Merge "CI: add host configure tests for firewalld"

Zuul 2021-10-21 14:21:28 +00:00 committed by Gerrit Code Review
commit b150f57a4e
2 changed files with 101 additions and 0 deletions


@ -46,26 +46,31 @@ test_net_eth_vlan_rules:
- from: 192.168.35.0/24 - from: 192.168.35.0/24
table: kayobe-test-route-table table: kayobe-test-route-table
{% endif %} {% endif %}
test_net_eth_vlan_zone: test-zone1
# br0: bridge with ports dummy3, dummy4. # br0: bridge with ports dummy3, dummy4.
test_net_bridge_cidr: 192.168.36.0/24 test_net_bridge_cidr: 192.168.36.0/24
test_net_bridge_interface: br0 test_net_bridge_interface: br0
test_net_bridge_bridge_ports: [dummy3, dummy4] test_net_bridge_bridge_ports: [dummy3, dummy4]
test_net_bridge_zone: test-zone2
# br0.43: VLAN subinterface of br0. # br0.43: VLAN subinterface of br0.
test_net_bridge_vlan_cidr: 192.168.37.0/24 test_net_bridge_vlan_cidr: 192.168.37.0/24
test_net_bridge_vlan_interface: "{% raw %}{{ test_net_bridge_interface }}.{{ test_net_bridge_vlan_vlan }}{% endraw %}" test_net_bridge_vlan_interface: "{% raw %}{{ test_net_bridge_interface }}.{{ test_net_bridge_vlan_vlan }}{% endraw %}"
test_net_bridge_vlan_vlan: 43 test_net_bridge_vlan_vlan: 43
test_net_bridge_vlan_zone: test-zone3
# bond0: bond with slaves dummy5, dummy6. # bond0: bond with slaves dummy5, dummy6.
test_net_bond_cidr: 192.168.38.0/24 test_net_bond_cidr: 192.168.38.0/24
test_net_bond_interface: bond0 test_net_bond_interface: bond0
test_net_bond_bond_slaves: [dummy5, dummy6] test_net_bond_bond_slaves: [dummy5, dummy6]
test_net_bond_zone: test-zone3
# bond0.44: VLAN subinterface of bond0. # bond0.44: VLAN subinterface of bond0.
test_net_bond_vlan_cidr: 192.168.39.0/24 test_net_bond_vlan_cidr: 192.168.39.0/24
test_net_bond_vlan_interface: "{% raw %}{{ test_net_bond_interface }}.{{ test_net_bond_vlan_vlan }}{% endraw %}" test_net_bond_vlan_interface: "{% raw %}{{ test_net_bond_interface }}.{{ test_net_bond_vlan_vlan }}{% endraw %}"
test_net_bond_vlan_vlan: 44 test_net_bond_vlan_vlan: 44
test_net_bond_vlan_zone: public
# Define a software RAID device consisting of two loopback devices. # Define a software RAID device consisting of two loopback devices.
controller_mdadm_arrays: controller_mdadm_arrays:
@ -130,3 +135,21 @@ chrony_ntp_servers:
options: options:
- option: maxsources - option: maxsources
val: 2 val: 2
# Enable firewalld (CentOS only).
controller_firewalld_enabled: true
controller_firewalld_zones:
- zone: test-zone1
- zone: test-zone2
- zone: test-zone3
controller_firewalld_default_zone:
controller_firewalld_rules:
- port: 8080/tcp
zone: test-zone1
- service: http
zone: test-zone2
- icmp_block: echo-request
zone: test-zone3
- service: cockpit
state: disabled
zone: public
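Review bot: `controller_firewalld_default_zone:` in the second hunk is a bare key, i.e. a YAML null, with no comment saying whether that deliberately leaves firewalld's default zone untouched, and `public` is referenced by the rules and by `test_net_bond_vlan_zone` without being declared in `controller_firewalld_zones`, presumably relying on the built-in zone. A one-line comment would make both intents explicit, e.g. `# Default zone left unset on purpose; 'public' is the stock zone and is not managed here.` Likewise `test-zone3` is assigned to both `br0.43` and `bond0` in the first hunk, which reads like a copy-paste slip unless annotated; `# test-zone3 is intentionally shared by br0.43 and bond0.` would settle it.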


@ -5,11 +5,17 @@
import ipaddress import ipaddress
import os import os
import time
import distro import distro
import pytest import pytest
def _is_firewalld_supported():
info = distro.linux_distribution()
return info[0].startswith('CentOS')
def _is_dnf(): def _is_dnf():
info = distro.linux_distribution() info = distro.linux_distribution()
return info[0].startswith('CentOS') return info[0].startswith('CentOS')
@ -204,3 +210,75 @@ def test_dnf_automatic(host):
def test_tuned_profile_is_active(host): def test_tuned_profile_is_active(host):
tuned_output = host.check_output("tuned-adm active") tuned_output = host.check_output("tuned-adm active")
assert "throughput-performance" in tuned_output assert "throughput-performance" in tuned_output
@pytest.mark.skipif(not _is_firewalld_supported(),
reason="Firewalld only supported on CentOS")
def test_firewalld_running(host):
assert host.package("firewalld").is_installed
assert host.service("firewalld.service").is_enabled
assert host.service("firewalld.service").is_running
@pytest.mark.skipif(not _is_firewalld_supported(),
reason="Firewalld only supported on CentOS")
def test_firewalld_zones(host):
# Verify that interfaces are on correct zones.
expected_zones = {
'dummy2.42': 'test-zone1',
'br0': 'test-zone2',
'br0.43': 'test-zone3',
'bond0': 'test-zone3',
'bond0.44': 'public'
}
for interface, expected_zone in expected_zones.items():
with host.sudo():
zone = host.check_output(
"firewall-cmd --get-zone-of-interface %s", interface)
assert zone == expected_zone
zone = host.check_output(
"firewall-cmd --permanent --get-zone-of-interface %s",
interface)
assert zone == expected_zone
@pytest.mark.skipif(not _is_firewalld_supported(),
reason="Firewalld only supported on CentOS")
def test_firewalld_rules(host):
# Verify that expected rules are present.
expected_info = {
'test-zone1': [
' services: ',
' ports: 8080/tcp',
' icmp-blocks: ',
],
'test-zone2': [
' services: http',
' ports: ',
' icmp-blocks: ',
],
'test-zone3': [
' services: ',
' ports: ',
' icmp-blocks: echo-request',
],
'public': [
' services: dhcpv6-client ssh',
' ports: ',
' icmp-blocks: ',
],
}
for zone, expected_lines in expected_info.items():
with host.sudo():
info = host.check_output(
"firewall-cmd --info-zone %s", zone)
info = info.splitlines()
perm_info = host.check_output(
"firewall-cmd --permanent --info-zone %s", zone)
perm_info = perm_info.splitlines()
for expected_line in expected_lines:
assert expected_line in info
assert expected_line in perm_info
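Review bot: `import time` is added in the first hunk of this file but nothing in the new tests uses it, and as this commit only adds lines it appears to be an unused import that should be dropped. `_is_firewalld_supported` is a verbatim copy of `_is_dnf`; either have it delegate with `return _is_dnf()` or add a comment explaining why the two checks are kept separate. In `test_firewalld_rules` the `public` entry `' services: dhcpv6-client ssh'` pins firewalld's stock service list for that zone, including its print order, so a comment such as `# Stock public zone services; cockpit is disabled by the test rules.` would tell the next maintainer why the line looks the way it does. `test_tuned_profile_is_active` at the top of the second hunk is unchanged context.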