manifest.yaml with test “enabled: true” fails to apply

Marking as release gating; medium priority. Right now, this doesn't cause issues in the starlingx deployments as tests are set to disabled. But, ideally, we want to address this issue and enable basic tests to be run on the services when they are launched.

Assigning to Angie as the first failure appears to be related to aodh

Assigned to Bruce for re-assignment.

Hi Kristine Bujold, do you know what's the pull time info of the last pass?

this issue can be reproduced based on iso built by cengn 26th June.

in this issue, as openstack test cases (from upstream) were enabled, the manifest application would fail when one of the tests did not passed.

in the reproduce test, not only aodh-test failed, tests of barbican, neutron, panko and ceilometer also failed. by analyzing related pods/container logs, it should be an authentication issue (internal endpoint ... not found (HTTP 503) or forbidden to ...).

deeper dig is required.

update logs of failed *-test pods

glance test failed too with codes based on July 15th master branch

aodh:
Aodh test pod requires the gnocchi pod running. Currently, Aodh installs before Gnocchi. In the manifest openstack-telemetry chart_group, reverse the order of aodh and gnocchi should solve the issue.

ceilometer:
We cannot enable the ceilometer test, it's disabled since day1. The upstream ceilometer test matches the default openstack Ocata which is based on ceilometer-api. But ceilometer-api was removed since openstack Queens and we are using Stein.

panko:
The Panko chart test(matches Ocata) runs ceilometer events rally tests which also requires the ceilometer-api, so we cannot enable the test.

barbican:
The error shows secret get request fails due to "Secret retrieval attempt not allowed - please review your user/project privileges". I checked the barbican chart, I believe all the commands run in the _barbican-test.sh.tpl is using "admin" user. In theory, it shouldn't have user/project policy issue. An, does this problem happens all the time? Have you tried to manually run "openstack secret get <secret-ref>" after barbican api is ready.

glance:
Looks like the image creations failed because image cannot be downloaded from this url http://download.cirros-cloud.net/0.3.5/cirros-0.3.5-x86_64-disk.img
Same question is does this problem happens all the time? Have you tried to access into glance pod to do curl with the url?

neutron:
test scenario NeutronNetworks.create_and_show_network
test scenario NeutronNetworks.create_and_update_networks

The above create network testcases failed due to the following error.
ServiceUnavailable: Unable to create the network. No tenant network is available for allocation.

Not sure if it's configuration problem. From google, it says we need this configuration vni_ranges=1:1000 in /etc/neutron/plugins/ml2/ml2_conf.ini. I believe Joseph can give more suggestions.

Have you looked inside of the neutron logs at all?

The neutron logs show that no tenant network is available for allocation, which would be the case if no network segment ranges are allocated. Can you re-run this test with network_segment_range removed from the list of neutron service_plugins in the manifest? Does it still hit this error?

hi Joseph, I removed "network_segment_range" in list "service_plugins" of secrets neutron-etc and restarted neutron-server* pods but it did not help.

however, setting "vin_ranges = 1:1000" which under section "ml2_conf.ini: ml2_type_vxlan" could solve this neutron test issue.

"vin_ranges" enumerated ranges of VXLAN VNI IDs that are available for tenant network allocation according to https://docs.openstack.org/neutron/stein/configuration/samples/ml2-conf.html

aodh:
solved by reversing the order of aodh and gnocchi should solve the issue.

barbican:
WIP

glance:
only failed on system with http proxy.
required a patch of glance helm charts to set proxy for the glance test pods.

neutron:
test pods could created tenant network after setting "vin_ranges = 1:1000" which under section "ml2_conf.ini: ml2_type_vxlan" in stx-openstack.yaml.

but there an authentication error on neutron tests pod.
"AuthenticationFailed: Failed to authenticate to http://keystone-api.openstack.svc.cluster.local:5000/v3 for user 'test' in project 'test': The account is locked for user: f61dc48fecf349ffb2592e3421f81ef0.
"
further investigate is on going. and expect more suggestions as well.

thanks Angie's comments, which helps a lot!

barbican:
Run "openstack secret get <secret-href>" manually failed with errors "Secret retrieval attempt not allowed - please review your user/project privileges" after barbican api is ready.
it should be an issue about barbican policy configuration. policy config should be fixed, or we do not support this case.

from barbican-api log:
{"log":"2019-08-05 03:05:46.074 9 ERROR barbican.api.controllers [req-71a5f70c-ef7e-4a23-ae06-e7acdeedca76 64745dfc3d1a44cbbf9b8592ec950d7e 94b67db79b544a13b8bda20e0612e360 - default default] Secret retrieval attempt not allowed - please review your user/project privileges: PolicyNotAuthorized: secret:get is disallowed by policy\n","stream":"stdout","time":"2019-08-05T03:05:46.074915942Z"}

and the "secret:get" in barbican-api policy config file are show as follows:
"secret:get":"rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
"secret_creator_user":"user:%(target.secret.creator_id)s",
"secret_decrypt_non_private_read":"rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
"secret_non_private_read":"rule:all_users and rule:secret_project_match and not rule:secret_private_read",
"secret_private_read":"'False':%(target.secret.read_project_access)s",
"secret_project_admin":"rule:admin and rule:secret_project_match",
"secret_project_creator":"rule:creator and rule:secret_project_match and rule:secret_creator_user",
"secret_project_match":"project:%(target.secret.project_id)s",
"secrets:get":"rule:all_but_audit",

As per agreement with the community, moving all unresolved medium priority bugs from stx.2.0 to stx.3.0

Ran please update your current status for this issue. Which of these tests do you now have working and which are not working?
aodh-test, barbican, ceilometer, glance, neutron, panko

Frank, I will retest this issue on Openstack Train, and update the status later.

with openstack train (iso built by cengn at 20191115T023000Z):
test pods with name "osh-openstack-*-test" could not be created due to "spec.containers[0].image: Required value"

further investigate is under going.

error logs of "osh-openstack-glance-test":
results {
        name: "osh-openstack-glance-test"
        status: FAILURE
        info: "Pod \"osh-openstack-glance-test\" is invalid: spec.containers[0].image: Required value"
        started_at {
          seconds: 1574847410
          nanos: 624560841
        }
        completed_at {
          seconds: 1574847410
          nanos: 639567037
        }

issue "Pod \"osh-openstack-glance-test\" is invalid: spec.containers[0].image: Required value" was caused by commit https://review.opendev.org/gitweb?p=starlingx/openstack-armada-app.git;a=commit;h=149dcb306dc831d9646b34da3f072f8aeee16211

Re-tagging this LP to stx.4.0 as changes will not complete in time for stx.3.0

Marking as low priority - As previously noted, this doesn't cause issues in the starlingx deployments as tests are set to disabled.