diff options
author | Gorka Eguileor <geguileo@redhat.com> | 2022-03-31 10:59:17 +0200 |
---|---|---|
committer | Ghanshyam <gmann@ghanshyammann.com> | 2022-06-29 22:42:22 +0000 |
commit | 5e6fc7ab759ebb8ff5057da88251391ac7d10381 (patch) | |
tree | 975f741c4b9c4119b30ac53821b397163a6731bc /tempest/scenario | |
parent | 9fe5d38263629bbf95284d5b5c762d3b7337b9b6 (diff) | |
download | tempest-5e6fc7ab759ebb8ff5057da88251391ac7d10381.tar.gz |
Add LUKS v2 tests
We currently have cryptsetup and LUKS v1 tests, but we are missing LUKS
v2 tests.
Code paths for LUKS v1 and LUKS v2 are different, because Nova uses
libvirt to decode LUKS v1 volumes but os-brick to decode LUKS v2
volumes.
This means that not only the attach process is different, but also some
features such as extend volume, so one of them may work while the other
doesn't.
This patch adds LUKS v2 encryption tests for all backends except for RBD
volumes, because they are not connected to the host but directly through
libvirt, so they can only use LUKS v1.
Depends-On: Ia1411f11ec4bf44af6a42d5f96c8a0903846ed66
Depends-On: I351f1a7769c9f915e4cd280f05a8b8b87f40df84
Related-Bug: #1967157
Change-Id: I40c518c3a3e760867efd6b6338fa9c16945b28c4
Diffstat (limited to 'tempest/scenario')
-rw-r--r-- | tempest/scenario/test_encrypted_cinder_volumes.py | 17 | ||||
-rw-r--r-- | tempest/scenario/test_volume_boot_pattern.py | 28 |
2 files changed, 37 insertions, 8 deletions
diff --git a/tempest/scenario/test_encrypted_cinder_volumes.py b/tempest/scenario/test_encrypted_cinder_volumes.py index 6ee9f28a0..9788e1900 100644 --- a/tempest/scenario/test_encrypted_cinder_volumes.py +++ b/tempest/scenario/test_encrypted_cinder_volumes.py @@ -13,6 +13,8 @@ # License for the specific language governing permissions and limitations # under the License. +import testtools + from tempest.common import utils from tempest import config from tempest.lib import decorators @@ -27,7 +29,7 @@ class TestEncryptedCinderVolumes(manager.EncryptionScenarioTest): This test is for verifying the functionality of encrypted cinder volumes. - For both LUKS and cryptsetup encryption types, this test performs + For both LUKS (v1 & v2) and cryptsetup encryption types, this test performs the following: * Boots an instance from an image (CONF.compute.image_ref) @@ -55,11 +57,24 @@ class TestEncryptedCinderVolumes(manager.EncryptionScenarioTest): @decorators.attr(type='slow') @utils.services('compute', 'volume', 'image') def test_encrypted_cinder_volumes_luks(self): + """LUKs v1 decrypts volume through libvirt.""" server = self.launch_instance() volume = self.create_encrypted_volume('luks', volume_type='luks') self.attach_detach_volume(server, volume) + @decorators.idempotent_id('7abec0a3-61a0-42a5-9e36-ad3138fb38b4') + @testtools.skipIf(CONF.volume.storage_protocol == 'ceph', + 'Ceph only supports LUKSv2 if doing host attach.') + @decorators.attr(type='slow') + @utils.services('compute', 'volume', 'image') + def test_encrypted_cinder_volumes_luksv2(self): + """LUKs v2 decrypts volume through os-brick.""" + server = self.launch_instance() + volume = self.create_encrypted_volume('luks2', + volume_type='luksv2') + self.attach_detach_volume(server, volume) + @decorators.idempotent_id('cbc752ed-b716-4717-910f-956cce965722') @decorators.attr(type='slow') @utils.services('compute', 'volume', 'image') diff --git a/tempest/scenario/test_volume_boot_pattern.py b/tempest/scenario/test_volume_boot_pattern.py index 5a5cc2704..2e87c159b 100644 --- a/tempest/scenario/test_volume_boot_pattern.py +++ b/tempest/scenario/test_volume_boot_pattern.py @@ -246,14 +246,10 @@ class TestVolumeBootPattern(manager.EncryptionScenarioTest): # Assert that the underlying volume is gone. self.volumes_client.wait_for_resource_deletion(volume_origin['id']) - @decorators.idempotent_id('cb78919a-e553-4bab-b73b-10cf4d2eb125') - @testtools.skipUnless(CONF.compute_feature_enabled.attach_encrypted_volume, - 'Encrypted volume attach is not supported') - @utils.services('compute', 'volume') - def test_boot_server_from_encrypted_volume_luks(self): + def _do_test_boot_server_from_encrypted_volume_luks(self, provider): # Create an encrypted volume - volume = self.create_encrypted_volume('luks', - volume_type='luks') + volume = self.create_encrypted_volume(provider, + volume_type=provider) self.volumes_client.set_bootable_volume(volume['id'], bootable=True) @@ -266,3 +262,21 @@ class TestVolumeBootPattern(manager.EncryptionScenarioTest): server_info = self.servers_client.show_server(server['id'])['server'] created_volume = server_info['os-extended-volumes:volumes_attached'] self.assertEqual(volume['id'], created_volume[0]['id']) + + @decorators.idempotent_id('cb78919a-e553-4bab-b73b-10cf4d2eb125') + @testtools.skipUnless(CONF.compute_feature_enabled.attach_encrypted_volume, + 'Encrypted volume attach is not supported') + @utils.services('compute', 'volume') + def test_boot_server_from_encrypted_volume_luks(self): + """LUKs v1 decrypts volume through libvirt.""" + self._do_test_boot_server_from_encrypted_volume_luks('luks') + + @decorators.idempotent_id('5ab6100f-1b31-4dd0-a774-68cfd837ef77') + @testtools.skipIf(CONF.volume.storage_protocol == 'ceph', + 'Ceph only supports LUKSv2 if doing host attach.') + @testtools.skipUnless(CONF.compute_feature_enabled.attach_encrypted_volume, + 'Encrypted volume attach is not supported') + @utils.services('compute', 'volume') + def test_boot_server_from_encrypted_volume_luksv2(self): + """LUKs v2 decrypts volume through os-brick.""" + self._do_test_boot_server_from_encrypted_volume_luks('luks2') |