Commit Graph

18 Commits (0634dcc6d0f08c18c69a2c360a2c5c0581ec7bb6)

Author SHA1 Message Date
Jenkins 640fd9d2fd Merge "fullstack: test for IPv6 north-south traffic" 7 years ago
Jakub Libosvar f0439a04ad fullstack: VLAN aware VMs test
Patch tests basic life-cycle of a trunk associated with a port. Test
creates a trunk with one subport - this tests interaction between
agent and ovsdb handler that calls via RPC to server.
Later a new subport is added which tests RPC interaction between
server and agent. Then deletes the first created subport. Finally trunk
is removed and checked that no patch ports remain on the integration
bridge.

Future work:
 - Run this test with linuxbridge
 - Test re-using port associated with trunk.
 - Test re-using subports.
 - Test with OVS firewall.

Partially-implements: blueprint vlan-aware-vms
Change-Id: Ie79a010e6751c1f1c2be5b1bf52511b9e100ad20
7 years ago
Jakub Libosvar a17c52f388 tests: Don't raise TimeoutError when waiting for ping
Timeout error makes debugging a little bit harder. This exception makes
more sense.

Change-Id: Idd6556710190019d440b94e725a0f17f89e0f082
7 years ago
sridhargaddam 989aba6a2b fullstack: test for IPv6 north-south traffic
This patch validates north south IPv6 traffic through legacy router.

Partial-Bug: #1583028
Change-Id: I12cccdb01960e89ddfc795b587d617da37c9fee6
7 years ago
Jakub Libosvar a626172706 Move wait_until_true to neutron.common.utils
We need to be able to re-use wait_until_true in tempest scenario tests.
There is tempest bug https://bugs.launchpad.net/tempest/+bug/1592345
that prevents us from doing so.

Also wait_until_true is not linux specific so it makes more sense to
have it in common package.

Change-Id: Ib8b0e51dbd9edaa58391774d428a737836dfdf77
7 years ago
Jakub Libosvar 4f6aa3ffde ovs-fw: Mark conntrack entries invalid if no rule is matched
This patch makes sure that an existing connection breaks once the security
group rule that allowed such connection is removed. To correctly
track connections on the same hypervisor, zones were changed from
per-port to per-network (based on port's vlan tag). This information is
now stored in register 6. Also a test was added for RELATED
connections to avoid marking such connections as invalid by REPLY rules.

Closes-Bug: 1549370
Change-Id: Ibb5942a980ddd8f2dd7ac328e9559a80c05789bb
7 years ago
Assaf Muller 075f152223 Make fullstack test_connectivity tests more forgiving
Change assert_ping to block_until_ping.

Closes-Bug: #1518466

Change-Id: I233cb40e701ef462e9d570d9677da1cbcc2c91c8
8 years ago
Cedric Brandily 5dbdf11026 Move docstring to FakeMachineBase
This change moves FakeMachine docstring to FakeMachineBase because it is
valid for all FakeMachineBase subclasses.

Change-Id: Ic30098f7d84dd3a5d6c5f7ff675d3f6e7b0a4cae
8 years ago
Assaf Muller 53fe9ddd6c Add a fullstack fake VM, basic connectivity test
* Full stack tests' fake VMs are represented via a namespace,
  MAC, IP address and default gateway. They're plugged to an OVS
  bridge via an OVS internal port. As opposed to the current
  fake machine class used in functional testing, this new fake
  machine also creates a Neutron port via the API and sets the
  IP and MAC according to it. It also sets additional attributes
  on the OVS port to allow the OVS agent to do its magic.
* The functional fake machine and the full stack fake machine
  should continue to share commonalities.
* The fullstack fake machine currently takes the IP address
  from the port and statically assigns it to the namespace
  device. Later when I'll add support for the DHCP agent
  in full stack testing this assignment will look for the dhcp
  attribute of the subnet and either assign the IP address
  via 'ip' or call a dhcp client.
* Added a basic L2 connectivity test between two such machines
  on the same Neutron network.
* OVSPortFixture now uses OVSInterfaceDriver to plug the port
  instead of replicating a lot of the code. I had to make a
  small change to _setup_arp_spoof_for_port since all OVS ports
  are now created with their external-ids set.

Change-Id: Ib985b7e742f58f1a6eb6fc598df3cbac31046951
8 years ago
Jenkins 6c7c4c2b33 Merge "Introduce connection testers module" 8 years ago
Jakub Libosvar 2759f130b4 Introduce connection testers module
This module provides tools for testing simple connectivity between two
endpoints via given technology. Current patch implements endpoints
connected through either linux bridge or openvswitch bridge.
Connectivity can be tested using icmp, arp, tcp and udp protocols.

Change-Id: I00e19fd9b80dc6f6743eb735523bd8f5ff096136
8 years ago
Kevin Benton 04197bc4bb Add ARP spoofing protection for LinuxBridge agent
This patch adds ARP spoofing protection for the Linux Bridge
agent based on ebtables. This code was written to be minimally
invasive with the intent of back-porting to Kilo.

The protection is enabled and disabled with the same
'prevent_arp_spoofing' agent config flag added for the OVS agent
in I7c079b779245a0af6bc793564fa8a560e4226afe.

The protection works by setting up an ebtables chain for each port
and jumping all ARP traffic to that chain. The port-specific chains
have a default DROP policy and then have allow rules installed that
only allow ARP traffic with a source CIDR that matches one of the
port's fixed IPs or an allowed address pair.

Closes-Bug: #1274034
Change-Id: I0b0e3b1272472385dff060897ecbd25e93fd78e7
8 years ago
Robert Collins 7344e3ab8e Improve fixture usage.
There were two broad issues with fixtures.

Firstly, the 'SafeFixture' workaround for resource leaks in fixtures
<1.3 is not needed if we depend on fixtures>=1.3.1. While testtools
may raise a TypeError when trying to query a fixture that failed to
setup, this is only ever a cascading failure - it will not cause
tests to fail, cause leaks, or cause tests to incorrectly pass. That
will be fixed in testtools soon to stop it happening (but as it cannot
affect whether a test passes or fails or leaks happen there is no
reason to wait for that). Leaks are seen with fixtures 1.3.0 still
because eventlet raises a BaseException subclass rather than an
Exception subclass, and fixtures 1.3.0 didn't handle that - 1.3.1 does.

Secondly, some of the fixtures had race conditions where things were
started and then cleanups scheduled. Where possible I've fixed those,
but some of them require more significant work to fully address.

Change-Id: I3290712f7274970defda19263f4955e3c78e5ed6
Depends-On: I8c01506894ec0a92b53bc0e4ad14767f2dd6a6b3
Closes-bug: #1453888
8 years ago
Cedric Brandily 4b4cedaf85 Define SafeFixture base fixture
Currently useFixture(myfixture)[1] ensures to call myfixture.cleanUp only
if myfixture.setUp succeeds.

This change defines a workaround to ensure cleanUp call even if setUp
fails until testtools/fixtures support it: SafeFixture[2] which ensures
cleanUp call if setUp fails and replaces fixtures.Fixture use by
SafeFixture. This workaround will be removed when the bug is fixed in
testtools and fixtures[3].

[1] testtools.TestCase.useFixture, fixtures.Fixture.useFixture
[2] neutron.tests.tools
[3] see related bugs

Change-Id: I875934e8dde321a450c83fb95d175affd1f3bb83
Closes-Bug: #1464410
Partial-Bug: #1453888
Related-Bug: #1456353
Related-Bug: #1456370
8 years ago
Jakub Libosvar 753196480d Break Pinger class to functions
As the class served only for storing parameters that can be passed as
actual function parameters, there is no reason for a class.

Change-Id: I553b4d6daeb78d495cda09894582a3d885b5d1b5
8 years ago
YAMAMOTO Takashi dbe7ba1868 OVS-agent: Ignore IPv6 addresses for ARP spoofing prevention
The flow rules to match on ARP headers for spoofing prevention
fail to install when an IPv6 address is used. These should be
skipped since the ARP spoofing prevention doesn't apply to IPv6.

Co-authored-by: Kevin Benton <blak111@gmail.com>
Closes-Bug: #1449363
Change-Id: I4bb3135e62378c5c96d1ac0b646336ac9a637bde
8 years ago
Cedric Brandily 8a4540acac Replace BaseIPVethTestCase by FakeMachine
This change removes BaseIPVethTestCase class and moves Pinger class to
allow its use from a fake machine.

Change-Id: I0636f11a327e9535828e7b52e60195e52831a0b2
8 years ago
Cedric Brandily 7f7343b1af Define FakeMachine helper for functional/fullstack tests
The change defines the FakeMachine fixture/helper which emulates a
machine through a namespace with:
* a port bound to a bridge,
* an ip on the port,
* a gateway (if requested).

The FakeMachine class can be used to emulate:
* a VM for testing network features (ex: metadata service),
* an external machine for testing "external" network features (ex:
  routing/natting),
* a server for low level tests of network features (ex: iptables).

The change also defines PeerMachines fixture/helper to create some fake
machines bound to a bridge.

Change-Id: I4fde1a03badd9adfd14b9124b5602331b69dda9d
8 years ago