| Matthew Treinish | a970d65 | 2015-03-11 15:39:24 -0400 | [diff] [blame] | 1 | .. _tempest-configuration: |
| 2 | |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 3 | Tempest Configuration Guide |
| 4 | =========================== |
| 5 | |
| Matthew Treinish | f640f66 | 2015-03-11 15:13:30 -0400 | [diff] [blame] | 6 | This guide is a starting point for configuring tempest. It aims to elaborate |
| 7 | on and explain some of the mandatory and common configuration settings and how |
| 8 | they are used in conjunction. The source of truth on each option is the sample |
| 9 | config file which explains the purpose of each individual option. |
| 10 | |
| 11 | Lock Path |
| 12 | --------- |
| 13 | |
| 14 | There are some tests and operations inside of tempest that need to be |
| 15 | externally locked when running in parallel to prevent them from running at |
| 16 | the same time. This is a mandatory step for configuring tempest and is still |
| 17 | needed even when running serially. All that is needed to do this is: |
| 18 | |
| 19 | #. Set the lock_path option in the oslo_concurrency group |
| 20 | |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 21 | Auth/Credentials |
| 22 | ---------------- |
| 23 | |
| 24 | Tempest currently has 2 different ways in configuration to provide credentials |
| 25 | to use when running tempest. One is a traditional set of configuration options |
| 26 | in the tempest.conf file. These options are in the identity section and let you |
| 27 | specify a regular user, a global admin user, and a alternate user set of |
| 28 | credentials. (which consist of a username, password, and project/tenant name) |
| 29 | These options should be clearly labelled in the sample config file in the |
| 30 | identity section. |
| 31 | |
| 32 | The other method to provide credentials is using the accounts.yaml file. This |
| 33 | file is used to specify an arbitrary number of users available to run tests |
| 34 | with. You can specify the location of the file in the |
| 35 | auth section in the tempest.conf file. To see the specific format used in |
| 36 | the file please refer to the accounts.yaml.sample file included in tempest. |
| 37 | Currently users that are specified in the accounts.yaml file are assumed to |
| 38 | have the same set of roles which can be used for executing all the tests you |
| 39 | are running. This will be addressed in the future, but is a current limitation. |
| 40 | Eventually the config options for providing credentials to tempest will be |
| 41 | deprecated and removed in favor of the accounts.yaml file. |
| 42 | |
| 43 | Credential Provider Mechanisms |
| 44 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 45 | |
| 46 | Tempest currently also has 3 different internal methods for providing |
| 47 | authentication to tests. Tenant isolation, locking test accounts, and |
| 48 | non-locking test accounts. Depending on which one is in use the configuration |
| 49 | of tempest is slightly different. |
| 50 | |
| 51 | Tenant Isolation |
| 52 | """""""""""""""" |
| 53 | Tenant isolation was originally create to enable running tempest in parallel. |
| 54 | For each test class it creates a unique set of user credentials to use for the |
| 55 | tests in the class. It can create up to 3 sets of username, password, and |
| 56 | tenant/project names for a primary user, an admin user, and an alternate user. |
| 57 | To enable and use tenant isolation you only need to configure 2 things: |
| 58 | |
| 59 | #. A set of admin credentials with permissions to create users and |
| 60 | tenants/projects. This is specified in the identity section with the |
| 61 | admin_username, admin_tenant_name, and admin_password options |
| 62 | #. To enable tenant_isolation in the auth section with the |
| 63 | allow_tenant_isolation option. |
| 64 | |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 65 | This is also the currently the default credential provider enabled by tempest, |
| 66 | due to it's common use and ease of configuration. |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 67 | |
| 68 | Locking Test Accounts |
| 69 | """"""""""""""""""""" |
| 70 | For a long time using tenant isolation was the only method available if you |
| 71 | wanted to enable parallel execution of tempest tests. However this was |
| 72 | insufficient for certain use cases because of the admin credentials requirement |
| 73 | to create the credential sets on demand. To get around that the accounts.yaml |
| 74 | file was introduced and with that a new internal credential provider to enable |
| 75 | using the list of credentials instead of creating them on demand. With locking |
| 76 | test accounts each test class will reserve a set of credentials from the |
| 77 | accounts.yaml before executing any of its tests so that each class is isolated |
| 78 | like in tenant isolation. |
| 79 | |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 80 | Currently, this mechanism has some limitations, mostly around networking. The |
| 81 | locking test accounts provider will only work with a single flat network as |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 82 | the default for each tenant/project. If another network configuration is used |
| 83 | in your cloud you might face unexpected failures. |
| 84 | |
| 85 | To enable and use locking test accounts you need do a few things: |
| 86 | |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 87 | #. Create a accounts.yaml file which contains the set of pre-existing |
| 88 | credentials to use for testing. To make sure you don't have a credentials |
| 89 | starvation issue when running in parallel make sure you have at least 2 |
| Matthew Treinish | fc7cd8f | 2015-03-30 11:51:55 -0400 | [diff] [blame] | 90 | times the number of worker processes you are using to execute tempest |
| 91 | available in the file. (if running serially the worker count is 1) |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 92 | |
| 93 | You can check the sample file packaged in tempest for the yaml format |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 94 | #. Provide tempest with the location of you accounts.yaml file with the |
| 95 | test_accounts_file option in the auth section |
| 96 | |
| 97 | |
| 98 | Non-locking test accounts |
| 99 | """"""""""""""""""""""""" |
| 100 | When tempest was refactored to allow for locking test accounts, the original |
| 101 | non-tenant isolated case was converted to support the new accounts.yaml file. |
| 102 | This mechanism is the non-locking test accounts provider. It only makes sense |
| 103 | to use it if parallel execution isn't needed. If the role restrictions were too |
| 104 | limiting with the locking accounts provider and tenant isolation is not wanted |
| 105 | then you can use the non-locking test accounts credential provider without the |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 106 | accounts.yaml file. |
| Matthew Treinish | bc1b15b | 2015-02-20 15:56:07 -0500 | [diff] [blame] | 107 | |
| 108 | To use the non-locking test accounts provider you have 2 ways to configure it. |
| 109 | First you can specify the sets of credentials in the configuration file like |
| 110 | detailed above with following 9 options in the identity section: |
| 111 | |
| 112 | #. username |
| 113 | #. password |
| 114 | #. tenant_name |
| 115 | #. admin_username |
| 116 | #. admin_password |
| 117 | #. admin_tenant_name |
| 118 | #. alt_username |
| 119 | #. alt_password |
| 120 | #. alt_tenant_name |
| 121 | |
| Matthew Treinish | 0fd69e4 | 2015-03-06 00:40:51 -0500 | [diff] [blame] | 122 | The only restriction with using the traditional config options for credentials |
| 123 | is that if a test requires specific roles on accounts these tests can not be |
| 124 | run. This is because the config options do not give sufficient flexibility to |
| 125 | describe the roles assigned to a user for running the tests. |
| Matthew Treinish | 2b7f048 | 2015-04-10 12:49:01 -0400 | [diff] [blame^] | 126 | |
| 127 | Networking |
| 128 | ---------- |
| 129 | OpenStack has a myriad of different networking configurations possible and |
| 130 | depending on which of the 2 network backends, nova-network or neutron, you are |
| 131 | using things can vary drastically. Due to this complexity Tempest has to provide |
| 132 | a certain level of flexibility in it's configuration to ensure it will work |
| 133 | against any cloud. This ends up causing a large number of permutations in |
| 134 | Tempest's config around network configuration. |
| 135 | |
| 136 | |
| 137 | Enabling Remote Access to Created Servers |
| 138 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 139 | When Tempest creates servers for testing, some tests require being able to |
| 140 | connect those servers. Depending on the configuration of the cloud, the methods |
| 141 | for doing this can be different. In certain configurations it is required to |
| 142 | specify a single network with server create calls. Accordingly, Tempest provides |
| 143 | a few different methods for providing this information in configuration to try |
| 144 | and ensure that regardless of the clouds configuration it'll still be able to |
| 145 | run. This section covers the different methods of configuring Tempest to provide |
| 146 | a network when creating servers. |
| 147 | |
| 148 | Fixed Network Name |
| 149 | """""""""""""""""" |
| 150 | This is the simplest method of specifying how networks should be used. You can |
| 151 | just specify a single network name/label to use for all server creations. The |
| 152 | limitation with this is that all tenants/projects and users must be able to see |
| 153 | that network name/label if they were to perform a network list and be able to |
| 154 | use it. |
| 155 | |
| 156 | If no network name is assigned in the config file and none of the below |
| 157 | alternatives are used, then Tempest will not specify a network on server |
| 158 | creations, which depending on the cloud configuration might prevent them from |
| 159 | booting. |
| 160 | |
| 161 | To set a fixed network name simply do: |
| 162 | |
| 163 | #. Set the fixed_network_name option in the compute group |
| 164 | |
| 165 | In the case that the configured fixed network name can not be found by a user |
| 166 | network list call, it will be treated like one was not provided except that a |
| 167 | warning will be logged stating that it couldn't be found. |
| 168 | |
| 169 | |
| 170 | Accounts File |
| 171 | """"""""""""" |
| 172 | If you are using an accounts file to provide credentials for running Tempest |
| 173 | then you can leverage it to also specify which network should be used with |
| 174 | server creations on a per tenant/project and user pair basis. This provides |
| 175 | the necessary flexibility to work with more intricate networking configurations |
| 176 | by enabling the user to specify exactly which network to use for which |
| 177 | tenants/projects. You can refer to the accounts.yaml sample file included in |
| 178 | the tempest repo for the syntax around specifying networks in the file. |
| 179 | |
| 180 | However, specifying a network is not required when using an accounts file. If |
| 181 | one is not specified you can use a fixed network name to specify the network to |
| 182 | use when creating servers just as without an accounts file. However, any network |
| 183 | specified in the accounts file will take precedence over the fixed network name |
| 184 | provided. If no network is provided in the accounts file and a fixed network |
| 185 | name is not set then no network will be included in create server requests. |
| 186 | |
| 187 | If a fixed network is provided and the accounts.yaml file also contains networks |
| 188 | this has the benefit of enabling a couple more tests which require a static |
| 189 | network to perform operations like server lists with a network filter. If a |
| 190 | fixed network name is not provided these tests are skipped. Additionally, if a |
| 191 | fixed network name is provided it will serve as a fallback in case of a |
| 192 | misconfiguration or a missing network in the accounts file. |
| 193 | |
| 194 | |
| 195 | With Tenant Isolation |
| 196 | """"""""""""""""""""" |
| 197 | With tenant isolation enabled and using nova-network then nothing changes. Your |
| 198 | only option for configuration is to either set a fixed network name or not. |
| 199 | However, in most cases it shouldn't matter because nova-network should have no |
| 200 | problem booting a server with multiple networks. If this is not the case for |
| 201 | your cloud then using an accounts file is recommended because it provides the |
| 202 | necessary flexibility to describe your configuration. Tenant isolation is not |
| 203 | able to dynamically allocate things as necessary if neutron is not enabled. |
| 204 | |
| 205 | With neutron and tenant isolation enabled there should not be any additional |
| 206 | configuration necessary to enable Tempest to create servers with working |
| 207 | networking, assuming you have properly configured the network section to work |
| 208 | for your cloud. Tempest will dynamically create the neutron resources necessary |
| 209 | to enable using servers with that network. Also, just as with the accounts |
| 210 | file, if you specify a fixed network name while using neutron and tenant |
| 211 | isolation it will enable running tests which require a static network and it |
| 212 | will additionally be used as a fallback for server creation. However, unlike |
| 213 | accounts.yaml this should never be triggered. |