From 3d6cefe9ddb5d5725ba1db74fe7b5f97a52718ad Mon Sep 17 00:00:00 2001
From: "James E. Blair" <jeblair@redhat.com>
Date: Wed, 3 Jun 2020 14:20:36 -0700
Subject: [PATCH] Stop using backend hostname in zuul testinfra tests

Tests that call host.backend.get_hostname() to switch on test
assertions are likely to fail open.  Stop using this in zuul tests
and instead add new files for each of the types of zuul hosts
where we want to do additional verification.

Share the iptables related code between all the tests that perform
iptables checks.

Also, some extra merger test and some negative assertions are added.

Move multi-node-hosts-file to after set-hostname. multi-node-hosts-file
is designed to append, and set-hostname is designed to write.

When we write the gate version of the inventory, map the nodepool
private_ipv4 address as the public_v4 address of the inventory host
since that's what is written to /etc/hosts, and is therefore, in the
context of a gate job, the "public" address.

Change-Id: Id2dad08176865169272a8c135d232c2b58a7a2c1
---
 playbooks/zuul/run-base-pre.yaml    |  2 +-
 playbooks/zuul/run-base.yaml        |  2 +-
 testinfra/test_base.py              | 44 ++---------------------------
 testinfra/test_zuul_executor.py     | 31 ++++++++++++++++++++
 testinfra/test_zuul_merger.py       | 26 +++++++++++++++++
 testinfra/test_zuul_scheduler.py    | 34 ++++++++++++++++++++++
 testinfra/{test_zuul.py => util.py} | 19 ++-----------
 zuul.d/system-config-run.yaml       | 11 ++++++++
 8 files changed, 109 insertions(+), 60 deletions(-)
 create mode 100644 testinfra/test_zuul_executor.py
 create mode 100644 testinfra/test_zuul_merger.py
 create mode 100644 testinfra/test_zuul_scheduler.py
 rename testinfra/{test_zuul.py => util.py} (80%)

diff --git a/playbooks/zuul/run-base-pre.yaml b/playbooks/zuul/run-base-pre.yaml
index 8a42caf410..ead0fe3dcc 100644
--- a/playbooks/zuul/run-base-pre.yaml
+++ b/playbooks/zuul/run-base-pre.yaml
@@ -2,10 +2,10 @@
   roles:
     - ensure-tox
     - multi-node-known-hosts
-    - multi-node-hosts-file
     - copy-build-sshkey
     - use-docker-mirror
     - set-hostname
+    - multi-node-hosts-file
   tasks:
     - include_role:
         name: use-buildset-registry
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index 18a45100d1..c74b7612cf 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -16,7 +16,7 @@
           - ansible_user
           - ansible_python_interpreter
         write_inventory_additional_hostvars:
-          public_v4: nodepool.public_ipv4
+          public_v4: nodepool.private_ipv4
           public_v6: nodepool.public_ipv6
     - name: Add groups config for test nodes
       template:
diff --git a/testinfra/test_base.py b/testinfra/test_base.py
index 8a5428a16f..4fde49cb7a 100644
--- a/testinfra/test_base.py
+++ b/testinfra/test_base.py
@@ -12,22 +12,11 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-import socket
+import util
 
 testinfra_hosts = ['all']
 
 
-def get_ips(value, family=None):
-    ret = set()
-    try:
-        addr_info = socket.getaddrinfo(value, None, family)
-    except socket.gaierror:
-        return ret
-    for addr in addr_info:
-        ret.add(addr[4][0])
-    return ret
-
-
 def test_exim_is_installed(host):
     if host.system_info.distribution in ['ubuntu', 'debian']:
         exim = host.package("exim4-base")
@@ -40,42 +29,13 @@ def test_exim_is_installed(host):
 
 
 def test_iptables(host):
-    rules = host.iptables.rules()
-    rules = [x.strip() for x in rules]
-
-    needed_rules = [
-        '-P INPUT ACCEPT',
-        '-P FORWARD DROP',
-        '-P OUTPUT ACCEPT',
-        '-N openstack-INPUT',
-        '-A INPUT -j openstack-INPUT',
-        '-A openstack-INPUT -i lo -j ACCEPT',
-        '-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
-        '-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
-        '-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
-        '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
-    ]
-    for rule in needed_rules:
-        assert rule in rules
+    rules = util.verify_iptables(host)
 
     # Make sure that the zuul console stream rule is still present
     zuul = ('-A openstack-INPUT -p tcp -m state --state NEW'
             ' -m tcp --dport 19885 -j ACCEPT')
     assert zuul in rules
 
-    # Ensure all IPv4+6 addresses for cacti are allowed
-    for ip in get_ips('cacti.openstack.org', socket.AF_INET):
-        snmp = ('-A openstack-INPUT -s %s/32 -p udp -m udp'
-                ' --dport 161 -j ACCEPT' % ip)
-        assert snmp in rules
-
-    # TODO(ianw) add ip6tables support to testinfra iptables module
-    ip6rules = host.check_output('ip6tables -S')
-    for ip in get_ips('cacti.openstack.org', socket.AF_INET6):
-        snmp = ('-A openstack-INPUT -s %s/128 -p udp -m udp'
-                ' --dport 161 -j ACCEPT' % ip)
-        assert snmp in ip6rules
-
 
 def test_ntp(host):
     package = host.package("ntp")
diff --git a/testinfra/test_zuul_executor.py b/testinfra/test_zuul_executor.py
new file mode 100644
index 0000000000..0ad8280f53
--- /dev/null
+++ b/testinfra/test_zuul_executor.py
@@ -0,0 +1,31 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import util
+
+testinfra_hosts = ['ze01.opendev.org']
+
+
+def test_iptables(host):
+    rules = util.verify_iptables(host)
+
+    needed_rules = [
+        '-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 79 -j ACCEPT',
+        '-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 7900 -j ACCEPT',
+    ]
+    for rule in needed_rules:
+        assert rule in rules
+
+    for rule in rules:
+        assert '--dport 4730' not in rule
diff --git a/testinfra/test_zuul_merger.py b/testinfra/test_zuul_merger.py
new file mode 100644
index 0000000000..81336d0f79
--- /dev/null
+++ b/testinfra/test_zuul_merger.py
@@ -0,0 +1,26 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import util
+
+testinfra_hosts = ['zm01.opendev.org']
+
+
+def test_iptables(host):
+    rules = util.verify_iptables(host)
+
+    for rule in rules:
+        assert '--dport 4730' not in rule
+        assert '--dport 79' not in rule
+        assert '--dport 7900' not in rule
diff --git a/testinfra/test_zuul_scheduler.py b/testinfra/test_zuul_scheduler.py
new file mode 100644
index 0000000000..ae1ed676bb
--- /dev/null
+++ b/testinfra/test_zuul_scheduler.py
@@ -0,0 +1,34 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import util
+import socket
+
+testinfra_hosts = ['zuul01.openstack.org']
+
+
+def test_iptables(host):
+    rules = util.verify_iptables(host)
+
+    ips = util.get_ips('ze01.opendev.org', socket.AF_INET)
+    assert len(ips) > 0
+
+    # Make sure that the gearman port is open to executors on the scheduler
+    for ip in util.get_ips('ze01.opendev.org', socket.AF_INET):
+        zuul = ('-A openstack-INPUT -s %s/32 -p tcp -m state --state NEW'
+                ' -m tcp --dport 4730 -j ACCEPT' % ip)
+        assert zuul in rules
+
+    for rule in rules:
+        assert '--dport 7900' not in rule
diff --git a/testinfra/test_zuul.py b/testinfra/util.py
similarity index 80%
rename from testinfra/test_zuul.py
rename to testinfra/util.py
index 73cbff4825..865861c7e1 100644
--- a/testinfra/test_zuul.py
+++ b/testinfra/util.py
@@ -14,14 +14,6 @@
 
 import socket
 
-
-testinfra_hosts = [
-    'ze01.opendev.org',
-    'zm01.openstack.org',
-    'zuul01.openstack.org',
-]
-
-
 def get_ips(value, family=None):
     ret = set()
     try:
@@ -33,7 +25,7 @@ def get_ips(value, family=None):
     return ret
 
 
-def test_iptables(host):
+def verify_iptables(host):
     rules = host.iptables.rules()
     rules = [x.strip() for x in rules]
 
@@ -52,13 +44,6 @@ def test_iptables(host):
     for rule in needed_rules:
         assert rule in rules
 
-    # Make sure that the gearman port is open to executors on the scheduler
-    if host.backend.get_hostname() == 'zuul01.openstack.org':
-        for ip in get_ips('ze01.opendev.org', socket.AF_INET):
-            zuul = ('-A openstack-INPUT -s %s/32 -p tcp -m state --state NEW'
-                    ' -m tcp --dport 4730 -j ACCEPT' % ip)
-            assert zuul in rules
-
     # Ensure all IPv4+6 addresses for cacti are allowed
     for ip in get_ips('cacti.openstack.org', socket.AF_INET):
         snmp = ('-A openstack-INPUT -s %s/32 -p udp -m udp'
@@ -71,3 +56,5 @@ def test_iptables(host):
         snmp = ('-A openstack-INPUT -s %s/128 -p udp -m udp'
                 ' --dport 161 -j ACCEPT' % ip)
         assert snmp in ip6rules
+
+    return rules
diff --git a/zuul.d/system-config-run.yaml b/zuul.d/system-config-run.yaml
index d67b6a7223..2ecb3ee974 100644
--- a/zuul.d/system-config-run.yaml
+++ b/zuul.d/system-config-run.yaml
@@ -647,20 +647,27 @@
     host-vars:
       zm01.openstack.org:
         host_copy_output:
+          '/etc/hosts': logs
           '/etc/zuul/zuul.conf': logs
           '/var/log/zuul/merger-debug.log': logs
       ze01.opendev.org:
         host_copy_output:
+          '/etc/hosts': logs
           '/etc/zuul/zuul.conf': logs
           '/var/log/zuul/executor-debug.log': logs
       ze01.openstack.org:
         host_copy_output:
+          '/etc/hosts': logs
           '/etc/zuul/zuul.conf': logs
           '/var/log/zuul/executor-debug.log': logs
       zuul01.openstack.org:
         host_copy_output:
+          '/etc/hosts': logs
           '/etc/zuul/zuul.conf': logs
           '/var/log/zuul/debug.log': logs
+      bridge.openstack.org:
+        host_copy_output:
+          '/etc/hosts': logs
     files:
       - playbooks/install-ansible.yaml
       - playbooks/service-zookeeper.yaml
@@ -672,6 +679,10 @@
       - playbooks/roles/zookeeper/
       - playbooks/roles/install-apt-repo
       - playbooks/roles/zuul
+      - testinfra/test_zuul_executor.py
+      - testinfra/test_zuul_scheduler.py
+      - testinfra/test_zuul_merger.py
+      - testinfra/util.py
 
 - job:
     name: system-config-run-review