Keystone is moving away from using either project-scope or domain-scope
for the main cloud administrator user, and instead moving toward the
admin user having a role assignment on the "system" scope. This will
mean that no particular project or domain is special, and instead the
cloud administrator scopes to the system in order to make
deployment-wide changes. Keystone has now migrated all of its policies
to understand system scope, and if a deployment sets
[oslo_policy]/enforce_scope=true in keystone.conf and uses the new
policies, an admin user scoped to the admin project will not be able to
create dynamic credentials for tempest.
This patch adds a new parameter ``[auth]/admin_system`` to indicate that
neither the ``admin_project`` or ``admin_domain`` parameters apply to
the admin user and that the user should instead authenticate with the
system scope. This also adds ``admin_user_domain_name`` so that the
admin user can be found in its domain (namespace) without setting
``domain_name``, and for completeness also adds
``admin_project_domain_name`` so that ``domain_name`` could be omitted
even if using project scope.
The test_attach_scsi_disk_with_config_drive test cases is racy at volume
detach. Nova first detach the volume in cinder then later deletes the
BlockDeviceMapping from the nova DB. Test waits for the volume to become
available and then checks the list of volume attachments in the nova API
then it can see that the attachment is still there.
Due to issue described in related bug report, it seems that it may
happen sometimes that tempest will start trying to ssh to the instance
before ssh key will be really configured in the instance and in such
case it may happened that there will be AuthenticationFailure error
always there. Even if ssh key will be configured properly later during
To workaround that issue and avoid failures of tests, this patch adds
check if the vm is really booted and ready to ssh. It is done by
checking console log of the VM and looking for specific string "login:"
which appears at least in case of Cirros and Ubuntu images used in our
In case when such string will not be found, test will continue to run
and will still try to ssh to the instance. So in worst case it may slow
ssh to the instance a bit but shouldn't really have any bad impact on
test as before this patch it would probably also wait similar amount of
time but on trying to SSH to the instance.
Similar workaround was introduced in the neutron-tempest-plugin with
. After it was merged number of failed jobs due to ssh "Authentication
failure" issues lower down significantly.
Historically Neutron had API extensions to make it clear what feature
is available and what is not. There are however features without new
API extensions, see  and .
To avoid having lots of config options that makes it possible in a
branchless tempest to detect if a given feature is available or not on
a given Neutron branch this patch proposes a list config option similar
to api_extensions: available_features.
available_features is a list option with the special all entry, and new
tests that depend on API extensionless features can use this to be
skipped on older branches.
The instance may have been deleted when calling 'force_delete_server'.
So this patch ignores exception 'lib_exc.NotFound' that avoid
error in tearing down stage.
A volume attached to multiple servers has multiple attachment structures
that are distinguished by their "attachment_id" field, not the "id" one.
So when setting up a waiter watching for an attachment being removed,
the "attachment_id" field must be passed. Thus, when attaching a volume,
it is necessary to wait until the attachment shows up in the volume's
data and then use the "attachment_id" field of that record to pass to
the waiter invoked at tear-down time.
Some tests fail when Accept-Range header is not present in the
response of the API. This is not necesseary as the Accept-Range
header is not mandatory according to RFC .
As explained in  it is not legitimate to require a Transfer-Encoding
header in Swift responses. That prevents running some tests
successfully in the case where Swift is behind a proxy/load-balancer
that does not use any Transfer-Encoding in its responses.
This change hence removes the checks for the presence of a
"Transfer-Encoding" header, and replaces them by the use
of the existing check methods, after modifying the
custom_matcher checks on which these methods rely on to accept
either a Content-Length or a Transfer-Encoding header.
Some adaptation was also required to avoid trying to process 'etag'
for DELETE requests.
A side-effect of this change is a code simplification and
cleanup since the specific header checks in the corresponding
tests are replaced by the generic check methods.
- Fix noVNC failed TCs tempest.api.compute.servers.test_novnc.NoVNCConsoleTestJSON.test_novnc:
* Current noVNC request miss the / prefix in GET header in the websocket upgrade request.
* Current GET header GET ?token=xxx HTTP/1 can cause "HTTP/1.1 400 Bad Request" error.
* Fix the issue by adding / prefix and
# updated request format is: GET /?token=xxx HTTP/1.1 or GET /websockify HTTP/1.1
This change adds a specific waiter for tracking the removal of
attachments from a volume. This should allow callers to track the
detaching of multiattached volumes from instances while the volume
remains in an `in-use` state.
This patch removes CONF.compute.volume_device_name dependency and
use modified list_disks method to get the newly attached
device name and use that for mkfs rather than the user supplied
device name which is based on assumtion.
Also modfied test_attach_detach testcase and unit test
for remote_client accordingly.
If reclaim_instance_interval > 0 in nova.conf, some testcases will
fail cause of resource's state is 'in-use'. This patch adds the logic
in `wait_for_server_termination` that if the virtual machine state is
SOFT_DELETED, then call `force_delete`.
This patch removes user provided and libvirt assigned
value as that was based on assumption rather count the
disk name before and after attach/detach based on output
generated using 'lsblk' command in the running instance
with the help of new method list_disks in client and
existing util remote client for remote ssh.
we observer this test case failing when the instance boot
with config drive format "vfat" enabled with two volume
vda and vdb volume disk name, so whatever test case boot with
config drive as well as ephemeral disk was not be able to
use this testcase.
At the moment, tempest assumes that mke2fs will reside at /usr/sbin.
This is not necessarily true, for which reason it's safer to just
avoid using the full path.
The review allows related non-scenario tests which create
volumes and servers to read and use
If the tests don't use the option and tested environment has
multiple availability_zones, the tests fail.
Now we can get error messages like "Resource 595f6527-d84c-
4e14-a86f-c7be186a864c failed to delete and is in ERROR status",
and this has two problems:
1. It doesn't indicate which kind of resource, e.g., volume or server
2. For DeleteErrorException raised in volumes_client, the volume
status is error_deleting, not ERROR.
So this is to pass full and accurate message to DeleteErrorException
to avoid the confusion.
When extending volume reaches status error_extending, we should
return from wait_for_volume_resource_status immediately instead
of waiting for the TimeoutException.
Starting in v1.1.0 of noVNC, it no longer forwards a token from the
URI via a cookie and we must instead specify the token as part of the
'path' query parameter.
This adds handling of the 'path' query parameter so the test_novnc
tests will be able to work with a console access url that has the token
in the 'path' query parameter instead of in a cookie and thus work with
noVNC >= v1.1.0.
This change introduces a true cinder host to host attached volume
migration test in addition to the existing attached volume retype test.
To enable this two new calls are introduced to the v3 volume client to
allow all volume backends to be listed per project and to also call for
a direct volume migration between backends.
autopep8 is an automated code formatting tool for python,
it does not know everything, also not super fast,
but it is faster than I can manually reformat the code.
tools/format.sh will call the formatting,
the tox will check did you called it.
Also adding a tox -eautopep8 way to use it.
autopep8 formats the lines in one way,
where tempest used a another way it was changed.
We need to know the result of the command run
in get_nic_name_by_ip to see what is getting parsed
since we are returning the empty string in some
cases which results in an error because
/var/run/udhcpc..pid does not exist in the guest.
When creating a test server and the volume fails to build
a VolumeResourceBuildErrorException is raised causing a resource
leak on the testing system
This change aims to remove the volume before raising the exception
to the calling test so that the system is properly cleaned up of
testing resources before exiting.
Previously, Tempest's default for scheduler_available_filters was
'all'. This was different from Nova's default enabled_filters, which
does *not* include all possible filters available in Nova. Thus, in a
deployment where both options were kept at their default value,
Tempest's is_scheduler_filter_enabled() would return True for all
filters, even if those filters weren't enabled in Nova. In addition,
the 'available' wording could be made clearer. This patch deprecates
scheduler_available_filters, replacing it with
scheduler_enabled_filters. The latter has its default value set to
Nova's enabled_filters default.
This is next step patch from https://review.openstack.org/#/c/573118/
which makes all the volume service clients alias with _latest suffix.
As all the volume clients point to v3 service client only, having
alias with _v2_ or _v3_ name are confusing.
This commit provide alias with _latest suffix and use them in
tempest. As old alias are being used in tempest plugins also,
we keep the old alias also and slowly will move each plugins to
start using new alias.
The method waits for an interface to be detached from a server.
It will be used in the subsequent patch that tests tagged device
attach and detach (nova API 2.49).
If the VNC is running at a default port and the address returned
is an address which does not contain a port, then the VNC tests
fail to connect because they attempt to call a socket connect
without an IP listed.
In addition, this makes sure that the Host header does not include
a port if we are hitting the default port so things are clean.
Config option 'resources_prefix' was deprecated. It is
used by only manila plugin which fix has been commited.
This commit removes this config option and hardcode the
resource prefix as 'tempest'
This commit removes a confusing comment. This "l.58" indicated that
around line 126 - `if multiple_create_request:` condition, originally.
(The condition has been modified from the original one, though.) And, we
shouldn't fix it to 'l.126' because it isn't stable.