Add firewall behavior assertions to testinfra testing

This attempts to exercise our firewall rules externally via the bridge
host in our testinfra testing. If we like this style of rule we can add
a number of tests for various firewall behaviors that we want to ensure.

Change-Id: I4ee63bc6f15af9b68fc1c690c5d92f4bf9c756c3
Clark Boylan 2021-12-14 15:28:31 -08:00
parent b044cba65a
commit 53522910fb
2 changed files with 34 additions and 0 deletions


@ -13,6 +13,7 @@
# under the License. # under the License.
import json import json
import util
testinfra_hosts = ['zk04.opendev.org'] testinfra_hosts = ['zk04.opendev.org']
@ -53,3 +54,23 @@ def test_zookeeper_statsd_running(host):
out = json.loads(cmd.stdout) out = json.loads(cmd.stdout)
assert out[0]["State"]["Status"] == "running" assert out[0]["State"]["Status"] == "running"
assert out[0]["RestartCount"] == 0 assert out[0]["RestartCount"] == 0
def test_zk_2181_accessibility(host):
# Ask the host to report its own IP addresses. This will use our test
# local /etc/hosts values and not DNS.
zk = host.addr("zk04.opendev.org")
# Verify it is using our local /etc/hosts values
print(zk.ipv4_addresses)
print(zk.ipv6_addresses)
for addr in zk.ipv4_addresses + zk.ipv6_addresses:
if addr.startswith("::ffff:"):
# This is an ipv4 address mapped to ipv6 and is covered by
# the ipv4_addresses list
continue
if addr.startswith("127.") or addr == "::1":
# We don't want to talk to localhost as we are connecting
# from our test bridge instance.
continue
util.check_unreachable(addr, 2181)
util.check_unreachable(addr, 2281)
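Review bot: The loop in test_zk_2181_accessibility can pass without making a single connection attempt: if `host.addr("zk04.opendev.org")` returns only loopback or v4-mapped addresses, or nothing at all, every iteration hits `continue` and the firewall is never exercised. Collect the filtered addresses first and add `assert addrs, "no non-loopback address resolved for zk04.opendev.org"` before the checks, so a broken /etc/hosts shows up as a failure rather than a green firewall test. The two `print` calls sit under a "Verify" comment but assert nothing; comparing the lists against the expected test addresses would make that check real. The test name mentions only 2181 while the body also probes 2281, so a one-line comment saying what each port is for would help the next reader.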


@ -121,3 +121,16 @@ def verify_iptables(host):
assert snmp in ip6rules assert snmp in ip6rules
return rules return rules
def check_unreachable(addr, port, errno=113):
# errno 113 is no route to host
try:
s = socket.create_connection((addr, port), timeout=10)
except OSError as e:
# No route to host
assert e.errno == errno
else:
s.close()
# We should always error.
assert False
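Review bot: In check_unreachable the bare `assert e.errno == errno` gives no way to tell failure modes apart: a connect timeout carries no errno (packets silently dropped), while ECONNREFUSED would mean the packet passed the firewall and only found no listener. Put the target and the exception in the message, e.g. `assert e.errno == errno, f"{addr}:{port}: expected errno {errno}, got {e!r}"`, and replace `assert False` with `raise AssertionError(f"{addr}:{port} accepted a connection")`. The default 113 is the Linux value of EHOSTUNREACH; `errno.EHOSTUNREACH` would state that in code, but the parameter name `errno` shadows that module inside the function, so renaming it (for example `expected_errno`) is worth considering. The hunk does not show an `import socket`; presumably the file already has one, but confirm.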