openstack
/
ironic-inspector
Code Issues Proposed changes

Remove non-inclusive language in pxe filter 

Replaces the use of black/white-list with deny/allow-list
in the pxe filter.

Change-Id: I84e6343fc13e4c4c02521499632a07e782088057
This commit is contained in:
Harald Jensås 2020-07-09 00:01:42 +02:00
parent b1e79e0b4d
commit a1f8926cd1
6 changed files with 141 additions and 142 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CONTRIBUTING.rst
View File

@ -349,8 +349,7 @@ The contract between **inspector** and a PXE filter driver is described in the
internal driver state internal driver state
* :meth:`~FilterDriver.sync` called both periodically and when a node starts or * :meth:`~FilterDriver.sync` called both periodically and when a node starts or
finishes introspection to white or blacklist its ports MAC addresses in the finishes introspection to allow or deny its ports MAC addresses in the driver
driver
* :meth:`~FilterDriver.tear_down_filter` called on service exit to reset the * :meth:`~FilterDriver.tear_down_filter` called on service exit to reset the
internal driver state internal driver state

4
doc/source/admin/dnsmasq-pxe-filter.rst
View File

@ -24,7 +24,7 @@ file parsing. The content of the file determines the MAC address access policy.
Thanks to the ``inotify`` facility, **dnsmasq** is notified once a new file is Thanks to the ``inotify`` facility, **dnsmasq** is notified once a new file is
*created* or an existing file is *modified* in the DHCP hosts directory. Thus, *created* or an existing file is *modified* in the DHCP hosts directory. Thus,
to white-list a MAC address, the filter removes the ``ignore`` directive:: to allow a MAC address, the filter removes the ``ignore`` directive::
$ cat /etc/dnsmasq.d/de-ad-be-ef-de-ad $ cat /etc/dnsmasq.d/de-ad-be-ef-de-ad
de:ad:be:ef:de:ad de:ad:be:ef:de:ad
@ -121,5 +121,5 @@ start-up.
Although the filter driver tries its best to always stop the **dnsmasq** Although the filter driver tries its best to always stop the **dnsmasq**
service, it is recommended that the operator configures the **dnsmasq** service, it is recommended that the operator configures the **dnsmasq**
service in such a way that it terminates upon **ironic-inspector** service in such a way that it terminates upon **ironic-inspector**
(unexpected) exit to prevent a stale blacklist from being used by the (unexpected) exit to prevent a stale deny list from being used by the
**dnsmasq** service. **dnsmasq** service.

110
ironic_inspector/pxe_filter/dnsmasq.py
View File

@ -44,18 +44,18 @@ _EXCLUSIVE_WRITE_ATTEMPTS = 10
_EXCLUSIVE_WRITE_ATTEMPTS_DELAY = 0.01 _EXCLUSIVE_WRITE_ATTEMPTS_DELAY = 0.01
_ROOTWRAP_COMMAND = 'sudo ironic-inspector-rootwrap {rootwrap_config!s}' _ROOTWRAP_COMMAND = 'sudo ironic-inspector-rootwrap {rootwrap_config!s}'
_MACBL_LEN = len('ff:ff:ff:ff:ff:ff,ignore\n') _MAC_DENY_LEN = len('ff:ff:ff:ff:ff:ff,ignore\n')
_MACWL_LEN = len('ff:ff:ff:ff:ff:ff\n') _MAC_ALLOW_LEN = len('ff:ff:ff:ff:ff:ff\n')
_UNKNOWN_HOSTS_FILE = 'unknown_hosts_filter' _UNKNOWN_HOSTS_FILE = 'unknown_hosts_filter'
_BLACKLIST_UNKNOWN_HOSTS = '*:*:*:*:*:*,ignore\n' _DENY_UNKNOWN_HOSTS = '*:*:*:*:*:*,ignore\n'
_WHITELIST_UNKNOWN_HOSTS = '*:*:*:*:*:*\n' _ALLOW_UNKNOWN_HOSTS = '*:*:*:*:*:*\n'
def _should_enable_unknown_hosts(): def _should_enable_unknown_hosts():
"""Check whether we should enable DHCP for unknown hosts """Check whether we should enable DHCP for unknown hosts
We blacklist unknown hosts unless one or more nodes are on introspection We add unknown hosts to the deny list unless one or more nodes are on
and node_not_found_hook is not set. introspection and node_not_found_hook is not set.
""" """
return (node_cache.introspection_active() or return (node_cache.introspection_active() or
CONF.processing.node_not_found_hook is not None) CONF.processing.node_not_found_hook is not None)
@ -89,24 +89,24 @@ class DnsmasqFilter(pxe_filter.BaseFilter):
ironic_macs = set(port.address for port in ironic_macs = set(port.address for port in
ir_utils.call_with_retries(ironic.ports, limit=None, ir_utils.call_with_retries(ironic.ports, limit=None,
fields=['address'])) fields=['address']))
blacklist, whitelist = _get_black_white_lists() denylist, allowlist = _get_deny_allow_lists()
# removedlist are the MACs that are in either blacklist or whitelist, # removedlist are the MACs that are in either in allow or denylist,
# but not kept in ironic (ironic_macs) any more # but not kept in ironic (ironic_macs) any more
removedlist = blacklist.union(whitelist).difference(ironic_macs) removedlist = denylist.union(allowlist).difference(ironic_macs)
# Whitelist active MACs that are not already whitelisted # Add active MACs that are not already in the allowlist
for mac in active_macs.difference(whitelist): for mac in active_macs.difference(allowlist):
_whitelist_mac(mac) _add_mac_to_allowlist(mac)
# Blacklist any ironic MACs that is not active for introspection unless # Add any ironic MACs that is not active for introspection to the
# it is already blacklisted # deny list unless it is already present
for mac in ironic_macs.difference(blacklist.union(active_macs)): for mac in ironic_macs.difference(denylist.union(active_macs)):
_blacklist_mac(mac) _add_mac_to_denylist(mac)
# Whitelist or Blacklist unknown hosts and MACs not kept in ironic # Allow or deny unknown hosts and MACs not kept in ironic
# NOTE(hjensas): Treat unknown hosts and MACs not kept in ironic the # NOTE(hjensas): Treat unknown hosts and MACs not kept in ironic the
# same. Neither should boot the inspection image unless introspection # same. Neither should boot the inspection image unless introspection
# is active. Deleted MACs must be whitelisted when introspection is # is active. Deleted MACs must be added to the allow list when
# active in case the host is re-enrolled. # introspection is active in case the host is re-enrolled.
_configure_unknown_hosts() _configure_unknown_hosts()
_configure_removedlist(removedlist) _configure_removedlist(removedlist)
@ -119,8 +119,8 @@ class DnsmasqFilter(pxe_filter.BaseFilter):
"""Sync dnsmasq configuration with current Ironic&Inspector state. """Sync dnsmasq configuration with current Ironic&Inspector state.
Polls all ironic ports. Those being inspected, the active ones, are Polls all ironic ports. Those being inspected, the active ones, are
whitelisted while the rest are blacklisted in the dnsmasq added to the allow list while the rest are added to the deny list in
configuration. the dnsmasq configuration.
:param ironic: an ironic client instance. :param ironic: an ironic client instance.
:raises: OSError, IOError. :raises: OSError, IOError.
@ -133,8 +133,8 @@ class DnsmasqFilter(pxe_filter.BaseFilter):
"""Performs an initial sync with ironic and starts dnsmasq. """Performs an initial sync with ironic and starts dnsmasq.
The initial _sync() call reduces the chances dnsmasq might lose The initial _sync() call reduces the chances dnsmasq might lose
some inotify blacklist events by prefetching the blacklist before some inotify deny list events by prefetching the list before dnsmasq
the dnsmasq is started. is started.
:raises: OSError, IOError. :raises: OSError, IOError.
:returns: None. :returns: None.
@ -166,23 +166,23 @@ def _purge_dhcp_hostsdir():
LOG.debug('Removed %s', path) LOG.debug('Removed %s', path)
def _get_black_white_lists(): def _get_deny_allow_lists():
"""Get addresses currently blacklisted in dnsmasq. """Get addresses currently denied by dnsmasq.
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid. :raises: FileNotFoundError in case the dhcp_hostsdir is invalid.
:returns: a set of MACs currently blacklisted in dnsmasq. :returns: a set of MACs currently denied by dnsmasq.
""" """
hostsdir = CONF.dnsmasq_pxe_filter.dhcp_hostsdir hostsdir = CONF.dnsmasq_pxe_filter.dhcp_hostsdir
# whitelisted MACs lack the ,ignore directive # MACs in the allow list lack the ,ignore directive
blacklist = set() denylist = set()
whitelist = set() allowlist = set()
for mac in os.listdir(hostsdir): for mac in os.listdir(hostsdir):
if os.stat(os.path.join(hostsdir, mac)).st_size == _MACBL_LEN: if os.stat(os.path.join(hostsdir, mac)).st_size == _MAC_DENY_LEN:
blacklist.add(mac) denylist.add(mac)
if os.stat(os.path.join(hostsdir, mac)).st_size == _MACWL_LEN: if os.stat(os.path.join(hostsdir, mac)).st_size == _MAC_ALLOW_LEN:
whitelist.add(mac) allowlist.add(mac)
return blacklist, whitelist return denylist, allowlist
def _exclusive_write_or_pass(path, buf): def _exclusive_write_or_pass(path, buf):
@ -225,7 +225,7 @@ def _exclusive_write_or_pass(path, buf):
def _configure_removedlist(macs): def _configure_removedlist(macs):
"""Manages a dhcp_hostsdir ignore/not-ignore record for removed macs """Manages a dhcp_hostsdir allow/deny record for removed macs
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid, :raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
:returns: None. :returns: None.
@ -235,16 +235,16 @@ def _configure_removedlist(macs):
if _should_enable_unknown_hosts(): if _should_enable_unknown_hosts():
for mac in macs: for mac in macs:
if os.stat(os.path.join(hostsdir, mac)).st_size != _MACWL_LEN: if os.stat(os.path.join(hostsdir, mac)).st_size != _MAC_ALLOW_LEN:
_whitelist_mac(mac) _add_mac_to_allowlist(mac)
else: else:
for mac in macs: for mac in macs:
if os.stat(os.path.join(hostsdir, mac)).st_size != _MACBL_LEN: if os.stat(os.path.join(hostsdir, mac)).st_size != _MAC_DENY_LEN:
_blacklist_mac(mac) _add_mac_to_denylist(mac)
def _configure_unknown_hosts(): def _configure_unknown_hosts():
"""Manages a dhcp_hostsdir ignore/not-ignore record for unknown macs. """Manages a dhcp_hostsdir allow/deny record for unknown macs.
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid, :raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
IOError in case the dhcp host unknown file isn't writable. IOError in case the dhcp host unknown file isn't writable.
@ -254,13 +254,13 @@ def _configure_unknown_hosts():
_UNKNOWN_HOSTS_FILE) _UNKNOWN_HOSTS_FILE)
if _should_enable_unknown_hosts(): if _should_enable_unknown_hosts():
wildcard_filter = _WHITELIST_UNKNOWN_HOSTS wildcard_filter = _ALLOW_UNKNOWN_HOSTS
log_wildcard_filter = 'whitelist' log_wildcard_filter = 'allow'
else: else:
wildcard_filter = _BLACKLIST_UNKNOWN_HOSTS wildcard_filter = _DENY_UNKNOWN_HOSTS
log_wildcard_filter = 'blacklist' log_wildcard_filter = 'deny'
# Don't update if unknown hosts are already black/white-listed # Don't update if unknown hosts are already in the deny/allow-list
try: try:
if os.stat(path).st_size == len(wildcard_filter): if os.stat(path).st_size == len(wildcard_filter):
return return
@ -276,8 +276,8 @@ def _configure_unknown_hosts():
'retrying next periodic sync time', log_wildcard_filter) 'retrying next periodic sync time', log_wildcard_filter)
def _blacklist_mac(mac): def _add_mac_to_denylist(mac):
"""Creates a dhcp_hostsdir ignore record for the MAC. """Creates a dhcp_hostsdir deny record for the MAC.
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid, :raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
IOError in case the dhcp host MAC file isn't writable. IOError in case the dhcp host MAC file isn't writable.
@ -285,14 +285,14 @@ def _blacklist_mac(mac):
""" """
path = os.path.join(CONF.dnsmasq_pxe_filter.dhcp_hostsdir, mac) path = os.path.join(CONF.dnsmasq_pxe_filter.dhcp_hostsdir, mac)
if _exclusive_write_or_pass(path, '%s,ignore\n' % mac): if _exclusive_write_or_pass(path, '%s,ignore\n' % mac):
LOG.debug('Blacklisted %s', mac) LOG.debug('MAC %s added to the deny list', mac)
else: else:
LOG.warning('Failed to blacklist %s; retrying next periodic sync ' LOG.warning('Failed to add MAC %s to the deny list; retrying next '
'time', mac) 'periodic sync time', mac)
def _whitelist_mac(mac): def _add_mac_to_allowlist(mac):
"""Un-ignores the dhcp_hostsdir record for the MAC. """Update the dhcp_hostsdir record for the MAC adding it to allow list
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid, :raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
IOError in case the dhcp host MAC file isn't writable. IOError in case the dhcp host MAC file isn't writable.
@ -301,10 +301,10 @@ def _whitelist_mac(mac):
path = os.path.join(CONF.dnsmasq_pxe_filter.dhcp_hostsdir, mac) path = os.path.join(CONF.dnsmasq_pxe_filter.dhcp_hostsdir, mac)
# remove the ,ignore directive # remove the ,ignore directive
if _exclusive_write_or_pass(path, '%s\n' % mac): if _exclusive_write_or_pass(path, '%s\n' % mac):
LOG.debug('Whitelisted %s', mac) LOG.debug('MAC %s removed from the deny list', mac)
else: else:
LOG.warning('Failed to whitelist %s; retrying next periodic sync ' LOG.warning('Failed to remove MAC %s from the deny list; retrying '
'time', mac) 'next periodic sync time', mac)
def _execute(cmd=None, ignore_errors=False): def _execute(cmd=None, ignore_errors=False):

28
ironic_inspector/pxe_filter/iptables.py
View File

@ -45,7 +45,7 @@ class IptablesFilter(pxe_filter.BaseFilter):
def __init__(self): def __init__(self):
super(IptablesFilter, self).__init__() super(IptablesFilter, self).__init__()
self.blacklist_cache = None self.denylist_cache = None
self.enabled = True self.enabled = True
self.interface = CONF.iptables.dnsmasq_interface self.interface = CONF.iptables.dnsmasq_interface
self.chain = CONF.iptables.firewall_chain self.chain = CONF.iptables.firewall_chain
@ -65,7 +65,7 @@ class IptablesFilter(pxe_filter.BaseFilter):
def reset(self): def reset(self):
self.enabled = True self.enabled = True
self.blacklist_cache = None self.denylist_cache = None
for chain in (self.chain, self.new_chain): for chain in (self.chain, self.new_chain):
try: try:
self._clean_up(chain) self._clean_up(chain)
@ -114,26 +114,26 @@ class IptablesFilter(pxe_filter.BaseFilter):
self._disable_dhcp() self._disable_dhcp()
return return
to_blacklist = _get_blacklist(ironic) to_deny = _get_denylist(ironic)
if to_blacklist == self.blacklist_cache: if to_deny == self.denylist_cache:
LOG.debug('Not updating iptables - no changes in MAC list %s', LOG.debug('Not updating iptables - no changes in MAC list %s',
to_blacklist) to_deny)
return return
LOG.debug('Blacklisting active MAC\'s %s', to_blacklist) LOG.debug('Adding active MAC\'s %s to the deny list', to_deny)
with self._temporary_chain(self.new_chain, self.chain): with self._temporary_chain(self.new_chain, self.chain):
# Force update on the next iteration if this attempt fails # Force update on the next iteration if this attempt fails
self.blacklist_cache = None self.denylist_cache = None
# - Blacklist active macs, so that nova can boot them # - Add active macs to the deny list, so that nova can boot them
for mac in to_blacklist: for mac in to_deny:
self._iptables('-A', self.new_chain, '-m', 'mac', self._iptables('-A', self.new_chain, '-m', 'mac',
'--mac-source', mac, '-j', 'DROP') '--mac-source', mac, '-j', 'DROP')
# - Whitelist everything else # - Add everything else to the allow list
self._iptables('-A', self.new_chain, '-j', 'ACCEPT') self._iptables('-A', self.new_chain, '-j', 'ACCEPT')
# Cache result of successful iptables update # Cache result of successful iptables update
self.enabled = True self.enabled = True
self.blacklist_cache = to_blacklist self.denylist_cache = to_deny
LOG.debug('The iptables filter was synchronized') LOG.debug('The iptables filter was synchronized')
@contextlib.contextmanager @contextlib.contextmanager
@ -185,9 +185,9 @@ class IptablesFilter(pxe_filter.BaseFilter):
LOG.debug('No nodes on introspection and node_not_found_hook is ' LOG.debug('No nodes on introspection and node_not_found_hook is '
'not set - disabling DHCP') 'not set - disabling DHCP')
self.blacklist_cache = None self.denylist_cache = None
with self._temporary_chain(self.new_chain, self.chain): with self._temporary_chain(self.new_chain, self.chain):
# Blacklist everything # deny everything
self._iptables('-A', self.new_chain, '-j', 'REJECT') self._iptables('-A', self.new_chain, '-j', 'REJECT')
self.enabled = False self.enabled = False
@ -230,7 +230,7 @@ def _ib_mac_to_rmac_mapping(ports):
port.address = match.group(1) port.address = match.group(1)
def _get_blacklist(ironic): def _get_denylist(ironic):
ports = [port for port in ports = [port for port in
ir_utils.call_with_retries(ironic.ports, limit=None, ir_utils.call_with_retries(ironic.ports, limit=None,
fields=['address', 'extra']) fields=['address', 'extra'])

84
ironic_inspector/test/unit/test_dnsmasq_pxe_filter.py
View File

@ -221,7 +221,7 @@ class TestMACHandlers(test_base.BaseTest):
self.mock_introspection_active = self.useFixture( self.mock_introspection_active = self.useFixture(
fixtures.MockPatchObject(node_cache, 'introspection_active')).mock fixtures.MockPatchObject(node_cache, 'introspection_active')).mock
def test__whitelist_unknown_hosts(self): def test__allowlist_unknown_hosts(self):
self.mock_join.return_value = "%s/%s" % (self.dhcp_hostsdir, self.mock_join.return_value = "%s/%s" % (self.dhcp_hostsdir,
dnsmasq._UNKNOWN_HOSTS_FILE) dnsmasq._UNKNOWN_HOSTS_FILE)
self.mock_introspection_active.return_value = True self.mock_introspection_active.return_value = True
@ -231,12 +231,12 @@ class TestMACHandlers(test_base.BaseTest):
dnsmasq._UNKNOWN_HOSTS_FILE) dnsmasq._UNKNOWN_HOSTS_FILE)
self.mock__exclusive_write_or_pass.assert_called_once_with( self.mock__exclusive_write_or_pass.assert_called_once_with(
self.mock_join.return_value, self.mock_join.return_value,
'%s' % dnsmasq._WHITELIST_UNKNOWN_HOSTS) '%s' % dnsmasq._ALLOW_UNKNOWN_HOSTS)
self.mock_log.debug.assert_called_once_with( self.mock_log.debug.assert_called_once_with(
'A %s record for all unknown hosts using wildcard mac ' 'A %s record for all unknown hosts using wildcard mac '
'created', 'whitelist') 'created', 'allow')
def test__blacklist_unknown_hosts(self): def test__denylist_unknown_hosts(self):
self.mock_join.return_value = "%s/%s" % (self.dhcp_hostsdir, self.mock_join.return_value = "%s/%s" % (self.dhcp_hostsdir,
dnsmasq._UNKNOWN_HOSTS_FILE) dnsmasq._UNKNOWN_HOSTS_FILE)
self.mock_introspection_active.return_value = False self.mock_introspection_active.return_value = False
@ -246,14 +246,14 @@ class TestMACHandlers(test_base.BaseTest):
dnsmasq._UNKNOWN_HOSTS_FILE) dnsmasq._UNKNOWN_HOSTS_FILE)
self.mock__exclusive_write_or_pass.assert_called_once_with( self.mock__exclusive_write_or_pass.assert_called_once_with(
self.mock_join.return_value, self.mock_join.return_value,
'%s' % dnsmasq._BLACKLIST_UNKNOWN_HOSTS) '%s' % dnsmasq._DENY_UNKNOWN_HOSTS)
self.mock_log.debug.assert_called_once_with( self.mock_log.debug.assert_called_once_with(
'A %s record for all unknown hosts using wildcard mac ' 'A %s record for all unknown hosts using wildcard mac '
'created', 'blacklist') 'created', 'deny')
def test__configure_removedlist_whitelist(self): def test__configure_removedlist_allowlist(self):
self.mock_introspection_active.return_value = True self.mock_introspection_active.return_value = True
self.mock_stat.return_value.st_size = dnsmasq._MACBL_LEN self.mock_stat.return_value.st_size = dnsmasq._MAC_DENY_LEN
dnsmasq._configure_removedlist({self.mac}) dnsmasq._configure_removedlist({self.mac})
@ -261,9 +261,9 @@ class TestMACHandlers(test_base.BaseTest):
self.mock__exclusive_write_or_pass.assert_called_once_with( self.mock__exclusive_write_or_pass.assert_called_once_with(
self.mock_join.return_value, '%s\n' % self.mac) self.mock_join.return_value, '%s\n' % self.mac)
def test__configure_removedlist_blacklist(self): def test__configure_removedlist_denylist(self):
self.mock_introspection_active.return_value = False self.mock_introspection_active.return_value = False
self.mock_stat.return_value.st_size = dnsmasq._MACWL_LEN self.mock_stat.return_value.st_size = dnsmasq._MAC_ALLOW_LEN
dnsmasq._configure_removedlist({self.mac}) dnsmasq._configure_removedlist({self.mac})
@ -271,56 +271,56 @@ class TestMACHandlers(test_base.BaseTest):
self.mock__exclusive_write_or_pass.assert_called_once_with( self.mock__exclusive_write_or_pass.assert_called_once_with(
self.mock_join.return_value, '%s,ignore\n' % self.mac) self.mock_join.return_value, '%s,ignore\n' % self.mac)
def test__whitelist_mac(self): def test__allowlist_mac(self):
dnsmasq._whitelist_mac(self.mac) dnsmasq._add_mac_to_allowlist(self.mac)
self.mock_join.assert_called_once_with(self.dhcp_hostsdir, self.mac) self.mock_join.assert_called_once_with(self.dhcp_hostsdir, self.mac)
self.mock__exclusive_write_or_pass.assert_called_once_with( self.mock__exclusive_write_or_pass.assert_called_once_with(
self.mock_join.return_value, '%s\n' % self.mac) self.mock_join.return_value, '%s\n' % self.mac)
def test__blacklist_mac(self): def test__denylist_mac(self):
dnsmasq._blacklist_mac(self.mac) dnsmasq._add_mac_to_denylist(self.mac)
self.mock_join.assert_called_once_with(self.dhcp_hostsdir, self.mac) self.mock_join.assert_called_once_with(self.dhcp_hostsdir, self.mac)
self.mock__exclusive_write_or_pass.assert_called_once_with( self.mock__exclusive_write_or_pass.assert_called_once_with(
self.mock_join.return_value, '%s,ignore\n' % self.mac) self.mock_join.return_value, '%s,ignore\n' % self.mac)
def test__get_blacklist(self): def test__get_denylist(self):
self.mock_listdir.return_value = [self.mac] self.mock_listdir.return_value = [self.mac]
self.mock_stat.return_value.st_size = len('%s,ignore\n' % self.mac) self.mock_stat.return_value.st_size = len('%s,ignore\n' % self.mac)
blacklist, whitelist = dnsmasq._get_black_white_lists() denylist, allowlist = dnsmasq._get_deny_allow_lists()
self.assertEqual({self.mac}, blacklist) self.assertEqual({self.mac}, denylist)
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir) self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac) self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
self.mock_stat.assert_called_with(self.mock_join.return_value) self.mock_stat.assert_called_with(self.mock_join.return_value)
def test__get_whitelist(self): def test__get_allowlist(self):
self.mock_listdir.return_value = [self.mac] self.mock_listdir.return_value = [self.mac]
self.mock_stat.return_value.st_size = len('%s\n' % self.mac) self.mock_stat.return_value.st_size = len('%s\n' % self.mac)
blacklist, whitelist = dnsmasq._get_black_white_lists() denylist, allowlist = dnsmasq._get_deny_allow_lists()
self.assertEqual({self.mac}, whitelist) self.assertEqual({self.mac}, allowlist)
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir) self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac) self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
self.mock_stat.assert_called_with(self.mock_join.return_value) self.mock_stat.assert_called_with(self.mock_join.return_value)
def test__get_no_blacklist(self): def test__get_no_denylist(self):
self.mock_listdir.return_value = [self.mac] self.mock_listdir.return_value = [self.mac]
self.mock_stat.return_value.st_size = len('%s\n' % self.mac) self.mock_stat.return_value.st_size = len('%s\n' % self.mac)
blacklist, whitelist = dnsmasq._get_black_white_lists() denylist, allowlist = dnsmasq._get_deny_allow_lists()
self.assertEqual(set(), blacklist) self.assertEqual(set(), denylist)
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir) self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac) self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
self.mock_stat.assert_called_with(self.mock_join.return_value) self.mock_stat.assert_called_with(self.mock_join.return_value)
def test__get_no_whitelist(self): def test__get_no_allowlist(self):
self.mock_listdir.return_value = [self.mac] self.mock_listdir.return_value = [self.mac]
self.mock_stat.return_value.st_size = len('%s,ignore\n' % self.mac) self.mock_stat.return_value.st_size = len('%s,ignore\n' % self.mac)
blacklist, whitelist = dnsmasq._get_black_white_lists() denylist, allowlist = dnsmasq._get_deny_allow_lists()
self.assertEqual(set(), whitelist) self.assertEqual(set(), allowlist)
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir) self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac) self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
self.mock_stat.assert_called_with(self.mock_join.return_value) self.mock_stat.assert_called_with(self.mock_join.return_value)
@ -348,12 +348,12 @@ class TestMACHandlers(test_base.BaseTest):
class TestSync(DnsmasqTestBase): class TestSync(DnsmasqTestBase):
def setUp(self): def setUp(self):
super(TestSync, self).setUp() super(TestSync, self).setUp()
self.mock__get_black_white_lists = self.useFixture( self.mock__get_deny_allow_lists = self.useFixture(
fixtures.MockPatchObject(dnsmasq, '_get_black_white_lists')).mock fixtures.MockPatchObject(dnsmasq, '_get_deny_allow_lists')).mock
self.mock__whitelist_mac = self.useFixture( self.mock__add_mac_to_allowlist = self.useFixture(
fixtures.MockPatchObject(dnsmasq, '_whitelist_mac')).mock fixtures.MockPatchObject(dnsmasq, '_add_mac_to_allowlist')).mock
self.mock__blacklist_mac = self.useFixture( self.mock__add_mac_to_denylist = self.useFixture(
fixtures.MockPatchObject(dnsmasq, '_blacklist_mac')).mock fixtures.MockPatchObject(dnsmasq, '_add_mac_to_denylist')).mock
self.mock__configure_unknown_hosts = self.useFixture( self.mock__configure_unknown_hosts = self.useFixture(
fixtures.MockPatchObject(dnsmasq, '_configure_unknown_hosts')).mock fixtures.MockPatchObject(dnsmasq, '_configure_unknown_hosts')).mock
self.mock__configure_removedlist = self.useFixture( self.mock__configure_removedlist = self.useFixture(
@ -376,10 +376,10 @@ class TestSync(DnsmasqTestBase):
fixtures.MockPatchObject(node_cache, 'active_macs')).mock fixtures.MockPatchObject(node_cache, 'active_macs')).mock
self.ironic_macs = {'new_mac', 'active_mac'} self.ironic_macs = {'new_mac', 'active_mac'}
self.active_macs = {'active_mac'} self.active_macs = {'active_mac'}
self.blacklist = {'gone_mac', 'active_mac'} self.denylist = {'gone_mac', 'active_mac'}
self.whitelist = {} self.allowlist = {}
self.mock__get_black_white_lists.return_value = (self.blacklist, self.mock__get_deny_allow_lists.return_value = (self.denylist,
self.whitelist) self.allowlist)
self.mock_ironic.ports.return_value = [ self.mock_ironic.ports.return_value = [
mock.Mock(address=address) for address in self.ironic_macs] mock.Mock(address=address) for address in self.ironic_macs]
self.mock_active_macs.return_value = self.active_macs self.mock_active_macs.return_value = self.active_macs
@ -403,13 +403,13 @@ class TestSync(DnsmasqTestBase):
def test__sync(self): def test__sync(self):
self.driver._sync(self.mock_ironic) self.driver._sync(self.mock_ironic)
self.mock__whitelist_mac.assert_called_once_with('active_mac') self.mock__add_mac_to_allowlist.assert_called_once_with('active_mac')
self.mock__blacklist_mac.assert_called_once_with('new_mac') self.mock__add_mac_to_denylist.assert_called_once_with('new_mac')
self.mock_ironic.ports.assert_called_once_with( self.mock_ironic.ports.assert_called_once_with(
limit=None, fields=['address']) limit=None, fields=['address'])
self.mock_active_macs.assert_called_once_with() self.mock_active_macs.assert_called_once_with()
self.mock__get_black_white_lists.assert_called_once_with() self.mock__get_deny_allow_lists.assert_called_once_with()
self.mock__configure_unknown_hosts.assert_called_once_with() self.mock__configure_unknown_hosts.assert_called_once_with()
self.mock__configure_removedlist.assert_called_once_with({'gone_mac'}) self.mock__configure_removedlist.assert_called_once_with({'gone_mac'})
self.mock_log.debug.assert_has_calls([ self.mock_log.debug.assert_has_calls([
@ -426,13 +426,13 @@ class TestSync(DnsmasqTestBase):
] ]
self.driver._sync(self.mock_ironic) self.driver._sync(self.mock_ironic)
self.mock__whitelist_mac.assert_called_once_with('active_mac') self.mock__add_mac_to_allowlist.assert_called_once_with('active_mac')
self.mock__blacklist_mac.assert_called_once_with('new_mac') self.mock__add_mac_to_denylist.assert_called_once_with('new_mac')
self.mock_ironic.ports.assert_called_with( self.mock_ironic.ports.assert_called_with(
limit=None, fields=['address']) limit=None, fields=['address'])
self.mock_active_macs.assert_called_once_with() self.mock_active_macs.assert_called_once_with()
self.mock__get_black_white_lists.assert_called_once_with() self.mock__get_deny_allow_lists.assert_called_once_with()
self.mock__configure_removedlist.assert_called_once_with({'gone_mac'}) self.mock__configure_removedlist.assert_called_once_with({'gone_mac'})
self.mock_log.debug.assert_has_calls([ self.mock_log.debug.assert_has_calls([
mock.call('Syncing the driver'), mock.call('Syncing the driver'),

54
ironic_inspector/test/unit/test_iptables.py
View File

@ -44,9 +44,9 @@ class TestIptablesDriver(test_base.NodeTest):
fixtures.MockPatchObject(self.driver, '_iptables')).mock fixtures.MockPatchObject(self.driver, '_iptables')).mock
self.mock_should_enable_dhcp = self.useFixture( self.mock_should_enable_dhcp = self.useFixture(
fixtures.MockPatchObject(iptables, '_should_enable_dhcp')).mock fixtures.MockPatchObject(iptables, '_should_enable_dhcp')).mock
self.mock__get_blacklist = self.useFixture( self.mock__get_denylist = self.useFixture(
fixtures.MockPatchObject(iptables, '_get_blacklist')).mock fixtures.MockPatchObject(iptables, '_get_denylist')).mock
self.mock__get_blacklist.return_value = [] self.mock__get_denylist.return_value = []
self.mock_ironic = mock.Mock() self.mock_ironic = mock.Mock()
def check_fsm(self, events): def check_fsm(self, events):
@ -143,7 +143,7 @@ class TestIptablesDriver(test_base.NodeTest):
for (args, call) in zip(_iptables_expected_args, for (args, call) in zip(_iptables_expected_args,
call_args_list): call_args_list):
self.assertEqual(args, call[0]) self.assertEqual(args, call[0])
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic) self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
self.check_fsm([pxe_filter.Events.sync]) self.check_fsm([pxe_filter.Events.sync])
def test__iptables_args_ipv4(self): def test__iptables_args_ipv4(self):
@ -175,11 +175,11 @@ class TestIptablesDriver(test_base.NodeTest):
self.assertEqual(kwargs, call[1]) self.assertEqual(kwargs, call[1])
self.check_fsm([pxe_filter.Events.sync]) self.check_fsm([pxe_filter.Events.sync])
def _test_sync_with_blacklist(self, expected_port): def _test_sync_with_denylist(self, expected_port):
self.driver = iptables.IptablesFilter() self.driver = iptables.IptablesFilter()
self.mock_iptables = self.useFixture( self.mock_iptables = self.useFixture(
fixtures.MockPatchObject(self.driver, '_iptables')).mock fixtures.MockPatchObject(self.driver, '_iptables')).mock
self.mock__get_blacklist.return_value = ['AA:BB:CC:DD:EE:FF'] self.mock__get_denylist.return_value = ['AA:BB:CC:DD:EE:FF']
self.mock_should_enable_dhcp.return_value = True self.mock_should_enable_dhcp.return_value = True
_iptables_expected_args = [ _iptables_expected_args = [
@ -188,9 +188,9 @@ class TestIptablesDriver(test_base.NodeTest):
('-F', self.driver.new_chain), ('-F', self.driver.new_chain),
('-X', self.driver.new_chain), ('-X', self.driver.new_chain),
('-N', self.driver.new_chain), ('-N', self.driver.new_chain),
# Blacklist # deny
('-A', self.driver.new_chain, '-m', 'mac', '--mac-source', ('-A', self.driver.new_chain, '-m', 'mac', '--mac-source',
self.mock__get_blacklist.return_value[0], '-j', 'DROP'), self.mock__get_denylist.return_value[0], '-j', 'DROP'),
('-A', self.driver.new_chain, '-j', 'ACCEPT'), ('-A', self.driver.new_chain, '-j', 'ACCEPT'),
('-I', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport', ('-I', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport',
expected_port, '-j', self.driver.new_chain), expected_port, '-j', self.driver.new_chain),
@ -208,36 +208,36 @@ class TestIptablesDriver(test_base.NodeTest):
for (args, call) in zip(_iptables_expected_args, for (args, call) in zip(_iptables_expected_args,
call_args_list): call_args_list):
self.assertEqual(args, call[0]) self.assertEqual(args, call[0])
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic) self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
# check caching # check caching
self.mock_iptables.reset_mock() self.mock_iptables.reset_mock()
self.mock__get_blacklist.reset_mock() self.mock__get_denylist.reset_mock()
self.driver.sync(self.mock_ironic) self.driver.sync(self.mock_ironic)
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic) self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
self.assertFalse(self.mock_iptables.called) self.assertFalse(self.mock_iptables.called)
def test_sync_with_blacklist_ipv4(self): def test_sync_with_denylist_ipv4(self):
CONF.set_override('ip_version', '4', 'iptables') CONF.set_override('ip_version', '4', 'iptables')
self._test_sync_with_blacklist('67') self._test_sync_with_denylist('67')
def test_sync_with_blacklist_ipv6(self): def test_sync_with_denylist_ipv6(self):
CONF.set_override('ip_version', '6', 'iptables') CONF.set_override('ip_version', '6', 'iptables')
self._test_sync_with_blacklist('547') self._test_sync_with_denylist('547')
def _test__iptables_clean_cache_on_error(self, expected_port): def _test__iptables_clean_cache_on_error(self, expected_port):
self.driver = iptables.IptablesFilter() self.driver = iptables.IptablesFilter()
self.mock_iptables = self.useFixture( self.mock_iptables = self.useFixture(
fixtures.MockPatchObject(self.driver, '_iptables')).mock fixtures.MockPatchObject(self.driver, '_iptables')).mock
self.mock__get_blacklist.return_value = ['AA:BB:CC:DD:EE:FF'] self.mock__get_denylist.return_value = ['AA:BB:CC:DD:EE:FF']
self.mock_should_enable_dhcp.return_value = True self.mock_should_enable_dhcp.return_value = True
self.mock_iptables.side_effect = [None, None, RuntimeError('Oops!'), self.mock_iptables.side_effect = [None, None, RuntimeError('Oops!'),
None, None, None, None, None, None] None, None, None, None, None, None]
self.assertRaises(RuntimeError, self.driver.sync, self.mock_ironic) self.assertRaises(RuntimeError, self.driver.sync, self.mock_ironic)
self.check_fsm([pxe_filter.Events.sync, pxe_filter.Events.reset]) self.check_fsm([pxe_filter.Events.sync, pxe_filter.Events.reset])
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic) self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
# check caching # check caching
syncs_expected_args = [ syncs_expected_args = [
@ -247,9 +247,9 @@ class TestIptablesDriver(test_base.NodeTest):
('-F', self.driver.new_chain), ('-F', self.driver.new_chain),
('-X', self.driver.new_chain), ('-X', self.driver.new_chain),
('-N', self.driver.new_chain), ('-N', self.driver.new_chain),
# Blacklist # deny
('-A', self.driver.new_chain, '-m', 'mac', '--mac-source', ('-A', self.driver.new_chain, '-m', 'mac', '--mac-source',
self.mock__get_blacklist.return_value[0], '-j', 'DROP'), self.mock__get_denylist.return_value[0], '-j', 'DROP'),
('-A', self.driver.new_chain, '-j', 'ACCEPT'), ('-A', self.driver.new_chain, '-j', 'ACCEPT'),
('-I', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport', ('-I', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport',
expected_port, '-j', self.driver.new_chain), expected_port, '-j', self.driver.new_chain),
@ -262,7 +262,7 @@ class TestIptablesDriver(test_base.NodeTest):
self.mock_iptables.reset_mock() self.mock_iptables.reset_mock()
self.mock_iptables.side_effect = None self.mock_iptables.side_effect = None
self.mock__get_blacklist.reset_mock() self.mock__get_denylist.reset_mock()
self.mock_fsm.reset_mock() self.mock_fsm.reset_mock()
self.driver.sync(self.mock_ironic) self.driver.sync(self.mock_ironic)
self.check_fsm([pxe_filter.Events.sync]) self.check_fsm([pxe_filter.Events.sync])
@ -271,7 +271,7 @@ class TestIptablesDriver(test_base.NodeTest):
for (idx, (args, call)) in enumerate(zip(syncs_expected_args, for (idx, (args, call)) in enumerate(zip(syncs_expected_args,
call_args_list)): call_args_list)):
self.assertEqual(args, call[0], 'idx: %s' % idx) self.assertEqual(args, call[0], 'idx: %s' % idx)
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic) self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
def test__iptables_clean_cache_on_error_ipv4(self): def test__iptables_clean_cache_on_error_ipv4(self):
CONF.set_override('ip_version', '4', 'iptables') CONF.set_override('ip_version', '4', 'iptables')
@ -377,9 +377,9 @@ class TestIBMapping(test_base.BaseTest):
mock_open.assert_not_called() mock_open.assert_not_called()
class TestGetBlacklist(test_base.BaseTest): class TestGetDenylist(test_base.BaseTest):
def setUp(self): def setUp(self):
super(TestGetBlacklist, self).setUp() super(TestGetDenylist, self).setUp()
self.mock__ib_mac_to_rmac_mapping = self.useFixture( self.mock__ib_mac_to_rmac_mapping = self.useFixture(
fixtures.MockPatchObject(iptables, '_ib_mac_to_rmac_mapping')).mock fixtures.MockPatchObject(iptables, '_ib_mac_to_rmac_mapping')).mock
self.mock_active_macs = self.useFixture( self.mock_active_macs = self.useFixture(
@ -394,8 +394,8 @@ class TestGetBlacklist(test_base.BaseTest):
self.mock_ironic.ports.return_value = mock_ports_list self.mock_ironic.ports.return_value = mock_ports_list
self.mock_active_macs.return_value = {'foo'} self.mock_active_macs.return_value = {'foo'}
ports = iptables._get_blacklist(self.mock_ironic) ports = iptables._get_denylist(self.mock_ironic)
# foo is an active address so we expect the blacklist contains only bar # foo is an active address so we expect the denylist contain only bar
self.assertEqual(['bar'], ports) self.assertEqual(['bar'], ports)
self.mock_ironic.ports.assert_called_once_with( self.mock_ironic.ports.assert_called_once_with(
limit=None, fields=['address', 'extra']) limit=None, fields=['address', 'extra'])
@ -414,8 +414,8 @@ class TestGetBlacklist(test_base.BaseTest):
] ]
self.mock_active_macs.return_value = {'foo'} self.mock_active_macs.return_value = {'foo'}
ports = iptables._get_blacklist(self.mock_ironic) ports = iptables._get_denylist(self.mock_ironic)
# foo is an active address so we expect the blacklist contains only bar # foo is an active address so we expect the denylist contain only bar
self.assertEqual(['bar'], ports) self.assertEqual(['bar'], ports)
self.mock_ironic.ports.assert_called_with( self.mock_ironic.ports.assert_called_with(
limit=None, fields=['address', 'extra']) limit=None, fields=['address', 'extra'])