Excerpts from Jens Harbott's message of 2017-11-24 13:22:23 +0000:
> 2017-11-21 15:04 GMT+00:00 Jeremy Stanley <[email protected]>:
> > On 2017-11-21 09:28:20 +0100 (+0100), Thomas Goirand wrote:
> > [...]
> >> The only way that I see going forward, is having internet access
> >> removed from unit tests in the gate, or probably just the above
> >> variables set.
> > [...]
> ...
> > Removing network access from the machines running these jobs won't
> > work, of course, because our job scheduling and execution service
> > needs to reach them over the Internet to start jobs, monitor
> > progress and collect results.
>
> I have tested a variant that would accommodate this: Run the tests in a
> new network namespace that has no network configuration at all. There are
> some issues with this still:
>
> - One needs sudo access in order to run something similar to "ip netns
>   exec ns1 tox ...". This could still be set up in a way such that the
>   tox user/environment itself does not need sudo.
> - I found some unit tests that do need to talk to localhost, so one
>   still has to set up lo with 127.0.0.1/32.
> - Most important issue that prevents me from successfully running tox
>   currently though is that even if I prepared the venv beforehand with
>   "tox -epy27 --notest", the next tox run will still want to reinstall
>   the project itself and most projects have something like
>
>   install_command =
>       pip install -U
>       -c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt}
>       {opts} {packages}
>
>   in their tox.ini, which will obviously fail without network
>   connectivity. Running something like
>
>   sudo ip netns exec ns1 su -c ".tox/py27/bin/stestr run" $USER
>
>   does work rather well though. Does anyone have an idea how to force
>   tox to just run the tests without doing any installation steps? Then I
>   guess one could come up with a small wrapper to handle the other
>   steps.
Tox can be run without tests first to build all the venvs:

    $ tox --notest

Then with a sufficiently new kernel or setuid bwrap, one can use Bubblewrap to get a clean netns:

    bwrap --unshare-net

Unfortunately bubblewrap is pretty new, so it's only going to be there in package repos with newer Fedora and Ubuntu.

Either way, this is pretty doable with Zuulv3 inheritance. Whatever jobs are using as parent, make a -nonet child of that which runs tox --notest with network access still intact, then by whatever means makes the most sense, namespaces or firewalls, runs the tests themselves with access restricted.

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
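The two-phase wrapper the thread converges on (build the venv with the network up, then run the venv's own test runner rather than tox so nothing is reinstalled, with the network removed), written out as an added example. This is not code from the thread, from tox, Zuul or any OpenStack project. Assumed names: tox env "py27", runner "stestr run", namespace "nonet"; ISOLATOR=netns uses sudo for ip(8) only and drops back to the caller with su as in Jens's command, ISOLATOR=bwrap uses bubblewrap's --unshare-net with the host tree bound read-write (an assumption that a throwaway CI node can tolerate). The install_command check is my own: it only reports whether tox.ini's default install_command references an http(s) URL, the case the thread describes.

```shell
#!/bin/sh
# Added example (not from the thread, tox, Zuul or any OpenStack project).
# Phase 1 builds the venv while the network is up; phase 2 runs the venv's
# runner binary with the network removed, bypassing tox's reinstall step.
# Assumed names: env "py27", runner "stestr run", netns "nonet",
# ISOLATOR=netns (sudo for ip(8) only) or ISOLATOR=bwrap.
set -eu

TOXENV="${TOXENV:-py27}"
RUNNER="${RUNNER:-stestr run}"
NETNS="${NETNS:-nonet}"
ISOLATOR="${ISOLATOR:-netns}"

# Does tox.ini's install_command default to fetching over HTTP(S), e.g. the
# upper-constraints URL?  Such a tox run cannot succeed offline, which is why
# phase 2 never invokes tox.  Returns 0 (true) if a URL is referenced.
install_command_needs_network() {
    awk '
        /^[[:space:]]*install_command[[:space:]]*=/ { inblk = 1 }
        inblk && /^[^[:space:]]/ && !/^[[:space:]]*install_command/ { inblk = 0 }
        inblk && /https?:\/\// { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Runner inside a pre-built venv: .tox/<env>/bin/<runner>.
runner_command() {
    printf '%s\n' ".tox/$1/bin/$2"
}

# Phase 1 (network up): build the venv and install the project once.
build_venv() {
    tox -e "$TOXENV" --notest
}

# Namespace with loopback only: tests that bind 127.0.0.1 keep working,
# nothing else is reachable.  Bringing lo up configures 127.0.0.1/8 on it.
setup_netns() {
    sudo ip netns add "$NETNS"
    sudo ip netns exec "$NETNS" ip link set lo up
}

# Probe run inside the isolated environment before the tests: the only
# interface that is up must be lo (assumes iproute2's one-line -o output).
assert_isolated='[ "$(ip -o link show up | wc -l)" -eq 1 ] || { echo "network still reachable" >&2; exit 1; }'

# Phase 2: run one command with the network removed.
run_isolated() {
    case "$ISOLATOR" in
        netns)
            # ip netns exec needs root; su hands the command back to the caller.
            sudo ip netns exec "$NETNS" su -c "$assert_isolated; $1" "${USER:-$(id -un)}"
            ;;
        bwrap)
            # Needs unprivileged user namespaces or a setuid bwrap.
            bwrap --unshare-net --die-with-parent --dev-bind / / sh -c "$assert_isolated; $1"
            ;;
        *)
            echo "unknown ISOLATOR: $ISOLATOR" >&2
            return 1
            ;;
    esac
}

main() {
    build_venv
    if install_command_needs_network tox.ini; then
        echo "tox.ini install_command fetches over the network; running the venv runner directly" >&2
    fi
    if [ "$ISOLATOR" = netns ]; then
        setup_netns
    fi
    run_isolated "$(runner_command "$TOXENV" "$RUNNER")"
}

# Usage: sh tox-nonet.sh run    (sourcing the file only defines the functions)
if [ "${1:-}" = run ]; then
    main
fi
```

Mapped onto the Zuul layout suggested above, the parent job would run phase 1 (build_venv) and the -nonet child phase 2 (setup_netns and run_isolated); the probe in assert_isolated is what tells you the restriction actually took effect rather than silently running the tests with network access.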
