openstack/neutron-tempest-plugin
Code Issues Proposed changes

Add a scenario test for remote address group

Browse Source 
Add a scenario test for SG rules with remote address group.

Implements: blueprint address-groups-in-sg-rules
Change-Id: I982552f47297a83a351ec67090c9101d80d88d4a
This commit is contained in:
Hang Yang 2021-02-26 15:07:05 -06:00
parent b1c7a3d731
commit e6e0ccf3db
4 changed files with 111 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
neutron_tempest_plugin/config.py
View File

@ -68,6 +68,11 @@ NeutronPluginOptions = [
default=None, default=None,
choices=['None', 'linuxbridge', 'ovs', 'sriov'], choices=['None', 'linuxbridge', 'ovs', 'sriov'],
help='Agent used for devstack@q-agt.service'), help='Agent used for devstack@q-agt.service'),
cfg.StrOpt('firewall_driver',
default=None,
choices=['None', 'openvswitch', 'ovn',
'iptables_hybrid', 'iptables'],
help='Driver for security groups firewall in the L2 agent'),
# Multicast tests settings # Multicast tests settings
cfg.StrOpt('multicast_group_range', cfg.StrOpt('multicast_group_range',

11
neutron_tempest_plugin/scenario/base.py
View File

@ -158,13 +158,14 @@ class BaseTempestTestCase(base_api.BaseNetworkTest):
if sg['name'] == constants.DEFAULT_SECURITY_GROUP: if sg['name'] == constants.DEFAULT_SECURITY_GROUP:
secgroup_id = sg['id'] secgroup_id = sg['id']
break break
resp = []
for rule in rule_list: for rule in rule_list:
direction = rule.pop('direction') direction = rule.pop('direction')
client.create_security_group_rule( resp.append(client.create_security_group_rule(
direction=direction, direction=direction,
security_group_id=secgroup_id, security_group_id=secgroup_id,
**rule) **rule)['security_group_rule'])
return resp
@classmethod @classmethod
def create_loginable_secgroup_rule(cls, secgroup_id=None, def create_loginable_secgroup_rule(cls, secgroup_id=None,

95
neutron_tempest_plugin/scenario/test_security_groups.py
View File

@ -12,8 +12,12 @@
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from neutron_lib import constants
import netaddr
from neutron_lib import constants
import testtools
from tempest.common import utils as tempest_utils
from tempest.common import waiters from tempest.common import waiters
from tempest.lib.common.utils import data_utils from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils from tempest.lib.common.utils import test_utils
@ -310,6 +314,95 @@ class NetworkSecGroupTest(base.BaseTempestTestCase):
self.ping_ip_address(fips[0]['floating_ip_address'], self.ping_ip_address(fips[0]['floating_ip_address'],
should_succeed=False) should_succeed=False)
@testtools.skipUnless(
CONF.neutron_plugin_options.firewall_driver == 'openvswitch',
"Openvswitch agent is required to run this test")
@decorators.idempotent_id('678dd4c0-2953-4626-b89c-8e7e4110ec4b')
@tempest_utils.requires_ext(extension="address-group", service="network")
@tempest_utils.requires_ext(
extension="security-groups-remote-address-group", service="network")
def test_remote_group_and_remote_address_group(self):
"""Test SG rules with remote group and remote address group
This test checks the ICMP connection among two servers using a security
group rule with remote group and another rule with remote address
group. The connection should be granted when at least one of the rules
is applied. When both rules are applied (overlapped), removing one of
them should not disable the connection.
"""
# create a new sec group
ssh_secgrp_name = data_utils.rand_name('ssh_secgrp')
ssh_secgrp = self.os_primary.network_client.create_security_group(
name=ssh_secgrp_name)
# add cleanup
self.security_groups.append(ssh_secgrp['security_group'])
# configure sec group to support SSH connectivity
self.create_loginable_secgroup_rule(
secgroup_id=ssh_secgrp['security_group']['id'])
# spawn two instances with the sec group created
server_ssh_clients, fips, servers = self.create_vm_testing_sec_grp(
security_groups=[{'name': ssh_secgrp_name}])
# verify SSH functionality
for i in range(2):
self.check_connectivity(fips[i]['floating_ip_address'],
CONF.validation.image_ssh_user,
self.keypair['private_key'])
# try to ping instances without ICMP permissions
self.check_remote_connectivity(
server_ssh_clients[0], fips[1]['fixed_ip_address'],
should_succeed=False)
# add ICMP support to the remote group
rule_list = [{'protocol': constants.PROTO_NUM_ICMP,
'direction': constants.INGRESS_DIRECTION,
'remote_group_id': ssh_secgrp['security_group']['id']}]
remote_sg_rid = self.create_secgroup_rules(
rule_list, secgroup_id=ssh_secgrp['security_group']['id'])[0]['id']
# verify ICMP connectivity between instances works
self.check_remote_connectivity(
server_ssh_clients[0], fips[1]['fixed_ip_address'],
servers=servers)
# make sure ICMP connectivity doesn't work from framework
self.ping_ip_address(fips[0]['floating_ip_address'],
should_succeed=False)
# add ICMP rule with remote address group
test_ag = self.create_address_group(
name=data_utils.rand_name('test_ag'),
addresses=[str(netaddr.IPNetwork(fips[0]['fixed_ip_address']))])
rule_list = [{'protocol': constants.PROTO_NUM_ICMP,
'direction': constants.INGRESS_DIRECTION,
'remote_address_group_id': test_ag['id']}]
remote_ag_rid = self.create_secgroup_rules(
rule_list, secgroup_id=ssh_secgrp['security_group']['id'])[0]['id']
# verify ICMP connectivity between instances still works
self.check_remote_connectivity(
server_ssh_clients[0], fips[1]['fixed_ip_address'],
servers=servers)
# make sure ICMP connectivity doesn't work from framework
self.ping_ip_address(fips[0]['floating_ip_address'],
should_succeed=False)
# Remove the ICMP rule with remote group
self.client.delete_security_group_rule(remote_sg_rid)
# verify ICMP connectivity between instances still works as granted
# by the rule with remote address group
self.check_remote_connectivity(
server_ssh_clients[0], fips[1]['fixed_ip_address'],
servers=servers)
# make sure ICMP connectivity doesn't work from framework
self.ping_ip_address(fips[0]['floating_ip_address'],
should_succeed=False)
# Remove the ICMP rule with remote address group
self.client.delete_security_group_rule(remote_ag_rid)
# verify ICMP connectivity between instances doesn't work now
self.check_remote_connectivity(
server_ssh_clients[0], fips[1]['fixed_ip_address'],
should_succeed=False)
# make sure ICMP connectivity doesn't work from framework
self.ping_ip_address(fips[0]['floating_ip_address'],
should_succeed=False)
@decorators.idempotent_id('f07d0159-8f9e-4faa-87f5-a869ab0ad488') @decorators.idempotent_id('f07d0159-8f9e-4faa-87f5-a869ab0ad488')
def test_multiple_ports_secgroup_inheritance(self): def test_multiple_ports_secgroup_inheritance(self):
"""Test multiple port security group inheritance """Test multiple port security group inheritance

6
zuul.d/master_jobs.yaml
View File

@ -64,6 +64,7 @@
- router-admin-state-down-before-update - router-admin-state-down-before-update
- router_availability_zone - router_availability_zone
- security-group - security-group
- security-groups-remote-address-group
- segment - segment
- service-type - service-type
- sorting - sorting
@ -162,6 +163,7 @@
available_features: "{{ network_available_features | join(',') }}" available_features: "{{ network_available_features | join(',') }}"
neutron_plugin_options: neutron_plugin_options:
available_type_drivers: flat,vlan,local,vxlan available_type_drivers: flat,vlan,local,vxlan
firewall_driver: openvswitch
irrelevant-files: &openvswitch-scenario-irrelevant-files irrelevant-files: &openvswitch-scenario-irrelevant-files
- ^(test-|)requirements.txt$ - ^(test-|)requirements.txt$
- ^releasenotes/.*$ - ^releasenotes/.*$
@ -231,6 +233,7 @@
available_features: "{{ network_available_features | join(',') }}" available_features: "{{ network_available_features | join(',') }}"
neutron_plugin_options: neutron_plugin_options:
available_type_drivers: flat,vlan,local,vxlan available_type_drivers: flat,vlan,local,vxlan
firewall_driver: iptables_hybrid
irrelevant-files: irrelevant-files:
- ^(test-|)requirements.txt$ - ^(test-|)requirements.txt$
- ^releasenotes/.*$ - ^releasenotes/.*$
@ -306,6 +309,7 @@
neutron_plugin_options: neutron_plugin_options:
available_type_drivers: flat,vlan,local,vxlan available_type_drivers: flat,vlan,local,vxlan
q_agent: linuxbridge q_agent: linuxbridge
firewall_driver: iptables
irrelevant-files: irrelevant-files:
- ^(test-|)requirements.txt$ - ^(test-|)requirements.txt$
- ^releasenotes/.*$ - ^releasenotes/.*$
@ -403,6 +407,7 @@
neutron_plugin_options: neutron_plugin_options:
available_type_drivers: local,flat,vlan,geneve available_type_drivers: local,flat,vlan,geneve
is_igmp_snooping_enabled: True is_igmp_snooping_enabled: True
firewall_driver: ovn
irrelevant-files: irrelevant-files:
- ^(test-|)requirements.txt$ - ^(test-|)requirements.txt$
- ^releasenotes/.*$ - ^releasenotes/.*$
@ -543,6 +548,7 @@
image_is_advanced: true image_is_advanced: true
available_type_drivers: flat,geneve,vlan,gre,local,vxlan available_type_drivers: flat,geneve,vlan,gre,local,vxlan
l3_agent_mode: dvr_snat l3_agent_mode: dvr_snat
firewall_driver: openvswitch
group-vars: group-vars:
subnode: subnode:
devstack_services: devstack_services: