openstack/ironic-inspector
Code Issues Proposed changes

Remove non-inclusive language in pxe filter

Browse Source 
Replaces the use of black/white-list with deny/allow-list
in the pxe filter.

Change-Id: I84e6343fc13e4c4c02521499632a07e782088057
This commit is contained in:
Harald Jensås 2020-07-09 00:01:42 +02:00
parent b1e79e0b4d
commit a1f8926cd1
6 changed files with 141 additions and 142 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CONTRIBUTING.rst
View File

@ -349,8 +349,7 @@ The contract between **inspector** and a PXE filter driver is described in the
internal driver state
* :meth:`~FilterDriver.sync` called both periodically and when a node starts or
finishes introspection to white or blacklist its ports MAC addresses in the
driver
finishes introspection to allow or deny its ports MAC addresses in the driver
* :meth:`~FilterDriver.tear_down_filter` called on service exit to reset the
internal driver state

4
doc/source/admin/dnsmasq-pxe-filter.rst
View File

@ -24,7 +24,7 @@ file parsing. The content of the file determines the MAC address access policy.
Thanks to the ``inotify`` facility, **dnsmasq** is notified once a new file is
*created* or an existing file is *modified* in the DHCP hosts directory. Thus,
to white-list a MAC address, the filter removes the ``ignore`` directive::
to allow a MAC address, the filter removes the ``ignore`` directive::
$ cat /etc/dnsmasq.d/de-ad-be-ef-de-ad
de:ad:be:ef:de:ad
@ -121,5 +121,5 @@ start-up.
Although the filter driver tries its best to always stop the **dnsmasq**
service, it is recommended that the operator configures the **dnsmasq**
service in such a way that it terminates upon **ironic-inspector**
(unexpected) exit to prevent a stale blacklist from being used by the
(unexpected) exit to prevent a stale deny list from being used by the
**dnsmasq** service.

110
ironic_inspector/pxe_filter/dnsmasq.py
View File

@ -44,18 +44,18 @@ _EXCLUSIVE_WRITE_ATTEMPTS = 10
_EXCLUSIVE_WRITE_ATTEMPTS_DELAY = 0.01
_ROOTWRAP_COMMAND = 'sudo ironic-inspector-rootwrap {rootwrap_config!s}'
_MACBL_LEN = len('ff:ff:ff:ff:ff:ff,ignore\n')
_MACWL_LEN = len('ff:ff:ff:ff:ff:ff\n')
_MAC_DENY_LEN = len('ff:ff:ff:ff:ff:ff,ignore\n')
_MAC_ALLOW_LEN = len('ff:ff:ff:ff:ff:ff\n')
_UNKNOWN_HOSTS_FILE = 'unknown_hosts_filter'
_BLACKLIST_UNKNOWN_HOSTS = '*:*:*:*:*:*,ignore\n'
_WHITELIST_UNKNOWN_HOSTS = '*:*:*:*:*:*\n'
_DENY_UNKNOWN_HOSTS = '*:*:*:*:*:*,ignore\n'
_ALLOW_UNKNOWN_HOSTS = '*:*:*:*:*:*\n'
def _should_enable_unknown_hosts():
"""Check whether we should enable DHCP for unknown hosts
We blacklist unknown hosts unless one or more nodes are on introspection
and node_not_found_hook is not set.
We add unknown hosts to the deny list unless one or more nodes are on
introspection and node_not_found_hook is not set.
"""
return (node_cache.introspection_active() or
CONF.processing.node_not_found_hook is not None)
@ -89,24 +89,24 @@ class DnsmasqFilter(pxe_filter.BaseFilter):
ironic_macs = set(port.address for port in
ir_utils.call_with_retries(ironic.ports, limit=None,
fields=['address']))
blacklist, whitelist = _get_black_white_lists()
# removedlist are the MACs that are in either blacklist or whitelist,
denylist, allowlist = _get_deny_allow_lists()
# removedlist are the MACs that are in either in allow or denylist,
# but not kept in ironic (ironic_macs) any more
removedlist = blacklist.union(whitelist).difference(ironic_macs)
removedlist = denylist.union(allowlist).difference(ironic_macs)
# Whitelist active MACs that are not already whitelisted
for mac in active_macs.difference(whitelist):
_whitelist_mac(mac)
# Blacklist any ironic MACs that is not active for introspection unless
# it is already blacklisted
for mac in ironic_macs.difference(blacklist.union(active_macs)):
_blacklist_mac(mac)
# Add active MACs that are not already in the allowlist
for mac in active_macs.difference(allowlist):
_add_mac_to_allowlist(mac)
# Add any ironic MACs that is not active for introspection to the
# deny list unless it is already present
for mac in ironic_macs.difference(denylist.union(active_macs)):
_add_mac_to_denylist(mac)
# Whitelist or Blacklist unknown hosts and MACs not kept in ironic
# Allow or deny unknown hosts and MACs not kept in ironic
# NOTE(hjensas): Treat unknown hosts and MACs not kept in ironic the
# same. Neither should boot the inspection image unless introspection
# is active. Deleted MACs must be whitelisted when introspection is
# active in case the host is re-enrolled.
# is active. Deleted MACs must be added to the allow list when
# introspection is active in case the host is re-enrolled.
_configure_unknown_hosts()
_configure_removedlist(removedlist)
@ -119,8 +119,8 @@ class DnsmasqFilter(pxe_filter.BaseFilter):
"""Sync dnsmasq configuration with current Ironic&Inspector state.
Polls all ironic ports. Those being inspected, the active ones, are
whitelisted while the rest are blacklisted in the dnsmasq
configuration.
added to the allow list while the rest are added to the deny list in
the dnsmasq configuration.
:param ironic: an ironic client instance.
:raises: OSError, IOError.
@ -133,8 +133,8 @@ class DnsmasqFilter(pxe_filter.BaseFilter):
"""Performs an initial sync with ironic and starts dnsmasq.
The initial _sync() call reduces the chances dnsmasq might lose
some inotify blacklist events by prefetching the blacklist before
the dnsmasq is started.
some inotify deny list events by prefetching the list before dnsmasq
is started.
:raises: OSError, IOError.
:returns: None.
@ -166,23 +166,23 @@ def _purge_dhcp_hostsdir():
LOG.debug('Removed %s', path)
def _get_black_white_lists():
"""Get addresses currently blacklisted in dnsmasq.
def _get_deny_allow_lists():
"""Get addresses currently denied by dnsmasq.
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid.
:returns: a set of MACs currently blacklisted in dnsmasq.
:returns: a set of MACs currently denied by dnsmasq.
"""
hostsdir = CONF.dnsmasq_pxe_filter.dhcp_hostsdir
# whitelisted MACs lack the ,ignore directive
blacklist = set()
whitelist = set()
# MACs in the allow list lack the ,ignore directive
denylist = set()
allowlist = set()
for mac in os.listdir(hostsdir):
if os.stat(os.path.join(hostsdir, mac)).st_size == _MACBL_LEN:
blacklist.add(mac)
if os.stat(os.path.join(hostsdir, mac)).st_size == _MACWL_LEN:
whitelist.add(mac)
if os.stat(os.path.join(hostsdir, mac)).st_size == _MAC_DENY_LEN:
denylist.add(mac)
if os.stat(os.path.join(hostsdir, mac)).st_size == _MAC_ALLOW_LEN:
allowlist.add(mac)
return blacklist, whitelist
return denylist, allowlist
def _exclusive_write_or_pass(path, buf):
@ -225,7 +225,7 @@ def _exclusive_write_or_pass(path, buf):
def _configure_removedlist(macs):
"""Manages a dhcp_hostsdir ignore/not-ignore record for removed macs
"""Manages a dhcp_hostsdir allow/deny record for removed macs
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
:returns: None.
@ -235,16 +235,16 @@ def _configure_removedlist(macs):
if _should_enable_unknown_hosts():
for mac in macs:
if os.stat(os.path.join(hostsdir, mac)).st_size != _MACWL_LEN:
_whitelist_mac(mac)
if os.stat(os.path.join(hostsdir, mac)).st_size != _MAC_ALLOW_LEN:
_add_mac_to_allowlist(mac)
else:
for mac in macs:
if os.stat(os.path.join(hostsdir, mac)).st_size != _MACBL_LEN:
_blacklist_mac(mac)
if os.stat(os.path.join(hostsdir, mac)).st_size != _MAC_DENY_LEN:
_add_mac_to_denylist(mac)
def _configure_unknown_hosts():
"""Manages a dhcp_hostsdir ignore/not-ignore record for unknown macs.
"""Manages a dhcp_hostsdir allow/deny record for unknown macs.
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
IOError in case the dhcp host unknown file isn't writable.
@ -254,13 +254,13 @@ def _configure_unknown_hosts():
_UNKNOWN_HOSTS_FILE)
if _should_enable_unknown_hosts():
wildcard_filter = _WHITELIST_UNKNOWN_HOSTS
log_wildcard_filter = 'whitelist'
wildcard_filter = _ALLOW_UNKNOWN_HOSTS
log_wildcard_filter = 'allow'
else:
wildcard_filter = _BLACKLIST_UNKNOWN_HOSTS
log_wildcard_filter = 'blacklist'
wildcard_filter = _DENY_UNKNOWN_HOSTS
log_wildcard_filter = 'deny'
# Don't update if unknown hosts are already black/white-listed
# Don't update if unknown hosts are already in the deny/allow-list
try:
if os.stat(path).st_size == len(wildcard_filter):
return
@ -276,8 +276,8 @@ def _configure_unknown_hosts():
'retrying next periodic sync time', log_wildcard_filter)
def _blacklist_mac(mac):
"""Creates a dhcp_hostsdir ignore record for the MAC.
def _add_mac_to_denylist(mac):
"""Creates a dhcp_hostsdir deny record for the MAC.
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
IOError in case the dhcp host MAC file isn't writable.
@ -285,14 +285,14 @@ def _blacklist_mac(mac):
"""
path = os.path.join(CONF.dnsmasq_pxe_filter.dhcp_hostsdir, mac)
if _exclusive_write_or_pass(path, '%s,ignore\n' % mac):
LOG.debug('Blacklisted %s', mac)
LOG.debug('MAC %s added to the deny list', mac)
else:
LOG.warning('Failed to blacklist %s; retrying next periodic sync '
'time', mac)
LOG.warning('Failed to add MAC %s to the deny list; retrying next '
'periodic sync time', mac)
def _whitelist_mac(mac):
"""Un-ignores the dhcp_hostsdir record for the MAC.
def _add_mac_to_allowlist(mac):
"""Update the dhcp_hostsdir record for the MAC adding it to allow list
:raises: FileNotFoundError in case the dhcp_hostsdir is invalid,
IOError in case the dhcp host MAC file isn't writable.
@ -301,10 +301,10 @@ def _whitelist_mac(mac):
path = os.path.join(CONF.dnsmasq_pxe_filter.dhcp_hostsdir, mac)
# remove the ,ignore directive
if _exclusive_write_or_pass(path, '%s\n' % mac):
LOG.debug('Whitelisted %s', mac)
LOG.debug('MAC %s removed from the deny list', mac)
else:
LOG.warning('Failed to whitelist %s; retrying next periodic sync '
'time', mac)
LOG.warning('Failed to remove MAC %s from the deny list; retrying '
'next periodic sync time', mac)
def _execute(cmd=None, ignore_errors=False):

28
ironic_inspector/pxe_filter/iptables.py
View File

@ -45,7 +45,7 @@ class IptablesFilter(pxe_filter.BaseFilter):
def __init__(self):
super(IptablesFilter, self).__init__()
self.blacklist_cache = None
self.denylist_cache = None
self.enabled = True
self.interface = CONF.iptables.dnsmasq_interface
self.chain = CONF.iptables.firewall_chain
@ -65,7 +65,7 @@ class IptablesFilter(pxe_filter.BaseFilter):
def reset(self):
self.enabled = True
self.blacklist_cache = None
self.denylist_cache = None
for chain in (self.chain, self.new_chain):
try:
self._clean_up(chain)
@ -114,26 +114,26 @@ class IptablesFilter(pxe_filter.BaseFilter):
self._disable_dhcp()
return
to_blacklist = _get_blacklist(ironic)
if to_blacklist == self.blacklist_cache:
to_deny = _get_denylist(ironic)
if to_deny == self.denylist_cache:
LOG.debug('Not updating iptables - no changes in MAC list %s',
to_blacklist)
to_deny)
return
LOG.debug('Blacklisting active MAC\'s %s', to_blacklist)
LOG.debug('Adding active MAC\'s %s to the deny list', to_deny)
with self._temporary_chain(self.new_chain, self.chain):
# Force update on the next iteration if this attempt fails
self.blacklist_cache = None
# - Blacklist active macs, so that nova can boot them
for mac in to_blacklist:
self.denylist_cache = None
# - Add active macs to the deny list, so that nova can boot them
for mac in to_deny:
self._iptables('-A', self.new_chain, '-m', 'mac',
'--mac-source', mac, '-j', 'DROP')
# - Whitelist everything else
# - Add everything else to the allow list
self._iptables('-A', self.new_chain, '-j', 'ACCEPT')
# Cache result of successful iptables update
self.enabled = True
self.blacklist_cache = to_blacklist
self.denylist_cache = to_deny
LOG.debug('The iptables filter was synchronized')
@contextlib.contextmanager
@ -185,9 +185,9 @@ class IptablesFilter(pxe_filter.BaseFilter):
LOG.debug('No nodes on introspection and node_not_found_hook is '
'not set - disabling DHCP')
self.blacklist_cache = None
self.denylist_cache = None
with self._temporary_chain(self.new_chain, self.chain):
# Blacklist everything
# deny everything
self._iptables('-A', self.new_chain, '-j', 'REJECT')
self.enabled = False
@ -230,7 +230,7 @@ def _ib_mac_to_rmac_mapping(ports):
port.address = match.group(1)
def _get_blacklist(ironic):
def _get_denylist(ironic):
ports = [port for port in
ir_utils.call_with_retries(ironic.ports, limit=None,
fields=['address', 'extra'])

84
ironic_inspector/test/unit/test_dnsmasq_pxe_filter.py
View File

@ -221,7 +221,7 @@ class TestMACHandlers(test_base.BaseTest):
self.mock_introspection_active = self.useFixture(
fixtures.MockPatchObject(node_cache, 'introspection_active')).mock
def test__whitelist_unknown_hosts(self):
def test__allowlist_unknown_hosts(self):
self.mock_join.return_value = "%s/%s" % (self.dhcp_hostsdir,
dnsmasq._UNKNOWN_HOSTS_FILE)
self.mock_introspection_active.return_value = True
@ -231,12 +231,12 @@ class TestMACHandlers(test_base.BaseTest):
dnsmasq._UNKNOWN_HOSTS_FILE)
self.mock__exclusive_write_or_pass.assert_called_once_with(
self.mock_join.return_value,
'%s' % dnsmasq._WHITELIST_UNKNOWN_HOSTS)
'%s' % dnsmasq._ALLOW_UNKNOWN_HOSTS)
self.mock_log.debug.assert_called_once_with(
'A %s record for all unknown hosts using wildcard mac '
'created', 'whitelist')
'created', 'allow')
def test__blacklist_unknown_hosts(self):
def test__denylist_unknown_hosts(self):
self.mock_join.return_value = "%s/%s" % (self.dhcp_hostsdir,
dnsmasq._UNKNOWN_HOSTS_FILE)
self.mock_introspection_active.return_value = False
@ -246,14 +246,14 @@ class TestMACHandlers(test_base.BaseTest):
dnsmasq._UNKNOWN_HOSTS_FILE)
self.mock__exclusive_write_or_pass.assert_called_once_with(
self.mock_join.return_value,
'%s' % dnsmasq._BLACKLIST_UNKNOWN_HOSTS)
'%s' % dnsmasq._DENY_UNKNOWN_HOSTS)
self.mock_log.debug.assert_called_once_with(
'A %s record for all unknown hosts using wildcard mac '
'created', 'blacklist')
'created', 'deny')
def test__configure_removedlist_whitelist(self):
def test__configure_removedlist_allowlist(self):
self.mock_introspection_active.return_value = True
self.mock_stat.return_value.st_size = dnsmasq._MACBL_LEN
self.mock_stat.return_value.st_size = dnsmasq._MAC_DENY_LEN
dnsmasq._configure_removedlist({self.mac})
@ -261,9 +261,9 @@ class TestMACHandlers(test_base.BaseTest):
self.mock__exclusive_write_or_pass.assert_called_once_with(
self.mock_join.return_value, '%s\n' % self.mac)
def test__configure_removedlist_blacklist(self):
def test__configure_removedlist_denylist(self):
self.mock_introspection_active.return_value = False
self.mock_stat.return_value.st_size = dnsmasq._MACWL_LEN
self.mock_stat.return_value.st_size = dnsmasq._MAC_ALLOW_LEN
dnsmasq._configure_removedlist({self.mac})
@ -271,56 +271,56 @@ class TestMACHandlers(test_base.BaseTest):
self.mock__exclusive_write_or_pass.assert_called_once_with(
self.mock_join.return_value, '%s,ignore\n' % self.mac)
def test__whitelist_mac(self):
dnsmasq._whitelist_mac(self.mac)
def test__allowlist_mac(self):
dnsmasq._add_mac_to_allowlist(self.mac)
self.mock_join.assert_called_once_with(self.dhcp_hostsdir, self.mac)
self.mock__exclusive_write_or_pass.assert_called_once_with(
self.mock_join.return_value, '%s\n' % self.mac)
def test__blacklist_mac(self):
dnsmasq._blacklist_mac(self.mac)
def test__denylist_mac(self):
dnsmasq._add_mac_to_denylist(self.mac)
self.mock_join.assert_called_once_with(self.dhcp_hostsdir, self.mac)
self.mock__exclusive_write_or_pass.assert_called_once_with(
self.mock_join.return_value, '%s,ignore\n' % self.mac)
def test__get_blacklist(self):
def test__get_denylist(self):
self.mock_listdir.return_value = [self.mac]
self.mock_stat.return_value.st_size = len('%s,ignore\n' % self.mac)
blacklist, whitelist = dnsmasq._get_black_white_lists()
denylist, allowlist = dnsmasq._get_deny_allow_lists()
self.assertEqual({self.mac}, blacklist)
self.assertEqual({self.mac}, denylist)
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
self.mock_stat.assert_called_with(self.mock_join.return_value)
def test__get_whitelist(self):
def test__get_allowlist(self):
self.mock_listdir.return_value = [self.mac]
self.mock_stat.return_value.st_size = len('%s\n' % self.mac)
blacklist, whitelist = dnsmasq._get_black_white_lists()
denylist, allowlist = dnsmasq._get_deny_allow_lists()
self.assertEqual({self.mac}, whitelist)
self.assertEqual({self.mac}, allowlist)
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
self.mock_stat.assert_called_with(self.mock_join.return_value)
def test__get_no_blacklist(self):
def test__get_no_denylist(self):
self.mock_listdir.return_value = [self.mac]
self.mock_stat.return_value.st_size = len('%s\n' % self.mac)
blacklist, whitelist = dnsmasq._get_black_white_lists()
denylist, allowlist = dnsmasq._get_deny_allow_lists()
self.assertEqual(set(), blacklist)
self.assertEqual(set(), denylist)
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
self.mock_stat.assert_called_with(self.mock_join.return_value)
def test__get_no_whitelist(self):
def test__get_no_allowlist(self):
self.mock_listdir.return_value = [self.mac]
self.mock_stat.return_value.st_size = len('%s,ignore\n' % self.mac)
blacklist, whitelist = dnsmasq._get_black_white_lists()
denylist, allowlist = dnsmasq._get_deny_allow_lists()
self.assertEqual(set(), whitelist)
self.assertEqual(set(), allowlist)
self.mock_listdir.assert_called_once_with(self.dhcp_hostsdir)
self.mock_join.assert_called_with(self.dhcp_hostsdir, self.mac)
self.mock_stat.assert_called_with(self.mock_join.return_value)
@ -348,12 +348,12 @@ class TestMACHandlers(test_base.BaseTest):
class TestSync(DnsmasqTestBase):
def setUp(self):
super(TestSync, self).setUp()
self.mock__get_black_white_lists = self.useFixture(
fixtures.MockPatchObject(dnsmasq, '_get_black_white_lists')).mock
self.mock__whitelist_mac = self.useFixture(
fixtures.MockPatchObject(dnsmasq, '_whitelist_mac')).mock
self.mock__blacklist_mac = self.useFixture(
fixtures.MockPatchObject(dnsmasq, '_blacklist_mac')).mock
self.mock__get_deny_allow_lists = self.useFixture(
fixtures.MockPatchObject(dnsmasq, '_get_deny_allow_lists')).mock
self.mock__add_mac_to_allowlist = self.useFixture(
fixtures.MockPatchObject(dnsmasq, '_add_mac_to_allowlist')).mock
self.mock__add_mac_to_denylist = self.useFixture(
fixtures.MockPatchObject(dnsmasq, '_add_mac_to_denylist')).mock
self.mock__configure_unknown_hosts = self.useFixture(
fixtures.MockPatchObject(dnsmasq, '_configure_unknown_hosts')).mock
self.mock__configure_removedlist = self.useFixture(
@ -376,10 +376,10 @@ class TestSync(DnsmasqTestBase):
fixtures.MockPatchObject(node_cache, 'active_macs')).mock
self.ironic_macs = {'new_mac', 'active_mac'}
self.active_macs = {'active_mac'}
self.blacklist = {'gone_mac', 'active_mac'}
self.whitelist = {}
self.mock__get_black_white_lists.return_value = (self.blacklist,
self.whitelist)
self.denylist = {'gone_mac', 'active_mac'}
self.allowlist = {}
self.mock__get_deny_allow_lists.return_value = (self.denylist,
self.allowlist)
self.mock_ironic.ports.return_value = [
mock.Mock(address=address) for address in self.ironic_macs]
self.mock_active_macs.return_value = self.active_macs
@ -403,13 +403,13 @@ class TestSync(DnsmasqTestBase):
def test__sync(self):
self.driver._sync(self.mock_ironic)
self.mock__whitelist_mac.assert_called_once_with('active_mac')
self.mock__blacklist_mac.assert_called_once_with('new_mac')
self.mock__add_mac_to_allowlist.assert_called_once_with('active_mac')
self.mock__add_mac_to_denylist.assert_called_once_with('new_mac')
self.mock_ironic.ports.assert_called_once_with(
limit=None, fields=['address'])
self.mock_active_macs.assert_called_once_with()
self.mock__get_black_white_lists.assert_called_once_with()
self.mock__get_deny_allow_lists.assert_called_once_with()
self.mock__configure_unknown_hosts.assert_called_once_with()
self.mock__configure_removedlist.assert_called_once_with({'gone_mac'})
self.mock_log.debug.assert_has_calls([
@ -426,13 +426,13 @@ class TestSync(DnsmasqTestBase):
]
self.driver._sync(self.mock_ironic)
self.mock__whitelist_mac.assert_called_once_with('active_mac')
self.mock__blacklist_mac.assert_called_once_with('new_mac')
self.mock__add_mac_to_allowlist.assert_called_once_with('active_mac')
self.mock__add_mac_to_denylist.assert_called_once_with('new_mac')
self.mock_ironic.ports.assert_called_with(
limit=None, fields=['address'])
self.mock_active_macs.assert_called_once_with()
self.mock__get_black_white_lists.assert_called_once_with()
self.mock__get_deny_allow_lists.assert_called_once_with()
self.mock__configure_removedlist.assert_called_once_with({'gone_mac'})
self.mock_log.debug.assert_has_calls([
mock.call('Syncing the driver'),

54
ironic_inspector/test/unit/test_iptables.py
View File

@ -44,9 +44,9 @@ class TestIptablesDriver(test_base.NodeTest):
fixtures.MockPatchObject(self.driver, '_iptables')).mock
self.mock_should_enable_dhcp = self.useFixture(
fixtures.MockPatchObject(iptables, '_should_enable_dhcp')).mock
self.mock__get_blacklist = self.useFixture(
fixtures.MockPatchObject(iptables, '_get_blacklist')).mock
self.mock__get_blacklist.return_value = []
self.mock__get_denylist = self.useFixture(
fixtures.MockPatchObject(iptables, '_get_denylist')).mock
self.mock__get_denylist.return_value = []
self.mock_ironic = mock.Mock()
def check_fsm(self, events):
@ -143,7 +143,7 @@ class TestIptablesDriver(test_base.NodeTest):
for (args, call) in zip(_iptables_expected_args,
call_args_list):
self.assertEqual(args, call[0])
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic)
self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
self.check_fsm([pxe_filter.Events.sync])
def test__iptables_args_ipv4(self):
@ -175,11 +175,11 @@ class TestIptablesDriver(test_base.NodeTest):
self.assertEqual(kwargs, call[1])
self.check_fsm([pxe_filter.Events.sync])
def _test_sync_with_blacklist(self, expected_port):
def _test_sync_with_denylist(self, expected_port):
self.driver = iptables.IptablesFilter()
self.mock_iptables = self.useFixture(
fixtures.MockPatchObject(self.driver, '_iptables')).mock
self.mock__get_blacklist.return_value = ['AA:BB:CC:DD:EE:FF']
self.mock__get_denylist.return_value = ['AA:BB:CC:DD:EE:FF']
self.mock_should_enable_dhcp.return_value = True
_iptables_expected_args = [
@ -188,9 +188,9 @@ class TestIptablesDriver(test_base.NodeTest):
('-F', self.driver.new_chain),
('-X', self.driver.new_chain),
('-N', self.driver.new_chain),
# Blacklist
# deny
('-A', self.driver.new_chain, '-m', 'mac', '--mac-source',
self.mock__get_blacklist.return_value[0], '-j', 'DROP'),
self.mock__get_denylist.return_value[0], '-j', 'DROP'),
('-A', self.driver.new_chain, '-j', 'ACCEPT'),
('-I', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport',
expected_port, '-j', self.driver.new_chain),
@ -208,36 +208,36 @@ class TestIptablesDriver(test_base.NodeTest):
for (args, call) in zip(_iptables_expected_args,
call_args_list):
self.assertEqual(args, call[0])
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic)
self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
# check caching
self.mock_iptables.reset_mock()
self.mock__get_blacklist.reset_mock()
self.mock__get_denylist.reset_mock()
self.driver.sync(self.mock_ironic)
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic)
self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
self.assertFalse(self.mock_iptables.called)
def test_sync_with_blacklist_ipv4(self):
def test_sync_with_denylist_ipv4(self):
CONF.set_override('ip_version', '4', 'iptables')
self._test_sync_with_blacklist('67')
self._test_sync_with_denylist('67')
def test_sync_with_blacklist_ipv6(self):
def test_sync_with_denylist_ipv6(self):
CONF.set_override('ip_version', '6', 'iptables')
self._test_sync_with_blacklist('547')
self._test_sync_with_denylist('547')
def _test__iptables_clean_cache_on_error(self, expected_port):
self.driver = iptables.IptablesFilter()
self.mock_iptables = self.useFixture(
fixtures.MockPatchObject(self.driver, '_iptables')).mock
self.mock__get_blacklist.return_value = ['AA:BB:CC:DD:EE:FF']
self.mock__get_denylist.return_value = ['AA:BB:CC:DD:EE:FF']
self.mock_should_enable_dhcp.return_value = True
self.mock_iptables.side_effect = [None, None, RuntimeError('Oops!'),
None, None, None, None, None, None]
self.assertRaises(RuntimeError, self.driver.sync, self.mock_ironic)
self.check_fsm([pxe_filter.Events.sync, pxe_filter.Events.reset])
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic)
self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
# check caching
syncs_expected_args = [
@ -247,9 +247,9 @@ class TestIptablesDriver(test_base.NodeTest):
('-F', self.driver.new_chain),
('-X', self.driver.new_chain),
('-N', self.driver.new_chain),
# Blacklist
# deny
('-A', self.driver.new_chain, '-m', 'mac', '--mac-source',
self.mock__get_blacklist.return_value[0], '-j', 'DROP'),
self.mock__get_denylist.return_value[0], '-j', 'DROP'),
('-A', self.driver.new_chain, '-j', 'ACCEPT'),
('-I', 'INPUT', '-i', 'br-ctlplane', '-p', 'udp', '--dport',
expected_port, '-j', self.driver.new_chain),
@ -262,7 +262,7 @@ class TestIptablesDriver(test_base.NodeTest):
self.mock_iptables.reset_mock()
self.mock_iptables.side_effect = None
self.mock__get_blacklist.reset_mock()
self.mock__get_denylist.reset_mock()
self.mock_fsm.reset_mock()
self.driver.sync(self.mock_ironic)
self.check_fsm([pxe_filter.Events.sync])
@ -271,7 +271,7 @@ class TestIptablesDriver(test_base.NodeTest):
for (idx, (args, call)) in enumerate(zip(syncs_expected_args,
call_args_list)):
self.assertEqual(args, call[0], 'idx: %s' % idx)
self.mock__get_blacklist.assert_called_once_with(self.mock_ironic)
self.mock__get_denylist.assert_called_once_with(self.mock_ironic)
def test__iptables_clean_cache_on_error_ipv4(self):
CONF.set_override('ip_version', '4', 'iptables')
@ -377,9 +377,9 @@ class TestIBMapping(test_base.BaseTest):
mock_open.assert_not_called()
class TestGetBlacklist(test_base.BaseTest):
class TestGetDenylist(test_base.BaseTest):
def setUp(self):
super(TestGetBlacklist, self).setUp()
super(TestGetDenylist, self).setUp()
self.mock__ib_mac_to_rmac_mapping = self.useFixture(
fixtures.MockPatchObject(iptables, '_ib_mac_to_rmac_mapping')).mock
self.mock_active_macs = self.useFixture(
@ -394,8 +394,8 @@ class TestGetBlacklist(test_base.BaseTest):
self.mock_ironic.ports.return_value = mock_ports_list
self.mock_active_macs.return_value = {'foo'}
ports = iptables._get_blacklist(self.mock_ironic)
# foo is an active address so we expect the blacklist contains only bar
ports = iptables._get_denylist(self.mock_ironic)
# foo is an active address so we expect the denylist contain only bar
self.assertEqual(['bar'], ports)
self.mock_ironic.ports.assert_called_once_with(
limit=None, fields=['address', 'extra'])
@ -414,8 +414,8 @@ class TestGetBlacklist(test_base.BaseTest):
]
self.mock_active_macs.return_value = {'foo'}
ports = iptables._get_blacklist(self.mock_ironic)
# foo is an active address so we expect the blacklist contains only bar
ports = iptables._get_denylist(self.mock_ironic)
# foo is an active address so we expect the denylist contain only bar
self.assertEqual(['bar'], ports)
self.mock_ironic.ports.assert_called_with(
limit=None, fields=['address', 'extra'])