[lxc-devel] [lxc-ci/master] OVN: Project restriction tests

tomponline on Github lxc-bot at linuxcontainers.org
Fri Oct 2 11:26:46 UTC 2020


From 44db93c7f29602301ce006afd06aaa15152ed32e Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Fri, 2 Oct 2020 11:17:26 +0100
Subject: [PATCH 1/2] bin/test-lxd-ovn: Use 127.0.0.1 for geneve encapsulation

For a single-node test there is no need to depend on an external IP.

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 bin/test-lxd-ovn | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/bin/test-lxd-ovn b/bin/test-lxd-ovn
index 612a50e..294c306 100755
--- a/bin/test-lxd-ovn
+++ b/bin/test-lxd-ovn
@@ -36,11 +36,10 @@ apt install ovn-host ovn-central --yes
 
 # Configure OVN
 set -x
-IP=$(ip -4 route get 8.8.8.8 | grep src | cut -d' ' -f7)
 ovs-vsctl set open_vswitch . \
   external_ids:ovn-remote=unix:/var/run/ovn/ovnsb_db.sock \
   external_ids:ovn-encap-type=geneve \
-  external_ids:ovn-encap-ip=${IP}
+  external_ids:ovn-encap-ip=127.0.0.1
 
 # Configure LXD
 lxc storage create default zfs
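Review bot: The literal `127.0.0.1` on the `external_ids:ovn-encap-ip` line has no comment, so the script itself does not show that loopback is a deliberate single-node choice. A Geneve endpoint on loopback cannot be reached from another chassis, so anyone extending this test to a second host would have to change it. A comment above the `ovs-vsctl set open_vswitch` call would record that, for example `# Single-node test: terminate Geneve on loopback so no external IP or route lookup is needed.`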

From 3289890cac42041c9ad52520eaa2fc3ba38a846d Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Fri, 2 Oct 2020 12:25:41 +0100
Subject: [PATCH 2/2] bin/test-lxd-ovn: Adds tests for project restrictions and
 more thorough clean up steps

Allows the test to be re-run multiple times if needed.

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 bin/test-lxd-ovn | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/bin/test-lxd-ovn b/bin/test-lxd-ovn
index 294c306..e8261ea 100755
--- a/bin/test-lxd-ovn
+++ b/bin/test-lxd-ovn
@@ -52,14 +52,17 @@ lxc network create lxdbr0 \
     ipv6.address=fd42:4242:4242:1010::1/64 ipv6.nat=true \
     ipv6.ovn.ranges=fd42:4242:4242:1010::200-fd42:4242:4242:1010::254
 
-lxc network create ovn-virtual-network network=lxdbr0 --type=ovn
+# Create OVN network without specifying uplink parent network (check default selection works).
+lxc network create ovn-virtual-network --type=ovn
 
 # Test
 set +x
 lxc network list
+lxc project switch default
 
 echo "==> Launching a test container on lxdbr0"
 lxc init images:ubuntu/20.04 u1
+FINGERPRINT="$(lxc image ls -cf --format=csv)"
 lxc config device add u1 eth0 nic network=lxdbr0 name=eth0
 lxc start u1
 
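Review bot: `FINGERPRINT="$(lxc image ls -cf --format=csv)"` captures every image in the current project, not only the one that `lxc init images:ubuntu/20.04 u1` just pulled. If the host already holds another cached image, for instance from an earlier aborted run, the variable becomes a multi-line string and the quoted `lxc image delete "${FINGERPRINT}"` calls in the clean-up hunk will fail on it. Reading the value from the instance avoids that: `FINGERPRINT="$(lxc config get u1 volatile.base_image)"`. The clean-up also reuses this value with `--project testovn`, which presumably relies on the same image being cached in that project, so a short comment saying so would help.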
@@ -109,6 +112,26 @@ echo "==> DNS resolution on OVN"
 lxc exec u3 -- ping -c1 -4 u2.lxd
 lxc exec u3 -- ping -c1 -6 u2.lxd
 
+echo "===> Testing project restrictions"
+lxc project create testovn -c features.networks=true -c restricted=true
+
+# Test we cannot create network in restricted project with no defined uplinks.
+! lxc network create ovn-virtual-network --project testovn
+
+# Test we can create network with a single restricted uplink network defined without specfiying it (or type).
+lxc project set testovn restricted.networks.uplinks=lxdbr0
+lxc network create ovn-virtual-network --project testovn
+lxc network delete ovn-virtual-network --project testovn
+
+# Test we have to specify uplink network if multiple are allowed.
+lxc network create lxdbr1 --project default
+lxc project set testovn restricted.networks.uplinks=lxdbr0,lxdbr1
+! lxc network create ovn-virtual-network --project testovn
+lxc network create ovn-virtual-network network=lxdbr0 --project testovn
+lxc network delete ovn-virtual-network --project testovn
+lxc project delete testovn
+lxc network delete lxdbr1 --project default
+
 echo "===> Testing projects"
 lxc project create testovn -c features.networks=true -c limits.networks=1
 lxc project switch testovn
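Review bot: The two negative checks written as `! lxc network create ovn-virtual-network --project testovn` cannot fail the run, because a command inverted with `!` is exempt from `set -e` and nothing in the hunk inspects its status. If a restricted project were wrongly allowed to create the network, the test would still report success, so the restriction is not actually being verified. Appending `|| false` enforces the inverted status: `! lxc network create ovn-virtual-network --project testovn || false`. Whether the script enables `set -e` is not visible in this hunk; without it these lines are ignored in the same way and would need an explicit `if ...; then exit 1; fi`.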
@@ -184,4 +207,12 @@ lxc delete -f u2 u3
 lxc network delete ovn-virtual-network
 lxc network delete lxdbr0 --project default
 
+lxc image delete "${FINGERPRINT}" --project testovn
+lxc image delete "${FINGERPRINT}" --project default
+lxc profile device remove default root --project testovn
+lxc profile device remove default root --project default
+lxc storage delete default
+lxc project switch default
+lxc project delete testovn
+
 FAIL=0
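Review bot: The added deletes run only when every earlier command succeeded, so a run that fails part-way leaves the image, the profile root device, the storage pool and the `testovn` project behind. The next run would then presumably stop on "already exists" errors, which is the re-run case the commit message is aiming at. The script's failure handling is outside the hunk; if it has an exit handler (the `FAIL=0` line suggests one), consider doing the teardown there. Alternatively, have the setup section remove leftovers from a previous run before creating anything.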

