Merge "CI: add host configure tests for firewalld"
commit
b150f57a4e
@ -46,26 +46,31 @@ test_net_eth_vlan_rules:
|
|||||||
- from: 192.168.35.0/24
|
- from: 192.168.35.0/24
|
||||||
table: kayobe-test-route-table
|
table: kayobe-test-route-table
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
test_net_eth_vlan_zone: test-zone1
|
||||||
|
|
||||||
# br0: bridge with ports dummy3, dummy4.
|
# br0: bridge with ports dummy3, dummy4.
|
||||||
test_net_bridge_cidr: 192.168.36.0/24
|
test_net_bridge_cidr: 192.168.36.0/24
|
||||||
test_net_bridge_interface: br0
|
test_net_bridge_interface: br0
|
||||||
test_net_bridge_bridge_ports: [dummy3, dummy4]
|
test_net_bridge_bridge_ports: [dummy3, dummy4]
|
||||||
|
test_net_bridge_zone: test-zone2
|
||||||
|
|
||||||
# br0.43: VLAN subinterface of br0.
|
# br0.43: VLAN subinterface of br0.
|
||||||
test_net_bridge_vlan_cidr: 192.168.37.0/24
|
test_net_bridge_vlan_cidr: 192.168.37.0/24
|
||||||
test_net_bridge_vlan_interface: "{% raw %}{{ test_net_bridge_interface }}.{{ test_net_bridge_vlan_vlan }}{% endraw %}"
|
test_net_bridge_vlan_interface: "{% raw %}{{ test_net_bridge_interface }}.{{ test_net_bridge_vlan_vlan }}{% endraw %}"
|
||||||
test_net_bridge_vlan_vlan: 43
|
test_net_bridge_vlan_vlan: 43
|
||||||
|
test_net_bridge_vlan_zone: test-zone3
|
||||||
|
|
||||||
# bond0: bond with slaves dummy5, dummy6.
|
# bond0: bond with slaves dummy5, dummy6.
|
||||||
test_net_bond_cidr: 192.168.38.0/24
|
test_net_bond_cidr: 192.168.38.0/24
|
||||||
test_net_bond_interface: bond0
|
test_net_bond_interface: bond0
|
||||||
test_net_bond_bond_slaves: [dummy5, dummy6]
|
test_net_bond_bond_slaves: [dummy5, dummy6]
|
||||||
|
test_net_bond_zone: test-zone3
|
||||||
|
|
||||||
# bond0.44: VLAN subinterface of bond0.
|
# bond0.44: VLAN subinterface of bond0.
|
||||||
test_net_bond_vlan_cidr: 192.168.39.0/24
|
test_net_bond_vlan_cidr: 192.168.39.0/24
|
||||||
test_net_bond_vlan_interface: "{% raw %}{{ test_net_bond_interface }}.{{ test_net_bond_vlan_vlan }}{% endraw %}"
|
test_net_bond_vlan_interface: "{% raw %}{{ test_net_bond_interface }}.{{ test_net_bond_vlan_vlan }}{% endraw %}"
|
||||||
test_net_bond_vlan_vlan: 44
|
test_net_bond_vlan_vlan: 44
|
||||||
|
test_net_bond_vlan_zone: public
|
||||||
|
|
||||||
# Define a software RAID device consisting of two loopback devices.
|
# Define a software RAID device consisting of two loopback devices.
|
||||||
controller_mdadm_arrays:
|
controller_mdadm_arrays:
|
||||||
@ -130,3 +135,21 @@ chrony_ntp_servers:
|
|||||||
options:
|
options:
|
||||||
- option: maxsources
|
- option: maxsources
|
||||||
val: 2
|
val: 2
|
||||||
|
|
||||||
|
# Enable firewalld (CentOS only).
|
||||||
|
controller_firewalld_enabled: true
|
||||||
|
controller_firewalld_zones:
|
||||||
|
- zone: test-zone1
|
||||||
|
- zone: test-zone2
|
||||||
|
- zone: test-zone3
|
||||||
|
controller_firewalld_default_zone:
|
||||||
|
controller_firewalld_rules:
|
||||||
|
- port: 8080/tcp
|
||||||
|
zone: test-zone1
|
||||||
|
- service: http
|
||||||
|
zone: test-zone2
|
||||||
|
- icmp_block: echo-request
|
||||||
|
zone: test-zone3
|
||||||
|
- service: cockpit
|
||||||
|
state: disabled
|
||||||
|
zone: public
|
||||||
|
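Review bot: `controller_firewalld_default_zone:` is added with no value and no comment, so a reader cannot tell whether the empty value is meant to leave the host's current default zone untouched or is an unfinished placeholder; if the former is intended, a comment such as `# Leave the default zone unchanged.` above it would settle that. The rules also reference the `public` zone, which is not listed in `controller_firewalld_zones`; presumably it is relied on as a firewalld built-in zone, and a one-line comment next to the `cockpit` rule saying so would keep the next maintainer from "fixing" the list. The hunk opens inside the `chrony_ntp_servers` mapping, whose start lies outside the visible lines.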
@ -5,11 +5,17 @@
|
|||||||
|
|
||||||
import ipaddress
|
import ipaddress
|
||||||
import os
|
import os
|
||||||
|
import time
|
||||||
|
|
||||||
import distro
|
import distro
|
||||||
import pytest
|
import pytest
|
||||||
|
|
||||||
|
|
||||||
|
def _is_firewalld_supported():
|
||||||
|
info = distro.linux_distribution()
|
||||||
|
return info[0].startswith('CentOS')
|
||||||
|
|
||||||
|
|
||||||
def _is_dnf():
|
def _is_dnf():
|
||||||
info = distro.linux_distribution()
|
info = distro.linux_distribution()
|
||||||
return info[0].startswith('CentOS')
|
return info[0].startswith('CentOS')
|
||||||
@ -204,3 +210,75 @@ def test_dnf_automatic(host):
|
|||||||
def test_tuned_profile_is_active(host):
|
def test_tuned_profile_is_active(host):
|
||||||
tuned_output = host.check_output("tuned-adm active")
|
tuned_output = host.check_output("tuned-adm active")
|
||||||
assert "throughput-performance" in tuned_output
|
assert "throughput-performance" in tuned_output
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.skipif(not _is_firewalld_supported(),
|
||||||
|
reason="Firewalld only supported on CentOS")
|
||||||
|
def test_firewalld_running(host):
|
||||||
|
assert host.package("firewalld").is_installed
|
||||||
|
assert host.service("firewalld.service").is_enabled
|
||||||
|
assert host.service("firewalld.service").is_running
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.skipif(not _is_firewalld_supported(),
|
||||||
|
reason="Firewalld only supported on CentOS")
|
||||||
|
def test_firewalld_zones(host):
|
||||||
|
# Verify that interfaces are on correct zones.
|
||||||
|
expected_zones = {
|
||||||
|
'dummy2.42': 'test-zone1',
|
||||||
|
'br0': 'test-zone2',
|
||||||
|
'br0.43': 'test-zone3',
|
||||||
|
'bond0': 'test-zone3',
|
||||||
|
'bond0.44': 'public'
|
||||||
|
}
|
||||||
|
for interface, expected_zone in expected_zones.items():
|
||||||
|
with host.sudo():
|
||||||
|
zone = host.check_output(
|
||||||
|
"firewall-cmd --get-zone-of-interface %s", interface)
|
||||||
|
assert zone == expected_zone
|
||||||
|
|
||||||
|
zone = host.check_output(
|
||||||
|
"firewall-cmd --permanent --get-zone-of-interface %s",
|
||||||
|
interface)
|
||||||
|
assert zone == expected_zone
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.skipif(not _is_firewalld_supported(),
|
||||||
|
reason="Firewalld only supported on CentOS")
|
||||||
|
def test_firewalld_rules(host):
|
||||||
|
# Verify that expected rules are present.
|
||||||
|
expected_info = {
|
||||||
|
'test-zone1': [
|
||||||
|
' services: ',
|
||||||
|
' ports: 8080/tcp',
|
||||||
|
' icmp-blocks: ',
|
||||||
|
],
|
||||||
|
'test-zone2': [
|
||||||
|
' services: http',
|
||||||
|
' ports: ',
|
||||||
|
' icmp-blocks: ',
|
||||||
|
],
|
||||||
|
'test-zone3': [
|
||||||
|
' services: ',
|
||||||
|
' ports: ',
|
||||||
|
' icmp-blocks: echo-request',
|
||||||
|
],
|
||||||
|
'public': [
|
||||||
|
' services: dhcpv6-client ssh',
|
||||||
|
' ports: ',
|
||||||
|
' icmp-blocks: ',
|
||||||
|
],
|
||||||
|
}
|
||||||
|
|
||||||
|
for zone, expected_lines in expected_info.items():
|
||||||
|
with host.sudo():
|
||||||
|
info = host.check_output(
|
||||||
|
"firewall-cmd --info-zone %s", zone)
|
||||||
|
info = info.splitlines()
|
||||||
|
perm_info = host.check_output(
|
||||||
|
"firewall-cmd --permanent --info-zone %s", zone)
|
||||||
|
perm_info = perm_info.splitlines()
|
||||||
|
|
||||||
|
for expected_line in expected_lines:
|
||||||
|
assert expected_line in info
|
||||||
|
assert expected_line in perm_info
|
||||||
|
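Review bot: The `skipif` guards on `test_firewalld_running`, `test_firewalld_zones` and `test_firewalld_rules` call `_is_firewalld_supported()` at collection time, which reads `distro.linux_distribution()` on the machine running pytest rather than on the testinfra `host`; if the two ever differ, every firewalld check is silently skipped and the job still passes without having exercised the firewall at all. This mirrors the pre-existing `_is_dnf` helper, so it may be a deliberate convention, but a comment on `_is_firewalld_supported` such as `# NOTE: inspects the test runner's distro; assumes it matches the target host` would make the assumption explicit. `_is_firewalld_supported` is also byte-for-byte identical to `_is_dnf`; `return _is_dnf()` or a shared `_is_centos()` helper would stop the two from drifting apart. The added `import time` is not used on any line of this hunk; if nothing outside the visible lines uses it, it should be dropped.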