[openstack-dev] Removing internet access from unit test gates

Clint Byrum clint at fewbar.com
Sun Nov 26 22:00:57 UTC 2017

Excerpts from Jens Harbott's message of 2017-11-24 13:22:23 +0000:
> 2017-11-21 15:04 GMT+00:00 Jeremy Stanley <fungi at yuggoth.org>:
> > On 2017-11-21 09:28:20 +0100 (+0100), Thomas Goirand wrote:
> > [...]
> >> The only way that I see going forward, is having internet access
> >> removed from unit tests in the gate, or probably just the above
> >> variables set.
> > [...]
> ...
> > Removing network access from the machines running these jobs won't
> > work, of course, because our job scheduling and execution service
> > needs to reach them over the Internet to start jobs, monitor
> > progress and collect results.
> I have tested a variant that would accommodate this: Run the tests in a
> new network namespace that has no network configuration at all. There are
> some issues with this still:
> - One needs sudo access in order to run something similar to "ip netns
> exec ns1 tox ...". This could still be set up in a way such that the
> tox user/environment itself does not need sudo.
> - I found some unit tests that do need to talk to localhost, so one
> still has to set up lo with
> - Most important issue that prevents me from successfully running tox
> currently though is that even if I prepared the venv beforehand with
> "tox -epy27 --notest", the next tox run will still want to reinstall
> the project itself and most projects have something like
> install_command =
>     pip install -U
> -c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt}
> {opts} {packages}
> in their tox.ini, which will obviously fail without network
> connectivity. Running something like
> sudo ip netns exec ns1 su -c ".tox/py27/bin/stestr run" $USER
> does work rather well though. Does anyone have an idea how to force
> tox to just run the tests without doing any installation steps? Then I
> guess one could come up with a small wrapper to handle the other
> steps.

Tox can be run without tests first to build all the venvs:

  $ tox --notest

Then with a sufficiently new kernel or setuid bwrap, one can use
Bubblewrap to get a clean netns:

  $ bwrap --unshare-net

Unfortunately bubblewrap is pretty new, so it's only going to be there
in package repos with newer Fedora and Ubuntu.

Either way, this is pretty doable with Zuulv3 inheritance. Whatever
jobs are using as parent, make a -nonet child of that which runs tox
--notest with network access still intact, then by whatever means makes
the most sense, namespaces or firewalls, runs the tests themselves with
access restricted.
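As an added example (not code from the thread), a wrapper that does the two phases described above: `tox --notest` while the network is reachable, then the already-installed test runner inside a clean network namespace. It uses util-linux `unshare` as a no-sudo alternative to bwrap; the py27 env name and stestr command come from the thread, while the isolation check and the bwrap bind options are my assumptions.

```shell
#!/bin/sh
# Constructed wrapper (not from the thread): build the tox venv while the
# network is still reachable, then run the installed test runner inside a
# fresh network namespace so nothing can pip install or call out.
# Assumed tools: util-linux `unshare` (user+net ns, no sudo) or `bwrap`.
set -eu

TOXENV="${TOXENV:-py27}"

# Phase 1 (network allowed): create the venv and install dependencies and
# the project, but run no tests. Only this step needs the constraints URL.
build_venv() {
  tox --notest -e "$TOXENV"
}

# Command prefix that drops network access. `unshare` also creates a user
# namespace, so the sandboxed shell may bring lo up for tests that talk to
# localhost; `bwrap` mirrors the `bwrap --unshare-net` form above, where
# lo stays down unless bwrap is given extra capabilities.
isolation_prefix() {
  case "$1" in
    unshare) printf '%s' "unshare --user --map-root-user --net" ;;
    bwrap)   printf '%s' "bwrap --unshare-net --ro-bind / / --dev /dev --proc /proc --" ;;
    *)       echo "unknown isolation tool: $1" >&2; return 1 ;;
  esac
}

# Phase 2 (no network): run the already-installed test runner directly,
# bypassing tox so it cannot reinstall the project. The inner shell
# refuses to start the tests if any interface other than lo is visible,
# which catches a wrapper that silently fell back to the host namespace.
run_tests_isolated() {
  tool="$1"; shift
  prefix="$(isolation_prefix "$tool")"
  # $prefix is intentionally word-split into command and options
  $prefix sh -c '
    ip link set lo up 2>/dev/null || true
    if ip -o link show | grep -v ": lo:" | grep -q .; then
      echo "non-loopback interface visible; not isolated, aborting" >&2
      exit 1
    fi
    exec "$@"' sh "$@"
}

main() {
  build_venv
  run_tests_isolated "${1:-unshare}" ".tox/$TOXENV/bin/stestr" run
}
[ $# -eq 0 ] || main "$@"  # e.g. ./run-nonet.sh unshare
```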
