[openstack-dev] Removing internet access from unit test gates

Jens Harbott j.harbott at x-ion.de
Fri Nov 24 13:22:23 UTC 2017

2017-11-21 15:04 GMT+00:00 Jeremy Stanley <fungi at yuggoth.org>:
> On 2017-11-21 09:28:20 +0100 (+0100), Thomas Goirand wrote:
> [...]
>> The only way that I see going forward, is having internet access
>> removed from unit tests in the gate, or probably just the above
>> variables set.
> [...]
> Removing network access from the machines running these jobs won't
> work, of course, because our job scheduling and execution service
> needs to reach them over the Internet to start jobs, monitor
> progress and collect results.

I have tested a variant that would accomodate this: Run the tests in a
new network namespace that no network configuration at all. There are
some issues with this still:

- One needs sudo access in order to run something similar to "ip netns
exec ns1 tox ...". This could still be set up in a way such that the
tox user/environment itself does not need sudo.
- I found some unit tests that do need to talk to localhost, so one
still has to setup lo with
- Most important issue that prevents me from successfully running tox
currently though is that even if I prepared the venv beforehand with
"tox -epy27 --notest", the next tox run will still want to reinstall
the project itself and most projects have something like

install_command =
    pip install -U
{opts} {packages}

in their tox.ini, which will obviously fail without network
connectivity. Running something like

sudo ip netns exec ns1 su -c ".tox/py27/bin/stestr run" $USER

does work rather well though. Does anyone have an idea how to force
tox to just run the tests without doing any installation steps? Then I
guess one could come up with a small wrapper to handle the other

More information about the OpenStack-dev mailing list