|
|
@ -0,0 +1,383 @@ |
|
|
|
# Copyright 2017 VMware Inc |
|
|
|
# All Rights Reserved |
|
|
|
# |
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may |
|
|
|
# not use this file except in compliance with the License. You may obtain |
|
|
|
# a copy of the License at |
|
|
|
# |
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0 |
|
|
|
# |
|
|
|
# Unless required by applicable law or agreed to in writing, software |
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
|
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
|
|
|
# License for the specific language governing permissions and limitations |
|
|
|
# under the License. |
|
|
|
|
|
|
|
import os |
|
|
|
import time |
|
|
|
|
|
|
|
from tempest.common.utils.linux import remote_client |
|
|
|
from tempest import config |
|
|
|
from tempest.lib.common.utils import data_utils |
|
|
|
from tempest.lib.common.utils import test_utils |
|
|
|
|
|
|
|
from tempest.lib import decorators |
|
|
|
from tempest.lib import exceptions |
|
|
|
|
|
|
|
from vmware_nsx_tempest_plugin.common import constants |
|
|
|
from vmware_nsx_tempest_plugin.lib import feature_manager |
|
|
|
from vmware_nsx_tempest_plugin.services import nsxp_client |
|
|
|
from vmware_nsx_tempest_plugin.services import nsxv3_client |
|
|
|
|
|
|
|
CONF = config.CONF |
|
|
|
LOG = constants.log.getLogger(__name__) |
|
|
|
|
|
|
|
|
|
|
|
class TestAllowedAddresCidr(feature_manager.FeatureManager): |
|
|
|
|
|
|
|
"""Test New Cases Scenario |
|
|
|
|
|
|
|
""" |
|
|
|
@classmethod |
|
|
|
def setup_clients(cls): |
|
|
|
super(TestAllowedAddresCidr, cls).setup_clients() |
|
|
|
cls.cmgr_adm = cls.get_client_manager('admin') |
|
|
|
cls.cmgr_alt = cls.get_client_manager('alt') |
|
|
|
cls.cmgr_adm = cls.get_client_manager('admin') |
|
|
|
cls.routers_client = cls.cmgr_adm.routers_client |
|
|
|
cls.networks_client = cls.cmgr_adm.networks_client |
|
|
|
cls.subnets_client = cls.cmgr_adm.subnets_client |
|
|
|
cls.sec_rule_client = cls.cmgr_adm.security_group_rules_client |
|
|
|
cls.sec_client = cls.cmgr_adm.security_groups_client |
|
|
|
|
|
|
|
def setUp(self): |
|
|
|
super(TestAllowedAddresCidr, self).setUp() |
|
|
|
CONF.validation.ssh_shell_prologue = '' |
|
|
|
self.vip_ip_address = '' |
|
|
|
self.namestart = 'lbaas-ops' |
|
|
|
self.poke_counters = 12 |
|
|
|
self.hm_delay = 4 |
|
|
|
self.hm_max_retries = 3 |
|
|
|
self.hm_timeout = 10 |
|
|
|
self.server_names = [] |
|
|
|
self.loadbalancer = None |
|
|
|
self.vip_fip = None |
|
|
|
self.web_service_start_delay = 2.5 |
|
|
|
|
|
|
|
@classmethod |
|
|
|
def resource_setup(cls): |
|
|
|
super(TestAllowedAddresCidr, cls).resource_setup() |
|
|
|
cls.nsx = nsxv3_client.NSXV3Client(CONF.nsxv3.nsx_manager, |
|
|
|
CONF.nsxv3.nsx_user, |
|
|
|
CONF.nsxv3.nsx_password) |
|
|
|
cls.nsxp = nsxp_client.NSXPClient(CONF.nsxv3.nsx_manager, |
|
|
|
CONF.nsxv3.nsx_user, |
|
|
|
CONF.nsxv3.nsx_password) |
|
|
|
|
|
|
|
def _test_ping_from_external_network(self, fip_ip): |
|
|
|
out = os.popen('ping -c 5 %s' % fip_ip).read().strip() |
|
|
|
return out |
|
|
|
|
|
|
|
def _create_ipv6_subnet(self, network, cidr, ipv6_ra_mode=None, |
|
|
|
ipv6_address_mode=None, |
|
|
|
router_id=None, slaac=False, enable_dhcp=False): |
|
|
|
subnet_client = self.cmgr_adm.subnets_client |
|
|
|
subnet_name = network['name'] + 'sub' |
|
|
|
if slaac: |
|
|
|
subnet = self.create_topology_subnet( |
|
|
|
subnet_name, network, |
|
|
|
subnets_client=subnet_client, |
|
|
|
ip_version=6, ipv6_ra_mode='slaac', |
|
|
|
ipv6_address_mode='slaac', |
|
|
|
cidr=cidr, router_id=router_id) |
|
|
|
else: |
|
|
|
subnet = self.create_topology_subnet( |
|
|
|
subnet_name, network, |
|
|
|
subnets_client=subnet_client, |
|
|
|
ipv6_address_mode=ipv6_address_mode, |
|
|
|
ipv6_ra_mode=ipv6_ra_mode, |
|
|
|
ip_version=6, enable_dhcp=True, |
|
|
|
cidr=cidr, router_id=router_id) |
|
|
|
return subnet |
|
|
|
|
|
|
|
def create_topo_single_dhcpv6_network( |
|
|
|
self, namestart, ipv6_address_mode, |
|
|
|
ipv6_ra_mode, create_instance=True, |
|
|
|
set_gateway=True, slaac=False, |
|
|
|
ipv6cidr=None, cidr=None, |
|
|
|
security_groups=None, **kwargs): |
|
|
|
""" |
|
|
|
Create Topo where 1 logical switches which is |
|
|
|
connected via tier-1 router. |
|
|
|
""" |
|
|
|
rtr_name = data_utils.rand_name(name='tempest-router') |
|
|
|
network_name = data_utils.rand_name(name='tempest-net') |
|
|
|
subnet_name = data_utils.rand_name(name='tempest-subnet') |
|
|
|
router_state = self.create_topology_router(rtr_name, |
|
|
|
set_gateway=set_gateway, |
|
|
|
**kwargs) |
|
|
|
network_state = self.create_topology_network(network_name) |
|
|
|
subnet_state = self.create_topology_subnet( |
|
|
|
subnet_name, network_state, |
|
|
|
router_id=router_state["id"], cidr=cidr) |
|
|
|
subnet_v6 = self._create_ipv6_subnet( |
|
|
|
network_state, cidr=ipv6cidr, slaac=slaac, |
|
|
|
ipv6_address_mode=ipv6_address_mode, |
|
|
|
ipv6_ra_mode=ipv6_ra_mode, |
|
|
|
router_id=router_state["id"]) |
|
|
|
time.sleep(constants.NSX_NETWORK_REALISE_TIMEOUT) |
|
|
|
if create_instance: |
|
|
|
image_id = self.get_glance_image_id(["cirros", "esx"]) |
|
|
|
self.create_topology_instance( |
|
|
|
"state_vm_1", [network_state], |
|
|
|
create_floating_ip=True, image_id=image_id, |
|
|
|
clients=self.cmgr_adm, |
|
|
|
security_groups=security_groups) |
|
|
|
self.create_topology_instance( |
|
|
|
"state_vm_2", [network_state], |
|
|
|
create_floating_ip=True, image_id=image_id, |
|
|
|
clients=self.cmgr_adm, |
|
|
|
security_groups=security_groups) |
|
|
|
topology_dict = dict(router_state=router_state, |
|
|
|
network_state=network_state, |
|
|
|
subnet_state=subnet_state, |
|
|
|
subnet_v6=subnet_v6) |
|
|
|
return topology_dict |
|
|
|
|
|
|
|
@decorators.idempotent_id('2317449c-14ca-1428-a428-09956daa46c3') |
|
|
|
def test_allowed_address_cidr_octavia_lb(self): |
|
|
|
""" |
|
|
|
Create NAT and Firewall rules on router. |
|
|
|
Verify order of NAT and Firewall. |
|
|
|
""" |
|
|
|
kwargs = {"enable_snat": True} |
|
|
|
network_name = data_utils.rand_name(name='tempest-net') |
|
|
|
subnet_name = data_utils.rand_name(name='tempest-subnet') |
|
|
|
router_state = self.create_topology_router( |
|
|
|
set_gateway=True, |
|
|
|
routers_client=self.cmgr_adm.routers_client, **kwargs) |
|
|
|
network_state = self.create_topology_network( |
|
|
|
network_name, networks_client=self.cmgr_adm.networks_client) |
|
|
|
subnet_state = self.create_topology_subnet( |
|
|
|
subnet_name, network_state, |
|
|
|
subnets_client=self.cmgr_adm.subnets_client) |
|
|
|
time.sleep(constants.NSX_NETWORK_REALISE_TIMEOUT) |
|
|
|
self.cmgr_adm.routers_client.add_router_interface( |
|
|
|
router_state['id'], subnet_id=subnet_state["id"]) |
|
|
|
self.addCleanup(test_utils.call_and_ignore_notfound_exc, |
|
|
|
self.cmgr_adm.routers_client.remove_router_interface, |
|
|
|
router_state['id'], subnet_id=subnet_state["id"]) |
|
|
|
sec_rule_client = self.cmgr_adm.security_group_rules_client |
|
|
|
sec_client = self.cmgr_adm.security_groups_client |
|
|
|
kwargs = dict(tenant_id=network_state['tenant_id'], |
|
|
|
security_group_rules_client=sec_rule_client, |
|
|
|
security_groups_client=sec_client) |
|
|
|
self.sg = self._create_security_group( |
|
|
|
security_group_rules_client=self.cmgr_adm. |
|
|
|
security_group_rules_client, |
|
|
|
security_groups_client=self.cmgr_adm.security_groups_client) |
|
|
|
lbaas_rules = [dict(direction='ingress', protocol='tcp', |
|
|
|
port_range_min=constants.HTTP_PORT, |
|
|
|
port_range_max=constants.HTTP_PORT, ), |
|
|
|
dict(direction='ingress', protocol='tcp', |
|
|
|
port_range_min=443, port_range_max=443, ), |
|
|
|
dict(direction='ingress', protocol='tcp', |
|
|
|
port_range_min=constants.HTTP_PORT, |
|
|
|
port_range_max=constants.HTTP_PORT, |
|
|
|
ethertype='IPv6'), |
|
|
|
dict(direction='ingress', protocol='tcp', |
|
|
|
port_range_min=443, port_range_max=443, |
|
|
|
ethertype='IPv6')] |
|
|
|
for rule in lbaas_rules: |
|
|
|
self.add_security_group_rule( |
|
|
|
self.sg, |
|
|
|
rule, |
|
|
|
ruleclient=self.cmgr_adm.security_group_rules_client, |
|
|
|
secclient=self.cmgr_adm.security_groups_client, |
|
|
|
tenant_id=network_state['tenant_id']) |
|
|
|
security_groups = [{'name': self.sg['name']}] |
|
|
|
image_id = self.get_glance_image_id(["cirros", "esx"]) |
|
|
|
self.create_topology_instance( |
|
|
|
"state_vm_1", [network_state], |
|
|
|
create_floating_ip=True, image_id=image_id, clients=self.cmgr_adm, |
|
|
|
security_groups=security_groups) |
|
|
|
self.create_topology_instance( |
|
|
|
"state_vm_2", [network_state], |
|
|
|
create_floating_ip=True, image_id=image_id, clients=self.cmgr_adm, |
|
|
|
security_groups=security_groups) |
|
|
|
self.start_web_servers(constants.HTTP_PORT) |
|
|
|
lb_cist = self.create_project_octavia( |
|
|
|
protocol_type="HTTP", protocol_port="80", |
|
|
|
lb_algorithm="LEAST_CONNECTIONS", |
|
|
|
vip_net_id=network_state['id']) |
|
|
|
allowed_cidrs = {'allowed_cidrs': ['3.0.0.0/24', '4.0.0.0/24']} |
|
|
|
self.octavia_admin_listener_client.\ |
|
|
|
update_octavia_listener(lb_cist['listener_id'], |
|
|
|
listener_data=allowed_cidrs)['listener'] |
|
|
|
time.sleep(constants.NSX_NETWORK_REALISE_TIMEOUT) |
|
|
|
self.check_project_lbaas(no_resp=True) |
|
|
|
out = os.popen("sudo ifconfig eth1 | grep 'inet'" |
|
|
|
"| awk {'print$2'} | " |
|
|
|
"cut -f2 -d':'").read().strip() |
|
|
|
allowed_cidrs = {'allowed_cidrs': ['%s/24' % out]} |
|
|
|
self.octavia_admin_listener_client.\ |
|
|
|
update_octavia_listener(lb_cist['listener_id'], |
|
|
|
listener_data=allowed_cidrs)['listener'] |
|
|
|
time.sleep(constants.NSX_NETWORK_REALISE_TIMEOUT) |
|
|
|
self.check_project_lbaas(no_resp=False) |
|
|
|
self.delete_octavia_lb_resources(lb_cist['lb_id']) |
|
|
|
|
|
|
|
@decorators.idempotent_id('2317449c-14ca-1428-a428-09956daa46c3') |
|
|
|
def test_allowed_address_ipv6_cidr_octavia_lb(self): |
|
|
|
""" |
|
|
|
Create NAT and Firewall rules on router. |
|
|
|
Verify order of NAT and Firewall. |
|
|
|
""" |
|
|
|
kwargs = {"enable_snat": True} |
|
|
|
mode = "dhcpv6-stateless" |
|
|
|
network_name = data_utils.rand_name(name='tempest-net') |
|
|
|
subnet_name = data_utils.rand_name(name='tempest-subnet') |
|
|
|
router_name = data_utils.rand_name(name='tempest-router') |
|
|
|
network_state1 = self.create_topology_network( |
|
|
|
network_name, networks_client=self.cmgr_adm.networks_client) |
|
|
|
time.sleep(constants.NSX_NETWORK_REALISE_TIMEOUT) |
|
|
|
sec_rule_client = self.cmgr_adm.security_group_rules_client |
|
|
|
sec_client = self.cmgr_adm.security_groups_client |
|
|
|
kwargs = dict(tenant_id=network_state1['tenant_id'], |
|
|
|
security_group_rules_client=sec_rule_client, |
|
|
|
security_groups_client=sec_client) |
|
|
|
self.sg = self._create_security_group( |
|
|
|
security_group_rules_client=self.cmgr_adm. |
|
|
|
security_group_rules_client, |
|
|
|
security_groups_client=self.cmgr_adm.security_groups_client) |
|
|
|
lbaas_rules = [dict(direction='ingress', protocol='tcp'), |
|
|
|
dict(direction='ingress', protocol='tcp', |
|
|
|
ethertype='IPv6'), |
|
|
|
dict(direction='egress', protocol='tcp', |
|
|
|
ethertype='IPv6'), |
|
|
|
dict(direction='egress', protocol='tcp')] |
|
|
|
for rule in lbaas_rules: |
|
|
|
self.add_security_group_rule( |
|
|
|
self.sg, |
|
|
|
rule, |
|
|
|
ruleclient=self.cmgr_adm.security_group_rules_client, |
|
|
|
secclient=self.cmgr_adm.security_groups_client, |
|
|
|
tenant_id=network_state1['tenant_id']) |
|
|
|
kwargs = {"admin_state_up": "True"} |
|
|
|
security_groups = [{'name': self.sg['name']}] |
|
|
|
topology_dict = self.create_topo_single_dhcpv6_network( |
|
|
|
"allowed_address_cidr", create_instance=True, |
|
|
|
set_gateway=True, |
|
|
|
ipv6_ra_mode=mode, ipv6_address_mode=mode, |
|
|
|
ipv6cidr="1300::/64", cidr="13.0.0.0/24", |
|
|
|
security_groups=security_groups, **kwargs) |
|
|
|
subnetipv6_state = topology_dict['subnet_v6'] |
|
|
|
router_state1 = self.create_topology_router( |
|
|
|
router_name, set_gateway=True, |
|
|
|
routers_client=self.cmgr_adm.routers_client, **kwargs) |
|
|
|
self.create_topology_subnet( |
|
|
|
subnet_name, network_state1, |
|
|
|
subnets_client=self.cmgr_adm.subnets_client, |
|
|
|
cidr="35.0.0.0/24", router_id=router_state1["id"]) |
|
|
|
mode = "dhcpv6-stateless" |
|
|
|
self._create_ipv6_subnet( |
|
|
|
network_state1, cidr="3500::/64", slaac=False, |
|
|
|
ipv6_address_mode=mode, |
|
|
|
ipv6_ra_mode=mode, |
|
|
|
router_id=router_state1["id"]) |
|
|
|
network_name = data_utils.rand_name(name='tempest-net') |
|
|
|
subnet_name = data_utils.rand_name(name='tempest-subnet') |
|
|
|
router_name = data_utils.rand_name(name='tempest-router') |
|
|
|
network_state2 = self.create_topology_network( |
|
|
|
network_name, networks_client=self.cmgr_adm.networks_client) |
|
|
|
router_state2 = self.create_topology_router( |
|
|
|
router_name, set_gateway=True, |
|
|
|
routers_client=self.cmgr_adm.routers_client, **kwargs) |
|
|
|
self.create_topology_subnet( |
|
|
|
subnet_name, network_state2, |
|
|
|
subnets_client=self.cmgr_adm.subnets_client, |
|
|
|
cidr="46.0.0.0/24", router_id=router_state2["id"]) |
|
|
|
self._create_ipv6_subnet( |
|
|
|
network_state2, cidr="4600::/64", slaac=False, |
|
|
|
ipv6_address_mode=mode, |
|
|
|
ipv6_ra_mode=mode, |
|
|
|
router_id=router_state2["id"]) |
|
|
|
time.sleep(constants.NSX_NETWORK_REALISE_TIMEOUT) |
|
|
|
self.start_web_servers(constants.HTTP_PORT) |
|
|
|
lb_cist = self.create_project_octavia( |
|
|
|
protocol_type="HTTP", protocol_port="80", |
|
|
|
lb_algorithm="LEAST_CONNECTIONS", |
|
|
|
vip_subnet_id=subnetipv6_state['id'], |
|
|
|
create_fip=False, ipv6=True) |
|
|
|
security_groups = [{'name': self.sg['name']}] |
|
|
|
image_id = self.get_glance_image_id(["cirros", "esx"]) |
|
|
|
server3 = self.create_topology_instance( |
|
|
|
"state_vm_3", [network_state1], |
|
|
|
create_floating_ip=True, image_id=image_id, clients=self.cmgr_adm, |
|
|
|
security_groups=security_groups) |
|
|
|
server4 = self.create_topology_instance( |
|
|
|
"state_vm_4", [network_state2], |
|
|
|
create_floating_ip=True, image_id=image_id, clients=self.cmgr_adm, |
|
|
|
security_groups=security_groups) |
|
|
|
allowed_cidrs = {'allowed_cidrs': ['3500::/64', '4600::/64']} |
|
|
|
self.octavia_admin_listener_client.\ |
|
|
|
update_octavia_listener(lb_cist['listener_id'], |
|
|
|
listener_data=allowed_cidrs)['listener'] |
|
|
|
fip1 = server3["floating_ips"][0]["floating_ip_address"] |
|
|
|
fip2 = server4["floating_ips"][0]["floating_ip_address"] |
|
|
|
ssh_client = remote_client.RemoteClient( |
|
|
|
fip1, 'cirros', 'gocubsgo') |
|
|
|
command = "curl http://[%s]" % lb_cist['loadbalancer']['vip_address'] |
|
|
|
for i in range(4): |
|
|
|
data = ssh_client.exec_command(command) |
|
|
|
self.assertIn(data, ['state_vm_1', 'state_vm_2']) |
|
|
|
time.sleep(constants.NSXP_BACKEND_SMALL_TIME_INTERVAL) |
|
|
|
ssh_client = remote_client.RemoteClient( |
|
|
|
fip2, 'cirros', 'gocubsgo') |
|
|
|
command = "curl http://[%s]" % lb_cist['loadbalancer']['vip_address'] |
|
|
|
for i in range(4): |
|
|
|
data = ssh_client.exec_command(command) |
|
|
|
self.assertIn(data, ['state_vm_1', 'state_vm_2']) |
|
|
|
allowed_cidrs = {'allowed_cidrs': ["6700::/64"]} |
|
|
|
self.octavia_admin_listener_client.\ |
|
|
|
update_octavia_listener(lb_cist['listener_id'], |
|
|
|
listener_data=allowed_cidrs)['listener'] |
|
|
|
fip1 = server3["floating_ips"][0]["floating_ip_address"] |
|
|
|
fip2 = server4["floating_ips"][0]["floating_ip_address"] |
|
|
|
ssh_client = remote_client.RemoteClient( |
|
|
|
fip1, 'cirros', 'gocubsgo') |
|
|
|
command = "curl http://[%s]" % lb_cist['loadbalancer']['vip_address'] |
|
|
|
time.sleep(constants.NSXP_BACKEND_SMALL_TIME_INTERVAL) |
|
|
|
for i in range(4): |
|
|
|
self.assertRaises( |
|
|
|
exceptions.SSHExecCommandFailed, |
|
|
|
ssh_client.exec_command, command) |
|
|
|
time.sleep(constants.NSXP_BACKEND_SMALL_TIME_INTERVAL) |
|
|
|
ssh_client = remote_client.RemoteClient( |
|
|
|
fip2, 'cirros', 'gocubsgo') |
|
|
|
command = "curl http://[%s]" % lb_cist['loadbalancer']['vip_address'] |
|
|
|
for i in range(4): |
|
|
|
self.assertRaises( |
|
|
|
exceptions.SSHExecCommandFailed, |
|
|
|
ssh_client.exec_command, command) |
|
|
|
allowed_cidrs = {'allowed_cidrs': []} |
|
|
|
self.octavia_admin_listener_client.\ |
|
|
|
update_octavia_listener(lb_cist['listener_id'], |
|
|
|
listener_data=allowed_cidrs)['listener'] |
|
|
|
fip1 = server3["floating_ips"][0]["floating_ip_address"] |
|
|
|
fip2 = server4["floating_ips"][0]["floating_ip_address"] |
|
|
|
ssh_client = remote_client.RemoteClient( |
|
|
|
fip1, 'cirros', 'gocubsgo') |
|
|
|
command = "curl http://[%s]" % lb_cist['loadbalancer']['vip_address'] |
|
|
|
time.sleep(constants.NSXP_BACKEND_SMALL_TIME_INTERVAL) |
|
|
|
for i in range(4): |
|
|
|
data = ssh_client.exec_command(command) |
|
|
|
self.assertIn(data, ['state_vm_1', 'state_vm_2']) |
|
|
|
time.sleep(constants.NSXP_BACKEND_SMALL_TIME_INTERVAL) |
|
|
|
ssh_client = remote_client.RemoteClient( |
|
|
|
fip2, 'cirros', 'gocubsgo') |
|
|
|
command = "curl http://[%s]" % lb_cist['loadbalancer']['vip_address'] |
|
|
|
for i in range(4): |
|
|
|
data = ssh_client.exec_command(command) |
|
|
|
self.assertIn(data, ['state_vm_1', 'state_vm_2']) |
|
|
|
self.delete_octavia_lb_resources(lb_cist['lb_id']) |