Remove vmware_nsx_tempest
This now exists in the vmware_nsx_tempest_plugin Change-Id: I76e5856deeeb06b87675314635d06aa0291143eb Depends-On: I804c3fd1e0c9cbeb454677e7951072ad74391fec
parent
02c28ee5ea
commit
508c6262a2
@ -21,8 +21,6 @@ classifier =
|
||||
[files]
|
||||
packages =
|
||||
vmware_nsx
|
||||
vmware_nsx_tempest
|
||||
|
||||
[entry_points]
|
||||
console_scripts =
|
||||
neutron-check-nsx-config = vmware_nsx.check_nsx_config:main
|
||||
@ -53,8 +51,6 @@ vmware_nsx.neutron.nsxv.router_type_drivers =
|
||||
shared = vmware_nsx.plugins.nsx_v.drivers.shared_router_driver:RouterSharedDriver
|
||||
distributed = vmware_nsx.plugins.nsx_v.drivers.distributed_router_driver:RouterDistributedDriver
|
||||
exclusive = vmware_nsx.plugins.nsx_v.drivers.exclusive_router_driver:RouterExclusiveDriver
|
||||
tempest.test_plugins =
|
||||
vmware-nsx-tempest-plugin = vmware_nsx_tempest.plugin:VMwareNsxTempestPlugin
|
||||
oslo.config.opts =
|
||||
nsx = vmware_nsx.opts:list_opts
|
||||
networking_sfc.flowclassifier.drivers =
|
||||
|
@ -59,23 +59,10 @@ check_identical_policy_files () {
|
||||
fi
|
||||
}
|
||||
|
||||
check_no_duplicate_api_test_idempotent_ids() {
|
||||
# For API tests, an idempotent ID is assigned to each single API test,
|
||||
# those IDs should be unique
|
||||
output=$(check-uuid --package vmware_nsx_tempest)
|
||||
if [ "$?" -ne 0 ]; then
|
||||
echo "There are duplicate idempotent ids in the API tests" >>$FAILURES
|
||||
echo "please, assign unique uuids to each API test:" >>$FAILURES
|
||||
echo "$output" >>$FAILURES
|
||||
fi
|
||||
}
|
||||
|
||||
# Add your checks here...
|
||||
check_no_symlinks_allowed
|
||||
check_pot_files_errors
|
||||
#check_identical_policy_files
|
||||
# Remove the comment below when we figure out how to consume pyshark
|
||||
#check_no_duplicate_api_test_idempotent_ids
|
||||
|
||||
# Fail, if there are emitted failures
|
||||
if [ -f $FAILURES ]; then
|
||||
|
1
tox.ini
1
tox.ini
@ -106,7 +106,6 @@ import-order-style = pep8
|
||||
|
||||
[hacking]
|
||||
import_exceptions = vmware_nsx._i18n,
|
||||
vmware_nsx_tempest._i18n
|
||||
local-check-factory = neutron_lib.hacking.checks.factory
|
||||
|
||||
[testenv:genconfig]
|
||||
|
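Review bot: The `import_exceptions` value under `[hacking]` appears to be left with a dangling trailing comma. The hunk header (7 lines before, 6 after) shows one line removed and none added, so if the dropped line is the `vmware_nsx_tempest._i18n` continuation, the surviving entry is `import_exceptions = vmware_nsx._i18n,` with nothing after the comma. Comma-separated option parsers usually tolerate the empty trailing element, so this is probably harmless, but it reads as an unfinished list and invites a stray entry later. I would change it to `import_exceptions = vmware_nsx._i18n` in the same commit.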
@ -1,92 +0,0 @@
|
||||
Welcome!
|
||||
========
|
||||
vmware_nsx_tempest is a plugin module to openstack tempest project.
|
||||
|
||||
If you are not familiar with tempest, please refer to::
|
||||
|
||||
https://docs.openstack.org/developer/tempest
|
||||
|
||||
It is implemented with tempest external plugin.
|
||||
The official design sepcification is at::
|
||||
|
||||
https://review.openstack.org/#/c/184992/
|
||||
|
||||
Overview
|
||||
========
|
||||
|
||||
vmware_nsx_tempest hosts vmware_nsx's functional api and scenario tests.
|
||||
|
||||
All vmware_nsx_tempest tests are in "master" branch. For this reason,
|
||||
it is recommended to have your own developer version of vmware-nsx repo
|
||||
installed outside the devstack folder, /opt/stack/.
|
||||
|
||||
For example at /opt/devtest folder. In doing so, you can install
|
||||
editable vmware-nsx repo under tempest VENV environemnt.
|
||||
|
||||
Installation:
|
||||
-------------
|
||||
|
||||
#. On your own development folder, for example /opt/devtest/,
|
||||
install your own tempest development env at /opt/devtest/os-tempest/::
|
||||
|
||||
$ cd /opt/devtest
|
||||
$ git clone https://github.com/openstack/tempest os-tempest
|
||||
|
||||
#. Install virtualenv with the following command::
|
||||
|
||||
$ cd /opt/devtest/os-tempest
|
||||
$ ./run_tempest.sh -u not_exist_tests
|
||||
|
||||
#. Install vmware-nsx master branch at /opt/devtest/vmware-nsx::
|
||||
|
||||
$ cd /opt/devtest
|
||||
$ git clone https://github.com/openstack/vmware-nsx
|
||||
|
||||
#. Install vmware_nsx_tempest in your tempest development environment::
|
||||
|
||||
$ cd /opt/devtest/os-tempest
|
||||
$ source .venv/bin/activate
|
||||
$ pip install -e /opt/devtest/vmware-nsx/
|
||||
|
||||
Run command::
|
||||
|
||||
$ pip show vmware-nsx
|
||||
|
||||
You should observe the following statements::
|
||||
|
||||
Location: /opt/devtest/vmware-nsx
|
||||
|
||||
and under section of Entry-points::
|
||||
|
||||
[tempest.test_plugins]
|
||||
vmware-nsx-tempest-plugin = vmware_nsx_tempest.plugin:VMwareNsxTempestPlugin
|
||||
|
||||
#. Validate installed vmware_nsx_tempest successfully do::
|
||||
|
||||
$ cd /opt/devtest/os-tempest
|
||||
$ tools/with_venv.sh testr list-tests vmware_nsx_tempest.*l2_gateway
|
||||
|
||||
Your installation failed, if no tests are shown.
|
||||
|
||||
Execution:
|
||||
----------
|
||||
|
||||
vmware_nsx_tempest tests are tempest tests, you need to
|
||||
run from tempest directory. For example, to run only l2-gateway tests::
|
||||
|
||||
$ cd /opt/devtest/os-tempest
|
||||
$ ./run_tempest.sh -t vmware_nsx_tempest.*test_l2_gateway
|
||||
$ ./run_tempest.sh -d vmware_nsx_tempest.tests.nsxv.api.test_l2_gateway_connection.L2GatewayConnectionTest.test_csuld_single_device_interface_vlan
|
||||
|
||||
TechNote on vmware_nsx_tempest:
|
||||
-------------------------------
|
||||
|
||||
vmware_nsx_tempest is a plugin to tempest, not neutron, nor vmware_nsx.
|
||||
|
||||
It is defined by tempest.test_plugins.
|
||||
|
||||
Modules within vmware_nsx_tempest can not see resources defined
|
||||
by vmware_nsx. Commands like following are not acceptable, unless
|
||||
vmware_nsx is installed in your tempest environment::
|
||||
|
||||
import vmware_nsx.shell.admin.plugins.common.utils as admin_utils
|
@ -1,32 +0,0 @@
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import oslo_i18n
|
||||
|
||||
DOMAIN = "vmware-nsx-tempest"
|
||||
|
||||
_translators = oslo_i18n.TranslatorFactory(domain=DOMAIN)
|
||||
|
||||
# The primary translation function using the well-known name "_"
|
||||
_ = _translators.primary
|
||||
|
||||
# The contextual translation function using the name "_C"
|
||||
_C = _translators.contextual_form
|
||||
|
||||
# The plural translation function using the name "_P"
|
||||
_P = _translators.plural_form
|
||||
|
||||
|
||||
def get_available_languages():
|
||||
return oslo_i18n.get_available_languages(DOMAIN)
|
@ -1,61 +0,0 @@
|
||||
# Copyright 2017 VMware, Inc.
|
||||
# All Rights Reserved
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_log import log
|
||||
|
||||
LOG = log.getLogger(__name__)
|
||||
|
||||
# General constants.
|
||||
ONE_SEC = 1
|
||||
|
||||
# L2GW constants.
|
||||
L2GW = "l2_gateway"
|
||||
L2GWS = L2GW + "s"
|
||||
L2_GWS_BASE_URI = "/l2-gateways"
|
||||
EXPECTED_HTTP_RESPONSE_200 = "200"
|
||||
EXPECTED_HTTP_RESPONSE_201 = "201"
|
||||
EXPECTED_HTTP_RESPONSE_204 = "204"
|
||||
L2GWC = "l2_gateway_connection"
|
||||
|
||||
# MAC Learning constants
|
||||
MAC_SW_PROFILE = "MacManagementSwitchingProfile"
|
||||
PORT_SEC_PROFILE = "SpoofGuardSwitchingProfile"
|
||||
SEC_GRPS_PROFILE = "SwitchSecuritySwitchingProfile"
|
||||
|
||||
# NSXV3 MDProxy constants.
|
||||
MD_ERROR_CODE_WHEN_LS_BOUNDED = "10026"
|
||||
INTERVAL_BETWEEN_EXEC_RETRY_ON_SSH = 5
|
||||
MAX_NO_OF_TIMES_EXECUTION_OVER_SSH = 30
|
||||
MD_BASE_URL = "http://169.254.169.254/"
|
||||
|
||||
# NSXV3 Port Security constants.
|
||||
NSX_BACKEND_TIME_INTERVAL = 30
|
||||
NSX_BACKEND_SMALL_TIME_INTERVAL = 10
|
||||
NSX_BACKEND_VERY_SMALL_TIME_INTERVAL = 5
|
||||
|
||||
# DFW
|
||||
NSX_FIREWALL_REALIZED_TIMEOUT = 120
|
||||
|
||||
# FWaaS
|
||||
NO_OF_ENTRIES = 20
|
||||
EXCLUSIVE_ROUTER = 'exclusive'
|
||||
DISTRIBUTED_ROUTER = 'distributed'
|
||||
TCP_PROTOCOL = 'tcp'
|
||||
ICMP_PROTOCOL = 'icmp'
|
||||
|
||||
# NSXV3 Firewall
|
||||
NSX_FIREWALL_REALIZED_DELAY = 2
|
||||
|
||||
APPLIANCE_NAME_STARTS_WITH = "vmw_"
|
@ -1,199 +0,0 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
from tempest import config
|
||||
|
||||
service_option = cfg.BoolOpt("vmware_nsx",
|
||||
default=True,
|
||||
help="Whether or not vmware_nsx is expected to be"
|
||||
" available")
|
||||
|
||||
scenario_group = config.scenario_group
|
||||
ScenarioGroup = [
|
||||
cfg.FloatOpt('waitfor_disassoc',
|
||||
default=15.0,
|
||||
help="Wait for seconds after disassociation."),
|
||||
cfg.FloatOpt('waitfor_assoc',
|
||||
default=5.0,
|
||||
help="Waitfor seconds after association."),
|
||||
cfg.FloatOpt('waitfor_connectivity',
|
||||
default=120.0,
|
||||
help="Wait for seconds to become connected."),
|
||||
cfg.ListOpt('outside_world_servers',
|
||||
default=["8.8.8.8", "8.8.4.4"],
|
||||
help="List of servers reside outside of openstack env."
|
||||
" which is used to test default gateway behavior"
|
||||
" when VMs are under logical routers,"
|
||||
" & DNS are local to provider's settings."),
|
||||
cfg.DictOpt('flat_alloc_pool_dict',
|
||||
default={},
|
||||
help="Define flat network ip range."
|
||||
" required attributes are gateway, start, end"
|
||||
" and cidr. Example value: gateway:10.1.1.253,"
|
||||
" start:10.1.1.30,end:10.1.1.49,cidr=10.1.1.0/24"),
|
||||
cfg.DictOpt('xnet_multiple_subnets_dict',
|
||||
default={},
|
||||
help="External network with multiple subnets."
|
||||
" The primary subnet ip-range will be shrinked,"
|
||||
" This is for the 2nd subnet, required attrs:"
|
||||
" start:10.1.1.31,end:10.1.1.33,cidr=10.1.2.0/24"
|
||||
" AND limit to only 3 ip addresses defined."),
|
||||
]
|
||||
|
||||
network_group = config.network_group
|
||||
NetworkGroup = [
|
||||
cfg.StrOpt('l2gw_switch',
|
||||
default='',
|
||||
help="Distributed Virtual Portgroup to create VLAN port."),
|
||||
cfg.DictOpt('l2gw_switch_dict',
|
||||
default={},
|
||||
help="dict version of l2gw_switch:"
|
||||
"device_name:,interfaces:,segmentation_id:,"),
|
||||
cfg.StrOpt('dns_search_domain',
|
||||
default='vmware.com',
|
||||
help="a valid domain that contains host defined at"
|
||||
" attribute host_in_search_domain"),
|
||||
cfg.StrOpt('host_in_search_domain',
|
||||
default='mail',
|
||||
help="host exists in dns_search_domain"),
|
||||
cfg.StrOpt('public_network_cidr',
|
||||
default='',
|
||||
help="Public network cidr which provides external network"
|
||||
" connectivity"),
|
||||
cfg.StrOpt('backend',
|
||||
default='nsxv',
|
||||
help="NSX backend, valid values are nsxv|nsxv3"),
|
||||
]
|
||||
|
||||
nsxv_group = cfg.OptGroup(name='nsxv',
|
||||
title="NSX-v Configuration Options")
|
||||
NSXvGroup = [
|
||||
cfg.StrOpt('manager_uri',
|
||||
default='https://10.0.0.10',
|
||||
help="NSX-v manager ip address"),
|
||||
cfg.StrOpt('user',
|
||||
default='admin',
|
||||
help="NSX-v manager username"),
|
||||
cfg.StrOpt('password',
|
||||
default='default',
|
||||
help="NSX-v manager password"),
|
||||
cfg.StrOpt('vdn_scope_id',
|
||||
default='vdnscope-1',
|
||||
help="NSX-v vdn scope id"),
|
||||
cfg.IntOpt('max_mtz',
|
||||
default=3,
|
||||
help="Max Multiple Transport Zones used for testing."),
|
||||
cfg.DictOpt('flat_alloc_pool_dict',
|
||||
default={},
|
||||
help=" Define flat network ip range."
|
||||
" required attributes are gateway, start, end"
|
||||
" and cidr. Example value: gateway:10.1.1.253,"
|
||||
" start:10.1.1.30,end:10.1.1.49,cidr=10.1.1.0/24"),
|
||||
cfg.StrOpt('vlan_physical_network',
|
||||
default='',
|
||||
help="physval_network to create vlan."),
|
||||
cfg.IntOpt('provider_vlan_id',
|
||||
default=888,
|
||||
help="The default vlan_id for admin vlan."),
|
||||
cfg.IntOpt('create_router_http_timeout',
|
||||
default=900,
|
||||
help="Specific for router_size tests. This value defines"
|
||||
" how long http.request should retry."),
|
||||
cfg.BoolOpt('no_router_type',
|
||||
default=False,
|
||||
help="router_type is NSXv extension."
|
||||
"Set it to True allow tests to remove this attribute"
|
||||
" when creating router."),
|
||||
cfg.ListOpt('bugs_to_resolve',
|
||||
default=[],
|
||||
help="Bugs to be resolved. Define this at tempest.conf and"
|
||||
" test case testtools.skipIf(condition, reasons) to"
|
||||
" skip test cannot be run at specific plugin env."),
|
||||
cfg.StrOpt('default_policy_id',
|
||||
default='',
|
||||
help="NSX security-policy ID used to create all tenants"
|
||||
" default security-group-policy."
|
||||
" This must be the same as the one at vmware/nsx.ini"),
|
||||
cfg.StrOpt('alt_policy_id',
|
||||
default='',
|
||||
help="NSX security-policy ID used to create the 2nd"
|
||||
" security-group-policy, and != default_policy_id."),
|
||||
cfg.BoolOpt('allow_tenant_rules_with_policy',
|
||||
default=False,
|
||||
help="Default=False; a tenant cannot create security-group."
|
||||
" If True, tenant can create non-policy security-group."
|
||||
" Sync this value with nsx.ini file."),
|
||||
]
|
||||
|
||||
|
||||
l2gw_group = cfg.OptGroup(name='l2gw',
|
||||
title="l2-gateway Configuration Options")
|
||||
L2gwGroup = [
|
||||
cfg.DictOpt('vlan_subnet_ipv4_dict',
|
||||
default={},
|
||||
help="Tenant's VLAN subnet cdir to connect to l2gw/VXLAN."
|
||||
" Example: cidr=192.168.99.0/24,start:192.168.99.41"
|
||||
" ,end:192.168.99.50,gateway=192.168.99.253"),
|
||||
cfg.StrOpt('device_one_vlan',
|
||||
default="",
|
||||
help="l2g2 device with one VLAN"
|
||||
" l2gw-1::dvportgroup-14420|3845"),
|
||||
cfg.StrOpt('device_multiple_vlans',
|
||||
default="",
|
||||
help="l2gw device with multiple VLANs"
|
||||
" l2gw-x::dvportgroup-14429|3880#3381#3382"),
|
||||
cfg.StrOpt('multiple_interfaces_multiple_vlans',
|
||||
default="",
|
||||
help="l2gw multiple devices, interface has multiple VLANs"
|
||||
" m-ifs::dvportgroup-144|138#246;dvportgroup-155|339"),
|
||||
cfg.StrOpt('vlan_1',
|
||||
default="16",
|
||||
help="VLAN id"),
|
||||
cfg.StrOpt('vlan_2',
|
||||
default="17",
|
||||
help="VLAN id"),
|
||||
cfg.StrOpt("subnet_1_cidr",
|
||||
default="192.168.1.0/24",
|
||||
help="Subnet 1 network cidr."
|
||||
"Example: 1.1.1.0/24"),
|
||||
cfg.StrOpt('vm_on_vds_tz1_vlan16_ip',
|
||||
default="192.168.1.203",
|
||||
help="IPv4 IP address of VM3"),
|
||||
cfg.StrOpt('vm_on_switch_vlan16',
|
||||
default="192.168.1.204",
|
||||
help="IPv4 IP address of VM4"),
|
||||
cfg.StrOpt('vm_on_vds_tz2_vlan16_ip',
|
||||
default="192.168.1.205",
|
||||
help="IPv4 IP address of VM5"),
|
||||
cfg.StrOpt('vm_on_vds_tz2_vlan17_ip',
|
||||
default="192.168.1.206",
|
||||
help="IPv4 IP address of VM6"),
|
||||
]
|
||||
|
||||
nsxv3_group = cfg.OptGroup(name='nsxv3',
|
||||
title="NSXv3 Configuration Options")
|
||||
|
||||
NSXv3Group = [
|
||||
cfg.StrOpt('nsx_manager',
|
||||
default='',
|
||||
help="NSX manager IP address"),
|
||||
cfg.StrOpt('nsx_user',
|
||||
default='admin',
|
||||
help="NSX manager username"),
|
||||
cfg.StrOpt('nsx_password',
|
||||
default='default',
|
||||
help="NSX manager password"),
|
||||
cfg.BoolOpt('native_dhcp_metadata',
|
||||
default=False,
|
||||
help="Enable or disable Native DHCP and MDProxy for nsxv3"),
|
||||
]
|
@ -1,90 +0,0 @@
|
||||
Admin Policy
|
||||
============
|
||||
|
||||
Admin policy, neutron extension secuirty-group-policy provides organization
|
||||
to enforce traffic forwarding utilizing NSX security policy.
|
||||
|
||||
The "Admin Policy" feature is admin priviledge, normal project/tenant is not
|
||||
able to create security-group-policy.
|
||||
|
||||
This feature can be enabled from devstack or manually.
|
||||
|
||||
Enable security-group-policy extention at bring up devstack
|
||||
===========================================================
|
||||
|
||||
You can enable security-group-policy when starting up devstack.
|
||||
However, if the policy-id does not exist, starting will fail.
|
||||
|
||||
To enable it, add the following tokens to local.conf:
|
||||
|
||||
NSXV_USE_NSX_POLICIES=True
|
||||
NSXV_DEFAULT_POLICY_ID=policy-11
|
||||
NSXV_ALLOW_TENANT_RULES_WITH_POLICY=True
|
||||
|
||||
Change values according to your needs though.
|
||||
|
||||
Enable security-group-policy extention manually
|
||||
===============================================
|
||||
|
||||
Instruction is from the view of devstack
|
||||
|
||||
#. Add following items to /etc/neutron/policy.json::
|
||||
|
||||
"create_security_group:logging": "rule:admin_only",
|
||||
"update_security_group:logging": "rule:admin_only",
|
||||
"get_security_group:logging": "rule:admin_only",
|
||||
"create_security_group:provider": "rule:admin_only",
|
||||
"create_port:provider_security_groups": "rule:admin_only",
|
||||
"create_security_group:policy": "rule:admin_only",
|
||||
"update_security_group:policy": "rule:admin_only",
|
||||
|
||||
#. Add following key=value pair to session [nsxv] of /etc/neutron/plugin/vmware/nsx.ini::
|
||||
|
||||
use_nsx_policies = True
|
||||
default_policy_id = policy-11
|
||||
allow_tenant_rules_with_policy = False
|
||||
|
||||
# NOTE: For automation, set allow_tenant_rules_with_policy to True
|
||||
|
||||
tempest.conf
|
||||
============
|
||||
|
||||
At session [nsxv] add the following 3 key=value pair:
|
||||
|
||||
default_policy_id = policy-11
|
||||
alt_policy_id = policy-22
|
||||
allow_tenant_rules_with_policy = False
|
||||
|
||||
# NOTE: default_policy_id and allow_tenant_rules_with_policy need to match nsx.ini
|
||||
|
||||
default_policy_id and alt_policy_id:
|
||||
|
||||
For API tests, both must exist at NSX.
|
||||
|
||||
For scenario tests, please refer to nsxv/scenario/test_admin_policy_basic_ops.py
|
||||
|
||||
In short::
|
||||
|
||||
policy-11 (policy-AA at script & test-plan) firewall rules::
|
||||
action-1: dhcp-in/any/policy-security-groups/dhcp/Allow
|
||||
action-2: dhcp-out/policy-security-groups/dhcp/Allow
|
||||
action-3: ping-in/any/policy-security-groups/ICMP/Allow
|
||||
action-4: ping-out/policy-security-groups/any/ICMP/Allow/
|
||||
action-5: ssh-in/any/policy-security-groups/SSH/Allow/
|
||||
action-6: ssh-in/any/policy-security-groups/SSH/Allow/
|
||||
action-7: http-ok/any/policy-security-groups/HTTP,HTTPS/Allow/
|
||||
action-8: sorry-nothing-allowed/any/policy-security-groups/Any/Reject
|
||||
|
||||
You can import policy-AA to NSX using the admin-policy-AA.blueprint
|
||||
|
||||
policy-22 (policy-BB at script & test-plan) firewall rules::
|
||||
action-1: dhcp-in/any/policy-security-groups/dhcp/Allow
|
||||
action-2: dhcp-out/policy-security-groups/dhcp/Allow
|
||||
action-3: group-ping/policy-security-groups/policy-security-groups/ICMP/Allow/
|
||||
action-4: ssh-in/any/policy-security-groups/SSH/Allow/
|
||||
action-5: ssh-in/any/policy-security-groups/SSH/Allow/
|
||||
action-6: http-ok/any/policy-security-groups/HTTP,HTTPS/Allow/
|
||||
pction-7: sorry-nothing-allowed/any/policy-security-groups/Any/Reject
|
||||
|
||||
NOTE on ping: same as policy-11 but only allowed from policy-security-groups
|
||||
You can import policy-BB to NSX using the admin-policy-BB.blueprint
|
@ -1,74 +0,0 @@
|
||||
Overview
|
||||
========
|
||||
|
||||
This document describes what LBaaS tests are not supported at different
|
||||
NSX plugin's and backends.
|
||||
|
||||
NOTE::
|
||||
|
||||
All LBaaS API & Scenario tests should PASS with exceptions
|
||||
due to NSX plugins and features supported by backend.
|
||||
|
||||
For how tests can be skipped for specific plugin and backend,
|
||||
please refer to paragraph "Config for Test Execution".
|
||||
|
||||
NOTE::
|
||||
|
||||
We no longer support LBaaS v1. So this document and LBaaS tests
|
||||
only applys to releases from Mitaka/Marvin or later.
|
||||
|
||||
Limitation:
|
||||
-----------
|
||||
|
||||
NSX-v with VMware LBaaS driver::
|
||||
|
||||
#. LBaaS networks need to attach to exclusive router
|
||||
#. One tenant per subnet
|
||||
#. L7 switching not supported
|
||||
|
||||
NSX-v3 with Octavia driver::
|
||||
|
||||
#. upstream implemenation - all tests should PASS.
|
||||
#. scenario tests take long time, it might fail with fixture timeout.
|
||||
|
||||
Config for Test execution:
|
||||
--------------------------
|
||||
|
||||
Following configuration attributes used to controll test execution::
|
||||
|
||||
#. no_router_type at group/session nsxv
|
||||
|
||||
Default is False, and is used to run LBaaS tests in NSX-v environment.
|
||||
To run in NSX-t environment, set it to True
|
||||
|
||||
#. bugs_to_resolve at group/session nsxv
|
||||
|
||||
For test to skip if bug-ID presented in this attribute.
|
||||
The test will use testtools.skipIf(condition, reason) to skip if its ID in the bugs_to_resolve list.
|
||||
|
||||
local.conf:
|
||||
----------
|
||||
NSX-v::
|
||||
[nsxv]
|
||||
no_router_type=False
|
||||
bugs_to_resolve=1641902,1715126,1703396,1739510
|
||||
|
||||
NSX-v3::
|
||||
[compute]
|
||||
build_timeout=900
|
||||
build_interval=2
|
||||
|
||||
[nsxv]
|
||||
no_router_type=True
|
||||
|
||||
Execution:
|
||||
----------
|
||||
|
||||
#. Use testr list-tests command to generate test suite for run API and Scenario tests::
|
||||
|
||||
tools/with_venv.sh testr list-tests nsxv.api.lbaas
|
||||
tools/with_venv.sh testr list-tests nsxv.scenarion.test_lbaas
|
||||
|
||||
#. l7 switching tests take long time to complete. If got fixture timeout, do::
|
||||
|
||||
OS_TEST_TIMEOUT=2400 ./run_tempest.sh -t test_lbaas_l7_switching_ops
|
@ -1,341 +0,0 @@
|
||||
<securityPolicyHierarchy>
|
||||
<name>admin-policy-AA</name>
|
||||
<description>8 firewall rules - ping, ssh from anywhere are OK</description>
|
||||
<securityPolicy>
|
||||
<revision>0</revision>
|
||||
<name>security-policy-AA</name>
|
||||
<description>Security Policy AA</description>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>false</inheritanceAllowed>
|
||||
<precedence>5500</precedence>
|
||||
<actionsByCategory>
|
||||
<category>firewall</category>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>dhcp-in</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>1</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<applications>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>DHCP-Client</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>UDP</applicationProtocol>
|
||||
<value>68</value>
|
||||
</element>
|
||||
</application>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>DHCP-Server</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>UDP</applicationProtocol>
|
||||
<value>67</value>
|
||||
</element>
|
||||
</application>
|
||||
</applications>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>allow</action>
|
||||
<direction>inbound</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>dhcp-out</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>2</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<applications>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>DHCP-Client</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>UDP</applicationProtocol>
|
||||
<value>68</value>
|
||||
</element>
|
||||
</application>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>DHCP-Server</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>UDP</applicationProtocol>
|
||||
<value>67</value>
|
||||
</element>
|
||||
</application>
|
||||
</applications>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>allow</action>
|
||||
<direction>outbound</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>ping-in</name>
|
||||
<description>Everyone can ping me</description>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>3</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<applications>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>ICMP Echo</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>ICMP</applicationProtocol>
|
||||
<value>echo-request</value>
|
||||
</element>
|
||||
</application>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>ICMP Redirect</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>ICMP</applicationProtocol>
|
||||
<value>redirect</value>
|
||||
</element>
|
||||
</application>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>ICMP Echo Reply</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>ICMP</applicationProtocol>
|
||||
<value>echo-reply</value>
|
||||
</element>
|
||||
</application>
|
||||
</applications>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>allow</action>
|
||||
<direction>inbound</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>ping-out</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>4</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<applications>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>ICMP Echo</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>ICMP</applicationProtocol>
|
||||
<value>echo-request</value>
|
||||
</element>
|
||||
</application>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>ICMP Redirect</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>ICMP</applicationProtocol>
|
||||
<value>redirect</value>
|
||||
</element>
|
||||
</application>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>ICMP Echo Reply</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>ICMP</applicationProtocol>
|
||||
<value>echo-reply</value>
|
||||
</element>
|
||||
</application>
|
||||
</applications>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>allow</action>
|
||||
<direction>outbound</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>ssh-in-ok</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>5</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<applications>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>SSH</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>TCP</applicationProtocol>
|
||||
<value>22</value>
|
||||
</element>
|
||||
</application>
|
||||
</applications>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>allow</action>
|
||||
<direction>inbound</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>ssh-out-ok</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>6</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<applications>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>SSH</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>TCP</applicationProtocol>
|
||||
<value>22</value>
|
||||
</element>
|
||||
</application>
|
||||
</applications>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>allow</action>
|
||||
<direction>outbound</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>HTTP-ok</name>
|
||||
<description>All can http(s) me</description>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>7</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<applications>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>HTTP</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>TCP</applicationProtocol>
|
||||
<value>80</value>
|
||||
</element>
|
||||
</application>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>HTTPS</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>TCP</applicationProtocol>
|
||||
<value>443</value>
|
||||
</element>
|
||||
</application>
|
||||
</applications>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>allow</action>
|
||||
<direction>inbound</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>sorry-nothing-allowed</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>8</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>reject</action>
|
||||
<direction>inbound</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
</actionsByCategory>
|
||||
<statusesByCategory>
|
||||
<category>firewall</category>
|
||||
<status>in_sync</status>
|
||||
</statusesByCategory>
|
||||
</securityPolicy>
|
||||
</securityPolicyHierarchy>
|
@ -1,285 +0,0 @@
|
||||
<securityPolicyHierarchy>
|
||||
<name>admin-policy-BB</name>
|
||||
<description>policy-BB, ssh from anywhere are OK, but ping limited to same security-group</description>
|
||||
<securityPolicy>
|
||||
<revision>0</revision>
|
||||
<name>security-policy-BB</name>
|
||||
<description>Security Policy BB</description>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>false</inheritanceAllowed>
|
||||
<precedence>5600</precedence>
|
||||
<actionsByCategory>
|
||||
<category>firewall</category>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>dhcp-in</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>1</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<applications>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>DHCP-Client</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>UDP</applicationProtocol>
|
||||
<value>68</value>
|
||||
</element>
|
||||
</application>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>DHCP-Server</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>UDP</applicationProtocol>
|
||||
<value>67</value>
|
||||
</element>
|
||||
</application>
|
||||
</applications>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>allow</action>
|
||||
<direction>inbound</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>dhcp-out</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>2</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<applications>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>DHCP-Client</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>UDP</applicationProtocol>
|
||||
<value>68</value>
|
||||
</element>
|
||||
</application>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>DHCP-Server</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>UDP</applicationProtocol>
|
||||
<value>67</value>
|
||||
</element>
|
||||
</application>
|
||||
</applications>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>allow</action>
|
||||
<direction>outbound</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>group-ping-ok</name>
|
||||
<description>icmp only allowed from VM with same security-policy</description>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>3</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<applications>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>ICMP Echo</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>ICMP</applicationProtocol>
|
||||
<value>echo-request</value>
|
||||
</element>
|
||||
</application>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>ICMP Redirect</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>ICMP</applicationProtocol>
|
||||
<value>redirect</value>
|
||||
</element>
|
||||
</application>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>ICMP Echo Reply</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>ICMP</applicationProtocol>
|
||||
<value>echo-reply</value>
|
||||
</element>
|
||||
</application>
|
||||
</applications>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>allow</action>
|
||||
<direction>intra</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>ssh-in-ok</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>4</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<applications>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>SSH</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>TCP</applicationProtocol>
|
||||
<value>22</value>
|
||||
</element>
|
||||
</application>
|
||||
</applications>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>allow</action>
|
||||
<direction>inbound</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>ssh-out-ok</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>5</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<applications>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>SSH</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>TCP</applicationProtocol>
|
||||
<value>22</value>
|
||||
</element>
|
||||
</application>
|
||||
</applications>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>allow</action>
|
||||
<direction>outbound</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>group-HTTP</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>6</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<applications>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>HTTP</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>TCP</applicationProtocol>
|
||||
<value>80</value>
|
||||
</element>
|
||||
</application>
|
||||
<application>
|
||||
<revision>0</revision>
|
||||
<name>HTTPS</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<inheritanceAllowed>true</inheritanceAllowed>
|
||||
<element>
|
||||
<applicationProtocol>TCP</applicationProtocol>
|
||||
<value>443</value>
|
||||
</element>
|
||||
</application>
|
||||
</applications>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>allow</action>
|
||||
<direction>intra</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
<action class="firewallSecurityAction">
|
||||
<revision>0</revision>
|
||||
<name>sorry-nothing-allowed</name>
|
||||
<clientHandle></clientHandle>
|
||||
<isUniversal>false</isUniversal>
|
||||
<universalRevision>0</universalRevision>
|
||||
<category>firewall</category>
|
||||
<executionOrder>7</executionOrder>
|
||||
<isEnabled>true</isEnabled>
|
||||
<isActionEnforced>false</isActionEnforced>
|
||||
<invalidSecondaryContainers>false</invalidSecondaryContainers>
|
||||
<invalidApplications>false</invalidApplications>
|
||||
<logged>false</logged>
|
||||
<action>reject</action>
|
||||
<direction>inbound</direction>
|
||||
<outsideSecondaryContainer>false</outsideSecondaryContainer>
|
||||
</action>
|
||||
</actionsByCategory>
|
||||
<statusesByCategory>
|
||||
<category>firewall</category>
|
||||
<status>in_sync</status>
|
||||
</statusesByCategory>
|
||||
</securityPolicy>
|
||||
</securityPolicyHierarchy>
|
@ -1,234 +0,0 @@
|
||||
# Copyright 2017 VMware Inc
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
import collections
|
||||
|
||||
import netaddr
|
||||
from oslo_log import log as logging
|
||||
|
||||
from tempest import config
|
||||
from tempest.lib.common.utils import data_utils
|
||||
from tempest.lib.common.utils import test_utils
|
||||
from tempest.lib import exceptions as lib_exc
|
||||
|
||||
from vmware_nsx_tempest.common import constants
|
||||
from vmware_nsx_tempest.tests.scenario import manager
|
||||
|
||||
CONF = config.CONF
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class ApplianceManager(manager.NetworkScenarioTest):
|
||||
server_details = collections.namedtuple('server_details',
|
||||
['server', 'floating_ip',
|
||||
'networks'])
|
||||
|
||||
def setUp(self):
|
||||
super(ApplianceManager, self).setUp()
|
||||
self.topology_routers = {}
|
||||
self.topology_networks = {}
|
||||
self.topology_subnets = {}
|
||||
self.topology_servers = {}
|
||||
self.topology_servers_floating_ip = []
|
||||
self.topology_public_network_id = CONF.network.public_network_id
|
||||
self.topology_config_drive = CONF.compute_feature_enabled.config_drive
|
||||
self.topology_keypairs = {}
|
||||
self.servers_details = {}
|
||||
|
||||
def get_internal_ips(self, server, network, device="network"):
|
||||
internal_ips = [p['fixed_ips'][0]['ip_address'] for p in
|
||||
self.os_admin.ports_client.list_ports(
|
||||
tenant_id=server['tenant_id'],
|
||||
network_id=network['id'])['ports'] if
|
||||
p['device_owner'].startswith(device)]
|
||||
return internal_ips
|
||||
|
||||
def _verify_empty_security_group_status(self, security_group):
|
||||
ip_protocols = ["IPV6", "IPV4"]
|
||||
nsx_fw_section, nsx_fw_section_rules = \
|
||||
self.nsx_client.get_firewall_section_and_rules(
|
||||
security_group['name'], security_group['id'])
|
||||
msg = "Newly created empty security group does not meet criteria !!!"
|
||||
self.assertEqual(nsx_fw_section["rule_count"], 2, msg)
|
||||
self.assertEqual(nsx_fw_section_rules[0]["action"], "ALLOW", msg)
|
||||
self.assertEqual(nsx_fw_section_rules[1]["action"], "ALLOW", msg)
|
||||
self.assertEqual(nsx_fw_section_rules[0]["direction"], "OUT", msg)
|
||||
self.assertEqual(nsx_fw_section_rules[1]["direction"], "OUT", msg)
|
||||
self.assertIn(nsx_fw_section_rules[0]["ip_protocol"], ip_protocols,
|
||||
msg)
|
||||
self.assertIn(nsx_fw_section_rules[1]["ip_protocol"], ip_protocols,
|
||||
msg)
|
||||
|
||||
def create_topology_empty_security_group(self, namestart="vmw_"):
|
||||
security_group = self._create_empty_security_group(namestart=namestart)
|
||||
self._verify_empty_security_group_status(security_group)
|
||||
return security_group
|
||||
|
||||
def add_security_group_rule(self, security_group, rule):
|
||||
return self._create_security_group_rule(secgroup=security_group,
|
||||
**rule)
|
||||
|
||||
def get_server_key(self, server):
|
||||
return self.topology_keypairs[server['key_name']]['private_key']
|
||||
|
||||
def create_topology_router(self, router_name, routers_client=None,
|
||||
**kwargs):
|
||||
if not routers_client:
|
||||
routers_client = self.routers_client
|
||||
router_name_ = constants.APPLIANCE_NAME_STARTS_WITH + router_name
|
||||
router = self._create_router(namestart=router_name_, **kwargs)
|
||||
public_network_info = {"external_gateway_info": dict(
|
||||
network_id=self.topology_public_network_id)}
|
||||
routers_client.update_router(router['id'], **public_network_info)
|
||||
self.topology_routers[router_name] = router
|
||||
return router
|
||||
|
||||
def create_topology_network(self, network_name, networks_client=None,
|
||||
tenant_id=None, port_security_enabled=True, **kwargs):
|
||||
if not networks_client:
|
||||
networks_client = self.networks_client
|
||||
if not tenant_id:
|
||||
tenant_id = networks_client.tenant_id
|
||||
network_name_ = constants.APPLIANCE_NAME_STARTS_WITH + network_name
|
||||
name = data_utils.rand_name(network_name_)
|
||||
# Neutron disables port security by default so we have to check the
|
||||
# config before trying to create the network with port_security_enabled
|
||||
if CONF.network_feature_enabled.port_security:
|
||||
port_security_enabled = True
|
||||
result = networks_client.create_network(
|
||||
name=name, tenant_id=tenant_id,
|
||||
port_security_enabled=port_security_enabled, **kwargs)
|
||||
network = result['network']
|
||||
self.assertEqual(network['name'], name)
|
||||
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
|
||||
networks_client.delete_network, network['id'])
|
||||
self.topology_networks[network_name] = network
|
||||
return network
|
||||
|
||||
def create_topology_subnet(
|
||||
self, subnet_name, network, routers_client=None,
|
||||
subnets_client=None, router_id=None, ip_version=4, cidr=None,
|
||||
mask_bits=None, **kwargs):
|
||||
subnet_name_ = constants.APPLIANCE_NAME_STARTS_WITH + subnet_name
|
||||
if not subnets_client:
|
||||
subnets_client = self.subnets_client
|
||||
if not routers_client:
|
||||
routers_client = self.routers_client
|
||||
|
||||
def cidr_in_use(cidr, tenant_id):
|
||||
"""Check cidr existence
|
||||
:returns: True if subnet with cidr already exist in tenant
|
||||
False else
|
||||
"""
|
||||
cidr_in_use = \
|
||||
self.os_admin.subnets_client.list_subnets(tenant_id=tenant_id,
|
||||
cidr=cidr)['subnets']
|
||||
return len(cidr_in_use) != 0
|
||||
|
||||
if ip_version == 6:
|
||||
tenant_cidr = (cidr or netaddr.IPNetwork(
|
||||
CONF.network.project_network_v6_cidr))
|
||||
mask_bits = mask_bits or CONF.network.project_network_v6_mask_bits
|
||||
else:
|
||||
tenant_cidr = cidr or netaddr.IPNetwork(
|
||||
CONF.network.project_network_cidr)
|
||||
mask_bits = mask_bits or CONF.network.project_network_mask_bits
|
||||
str_cidr = str(tenant_cidr)
|
||||
if not cidr:
|
||||
# Repeatedly attempt subnet creation with sequential cidr
|
||||
# blocks until an unallocated block is found.
|
||||
for subnet_cidr in tenant_cidr.subnet(mask_bits):
|
||||
str_cidr = str(subnet_cidr)
|
||||
if not cidr_in_use(str_cidr, tenant_id=network['tenant_id']):
|
||||
break
|
||||
else:
|
||||
if cidr_in_use(str_cidr, tenant_id=network['tenant_id']):
|
||||
LOG.error("Specified subnet %r is in use" % str_cidr)
|
||||
raise
|
||||
subnet = dict(name=data_utils.rand_name(subnet_name_),
|
||||
network_id=network['id'], tenant_id=network['tenant_id'],
|
||||
cidr=str_cidr, ip_version=ip_version, **kwargs)
|
||||
try:
|
||||
result = None
|
||||
result = subnets_client.create_subnet(**subnet)
|
||||
except lib_exc.Conflict as e:
|
||||
is_overlapping_cidr = 'overlaps with another subnet' in str(e)
|
||||
if not is_overlapping_cidr:
|
||||
raise
|
||||
self.assertIsNotNone(result, 'Unable to allocate tenant network')
|
||||
subnet = result['subnet']
|
||||
self.assertEqual(subnet['cidr'], str_cidr)
|
||||
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
|
||||
subnets_client.delete_subnet, subnet['id'])
|
||||
self.topology_subnets[subnet_name] = subnet
|
||||
if router_id:
|
||||
if not routers_client:
|
||||
routers_client = self.routers_client
|
||||
routers_client.add_router_interface(
|
||||
router_id, subnet_id=subnet["id"])
|
||||
self.addCleanup(
|
||||
test_utils.call_and_ignore_notfound_exc,
|
||||
routers_client.remove_router_interface, router_id,
|
||||
subnet_id=subnet["id"])
|
||||
return subnet
|
||||
|
||||
def create_topology_security_group(self, **kwargs):
|
||||
return self._create_security_group(**kwargs)
|
||||
|
||||
def create_topology_instance(
|
||||
self, server_name, networks, security_groups=None,
|
||||
config_drive=None, keypair=None, image_id=None,
|
||||
clients=None, create_floating_ip=True, **kwargs):
|
||||
# Define security group for server.
|
||||
if security_groups:
|
||||
kwargs["security_groups"] = security_groups
|
||||
else:
|
||||
_sg = self.create_topology_security_group()
|
||||
_security_groups = [{'name': _sg['name']}]
|
||||
kwargs["security_groups"] = _security_groups
|
||||
# Define config drive for server.
|
||||
if not config_drive:
|
||||
kwargs["config_drive"] = self.topology_config_drive
|
||||
else:
|
||||
kwargs["config_drive"] = config_drive
|
||||
if not keypair:
|
||||
keypair = self.create_keypair()
|
||||
self.topology_keypairs[keypair['name']] = keypair
|
||||
kwargs["key_name"] = keypair['name']
|
||||
else:
|
||||
kwargs["key_name"] = keypair['name']
|
||||
# Define image id for server.
|
||||
if image_id:
|
||||
kwargs["image_id"] = image_id
|
||||
server_name_ = constants.APPLIANCE_NAME_STARTS_WITH + server_name
|
||||
# Collect all the networks for server.
|
||||
networks_ = []
|
||||
for net in networks:
|
||||
net_ = {"uuid": net["id"]}
|
||||
networks_.append(net_)
|
||||
# Deploy server with all teh args.
|
||||
server = self.create_server(
|
||||
name=server_name_, networks=networks_, clients=clients, **kwargs)
|
||||
if create_floating_ip:
|
||||
floating_ip = self.create_floating_ip(server)
|
||||
server["floating_ip"] = floating_ip
|
||||
self.topology_servers_floating_ip.append(floating_ip)
|
||||
else:
|
||||
floating_ip = None
|
||||
server_details = self.server_details(server=server,
|
||||
floating_ip=floating_ip,
|
||||
networks=networks)
|
||||
self.servers_details[server_name] = server_details
|
||||
self.topology_servers[server_name] = server
|
||||
return server
|
@ -1,172 +0,0 @@
|
||||
# Copyright 2017 VMware Inc
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from tempest import config
|
||||
from tempest.lib.common.utils import test_utils
|
||||
|
||||
from vmware_nsx_tempest._i18n import _
|
||||
from vmware_nsx_tempest.common import constants
|
||||
from vmware_nsx_tempest.lib import traffic_manager
|
||||
from vmware_nsx_tempest.services import nsx_client
|
||||
from vmware_nsx_tempest.services import openstack_network_clients
|
||||
|
||||
LOG = constants.log.getLogger(__name__)
|
||||
|
||||
CONF = config.CONF
|
||||
|
||||
|
||||
# It includes feature related function such CRUD Mdproxy, L2GW or QoS
|
||||
class FeatureManager(traffic_manager.TrafficManager):
|
||||
@classmethod
|
||||
def setup_clients(cls):
|
||||
"""
|
||||
Create various client connections. Such as NSXv3 and L2 Gateway.
|
||||
"""
|
||||
super(FeatureManager, cls).setup_clients()
|
||||
try:
|
||||
manager = getattr(cls.os_admin, "manager", cls.os_admin)
|
||||
net_client = getattr(manager, "networks_client")
|
||||
_params = manager.default_params_withy_timeout_values.copy()
|
||||
except AttributeError as attribute_err:
|
||||
LOG.warning(
|
||||
"Failed to locate the attribute, Error: %(err_msg)s",
|
||||
{"err_msg": attribute_err.__str__()})
|
||||
_params = {}
|
||||
cls.l2gw_client = openstack_network_clients.L2GatewayClient(
|
||||
net_client.auth_provider,
|
||||
net_client.service,
|
||||
net_client.region,
|
||||
net_client.endpoint_type,
|
||||
**_params)
|
||||
cls.nsx_client = nsx_client.NSXClient(
|
||||
CONF.network.backend,
|
||||
CONF.nsxv3.nsx_manager,
|
||||
CONF.nsxv3.nsx_user,
|
||||
CONF.nsxv3.nsx_password)
|
||||
cls.l2gwc_client = openstack_network_clients.L2GatewayConnectionClient(
|
||||
net_client.auth_provider,
|
||||
net_client.service,
|
||||
net_client.region,
|
||||
net_client.endpoint_type,
|
||||
**_params)
|
||||
|
||||
#
|
||||
# L2Gateway base class. To get basics of L2GW.
|
||||
#
|
||||
def create_l2gw(self, l2gw_name, l2gw_param):
|
||||
"""
|
||||
Creates L2GW and returns the response.
|
||||
|
||||
:param l2gw_name: name of the L2GW
|
||||
:param l2gw_param: L2GW parameters
|
||||
|
||||
:return: response of L2GW create API
|
||||
"""
|
||||
LOG.info("l2gw name: %(name)s, l2gw_param: %(devices)s ",
|
||||
{"name": l2gw_name, "devices": l2gw_param})
|
||||