service = 'neutron-gateway'
# Expected default and alternate values
set_default = {'debug': 'False'}
set_alternate = {'debug': 'True'}
# Services which are expected to restart upon config change,
# and corresponding config files affected by the change
conf_file = '/etc/neutron/neutron.conf'
services = {
'neutron-dhcp-agent': conf_file,
'neutron-lbaas-agent': conf_file,
'neutron-metadata-agent': conf_file,
'neutron-metering-agent': conf_file,
'neutron-openvswitch-agent': conf_file,
}
if self._get_openstack_release() <= self.trusty_juno:
services.update({'neutron-vpn-agent': conf_file})
# Make config change, check for svc restart, conf file mod time change
u.log.debug('Making config change on {}...'.format(juju_service))
mtime = u.get_sentry_time(sentry)
self.d.configure(juju_service, set_alternate)
# sleep_time = 90
for s, conf_file in services.iteritems():
u.log.debug("Checking that service restarted: {}".format(s))
if not u.validate_service_config_changed(sentry, mtime, s,
conf_file):
self.d.configure(juju_service, set_default)
msg = "service {} didn't restart after config change".format(s)
amulet.raise_status(amulet.FAIL, msg=msg)
# Only do initial sleep on first service check
# sleep_time = 0
self.d.configure(juju_service, set_default)