1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
|
# Copyright (c) 2018 Intel, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import mock
import os_resource_classes as orc
import os_traits as ost
from nova import conf
from nova.db import constants as db_const
from nova import test
from nova.tests.fixtures import libvirt as fakelibvirt
from nova.tests.functional.libvirt import integrated_helpers
from nova.virt.libvirt.host import SEV_KERNEL_PARAM_FILE
CONF = conf.CONF
class LibvirtReportTraitsTestBase(
integrated_helpers.LibvirtProviderUsageBaseTestCase):
pass
def assertMemEncryptionSlotsEqual(self, slots):
inventory = self._get_provider_inventory(self.host_uuid)
if slots == 0:
self.assertNotIn(orc.MEM_ENCRYPTION_CONTEXT, inventory)
else:
self.assertEqual(
inventory[orc.MEM_ENCRYPTION_CONTEXT],
{
'total': slots,
'min_unit': 1,
'max_unit': 1,
'step_size': 1,
'allocation_ratio': 1.0,
'reserved': 0,
}
)
class LibvirtReportTraitsTests(LibvirtReportTraitsTestBase):
# These must match the capabilities in
# nova.virt.libvirt.driver.LibvirtDriver.capabilities
expected_libvirt_driver_capability_traits = set([
trait for trait in [
ost.COMPUTE_ACCELERATORS,
ost.COMPUTE_DEVICE_TAGGING,
ost.COMPUTE_NET_ATTACH_INTERFACE,
ost.COMPUTE_NET_ATTACH_INTERFACE_WITH_TAG,
ost.COMPUTE_VOLUME_ATTACH_WITH_TAG,
ost.COMPUTE_VOLUME_EXTEND,
ost.COMPUTE_VOLUME_MULTI_ATTACH,
ost.COMPUTE_TRUSTED_CERTS,
ost.COMPUTE_IMAGE_TYPE_AKI,
ost.COMPUTE_IMAGE_TYPE_AMI,
ost.COMPUTE_IMAGE_TYPE_ARI,
ost.COMPUTE_IMAGE_TYPE_ISO,
ost.COMPUTE_IMAGE_TYPE_QCOW2,
ost.COMPUTE_IMAGE_TYPE_RAW,
ost.COMPUTE_RESCUE_BFV,
]
])
def test_report_cpu_traits(self):
self.assertEqual([], self._get_all_providers())
self.start_compute()
# Test CPU traits reported on initial node startup, these specific
# trait values are coming from fakelibvirt's baselineCPU result.
# COMPUTE_NODE is always set on the compute node provider.
traits = self._get_provider_traits(self.host_uuid)
for trait in (
'HW_CPU_X86_VMX', 'HW_CPU_X86_INTEL_VMX', 'HW_CPU_X86_AESNI',
'COMPUTE_NODE',
):
self.assertIn(trait, traits)
self._create_trait('CUSTOM_TRAITS')
new_traits = ['CUSTOM_TRAITS', 'HW_CPU_X86_AVX']
self._set_provider_traits(self.host_uuid, new_traits)
# The above is an out-of-band placement operation, as if the operator
# used the CLI. So now we have to "SIGHUP the compute process" to clear
# the report client cache so the subsequent update picks up the change.
self.compute.manager.reset()
self._run_periodics()
# HW_CPU_X86_AVX is filtered out because nova-compute owns CPU traits
# and it's not in the baseline for the host.
traits = set(self._get_provider_traits(self.host_uuid))
expected_traits = self.expected_libvirt_driver_capability_traits.union(
[
'HW_CPU_X86_VMX',
'HW_CPU_X86_INTEL_VMX',
'HW_CPU_X86_AESNI',
'CUSTOM_TRAITS',
# The periodic restored the COMPUTE_NODE trait.
'COMPUTE_NODE',
])
for trait in expected_traits:
self.assertIn(trait, traits)
class LibvirtReportNoSevTraitsTests(LibvirtReportTraitsTestBase):
STUB_INIT_HOST = False
@test.patch_exists(SEV_KERNEL_PARAM_FILE, False)
def setUp(self):
super(LibvirtReportNoSevTraitsTests, self).setUp()
self.start_compute()
def test_sev_trait_off_on(self):
"""Test that the compute service reports the SEV trait in the list of
global traits, but doesn't immediately register it on the
compute host resource provider in the placement API, due to
the kvm-amd kernel module's sev parameter file being (mocked
as) absent.
Then test that if the SEV capability appears (again via
mocking), after a restart of the compute service, the trait
gets registered on the compute host.
Also test that on both occasions, the inventory of the
MEM_ENCRYPTION_CONTEXT resource class on the compute host
corresponds to the absence or presence of the SEV capability.
"""
self.assertFalse(self.compute.driver._host.supports_amd_sev)
sev_trait = ost.HW_CPU_X86_AMD_SEV
global_traits = self._get_all_traits()
self.assertIn(sev_trait, global_traits)
traits = self._get_provider_traits(self.host_uuid)
self.assertNotIn(sev_trait, traits)
self.assertMemEncryptionSlotsEqual(0)
# Now simulate the host gaining SEV functionality. Here we
# simulate a kernel update or reconfiguration which causes the
# kvm-amd kernel module's "sev" parameter to become available
# and set to 1, however it could also happen via a libvirt
# upgrade, for instance.
sev_features = \
fakelibvirt.virConnect._domain_capability_features_with_SEV
with test.nested(
self.patch_exists(SEV_KERNEL_PARAM_FILE, True),
self.patch_open(SEV_KERNEL_PARAM_FILE, "1\n"),
mock.patch.object(fakelibvirt.virConnect,
'_domain_capability_features',
new=sev_features)
) as (mock_exists, mock_open, mock_features):
# Retrigger the detection code. In the real world this
# would be a restart of the compute service.
# As we are changing the domain caps we need to clear the
# cache in the host object.
self.compute.driver._host._domain_caps = None
self.compute.driver._host._supports_amd_sev = None
self.assertTrue(self.compute.driver._host.supports_amd_sev)
mock_exists.assert_has_calls([mock.call(SEV_KERNEL_PARAM_FILE)])
mock_open.assert_has_calls([mock.call(SEV_KERNEL_PARAM_FILE)])
# However it won't disappear in the provider tree and get synced
# back to placement until we force a reinventory:
self.compute.manager.reset()
# reset cached traits so they are recalculated.
self.compute.driver._static_traits = None
self._run_periodics()
traits = self._get_provider_traits(self.host_uuid)
self.assertIn(sev_trait, traits)
# Sanity check that we've still got the trait globally.
self.assertIn(sev_trait, self._get_all_traits())
self.assertMemEncryptionSlotsEqual(db_const.MAX_INT)
class LibvirtReportSevTraitsTests(LibvirtReportTraitsTestBase):
STUB_INIT_HOST = False
@test.patch_exists(SEV_KERNEL_PARAM_FILE, True)
@test.patch_open(SEV_KERNEL_PARAM_FILE, "1\n")
@mock.patch.object(
fakelibvirt.virConnect, '_domain_capability_features',
new=fakelibvirt.virConnect._domain_capability_features_with_SEV)
def setUp(self):
super(LibvirtReportSevTraitsTests, self).setUp()
self.flags(num_memory_encrypted_guests=16, group='libvirt')
self.start_compute()
def test_sev_trait_on_off(self):
"""Test that the compute service reports the SEV trait in the list of
global traits, and immediately registers it on the compute
host resource provider in the placement API, due to the SEV
capability being (mocked as) present.
Then test that if the SEV capability disappears (again via
mocking), after a restart of the compute service, the trait
gets removed from the compute host.
Also test that on both occasions, the inventory of the
MEM_ENCRYPTION_CONTEXT resource class on the compute host
corresponds to the absence or presence of the SEV capability.
"""
self.assertTrue(self.compute.driver._host.supports_amd_sev)
sev_trait = ost.HW_CPU_X86_AMD_SEV
global_traits = self._get_all_traits()
self.assertIn(sev_trait, global_traits)
traits = self._get_provider_traits(self.host_uuid)
self.assertIn(sev_trait, traits)
self.assertMemEncryptionSlotsEqual(16)
# Now simulate the host losing SEV functionality. Here we
# simulate a kernel downgrade or reconfiguration which causes
# the kvm-amd kernel module's "sev" parameter to become
# unavailable, however it could also happen via a libvirt
# downgrade, for instance.
with self.patch_exists(SEV_KERNEL_PARAM_FILE, False) as mock_exists:
# Retrigger the detection code. In the real world this
# would be a restart of the compute service.
self.compute.driver._host._domain_caps = None
self.compute.driver._host._supports_amd_sev = None
self.assertFalse(self.compute.driver._host.supports_amd_sev)
mock_exists.assert_has_calls([mock.call(SEV_KERNEL_PARAM_FILE)])
# However it won't disappear in the provider tree and get synced
# back to placement until we force a reinventory:
self.compute.manager.reset()
# reset cached traits so they are recalculated.
self.compute.driver._static_traits = None
self._run_periodics()
traits = self._get_provider_traits(self.host_uuid)
self.assertNotIn(sev_trait, traits)
# Sanity check that we've still got the trait globally.
self.assertIn(sev_trait, self._get_all_traits())
self.assertMemEncryptionSlotsEqual(0)
|
