Remove non-inclusive language in pxe filter
Replaces the use of black/white-list with deny/allow-list in the pxe filter. Change-Id: I84e6343fc13e4c4c02521499632a07e782088057
This commit is contained in:
parent
b1e79e0b4d
commit
a1f8926cd1
|
@ -349,8 +349,7 @@ The contract between **inspector** and a PXE filter driver is described in the
|
||||||
internal driver state
|
internal driver state
|
||||||
|
|
||||||
* :meth:`~FilterDriver.sync` called both periodically and when a node starts or
|
* :meth:`~FilterDriver.sync` called both periodically and when a node starts or
|
||||||
finishes introspection to white or blacklist its ports MAC addresses in the
|
finishes introspection to allow or deny its ports MAC addresses in the driver
|
||||||
driver
|
|
||||||
|
|
||||||
* :meth:`~FilterDriver.tear_down_filter` called on service exit to reset the
|
* :meth:`~FilterDriver.tear_down_filter` called on service exit to reset the
|
||||||
internal driver state
|
internal driver state
|
||||||
|
|
|
@ -24,7 +24,7 @@ file parsing. The content of the file determines the MAC address access policy.
|
||||||
|
|
||||||
Thanks to the ``inotify`` facility, **dnsmasq** is notified once a new file is
|
Thanks to the ``inotify`` facility, **dnsmasq** is notified once a new file is
|
||||||
*created* or an existing file is *modified* in the DHCP hosts directory. Thus,
|
*created* or an existing file is *modified* in the DHCP hosts directory. Thus,
|
||||||
to white-list a MAC address, the filter removes the ``ignore`` directive::
|
to allow a MAC address, the filter removes the ``ignore`` directive::
|
||||||
|
|
||||||
$ cat /etc/dnsmasq.d/de-ad-be-ef-de-ad
|
$ cat /etc/dnsmasq.d/de-ad-be-ef-de-ad
|
||||||
de:ad:be:ef:de:ad
|
de:ad:be:ef:de:ad
|
||||||
|
@ -121,5 +121,5 @@ start-up.
|
||||||
Although the filter driver tries its best to always stop the **dnsmasq**
|
Although the filter driver tries its best to always stop the **dnsmasq**
|
||||||
service, it is recommended that the operator configures the **dnsmasq**
|
service, it is recommended that the operator configures the **dnsmasq**
|
||||||
service in such a way that it terminates upon **ironic-inspector**
|
service in such a way that it terminates upon **ironic-inspector**
|
||||||
(unexpected) exit to prevent a stale blacklist from being used by the
|
(unexpected) exit to prevent a stale deny list from being used by the
|
||||||
**dnsmasq** service.
|
**dnsmasq** service.
|
||||||
|
|
|
@ -44,18 +44,18 @@ _EXCLUSIVE_WRITE_ATTEMPTS = 10
|
||||||
_EXCLUSIVE_WRITE_ATTEMPTS_DELAY = 0.01
|
_EXCLUSIVE_WRITE_ATTEMPTS_DELAY = 0.01
|
||||||
|
|
||||||
_ROOTWRAP_COMMAND = 'sudo ironic-inspector-rootwrap {rootwrap_config!s}'
|
_ROOTWRAP_COMMAND = 'sudo ironic-inspector-rootwrap {rootwrap_config!s}'
|
||||||
_MACBL_LEN = len('ff:ff:ff:ff:ff:ff,ignore\n')
|
_MAC_DENY_LEN = len('ff:ff:ff:ff:ff:ff,ignore\n')
|
||||||
_MACWL_LEN = len('ff:ff:ff:ff:ff:ff\n')
|
_MAC_ALLOW_LEN = len('ff:ff:ff:ff:ff:ff\n')
|
||||||
_UNKNOWN_HOSTS_FILE = 'unknown_hosts_filter'
|
_UNKNOWN_HOSTS_FILE = 'unknown_hosts_filter'
|
||||||
_BLACKLIST_UNKNOWN_HOSTS = '*:*:*:*:*:*,ignore\n'
|
_DENY_UNKNOWN_HOSTS = '*:*:*:*:*:*,ignore\n'
|
||||||
_WHITELIST_UNKNOWN_HOSTS = '*:*:*:*:*:*\n'
|
_ALLOW_UNKNOWN_HOSTS = '*:*:*:*:*:*\n'
|
||||||
|
|
||||||
|
|
||||||
def _should_enable_unknown_hosts():
|
def _should_enable_unknown_hosts():
|
||||||
"""Check whether we should enable DHCP for unknown hosts
|
"""Check whether we should enable DHCP for unknown hosts
|
||||||
|
|
||||||
We blacklist unknown hosts unless one or more nodes are on introspection
|
We add unknown hosts to the deny list unless one or more nodes are on
|
||||||
and node_not_found_hook is not set.
|
introspection and node_not_found_hook is not set.
|
||||||
"""
|
"""
|
||||||
return (node_cache.introspection_active() or
|
return (node_cache.introspection_active() or
|
||||||
CONF.processing.node_not_found_hook is not None)
|
CONF.processing.node_not_found_hook is not None)
|
||||||
|
@ -89,24 +89,24 @@ class DnsmasqFilter(pxe_filter.BaseFilter):
|
||||||
ironic_macs = set(port.address for port in
|
ironic_macs = set(port.address for port in
|
||||||
ir_utils.call_with_retries(ironic.ports, limit=None,
|
ir_utils.call_with_retries(ironic.ports, limit=None,
|
||||||
fields=['address']))
|
fields=['address']))
|
||||||
blacklist, whitelist = _get_black_white_lists()
|
denylist, allowlist = _get_deny_allow_lists()
|
||||||
# removedlist are the MACs that are in either blacklist or whitelist,
|
# removedlist are the MACs that are in either in allow or denylist,
|
||||||
# but not kept in ironic (ironic_macs) any more
|
# but not kept in ironic (ironic_macs) any more
|
||||||
removedlist = blacklist.union(whitelist).difference(ironic_macs)
|
removedlist = denylist.union(allowlist).difference(ironic_macs)
|
||||||
|
|
||||||
# Whitelist active MACs that are not already whitelisted
|
# Add active MACs that are not already in the allowlist
|
||||||
for mac in active_macs.difference(whitelist):
|
for mac in active_macs.difference(allowlist):
|
||||||
_whitelist_mac(mac)
|
_add_mac_to_allowlist(mac)
|
||||||
# Blacklist any ironic MACs that is not active for introspection unless
|
# Add any ironic MACs that is not active for introspection to the
|
||||||
# it is already blacklisted
|
# deny list unless it is already present
|
||||||
for mac in ironic_macs.difference(blacklist.union(active_macs)):
|
for mac in ironic_macs.difference(denylist.union(active_macs)):
|
||||||
_blacklist_mac(mac)
|
_add_mac_to_denylist(mac)
|
||||||
|
|
||||||
# Whitelist or Blacklist unknown hosts and MACs not kept in ironic
|
# Allow or deny unknown hosts and MACs not kept in ironic
|
||||||
# NOTE(hjensas): Treat unknown hosts and MACs not kept in ironic the
|
# NOTE(hjensas): Treat unknown hosts and MACs not kept in ironic the
|
||||||
# same. Neither should boot the inspection image unless introspection
|
# same. Neither should boot the inspection image unless introspection
|
||||||
# is active. Deleted MACs must be whitelisted when introspection is
|
# is active. Deleted MACs must be added to the allow list when
|
||||||
# active in case the host is re-enrolled.
|
# introspection is active in case the host is re-enrolled.
|
||||||
_configure_unknown_hosts()
|
_configure_unknown_hosts()
|
||||||
_configure_removedlist(removedlist)
|
_configure_removedlist(removedlist)
|
||||||
|
|
||||||
|
@ -119,8 +119,8 @@ class DnsmasqFilter(pxe_filter.BaseFilter):
|
||||||
"""Sync dnsmasq configuration with current Ironic&Inspector state.
|
"""Sync dnsmasq configuration with current Ironic&Inspector state.
|
||||||
|
|
||||||
Polls all ironic ports. Those being inspected, the active ones, are
|
Polls all ironic ports. Those being inspected, the active ones, are
|
||||||
whitelisted while the rest are blacklisted in the dnsmasq
|
added to the allow list while the rest are added to the deny list in
|
||||||
configuration.
|
the dnsmasq configuration.
|
||||||
|
|
||||||
:param ironic: an ironic client instance.
|
:param ironic: an ironic client instance.
|
||||||
:raises: OSError, IOError.
|
:raises: OSError, IOError.
|
||||||
|
@ -133,8 +133,8 @@ class DnsmasqFilter(pxe_filter.BaseFilter):
|
||||||
"""Performs an initial sync with ironic and starts dnsmasq.
|
"""Performs an initial sync with ironic and starts dnsmasq.
|
||||||
|
|
||||||
The initial _sync() call reduces the chances dnsmasq might lose
|
The initial _sync() call reduces the chances dnsmasq might lose
|
||||||
some inotify blacklist events by prefetching the blacklist before
|
some inotify deny list events by prefetching the list before dnsmasq
|
||||||
the dnsmasq is started.
|
is started.
|
||||||
|
|
||||||
:raises: OSError, IOError.
|
:raises: OSError, IOError.
|
||||||
:returns: None.
|
:returns: None.
|
||||||
|
@ -166,23 +166,23 @@ def _purge_dhcp_hostsdir():
|
||||||
LOG.debug('Removed %s', path)
|
LOG.debug('Removed %s', path)
|
||||||
|
|
||||||
|
|
||||||
def _get_black_white_lists():
|
def _get_deny_allow_lists():
|
||||||
"""Get addresses currently blacklisted in dnsmasq.
|
"""Get addresses currently denied by dnsmasq.
|
||||||
|
|
||||||
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid.
|
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid.
|
||||||
:returns: a set of MACs currently blacklisted in dnsmasq.
|
:returns: a set of MACs currently denied by dnsmasq.
|
||||||
"""
|
"""
|
||||||
hostsdir = CONF.dnsmasq_pxe_filter.dhcp_hostsdir
|
hostsdir = CONF.dnsmasq_pxe_filter.dhcp_hostsdir
|
||||||
# whitelisted MACs lack the ,ignore directive
|
# MACs in the allow list lack the ,ignore directive
|
||||||
blacklist = set()
|
denylist = set()
|
||||||
whitelist = set()
|
allowlist = set()
|
||||||
for mac in os.listdir(hostsdir):
|
for mac in os.listdir(hostsdir):
|
||||||
if os.stat(os.path.join(hostsdir, mac)).st_size == _MACBL_LEN:
|
if os.stat(os.path.join(hostsdir, mac)).st_size == _MAC_DENY_LEN:
|
||||||
blacklist.add(mac)
|
denylist.add(mac)
|
||||||
if os.stat(os.path.join(hostsdir, mac)).st_size == _MACWL_LEN:
|
if os.stat(os.path.join(hostsdir, mac)).st_size == _MAC_ALLOW_LEN:
|
||||||
whitelist.add(mac)
|
allowlist.add(mac)
|
||||||
|
|
||||||
return blacklist, whitelist
|
return denylist, allowlist
|
||||||
|
|
||||||
|
|
||||||
def _exclusive_write_or_pass(path, buf):
|
def _exclusive_write_or_pass(path, buf):
|
||||||
|
@ -225,7 +225,7 @@ def _exclusive_write_or_pass(path, buf):
|
||||||
|
|
||||||
|
|
||||||
def _configure_removedlist(macs):
|
def _configure_removedlist(macs):
|
||||||
"""Manages a dhcp_hostsdir ignore/not-ignore record for removed macs
|
"""Manages a dhcp_hostsdir allow/deny record for removed macs
|
||||||
|
|
||||||
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
|
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
|
||||||
:returns: None.
|
:returns: None.
|
||||||
|
@ -235,16 +235,16 @@ def _configure_removedlist(macs):
|
||||||
|
|
||||||
if _should_enable_unknown_hosts():
|
if _should_enable_unknown_hosts():
|
||||||
for mac in macs:
|
for mac in macs:
|
||||||
if os.stat(os.path.join(hostsdir, mac)).st_size != _MACWL_LEN:
|
if os.stat(os.path.join(hostsdir, mac)).st_size != _MAC_ALLOW_LEN:
|
||||||
_whitelist_mac(mac)
|
_add_mac_to_allowlist(mac)
|
||||||
else:
|
else:
|
||||||
for mac in macs:
|
for mac in macs:
|
||||||
if os.stat(os.path.join(hostsdir, mac)).st_size != _MACBL_LEN:
|
if os.stat(os.path.join(hostsdir, mac)).st_size != _MAC_DENY_LEN:
|
||||||
_blacklist_mac(mac)
|
_add_mac_to_denylist(mac)
|
||||||
|
|
||||||
|
|
||||||
def _configure_unknown_hosts():
|
def _configure_unknown_hosts():
|
||||||
"""Manages a dhcp_hostsdir ignore/not-ignore record for unknown macs.
|
"""Manages a dhcp_hostsdir allow/deny record for unknown macs.
|
||||||
|
|
||||||
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
|
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
|
||||||
IOError in case the dhcp host unknown file isn't writable.
|
IOError in case the dhcp host unknown file isn't writable.
|
||||||
|
@ -254,13 +254,13 @@ def _configure_unknown_hosts():
|
||||||
_UNKNOWN_HOSTS_FILE)
|
_UNKNOWN_HOSTS_FILE)
|
||||||
|
|
||||||
if _should_enable_unknown_hosts():
|
if _should_enable_unknown_hosts():
|
||||||
wildcard_filter = _WHITELIST_UNKNOWN_HOSTS
|
wildcard_filter = _ALLOW_UNKNOWN_HOSTS
|
||||||
log_wildcard_filter = 'whitelist'
|
log_wildcard_filter = 'allow'
|
||||||
else:
|
else:
|
||||||
wildcard_filter = _BLACKLIST_UNKNOWN_HOSTS
|
wildcard_filter = _DENY_UNKNOWN_HOSTS
|
||||||
log_wildcard_filter = 'blacklist'
|
log_wildcard_filter = 'deny'
|
||||||
|
|
||||||
# Don't update if unknown hosts are already black/white-listed
|
# Don't update if unknown hosts are already in the deny/allow-list
|
||||||
try:
|
try:
|
||||||
if os.stat(path).st_size == len(wildcard_filter):
|
if os.stat(path).st_size == len(wildcard_filter):
|
||||||
return
|
return
|
||||||
|
@ -276,8 +276,8 @@ def _configure_unknown_hosts():
|
||||||
'retrying next periodic sync time', log_wildcard_filter)
|
'retrying next periodic sync time', log_wildcard_filter)
|
||||||
|
|
||||||
|
|
||||||
def _blacklist_mac(mac):
|
def _add_mac_to_denylist(mac):
|
||||||
"""Creates a dhcp_hostsdir ignore record for the MAC.
|
"""Creates a dhcp_hostsdir deny record for the MAC.
|
||||||
|
|
||||||
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
|
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
|
||||||
IOError in case the dhcp host MAC file isn't writable.
|
IOError in case the dhcp host MAC file isn't writable.
|
||||||
|
@ -285,14 +285,14 @@ def _blacklist_mac(mac):
|
||||||
"""
|
"""
|
||||||
path = os.path.join(CONF.dnsmasq_pxe_filter.dhcp_hostsdir, mac)
|
path = os.path.join(CONF.dnsmasq_pxe_filter.dhcp_hostsdir, mac)
|
||||||
if _exclusive_write_or_pass(path, '%s,ignore\n' % mac):
|
if _exclusive_write_or_pass(path, '%s,ignore\n' % mac):
|
||||||
LOG.debug('Blacklisted %s', mac)
|
LOG.debug('MAC %s added to the deny list', mac)
|
||||||
else:
|
else:
|
||||||
LOG.warning('Failed to blacklist %s; retrying next periodic sync '
|
LOG.warning('Failed to add MAC %s to the deny list; retrying next '
|
||||||
'time', mac)
|
'periodic sync time', mac)
|
||||||
|
|
||||||
|
|
||||||
def _whitelist_mac(mac):
|
def _add_mac_to_allowlist(mac):
|
||||||
"""Un-ignores the dhcp_hostsdir record for the MAC.
|
"""Update the dhcp_hostsdir record for the MAC adding it to allow list
|
||||||
|
|
||||||
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
|
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
|
||||||
IOError in case the dhcp host MAC file isn't writable.
|
IOError in case the dhcp host MAC file isn't writable.
|
||||||
|
@ -301,10 +301,10 @@ def _whitelist_mac(mac):
|
||||||
path = os.path.join(CONF.dnsmasq_pxe_filter.dhcp_hostsdir, mac)
|
path = os.path.join(CONF.dnsmasq_pxe_filter.dhcp_hostsdir, mac)
|
||||||
# remove the ,ignore directive
|
# remove the ,ignore directive
|
||||||
if _exclusive_write_or_pass(path, '%s\n' % mac):
|
if _exclusive_write_or_pass(path, '%s\n' % mac):
|
||||||
LOG.debug('Whitelisted %s', mac)
|
LOG.debug('MAC %s removed from the deny list', mac)
|
||||||
else:
|
else:
|
||||||
LOG.warning('Failed to whitelist %s; retrying next periodic sync '
|
LOG.warning('Failed to remove MAC %s from the deny list; retrying '
|
||||||
'time', mac)
|
'next periodic sync time', mac)
|
||||||
|
|
||||||
|
|
||||||
def _execute(cmd=None, ignore_errors=False):
|
def _execute(cmd=None, ignore_errors=False):
|
||||||
|
|
|
@ -45,7 +45,7 @@ class IptablesFilter(pxe_filter.BaseFilter):
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
super(IptablesFilter, self).__init__()
|
super(IptablesFilter, self).__init__()
|
||||||
self.blacklist_cache = None
|
self.denylist_cache = None
|
||||||
self.enabled = True
|
self.enabled = True
|
||||||
self.interface = CONF.iptables.dnsmasq_interface
|
self.interface = CONF.iptables.dnsmasq_interface
|
||||||
self.chain = CONF.iptables.firewall_chain
|
self.chain = CONF.iptables.firewall_chain
|
||||||
|
@ -65,7 +65,7 @@ class IptablesFilter(pxe_filter.BaseFilter):
|
||||||
|
|
||||||
def reset(self):
|
def reset(self):
|
||||||
self.enabled = True
|
self.enabled = True
|
||||||
self.blacklist_cache = None
|
self.denylist_cache = None
|
||||||
for chain in (self.chain, self.new_chain):
|
for chain in (self.chain, self.new_chain):
|
||||||
try:
|
try:
|
||||||
self._clean_up(chain)
|
self._clean_up(chain)
|
||||||
|
@ -114,26 +114,26 @@ class IptablesFilter(pxe_filter.BaseFilter):
|
||||||
self._disable_dhcp()
|
self._disable_dhcp()
|
||||||
return
|
return
|
||||||
|
|
||||||
to_blacklist = _get_blacklist(ironic)
|
to_deny = _get_denylist(ironic)
|
||||||
if to_blacklist == self.blacklist_cache:
|
if to_deny == self.denylist_cache:
|
||||||
LOG.debug('Not updating iptables - no changes in MAC list %s',
|
LOG.debug('Not updating iptables - no changes in MAC list %s',
|
||||||
to_blacklist)
|
to_deny)
|
||||||
return
|
return
|
||||||
|
|
||||||
LOG.debug('Blacklisting active MAC\'s %s', to_blacklist)
|
LOG.debug('Adding active MAC\'s %s to the deny list', to_deny)
|
||||||
with self._temporary_chain(self.new_chain, self.chain):
|
with self._temporary_chain(self.new_chain, self.chain):
|
||||||
# Force update on the next iteration if this attempt fails
|
# Force update on the next iteration if this attempt fails
|
||||||
self.blacklist_cache = None
|
self.denylist_cache = None
|
||||||
# - Blacklist active macs, so that nova can boot them
|
# - Add active macs to the deny list, so that nova can boot them
|
||||||
for mac in to_blacklist:
|
for mac in to_deny:
|
||||||
self._iptables('-A', self.new_chain, '-m', 'mac',
|
self._iptables('-A', self.new_chain, '-m', 'mac',
|
||||||
'--mac-source', mac, '-j', 'DROP')
|
'--mac-source', mac, '-j', 'DROP')
|
||||||
# - Whitelist everything else
|
# - Add everything else to the allow list
|
||||||
self._iptables('-A', self.new_chain, '-j', 'ACCEPT')
|
self._iptables('-A', self.new_chain, '-j', 'ACCEPT')
|
||||||
|
|
||||||
# Cache result of successful iptables update
|
# Cache result of successful iptables update
|
||||||
self.enabled = True
|
self.enabled = True
|
||||||
self.blacklist_cache = to_blacklist
|
self.denylist_cache = to_deny
|
||||||
LOG.debug('The iptables filter was synchronized')
|
LOG.debug('The iptables filter was synchronized')
|
||||||
|
|
||||||
@contextlib.contextmanager
|
@contextlib.contextmanager
|
||||||
|
@ -185,9 +185,9 @@ class IptablesFilter(pxe_filter.BaseFilter):
|
||||||
|
|
||||||
LOG.debug('No nodes on introspection and node_not_found_hook is '
|
LOG.debug('No nodes on introspection and node_not_found_hook is '
|
||||||
'not set - disabling DHCP')
|
'not set - disabling DHCP')
|
||||||
self.blacklist_cache = None
|
self.denylist_cache = None
|
||||||
with self._temporary_chain(self.new_chain, self.chain):
|
with self._temporary_chain(self.new_chain, self.chain):
|
||||||
# Blacklist everything
|
# deny everything
|
||||||
self._iptables('-A', self.new_chain, '-j', 'REJECT')
|
self._iptables('-A', self.new_chain, '-j', 'REJECT')
|
||||||
self.enabled = False
|
self.enabled = False
|
||||||
|
|
||||||
|
@ -230,7 +230,7 @@ def _ib_mac_to_rmac_mapping(ports):
|
||||||
port.address = match.group(1)
|
port.address = match.group(1)
|
||||||
|
|
||||||
|
|
||||||
def _get_blacklist(ironic):
|
def _get_denylist(ironic):
|
||||||
ports = [port for port in
|
ports = [port for port in
|
||||||
ir_utils.call_with_retries(ironic.ports, limit=None,
|
ir_utils.call_with_retries(ironic.ports, limit=None,
|
||||||
fields=['address', 'extra'])
|
fields=['address', 'extra'])
|
||||||
|
|
|
@ -221,7 +221,7 @@ class TestMACHandlers(test_base.BaseTest):
|
||||||
self.mock_introspection_active = self.useFixture(
|
self.mock_introspection_active = self.useFixture(
|
||||||
fixtures.MockPatchObject(node_cache, 'introspection_active')).mock
|
fixtures.MockPatchObject(node_cache, 'introspection_active')).mock
|
||||||
|
|
||||||
def test__whitelist_unknown_hosts(self):
|
def test__allowlist_unknown_hosts(self):
|
||||||
self.mock_join.return_value = "%s/%s" % (self.dhcp_hostsdir,
|
self.mock_join.return_value = "%s/%s" % (self.dhcp_hostsdir,
|
||||||
dnsmasq._UNKNOWN_HOSTS_FILE)
|
dnsmasq._UNKNOWN_HOSTS_FILE)
|
||||||
self.mock_introspection_active.return_value = True
|
self.mock_introspection_active.return_value = True
|
||||||
|
@ -231,12 +231,12 @@ class TestMACHandlers(test_base.BaseTest):
|
||||||
dnsmasq._UNKNOWN_HOSTS_FILE)
|
dnsmasq._UNKNOWN_HOSTS_FILE)
|
||||||
self.mock__exclusive_write_or_pass.assert_called_once_with(
|
self.mock__exclusive_write_or_pass.assert_called_once_with(
|
||||||
self.mock_join.return_value,
|
self.mock_join.return_value,
|
||||||
'%s' % dnsmasq._WHITELIST_UNKNOWN_HOSTS)
|
'%s' % dnsmasq._ALLOW_UNKNOWN_HOSTS)
|
||||||
self.mock_log.debug.assert_called_once_with(
|
self.mock_log.debug.assert_called_once_with(
|
||||||
'A %s record for all unknown hosts using wildcard mac '
|
'A %s record for all unknown hosts using wildcard mac '
|
||||||
'created', 'whitelist')
|
'created', 'allow')
|
||||||
|
|
||||||
def test__blacklist_unknown_hosts(self):
|
def test__denylist_unknown_hosts(self):
|
||||||
self.mock_join.return_value = "%s/%s" % (self.dhcp_hostsdir,
|
self.mock_join.return_value = "%s/%s" % (self.dhcp_hostsdir,
|
||||||
dnsmasq._UNKNOWN_HOSTS_FILE)
|
dnsmasq._UNKNOWN_HOSTS_FILE)
|
||||||
self.mock_introspection_active.return_value = False
|
self.mock_introspection_active.return_value = False
|
||||||
|
@ -246,14 +246,14 @@ class TestMACHandlers(test_base.BaseTest):
|
||||||
dnsmasq._UNKNOWN_HOSTS_FILE)
|
dnsmasq._UNKNOWN_HOSTS_FILE)
|
||||||
self.mock__exclusive_write_or_pass.assert_called_once_with(
|
self.mock__exclusive_write_or_pass.assert_called_once_with(
|
||||||
self.mock_join.return_value,
|
self.mock_join.return_value,
|
||||||
'%s' % dnsmasq._BLACKLIST_UNKNOWN_HOSTS)
|
'%s' % dnsmasq._DENY_UNKNOWN_HOSTS)
|
||||||
self.mock_log.debug.assert_called_once_with(
|
self.mock_log.debug.assert_called_once_with(
|
||||||
'A %s record for all unknown hosts using wildcard mac '
|
'A %s record for all unknown hosts using wildcard mac '
|
||||||
'created', 'blacklist')
|
'created', 'deny')
|
||||||
|
|
||||||
def test__configure_removedlist_whitelist(self):
|
def test__configure_removedlist_allowlist(self):
|
||||||
self.mock_introspection_active.return_value = True
|
self.mock_introspection_active.return_value = True
|
||||||
self.mock_stat.return_value.st_size = dnsmasq._MACBL_LEN
|
self.mock_stat.return_value.st_size = dnsmasq._MAC_DENY_LEN
|
||||||
|
|
||||||
dnsmasq._configure_removedlist({self.mac})
|
dnsmasq._configure_removedlist({self.mac})
|
||||||
|
|
||||||
|
@ -261,9 +261,9 @@ class TestMACHandlers(test_base.BaseTest):
|
||||||
self.mock__exclusive_write_or_pass.assert_called_once_with(
|
self.mock__exclusive_write_or_pass.assert_called_once_with(
|
||||||
self.mock_join.return_value, '%s\n' % self.mac)
|
self.mock_join.return_value, '%s\n' % self.mac)
|
||||||
|
|
||||||
def test__configure_removedlist_blacklist(self):
|
def test__configure_removedlist_denylist(self):
|
||||||
self.mock_introspection_active.return_value = False
|
self.mock_introspection_active.return_value = False
|
||||||
self.mock_stat.return_value.st_size = dnsmasq._MACWL_LEN
|
self.mock_stat.return_value.st_size = dnsmasq._MAC_ALLOW_LEN
|
||||||
|
|
||||||
dnsmasq._configure_removedlist({self.mac})
|
dnsmasq._configure_removedlist({self.mac})
|
||||||
|
|
||||||
|
@ -271,56 +271,56 @@ class TestMACHandlers(test_base.BaseTest):
|
||||||
self.mock__exclusive_write_or_pass.assert_called_once_with(
|
self.mock__exclusive_write_or_pass.assert_called_once_with(
|
||||||
self.mock_join.return_value, '%s,ignore\n' % self.mac)
|
self.mock_join.return_value, '%s,ignore\n' % self.mac)
|
||||||
|
|
||||||
def test__whitelist_mac(self):
|
def test__allowlist_mac(self):
|
||||||
dnsmasq._whitelist_mac(self.mac)
|
dnsmasq._add_mac_to_allowlist(self.mac)
|
||||||
|
|
||||||
self.mock_join.assert_called_once_with(self.dhcp_hostsdir, self.mac)
|
self.mock_join.assert_called_once_with(self.dhcp_hostsdir, self.mac)
|
||||||
self.mock__exclusive_write_or_pass.assert_called_once_with(
|
self.mock__exclusive_write_or_pass.assert_called_once_with(
|
||||||
self.mock_join.return_value, '%s\n' % self.mac)
|
self.mock_join.return_value, '%s\n' % self.mac)
|
||||||
|
|
||||||
def test__blacklist_mac(self):
|
def test__denylist_mac(self):
|
||||||
dnsmasq._blacklist_mac(self.mac)
|
dnsmasq._add_mac_to_denylist(self.mac)
|
||||||
|
|
||||||
self.mock_join.assert_called_once_with(self.dhcp_hostsdir, self.mac)
|
self.mock_join.assert_called_once_with(self.dhcp_hostsdir, self.mac)
|
||||||
self.mock__exclusive_write_or_pass.assert_called_once_with(
|
self.mock__exclusive_write_or_pass.assert_called_once_with(
|
||||||
self.mock_join.return_value, '%s,ignore\n' % self.mac)
|
self.mock_join.return_value, '%s,ignore\n' % self.mac)
|
||||||
|
|
||||||
def test__get_blacklist(self):
|
def test__get_denylist(self):
|
||||||
self.mock_listdir.return_value = [self.mac]
|
self.mock_listdir.return_value = [self.mac]
|
||||||
self.mock_stat.return_value.st_size = len('%s,ignore\n' % self.mac)
|
self.mock_stat.return_value.st_size = len('%s,ignore\n' % self.mac)
|
||||||
blacklist, whitelist = dnsmasq._get_black_white_lists()
|
denylist, allowlist = dnsmasq._get_deny_allow_lists()
|
||||||
|
|
||||||
self.assertEqual({self.mac}, blacklist)
|
self.assertEqual({self.mac}, denylist)
|
||||||
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
|
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
|
||||||
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
|
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
|
||||||
self.mock_stat.assert_called_with(self.mock_join.return_value)
|
self.mock_stat.assert_called_with(self.mock_join.return_value)
|
||||||
|
|
||||||
def test__get_whitelist(self):
|
def test__get_allowlist(self):
|
||||||
self.mock_listdir.return_value = [self.mac]
|
self.mock_listdir.return_value = [self.mac]
|
||||||
self.mock_stat.return_value.st_size = len('%s\n' % self.mac)
|
self.mock_stat.return_value.st_size = len('%s\n' % self.mac)
|
||||||
blacklist, whitelist = dnsmasq._get_black_white_lists()
|
denylist, allowlist = dnsmasq._get_deny_allow_lists()
|
||||||
|
|
||||||
self.assertEqual({self.mac}, whitelist)
|
self.assertEqual({self.mac}, allowlist)
|
||||||
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
|
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
|
||||||
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
|
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
|
||||||
self.mock_stat.assert_called_with(self.mock_join.return_value)
|
self.mock_stat.assert_called_with(self.mock_join.return_value)
|
||||||
|
|
||||||
def test__get_no_blacklist(self):
|
def test__get_no_denylist(self):
|
||||||
self.mock_listdir.return_value = [self.mac]
|
self.mock_listdir.return_value = [self.mac]
|
||||||
self.mock_stat.return_value.st_size = len('%s\n' % self.mac)
|
self.mock_stat.return_value.st_size = len('%s\n' % self.mac)
|
||||||
blacklist, whitelist = dnsmasq._get_black_white_lists()
|
denylist, allowlist = dnsmasq._get_deny_allow_lists()
|
||||||
|
|
||||||
self.assertEqual(set(), blacklist)
|
self.assertEqual(set(), denylist)
|
||||||
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
|
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
|
||||||
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
|
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
|
||||||
self.mock_stat.assert_called_with(self.mock_join.return_value)
|
self.mock_stat.assert_called_with(self.mock_join.return_value)
|
||||||
|
|
||||||
def test__get_no_whitelist(self):
|
def test__get_no_allowlist(self):
|
||||||
self.mock_listdir.return_value = [self.mac]
|
self.mock_listdir.return_value = [self.mac]
|
||||||
self.mock_stat.return_value.st_size = len('%s,ignore\n' % self.mac)
|
self.mock_stat.return_value.st_size = len('%s,ignore\n' % self.mac)
|
||||||
blacklist, whitelist = dnsmasq._get_black_white_lists()
|
denylist, allowlist = dnsmasq._get_deny_allow_lists()
|
||||||
|
|
||||||
self.assertEqual(set(), whitelist)
|
self.assertEqual(set(), allowlist)
|
||||||
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
|
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
|
||||||
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
|
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
|
||||||
self.mock_stat.assert_called_with(self.mock_join.return_value)
|
self.mock_stat.assert_called_with(self.mock_join.return_value)
|
||||||
|
@ -348,12 +348,12 @@ class TestMACHandlers(test_base.BaseTest):
|
||||||
class TestSync(DnsmasqTestBase):
|
class TestSync(DnsmasqTestBase):
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(TestSync, self).setUp()
|
super(TestSync, self).setUp()
|
||||||
self.mock__get_black_white_lists = self.useFixture(
|
self.mock__get_deny_allow_lists = self.useFixture(
|
||||||
fixtures.MockPatchObject(dnsmasq, '_get_black_white_lists')).mock
|
fixtures.MockPatchObject(dnsmasq, '_get_deny_allow_lists')).mock
|
||||||
self.mock__whitelist_mac = self.useFixture(
|
self.mock__add_mac_to_allowlist = self.useFixture(
|
||||||
fixtures.MockPatchObject(dnsmasq, '_whitelist_mac')).mock
|
fixtures.MockPatchObject(dnsmasq, '_add_mac_to_allowlist')).mock
|
||||||
self.mock__blacklist_mac = self.useFixture(
|
self.mock__add_mac_to_denylist = self.useFixture(
|
||||||
fixtures.MockPatchObject(dnsmasq, '_blacklist_mac')).mock
|
fixtures.MockPatchObject(dnsmasq, '_add_mac_to_denylist')).mock
|
||||||
self.mock__configure_unknown_hosts = self.useFixture(
|
self.mock__configure_unknown_hosts = self.useFixture(
|
||||||
fixtures.MockPatchObject(dnsmasq, '_configure_unknown_hosts')).mock
|
fixtures.MockPatchObject(dnsmasq, '_configure_unknown_hosts')).mock
|
||||||
self.mock__configure_removedlist = self.useFixture(
|
self.mock__configure_removedlist = self.useFixture(
|
||||||
|
@ -376,10 +376,10 @@ class TestSync(DnsmasqTestBase):
|
||||||
fixtures.MockPatchObject(node_cache, 'active_macs')).mock
|
fixtures.MockPatchObject(node_cache, 'active_macs')).mock
|
||||||
self.ironic_macs = {'new_mac', 'active_mac'}
|
self.ironic_macs = {'new_mac', 'active_mac'}
|
||||||
self.active_macs = {'active_mac'}
|
self.active_macs = {'active_mac'}
|
||||||
self.blacklist = {'gone_mac', 'active_mac'}
|
self.denylist = {'gone_mac', 'active_mac'}
|
||||||
self.whitelist = {}
|
self.allowlist = {}
|
||||||
self.mock__get_black_white_lists.return_value = (self.blacklist,
|
self.mock__get_deny_allow_lists.return_value = (self.denylist,
|
||||||
self.whitelist)
|
self.allowlist)
|
||||||
self.mock_ironic.ports.return_value = [
|
self.mock_ironic.ports.return_value = [
|
||||||
mock.Mock(address=address) for address in self.ironic_macs]
|
mock.Mock(address=address) for address in self.ironic_macs]
|
||||||
self.mock_active_macs.return_value = self.active_macs
|
self.mock_active_macs.return_value = self.active_macs
|
||||||
|
@ -403,13 +403,13 @@ class TestSync(DnsmasqTestBase):
|
||||||
def test__sync(self):
|
def test__sync(self):
|
||||||
self.driver._sync(self.mock_ironic)
|
self.driver._sync(self.mock_ironic)
|
||||||
|
|
||||||
self.mock__whitelist_mac.assert_called_once_with('active_mac')
|
self.mock__add_mac_to_allowlist.assert_called_once_with('active_mac')
|
||||||
self.mock__blacklist_mac.assert_called_once_with('new_mac')
|
self.mock__add_mac_to_denylist.assert_called_once_with('new_mac')
|
||||||
|
|
||||||
self.mock_ironic.ports.assert_called_once_with(
|
self.mock_ironic.ports.assert_called_once_with(
|
||||||
limit=None, fields=['address'])
|
limit=None, fields=['address'])
|
||||||
self.mock_active_macs.assert_called_once_with()
|
self.mock_active_macs.assert_called_once_with()
|
||||||
self.mock__get_black_white_lists.assert_called_once_with()
|
self.mock__get_deny_allow_lists.assert_called_once_with()
|
||||||
self.mock__configure_unknown_hosts.assert_called_once_with()
|
self.mock__configure_unknown_hosts.assert_called_once_with()
|
||||||
self.mock__configure_removedlist.assert_called_once_with({'gone_mac'})
|
self.mock__configure_removedlist.assert_called_once_with({'gone_mac'})
|
||||||
self.mock_log.debug.assert_has_calls([
|
self.mock_log.debug.assert_has_calls([
|
||||||
|
@ -426,13 +426,13 @@ class TestSync(DnsmasqTestBase):
|
||||||
]
|
]
|
||||||
self.driver._sync(self.mock_ironic)
|
self.driver._sync(self.mock_ironic)
|
||||||
|
|
||||||
self.mock__whitelist_mac.assert_called_once_with('active_mac')
|
self.mock__add_mac_to_allowlist.assert_called_once_with('active_mac')
|
||||||
self.mock__blacklist_mac.assert_called_once_with('new_mac')
|
self.mock__add_mac_to_denylist.assert_called_once_with('new_mac')
|
||||||
|
|
||||||
self.mock_ironic.ports.assert_called_with(
|
self.mock_ironic.ports.assert_called_with(
|
||||||
limit=None, fields=['address'])
|
limit=None, fields=['address'])
|
||||||
self.mock_active_macs.assert_called_once_with()
|
self.mock_active_macs.assert_called_once_with()
|
||||||
self.mock__get_black_white_lists.assert_called_once_with()
|
self.mock__get_deny_allow_lists.assert_called_once_with()
|
||||||
self.mock__configure_removedlist.assert_called_once_with({'gone_mac'})
|
self.mock__configure_removedlist.assert_called_once_with({'gone_mac'})
|
||||||
self.mock_log.debug.assert_has_calls([
|
self.mock_log.debug.assert_has_calls([
|
||||||
mock.call('Syncing the driver'),
|
mock.call('Syncing the driver'),
|
||||||
|
|
|
@ -44,9 +44,9 @@ class TestIptablesDriver(test_base.NodeTest):
|
||||||
fixtures.MockPatchObject(self.driver, '_iptables')).mock
|
fixtures.MockPatchObject(self.driver, '_iptables')).mock
|
||||||
self.mock_should_enable_dhcp = self.useFixture(
|
self.mock_should_enable_dhcp = self.useFixture(
|
||||||
fixtures.MockPatchObject(iptables, '_should_enable_dhcp')).mock
|
fixtures.MockPatchObject(iptables, '_should_enable_dhcp')).mock
|
||||||
self.mock__get_blacklist = self.useFixture(
|
self.mock__get_denylist = self.useFixture(
|
||||||
fixtures.MockPatchObject(iptables, '_get_blacklist')).mock
|
fixtures.MockPatchObject(iptables, '_get_denylist')).mock
|
||||||
self.mock__get_blacklist.return_value = []
|
self.mock__get_denylist.return_value = []
|
||||||
self.mock_ironic = mock.Mock()
|
self.mock_ironic = mock.Mock()
|
||||||
|
|
||||||
def check_fsm(self, events):
|
def check_fsm(self, events):
|
||||||
|
@ -143,7 +143,7 @@ class TestIptablesDriver(test_base.NodeTest):
|
||||||
for (args, call) in zip(_iptables_expected_args,
|
for (args, call) in zip(_iptables_expected_args,
|
||||||
call_args_list):
|
call_args_list):
|
||||||
self.assertEqual(args, call[0])
|
self.assertEqual(args, call[0])
|
||||||
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic)
|
self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
|
||||||
self.check_fsm([pxe_filter.Events.sync])
|
self.check_fsm([pxe_filter.Events.sync])
|
||||||
|
|
||||||
def test__iptables_args_ipv4(self):
|
def test__iptables_args_ipv4(self):
|
||||||
|
@ -175,11 +175,11 @@ class TestIptablesDriver(test_base.NodeTest):
|
||||||
self.assertEqual(kwargs, call[1])
|
self.assertEqual(kwargs, call[1])
|
||||||
self.check_fsm([pxe_filter.Events.sync])
|
self.check_fsm([pxe_filter.Events.sync])
|
||||||
|
|
||||||
def _test_sync_with_blacklist(self, expected_port):
|
def _test_sync_with_denylist(self, expected_port):
|
||||||
self.driver = iptables.IptablesFilter()
|
self.driver = iptables.IptablesFilter()
|
||||||
self.mock_iptables = self.useFixture(
|
self.mock_iptables = self.useFixture(
|
||||||
fixtures.MockPatchObject(self.driver, '_iptables')).mock
|
fixtures.MockPatchObject(self.driver, '_iptables')).mock
|
||||||
self.mock__get_blacklist.return_value = ['AA:BB:CC:DD:EE:FF']
|
self.mock__get_denylist.return_value = ['AA:BB:CC:DD:EE:FF']
|
||||||
self.mock_should_enable_dhcp.return_value = True
|
self.mock_should_enable_dhcp.return_value = True
|
||||||
|
|
||||||
_iptables_expected_args = [
|
_iptables_expected_args = [
|
||||||
|
@ -188,9 +188,9 @@ class TestIptablesDriver(test_base.NodeTest):
|
||||||
('-F', self.driver.new_chain),
|
('-F', self.driver.new_chain),
|
||||||
('-X', self.driver.new_chain),
|
('-X', self.driver.new_chain),
|
||||||
('-N', self.driver.new_chain),
|
('-N', self.driver.new_chain),
|
||||||
# Blacklist
|
# deny
|
||||||
('-A', self.driver.new_chain, '-m', 'mac', '--mac-source',
|
('-A', self.driver.new_chain, '-m', 'mac', '--mac-source',
|
||||||
self.mock__get_blacklist.return_value[0], '-j', 'DROP'),
|
self.mock__get_denylist.return_value[0], '-j', 'DROP'),
|
||||||
('-A', self.driver.new_chain, '-j', 'ACCEPT'),
|
('-A', self.driver.new_chain, '-j', 'ACCEPT'),
|
||||||
('-I', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport',
|
('-I', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport',
|
||||||
expected_port, '-j', self.driver.new_chain),
|
expected_port, '-j', self.driver.new_chain),
|
||||||
|
@ -208,36 +208,36 @@ class TestIptablesDriver(test_base.NodeTest):
|
||||||
for (args, call) in zip(_iptables_expected_args,
|
for (args, call) in zip(_iptables_expected_args,
|
||||||
call_args_list):
|
call_args_list):
|
||||||
self.assertEqual(args, call[0])
|
self.assertEqual(args, call[0])
|
||||||
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic)
|
self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
|
||||||
|
|
||||||
# check caching
|
# check caching
|
||||||
|
|
||||||
self.mock_iptables.reset_mock()
|
self.mock_iptables.reset_mock()
|
||||||
self.mock__get_blacklist.reset_mock()
|
self.mock__get_denylist.reset_mock()
|
||||||
self.driver.sync(self.mock_ironic)
|
self.driver.sync(self.mock_ironic)
|
||||||
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic)
|
self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
|
||||||
self.assertFalse(self.mock_iptables.called)
|
self.assertFalse(self.mock_iptables.called)
|
||||||
|
|
||||||
def test_sync_with_blacklist_ipv4(self):
|
def test_sync_with_denylist_ipv4(self):
|
||||||
CONF.set_override('ip_version', '4', 'iptables')
|
CONF.set_override('ip_version', '4', 'iptables')
|
||||||
self._test_sync_with_blacklist('67')
|
self._test_sync_with_denylist('67')
|
||||||
|
|
||||||
def test_sync_with_blacklist_ipv6(self):
|
def test_sync_with_denylist_ipv6(self):
|
||||||
CONF.set_override('ip_version', '6', 'iptables')
|
CONF.set_override('ip_version', '6', 'iptables')
|
||||||
self._test_sync_with_blacklist('547')
|
self._test_sync_with_denylist('547')
|
||||||
|
|
||||||
def _test__iptables_clean_cache_on_error(self, expected_port):
|
def _test__iptables_clean_cache_on_error(self, expected_port):
|
||||||
self.driver = iptables.IptablesFilter()
|
self.driver = iptables.IptablesFilter()
|
||||||
self.mock_iptables = self.useFixture(
|
self.mock_iptables = self.useFixture(
|
||||||
fixtures.MockPatchObject(self.driver, '_iptables')).mock
|
fixtures.MockPatchObject(self.driver, '_iptables')).mock
|
||||||
self.mock__get_blacklist.return_value = ['AA:BB:CC:DD:EE:FF']
|
self.mock__get_denylist.return_value = ['AA:BB:CC:DD:EE:FF']
|
||||||
self.mock_should_enable_dhcp.return_value = True
|
self.mock_should_enable_dhcp.return_value = True
|
||||||
|
|
||||||
self.mock_iptables.side_effect = [None, None, RuntimeError('Oops!'),
|
self.mock_iptables.side_effect = [None, None, RuntimeError('Oops!'),
|
||||||
None, None, None, None, None, None]
|
None, None, None, None, None, None]
|
||||||
self.assertRaises(RuntimeError, self.driver.sync, self.mock_ironic)
|
self.assertRaises(RuntimeError, self.driver.sync, self.mock_ironic)
|
||||||
self.check_fsm([pxe_filter.Events.sync, pxe_filter.Events.reset])
|
self.check_fsm([pxe_filter.Events.sync, pxe_filter.Events.reset])
|
||||||
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic)
|
self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
|
||||||
|
|
||||||
# check caching
|
# check caching
|
||||||
syncs_expected_args = [
|
syncs_expected_args = [
|
||||||
|
@ -247,9 +247,9 @@ class TestIptablesDriver(test_base.NodeTest):
|
||||||
('-F', self.driver.new_chain),
|
('-F', self.driver.new_chain),
|
||||||
('-X', self.driver.new_chain),
|
('-X', self.driver.new_chain),
|
||||||
('-N', self.driver.new_chain),
|
('-N', self.driver.new_chain),
|
||||||
# Blacklist
|
# deny
|
||||||
('-A', self.driver.new_chain, '-m', 'mac', '--mac-source',
|
('-A', self.driver.new_chain, '-m', 'mac', '--mac-source',
|
||||||
self.mock__get_blacklist.return_value[0], '-j', 'DROP'),
|
self.mock__get_denylist.return_value[0], '-j', 'DROP'),
|
||||||
('-A', self.driver.new_chain, '-j', 'ACCEPT'),
|
('-A', self.driver.new_chain, '-j', 'ACCEPT'),
|
||||||
('-I', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport',
|
('-I', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport',
|
||||||
expected_port, '-j', self.driver.new_chain),
|
expected_port, '-j', self.driver.new_chain),
|
||||||
|
@ -262,7 +262,7 @@ class TestIptablesDriver(test_base.NodeTest):
|
||||||
|
|
||||||
self.mock_iptables.reset_mock()
|
self.mock_iptables.reset_mock()
|
||||||
self.mock_iptables.side_effect = None
|
self.mock_iptables.side_effect = None
|
||||||
self.mock__get_blacklist.reset_mock()
|
self.mock__get_denylist.reset_mock()
|
||||||
self.mock_fsm.reset_mock()
|
self.mock_fsm.reset_mock()
|
||||||
self.driver.sync(self.mock_ironic)
|
self.driver.sync(self.mock_ironic)
|
||||||
self.check_fsm([pxe_filter.Events.sync])
|
self.check_fsm([pxe_filter.Events.sync])
|
||||||
|
@ -271,7 +271,7 @@ class TestIptablesDriver(test_base.NodeTest):
|
||||||
for (idx, (args, call)) in enumerate(zip(syncs_expected_args,
|
for (idx, (args, call)) in enumerate(zip(syncs_expected_args,
|
||||||
call_args_list)):
|
call_args_list)):
|
||||||
self.assertEqual(args, call[0], 'idx: %s' % idx)
|
self.assertEqual(args, call[0], 'idx: %s' % idx)
|
||||||
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic)
|
self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
|
||||||
|
|
||||||
def test__iptables_clean_cache_on_error_ipv4(self):
|
def test__iptables_clean_cache_on_error_ipv4(self):
|
||||||
CONF.set_override('ip_version', '4', 'iptables')
|
CONF.set_override('ip_version', '4', 'iptables')
|
||||||
|
@ -377,9 +377,9 @@ class TestIBMapping(test_base.BaseTest):
|
||||||
mock_open.assert_not_called()
|
mock_open.assert_not_called()
|
||||||
|
|
||||||
|
|
||||||
class TestGetBlacklist(test_base.BaseTest):
|
class TestGetDenylist(test_base.BaseTest):
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(TestGetBlacklist, self).setUp()
|
super(TestGetDenylist, self).setUp()
|
||||||
self.mock__ib_mac_to_rmac_mapping = self.useFixture(
|
self.mock__ib_mac_to_rmac_mapping = self.useFixture(
|
||||||
fixtures.MockPatchObject(iptables, '_ib_mac_to_rmac_mapping')).mock
|
fixtures.MockPatchObject(iptables, '_ib_mac_to_rmac_mapping')).mock
|
||||||
self.mock_active_macs = self.useFixture(
|
self.mock_active_macs = self.useFixture(
|
||||||
|
@ -394,8 +394,8 @@ class TestGetBlacklist(test_base.BaseTest):
|
||||||
self.mock_ironic.ports.return_value = mock_ports_list
|
self.mock_ironic.ports.return_value = mock_ports_list
|
||||||
self.mock_active_macs.return_value = {'foo'}
|
self.mock_active_macs.return_value = {'foo'}
|
||||||
|
|
||||||
ports = iptables._get_blacklist(self.mock_ironic)
|
ports = iptables._get_denylist(self.mock_ironic)
|
||||||
# foo is an active address so we expect the blacklist contains only bar
|
# foo is an active address so we expect the denylist contain only bar
|
||||||
self.assertEqual(['bar'], ports)
|
self.assertEqual(['bar'], ports)
|
||||||
self.mock_ironic.ports.assert_called_once_with(
|
self.mock_ironic.ports.assert_called_once_with(
|
||||||
limit=None, fields=['address', 'extra'])
|
limit=None, fields=['address', 'extra'])
|
||||||
|
@ -414,8 +414,8 @@ class TestGetBlacklist(test_base.BaseTest):
|
||||||
]
|
]
|
||||||
self.mock_active_macs.return_value = {'foo'}
|
self.mock_active_macs.return_value = {'foo'}
|
||||||
|
|
||||||
ports = iptables._get_blacklist(self.mock_ironic)
|
ports = iptables._get_denylist(self.mock_ironic)
|
||||||
# foo is an active address so we expect the blacklist contains only bar
|
# foo is an active address so we expect the denylist contain only bar
|
||||||
self.assertEqual(['bar'], ports)
|
self.assertEqual(['bar'], ports)
|
||||||
self.mock_ironic.ports.assert_called_with(
|
self.mock_ironic.ports.assert_called_with(
|
||||||
limit=None, fields=['address', 'extra'])
|
limit=None, fields=['address', 'extra'])
|
||||||
|
|
Loading…
Reference in New Issue