Use different CIDRs for private and public subnets
In test "test_connectivity_dvr_and_no_dvr_routers_in_same_subnet", as reported in the bug, the public IP (floating IP) and the private IP are in the same CIDR. This breaks the isolation between networks. Co-Authored-By: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Closes-Bug: #1861282 Change-Id: I39ca6474068d2e169dff1b81d2a0c71a8361c01f
This commit is contained in:
parent
92959e5412
commit
3e1921b48a
|
@ -348,3 +348,24 @@ class ARPregister(collections.namedtuple(
|
|||
return '%s %s %s %s %s %s' % (self.ip_address, self.hw_type,
|
||||
self.flags, self.mac_address, self.mask,
|
||||
self.device)
|
||||
|
||||
|
||||
def find_valid_cidr(valid_cidr='10.0.0.0/8', used_cidr=None):
|
||||
total_ips = netaddr.IPSet(netaddr.IPNetwork(valid_cidr))
|
||||
if used_cidr:
|
||||
used_network = netaddr.IPNetwork(used_cidr)
|
||||
netmask = used_network.netmask.netmask_bits()
|
||||
valid_ips = total_ips.difference(netaddr.IPSet(used_network))
|
||||
else:
|
||||
valid_ips = total_ips
|
||||
netmask = 24
|
||||
|
||||
for ip in valid_ips:
|
||||
valid_network = netaddr.IPNetwork('%s/%s' % (ip, netmask))
|
||||
if valid_network in valid_ips:
|
||||
return valid_network.cidr
|
||||
|
||||
exception_str = 'No valid CIDR found in %s' % valid_cidr
|
||||
if used_cidr:
|
||||
exception_str += ', used CIDR %s' % used_cidr
|
||||
raise Exception(exception_str)
|
||||
|
|
|
@ -13,11 +13,14 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import netaddr
|
||||
|
||||
from tempest.common import compute
|
||||
from tempest.common import utils
|
||||
from tempest.lib.common.utils import data_utils
|
||||
from tempest.lib import decorators
|
||||
|
||||
from neutron_tempest_plugin.common import ip as ip_utils
|
||||
from neutron_tempest_plugin.common import ssh
|
||||
from neutron_tempest_plugin import config
|
||||
from neutron_tempest_plugin.scenario import base
|
||||
|
@ -161,14 +164,14 @@ class NetworkConnectivityTest(base.BaseTempestTestCase):
|
|||
Subnet is connected to dvr and non-dvr routers in the same time, test
|
||||
ensures that connectivity from VM to both routers is working.
|
||||
|
||||
Test scenario:
|
||||
Test scenario: (NOTE: 10.1.0.0/24 private CIDR is used as an example)
|
||||
+----------------+ +------------+
|
||||
| Non-dvr router | | DVR router |
|
||||
| | | |
|
||||
| 10.0.0.1 | | 10.0.0.x |
|
||||
| 10.1.0.1 | | 10.1.0.x |
|
||||
+-------+--------+ +-----+------+
|
||||
| |
|
||||
| 10.0.0.0/24 |
|
||||
| 10.1.0.0/24 |
|
||||
+----------------+----------------+
|
||||
|
|
||||
+-+-+
|
||||
|
@ -176,16 +179,22 @@ class NetworkConnectivityTest(base.BaseTempestTestCase):
|
|||
+---+
|
||||
|
||||
where:
|
||||
10.0.0.1 - is subnet's gateway IP address,
|
||||
10.0.0.x - is any other IP address taken from subnet's range
|
||||
10.1.0.1 - is subnet's gateway IP address,
|
||||
10.1.0.x - is any other IP address taken from subnet's range
|
||||
|
||||
Test ensures that both 10.0.0.1 and 10.0.0.x IP addresses are
|
||||
Test ensures that both 10.1.0.1 and 10.1.0.x IP addresses are
|
||||
reachable from VM.
|
||||
"""
|
||||
ext_network = self.safe_client.show_network(self.external_network_id)
|
||||
ext_subnet_id = ext_network['network']['subnets'][0]['id']
|
||||
ext_subnet = self.safe_client.show_subnet(ext_subnet_id)
|
||||
ext_cidr = ext_subnet['subnet']['cidr']
|
||||
subnet_cidr = ip_utils.find_valid_cidr(used_cidr=ext_cidr)
|
||||
gw_ip = netaddr.IPAddress(subnet_cidr.first + 1)
|
||||
|
||||
network = self.create_network()
|
||||
subnet = self.create_subnet(
|
||||
network, cidr="10.0.0.0/24", gateway="10.0.0.1")
|
||||
network, cidr=str(subnet_cidr), gateway=str(gw_ip))
|
||||
|
||||
non_dvr_router = self.create_router_by_client(
|
||||
tenant_id=self.client.tenant_id,
|
||||
|
@ -221,8 +230,7 @@ class NetworkConnectivityTest(base.BaseTempestTestCase):
|
|||
fip['floating_ip_address'], CONF.validation.image_ssh_user,
|
||||
pkey=self.keypair['private_key'])
|
||||
|
||||
self.check_remote_connectivity(
|
||||
sshclient, '10.0.0.1', ping_count=10)
|
||||
self.check_remote_connectivity(sshclient, str(gw_ip), ping_count=10)
|
||||
self.check_remote_connectivity(
|
||||
sshclient, dvr_router_port['fixed_ips'][0]['ip_address'],
|
||||
ping_count=10)
|
||||
|
|
Loading…
Reference in New Issue