def __update_endpoint_info(tc):
for dest_host, workloads in tc.vmotion_cntxt.MoveRequest.items():
api.Logger.debug(
"Creating endpoint info at %s for workloads being moved" %
dest_host)
if not api.IsNaplesNode(dest_host):
continue
for wl in workloads:
api.Logger.debug("Updating ep-info for %s" % wl.workload_name)
ep_filter = "meta.name=" + wl.workload_name + ";"
objects = agent_api.QueryConfigs("Endpoint", filter=ep_filter)
assert (len(objects) == 1)
obj = copy.deepcopy(objects[0])
# update to indicate completion of vmotion
obj.spec.migration = "DONE"
obj.spec.node_uuid = tc.vmotion_cntxt.UUIDMap[dest_host]
resp = agent_api.UpdateConfigObjects([obj], [dest_host],
ignore_error=True)
if resp != api.types.status.SUCCESS:
api.Logger.error(
"Update migr status done failed for %s for %s" %
(wl.workload_name, dest_host))
# update to keep new node happy, only in iota
obj.spec.migration = None
obj.spec.node_uuid = tc.vmotion_cntxt.UUIDMap[dest_host]
resp = agent_api.UpdateConfigObjects([obj], [dest_host],
ignore_error=True)
if resp != api.types.status.SUCCESS:
api.Logger.error(
"Update migr state to None failed for %s for %s" %
(wl.workload_name, dest_host))
api.Logger.debug("Completed endpoint update at NewHome")
return
def update_ep_migr_status(tc, wl, node, migr_state):
ep_filter = "meta.name=" + wl.workload_name + ";"
objects = agent_api.QueryConfigs("Endpoint", filter=ep_filter)
assert(len(objects) == 1)
# update to indicate completion of vmotion
object = copy.deepcopy(objects[0])
object.spec.migration = migr_state
object.spec.node_uuid = tc.uuidMap[node]
agent_api.UpdateConfigObjects([object], [node], ignore_error=True)
# update to keep new node happy, only in iota
object.spec.migration = None
object.spec.node_uuid = tc.uuidMap[node]
agent_api.UpdateConfigObjects([object], [node], ignore_error=True)
def SetSessionLimit(session, limit):
#Query will get the reference of objects on store
store_profile_objects = netagent_cfg_api.QueryConfigs(
kind='SecurityProfile')
if len(store_profile_objects) == 0:
api.Logger.error("No security profile objects in store")
return api.types.status.FAILURE
for object in store_profile_objects:
if (session == 'tcp'):
object.spec.rate_limits.tcp_half_open_session_limit = limit
elif (session == 'udp'):
object.spec.rate_limits.udp_active_session_limit = limit
elif (session == 'icmp'):
object.spec.rate_limits.icmp_active_session_limit = limit
elif (session == 'other'):
object.spec.rate_limits.other_session_limit = limit
elif (session == 'all'):
object.spec.rate_limits.tcp_half_open_session_limit = limit
object.spec.rate_limits.udp_active_session_limit = limit
object.spec.rate_limits.icmp_active_session_limit = limit
object.spec.rate_limits.other_session_limit = limit
else:
api.Logger.error("unsupported security profile session type %s" %
session)
return api.types.status.FAILURE
#Now push the update as we modified.
netagent_cfg_api.UpdateConfigObjects(store_profile_objects)
time.sleep(5)
return api.types.status.SUCCESS
def update_sgpolicy(app_name, allowDefault=False):
#Query will get the reference of objects on store
store_policy_objects = netagent_cfg_api.QueryConfigs(
kind='NetworkSecurityPolicy')
if len(store_policy_objects) == 0:
api.Logger.error("No SG Policy objects in store")
return api.types.status.FAILURE
for object in store_policy_objects:
rules = len(object.spec.policy_rules)
if (rules == 0):
continue
#We dont want to keep updating the same policy
defaultRule = object.spec.policy_rules.pop()
if app_name != None:
if (hasattr(object.spec.policy_rules[rules-2], 'app_name') and \
object.spec.policy_rules[rules-2].app_name == app_name):
continue
newRule = copy.deepcopy(object.spec.policy_rules[0])
newRule.source.addresses = ['any']
newRule.destination.addresses = ['any']
newRule.app_name = app_name
newRule.destination.app_configs = None
newRule.destination.proto_ports = None
newRule.action = 'PERMIT'
object.spec.policy_rules.append(newRule)
if allowDefault == False:
defaultRule.action = 'DENY'
else:
defaultRule.action = 'PERMIT'
object.spec.policy_rules.append(defaultRule)
#Now push the update as we modified.
netagent_cfg_api.UpdateConfigObjects(store_policy_objects)
def update_timeout(timeout, val):
#Query will get the reference of objects on store
store_profile_objects = netagent_cfg_api.QueryConfigs(
kind='SecurityProfile')
if len(store_profile_objects) == 0:
api.Logger.error("No security profile objects in store")
return api.types.status.FAILURE
for object in store_profile_objects:
if (timeout == 'tcp-timeout'):
object.spec.timeouts.tcp = val
if (timeout == 'udp-timeout'):
object.spec.timeouts.udp = val
if (timeout == 'icmp-timeout'):
object.spec.timeouts.icmp = val
if (timeout == 'tcp-half-close'):
object.spec.timeouts.tcp_half_close = val
if (timeout == 'tcp-close'):
object.spec.timeouts.tcp_close = val
if (timeout == 'tcp-connection-setup'):
object.spec.timeouts.tcp_connection_setup = val
if (timeout == 'tcp-drop'):
object.spec.timeouts.tcp_drop = val
if (timeout == 'udp-drop'):
object.spec.timeouts.udp_drop = val
if (timeout == 'icmp-drop'):
object.spec.timeouts.icmp_drop = val
#Now push the update as we modified.
netagent_cfg_api.UpdateConfigObjects(store_profile_objects)
return api.types.status.SUCCESS
def __modify_security_profile(tc):
sp_objects = netagent_api.QueryConfigs(kind='SecurityProfile')
tc.cloned_sp_objects = netagent_api.CloneConfigObjects(sp_objects)
for obj in sp_objects:
obj.spec.timeouts.tcp = "1s"
obj.spec.timeouts.udp = "1s"
obj.spec.timeouts.tcp_half_close = "1s"
obj.spec.timeouts.tcp_close = "1s"
obj.spec.timeouts.tcp_connection_setup = "10s"
return netagent_api.UpdateConfigObjects(sp_objects)
def updateFlowmonCollectors(tc, num_exports):
iteration = 0
result = api.types.status.SUCCESS
coll_dst_port_list = {}
for idx in range(num_exports_at_create, num_exports):
coll_dst_port_list[idx] = random.randint(100, 10000)
for iteration in range(tc.iterators.num_flowmon_sessions):
flowmon_objects = tc.test_iterator_data[iteration]['del_obj']
local_wl = tc.test_iterator_data[iteration]['local_wl']
peer_wl = tc.test_iterator_data[iteration]['peer_wl']
coll_wl_list = tc.test_iterator_data[iteration]['coll_wl_list']
coll_ip_list = tc.test_iterator_data[iteration]['coll_ip_list']
export_cfg_list = tc.test_iterator_data[iteration]['export_cfg_list']
utils.generateFlowmonCollectorConfig(flowmon_objects, num_exports)
if num_exports > len(coll_ip_list):
api.Logger.info(
"Collector IP list {} is smaller than requested collectors {} "
"for this test! bailing out!!!".format(len(coll_ip_list),
num_exports))
result = api.types.status.FAILURE
break
for obj in flowmon_objects:
old_export_count = num_exports_at_create
for c in range(old_export_count, num_exports):
obj.spec.exports[c].destination = "{}".format(coll_ip_list[c])
obj.spec.exports[c].proto_port.port = "{}".format(
coll_dst_port_list[c])
export_cfg_list.append(obj.spec.exports[c])
#api.Logger.info("updating export idx: {} to dst: {} port: {} from collector_WL: {}".format(c,
# obj.spec.exports[c].destination, obj.spec.exports[c].proto_port.port, coll_wl_list[c]))
if num_exports > len(export_cfg_list):
api.Logger.info(
"Export cfg list {} is smaller than requested exports {} "
"for this test! bailing out!!!".format(len(export_cfg_list),
num_exports))
result = api.types.status.FAILURE
break
result = agent_api.UpdateConfigObjects(flowmon_objects,
[local_wl.node_name])
#agent_api.PrintConfigObjects(flowmon_objects)
if result != api.types.status.SUCCESS:
api.Logger.error("Unable to push updates to flowmon objects")
result = api.types.status.FAILURE
break
return (result)
def AddRemoveCollectorsOnInterface(tc, coObjs):
node_name = random.choice(api.GetNaplesHostnames())
api.Logger.info("Pushing lif telemetry on %s" % node_name)
for obj in tc.node_intf_obj_map[node_name]:
del obj.spec.TxCollectors[:]
del obj.spec.RxCollectors[:]
for coObj in coObjs:
obj.spec.RxCollectors.append(coObj.meta.name)
obj.spec.TxCollectors.append(coObj.meta.name)
ret = agent_api.UpdateConfigObjects(tc.node_intf_obj_map[node_name],
[node_name])
if ret != api.types.status.SUCCESS:
api.Logger.error("Failed to push the interface objects")
return api.types.status.FAILURE
for obj in tc.node_intf_obj_map[node_name]:
del obj.spec.TxCollectors[:]
del obj.spec.RxCollectors[:]
ret = agent_api.UpdateConfigObjects(tc.node_intf_obj_map[node_name],
[node_name])
if ret != api.types.status.SUCCESS:
api.Logger.error("Failed to push the interface objects")
return api.types.status.FAILURE
return api.types.status.SUCCESS
def Trigger(tc):
store_policy_objects = netagent_api.QueryConfigs(
kind='NetworkSecurityPolicy')
wait = getattr(tc.args, "wait", 30)
time.sleep(int(wait))
action = str(getattr(tc.args, "action"))
__update_policy_actions(store_policy_objects, action)
ret = netagent_api.UpdateConfigObjects(store_policy_objects)
if ret != api.types.status.SUCCESS:
return api.types.status.FAILURE
return api.types.status.SUCCESS
def update_field(field, val):
#Query will get the reference of objects on store
store_profile_objects = netagent_cfg_api.QueryConfigs(
kind='SecurityProfile')
if len(store_profile_objects) == 0:
api.Logger.error("No security profile objects in store")
return api.types.status.FAILURE
for object in store_profile_objects:
if (field == 'enable-connection-tracking'):
object.spec.enable_connection_tracking = val
#Now push the update as we modified.
netagent_cfg_api.UpdateConfigObjects(store_profile_objects)
return api.types.status.SUCCESS
def Trigger(tc):
result = api.types.status.SUCCESS
mirrorPolicies = utils.GetTargetJsons('mirror', "scale")
flowmonPolicies = utils.GetTargetJsons('flowmon', "scale")
#colPolicies = utils.GetTargetJsons('mirror', "collector")
iters = getattr(tc.args, "iters", 10)
iters = 1
mpObjs = fpObjs = []
for mp_json, fp_json in zip(mirrorPolicies, flowmonPolicies):
for i in range(iters):
#
# Push Mirror Session and Flow Export objects
#
mpObjs = agent_api.AddOneConfig(mp_json)
fpObjs = agent_api.AddOneConfig(fp_json)
ret = agent_api.PushConfigObjects(mpObjs + fpObjs)
if ret != api.types.status.SUCCESS:
api.Logger.error("Failed to push the telemetry objects")
return api.types.status.FAILURE
#
# Update Mirror Session and Flow Export objects
#
mpObjs = UpdateMirrorSessionObjects(mpObjs)
fpObjs = UpdateFlowMonitorObjects(fpObjs)
ret = agent_api.UpdateConfigObjects(mpObjs + fpObjs)
if ret != api.types.status.SUCCESS:
api.Logger.error("Failed to update the telemetry objects")
return api.types.status.FAILURE
#
# Delete Mirror Session and Flow Export objects
#
ret = agent_api.DeleteConfigObjects(fpObjs + mpObjs)
if ret != api.types.status.SUCCESS:
api.Logger.error("Failed to delete the telemetry objects")
return api.types.status.FAILURE
ret = agent_api.RemoveConfigObjects(mpObjs + fpObjs)
if ret != api.types.status.SUCCESS:
api.Logger.error("Failed to remove the telemetry objects")
return api.types.status.FAILURE
return result
def update_sgpolicy(src, dst, proto, dport, action="DENY"):
#Query will get the reference of objects on store
store_policy_objects = netagent_cfg_api.QueryConfigs(
kind='NetworkSecurityPolicy')
if len(store_policy_objects) == 0:
api.Logger.error("No security profile objects in store")
return api.types.status.FAILURE
for object in store_policy_objects:
for rule in object.spec.policy_rules:
if (rule.action == action
and rule.destination.proto_ports != None):
for app_config in rule.destination.proto_ports:
if app_config.protocol == proto:
app_config.port = str(dport)
#Now push the update as we modified.
netagent_cfg_api.UpdateConfigObjects(store_policy_objects)
return api.types.status.SUCCESS
def update_app(app, timeout, field=None, val=None, isstring=False):
#Query will get the reference of objects on store
store_app_objects = netagent_cfg_api.QueryConfigs(kind='App')
if len(store_app_objects) == 0:
api.Logger.error("No App objects in store")
return api.types.status.FAILURE
for object in store_app_objects:
if object.meta.name == app:
object.spec.app_idle_timeout = timeout
if field != None:
obj = 'object.spec.alg' + '.' + app + '.' + field
if isstring == True:
exec(obj + "=" + "\'%s\'" % (val))
else:
exec(obj + "=" + val)
#Now push the update as we modified.
netagent_cfg_api.UpdateConfigObjects(store_app_objects)
return api.types.status.SUCCESS
def increase_timeout():
#Query will get the reference of objects on store
store_profile_objects = agent_api.QueryConfigs(kind='SecurityProfile')
if len(store_profile_objects) == 0:
api.Logger.error("No security profile objects in store")
return api.types.status.FAILURE
for object in store_profile_objects:
object.spec.timeouts.session_idle = "360s"
object.spec.timeouts.tcp = "360s"
object.spec.timeouts.udp = "360s"
object.spec.timeouts.icmp = "120s"
object.spec.timeouts.tcp_half_close = "360s"
object.spec.timeouts.tcp_close = "360s"
object.spec.timeouts.tcp_connection_setup = "60s"
object.spec.timeouts.tcp_drop = "360s"
object.spec.timeouts.udp_drop = "60s"
object.spec.timeouts.icmp_drop = "300s"
#Now push the update as we modified.
agent_api.UpdateConfigObjects(store_profile_objects)
return api.types.status.SUCCESS
def Trigger(tc):
if tc.ignore == True:
return api.types.status.SUCCESS
if tc.error == True:
return api.types.status.FAILURE
protoDir1 = api.GetTopologyDirectory() +\
"/gen/telemetry/{}/{}".format('mirror', 'lif')
api.Logger.info("Template Config files location: ", protoDir1)
protoDir2 = api.GetTopologyDirectory() +\
"/gen/telemetry/{}/{}".format('mirror', tc.iterators.proto)
api.Logger.info("Template Config files location: ", protoDir2)
protoDir3 = api.GetTopologyDirectory() +\
"/gen/telemetry/{}/{}".format('flowmon', tc.iterators.proto)
api.Logger.info("Template Config files location: ", protoDir3)
result = api.types.status.SUCCESS
count = 0
MirrorPolicies = utils.GetTargetJsons('mirror', tc.iterators.proto)
FlowMonPolicies = utils.GetTargetJsons('flowmon', tc.iterators.proto)
LifPolicies = utils.GetTargetJsons('mirror', 'lif')
flowmon_policy_idx = 0
ret_count = 0
for mirror_json in MirrorPolicies:
#
# Get template-Mirror Config
#
newMirrorObjects = agent_api.AddOneConfig(mirror_json)
if len(newMirrorObjects) == 0:
api.Logger.error("Adding new Mirror objects to store failed")
tc.error = True
return api.types.status.FAILURE
agent_api.RemoveConfigObjects(newMirrorObjects)
#
# Ignore Multi-collector template config's, since Expanded-Telemetry
# testbundle dynamically creates such config's
#
if len(newMirrorObjects[0].spec.collectors) > 1:
continue
idx = 0
for flowmon_json in FlowMonPolicies:
if idx < flowmon_policy_idx:
idx += 1
continue
#
# Get template-FlowMon Config
#
newFlowMonObjects = agent_api.AddOneConfig(flowmon_json)
if len(newFlowMonObjects) == 0:
api.Logger.error("Adding new FlowMon objects to store failed")
tc.error = True
return api.types.status.FAILURE
agent_api.RemoveConfigObjects(newFlowMonObjects)
#
# Ignore Multi-collector template config's, since Expanded-Telemetry
# testbundle dynamically creates such config's
#
if len(newFlowMonObjects[0].spec.exports) > 1:
flowmon_policy_idx += 1
idx += 1
continue
#
# Modify template-Mirror / template-FlowMon Config to make sure
# that Naples-node # act as either source or destination
#
# Set up Collector in the remote node
#
eutils.generateMirrorConfig(tc, mirror_json, newMirrorObjects)
eutils.generateFlowMonConfig(tc, flowmon_json, newFlowMonObjects)
ret_count = 0
for i in range(0, len(tc.mirror_verif)):
#
# If Execution-Optimization is enabled, no need to run the
# test for the same protocol more than once
#
if i > 0 and tc.mirror_verif[i]['protocol'] ==\
tc.mirror_verif[i-1]['protocol']:
continue
#
# Flow-ERSPAN for TCP-traffic is not tested (yet) in
# Classic-mode until applicable pkt-trigger tools are
# identified
#
if tc.classic_mode == True and\
tc.mirror_verif[i]['protocol'] == 'tcp':
continue
for policy_json in LifPolicies:
#
# Get template-Mirror Config
#
newObjects = agent_api.AddOneConfig(policy_json)
if len(newObjects) == 0:
api.Logger.error("Adding new objects to store failed")
tc.error = True
return api.types.status.FAILURE
#
# Modify template-Mirror Config to make sure that
# Naples-node act as either source or destination
#
# Set up Collector in the remote node
#
if newObjects[0].kind == 'InterfaceMirrorSession':
tc.lif_collector_objects = newObjects
agent_api.RemoveConfigObjects(tc.lif_collector_objects)
elif newObjects[0].kind == 'Interface':
tc.interface_objects = newObjects
agent_api.RemoveConfigObjects(tc.interface_objects)
#
# Push Collector Config to Naples
#
colObjects = tc.lif_collector_objects
ret = eutils.generateLifCollectorConfig(tc, colObjects)
if ret != api.types.status.SUCCESS:
api.Logger.error("Unable to identify Collector Workload")
tc.error = True
return api.types.status.FAILURE
ret = agent_api.PushConfigObjects(colObjects,
[tc.naples.node_name],
[tc.naples_device_name])
if ret != api.types.status.SUCCESS:
api.Logger.error("Unable to push collector objects")
tc.error = True
return api.types.status.FAILURE
#
# Push Mirror / FlowMon Config to Naples
#
ret = agent_api.PushConfigObjects(newMirrorObjects,
[tc.naples.node_name],
[tc.naples_device_name])
if ret != api.types.status.SUCCESS:
agent_api.DeleteConfigObjects(tc.lif_collector_objects,
[tc.naples.node_name],
[tc.naples_device_name])
api.Logger.error("Unable to push mirror objects")
tc.error = True
return api.types.status.FAILURE
ret = agent_api.PushConfigObjects(newFlowMonObjects,
[tc.naples.node_name],
[tc.naples_device_name])
if ret != api.types.status.SUCCESS:
agent_api.DeleteConfigObjects(tc.lif_collector_objects,
[tc.naples.node_name],
[tc.naples_device_name])
agent_api.DeleteConfigObjects(newMirrorObjects,
[tc.naples.node_name],
[tc.naples_device_name])
api.Logger.error("Unable to push flowmon objects")
tc.error = True
return api.types.status.FAILURE
#
# Update Interface objects
#
ifObjects = tc.interface_objects
ret = eutils.generateLifInterfaceConfig(
tc, ifObjects, tc.lif_collector_objects)
if ret != api.types.status.SUCCESS:
agent_api.DeleteConfigObjects(tc.lif_collector_objects,
[tc.naples.node_name],
[tc.naples_device_name])
agent_api.DeleteConfigObjects(newMirrorObjects,
[tc.naples.node_name],
[tc.naples_device_name])
agent_api.DeleteConfigObjects(newFlowMonObjects,
[tc.naples.node_name],
[tc.naples_device_name])
api.Logger.error(
"Unable to identify Uplink/LIF Interfaces")
tc.error = True
return api.types.status.FAILURE
ret = agent_api.UpdateConfigObjects(ifObjects,
[tc.naples.node_name],
[tc.naples_device_name])
if ret != api.types.status.SUCCESS:
agent_api.DeleteConfigObjects(tc.lif_collector_objects,
[tc.naples.node_name],
[tc.naples_device_name])
agent_api.DeleteConfigObjects(newMirrorObjects,
[tc.naples.node_name],
[tc.naples_device_name])
agent_api.DeleteConfigObjects(newFlowMonObjects,
[tc.naples.node_name],
[tc.naples_device_name])
api.Logger.error("Unable to update interface objects")
tc.error = True
return api.types.status.FAILURE
#
# Establish Forwarding set up between Naples-peer and
# Collectors
#
eutils.establishForwardingSetup(tc)
#
# Give a little time for flows clean-up to happen so that
# stale IPFIX records don't show up
#
if tc.classic_mode == True:
time.sleep(1)
if tc.collection == 'distinct':
req_tcpdump_flow_erspan = \
api.Trigger_CreateExecuteCommandsRequest(serial = True)
for c in range(0, len(tc.flow_collector)):
#
# Set up TCPDUMP's on the collector
#
idx = tc.flow_collector_idx[c]
if tc.flow_collector[c].IsNaples():
cmd = "tcpdump -c 600 -XX -vv -nni {} ip proto\
gre and dst {} --immediate-mode -U\
-w flow-mirror-{}.pcap"\
.format(tc.flow_collector[c].interface,
tc.collector_ip_address[idx], c)
else:
cmd = "tcpdump -p -c 600 -XX -vv -nni {} ip\
proto gre and dst {} --immediate-mode -U\
-w flow-mirror-{}.pcap"\
.format(tc.flow_collector[c].interface,
tc.collector_ip_address[idx], c)
eutils.add_command(req_tcpdump_flow_erspan,
tc.flow_collector[c], cmd, True)
resp_tcpdump_flow_erspan = api.Trigger(\
req_tcpdump_flow_erspan)
for cmd in resp_tcpdump_flow_erspan.commands:
api.PrintCommandResults(cmd)
#
# Classic mode requires a delay to make sure that TCPDUMP
# background process is fully up
#
if tc.classic_mode == True:
time.sleep(1)
req_tcpdump_lif_erspan = \
api.Trigger_CreateExecuteCommandsRequest(serial = True)
req_tcpdump_flowmon = api.Trigger_CreateExecuteCommandsRequest(\
serial = True)
for c in range(0, len(tc.lif_collector)):
#
# Set up TCPDUMP's on the collector
#
idx = tc.lif_collector_idx[c]
if tc.lif_collector[c].IsNaples():
cmd = "tcpdump -c 1000 -XX -vv -nni {} ip proto gre\
and dst {} --immediate-mode -U\
-w lif-mirror-{}.pcap"\
.format(tc.lif_collector[c].interface,
tc.collector_ip_address[idx], c)
else:
cmd = "tcpdump -p -c 1000 -XX -vv -nni {} ip proto\
gre and dst {} --immediate-mode -U\
-w lif-mirror-{}.pcap"\
.format(tc.lif_collector[c].interface,
tc.collector_ip_address[idx], c)
eutils.add_command(req_tcpdump_lif_erspan,
tc.lif_collector[c], cmd, True)
for c in range(0, len(tc.flowmon_collector)):
#
# Set up TCPDUMP's on the collector
#
idx = tc.flowmon_collector_idx[c]
if tc.flowmon_collector[c].IsNaples():
cmd = "tcpdump -c 600 -XX -vv -nni {} udp and\
dst port {} and dst {} --immediate-mode\
-U -w flowmon-{}.pcap"\
.format(tc.flowmon_collector[c].interface,
tc.export_port[c], tc.collector_ip_address[idx], c)
else:
cmd = "tcpdump -p -c 600 -XX -vv -nni {} udp\
and dst port {} and dst {}\
--immediate-mode -U -w flowmon-{}.pcap"\
.format(tc.flowmon_collector[c].interface,
tc.export_port[c], tc.collector_ip_address[idx], c)
eutils.add_command(req_tcpdump_flowmon,
tc.flowmon_collector[c], cmd, True)
resp_tcpdump_lif_erspan = api.Trigger(\
req_tcpdump_lif_erspan)
for cmd in resp_tcpdump_lif_erspan.commands:
api.PrintCommandResults(cmd)
#
# Classic mode requires a delay to make sure that TCPDUMP
# background process is fully up
#
if tc.classic_mode == True:
time.sleep(2)
resp_tcpdump_flowmon = api.Trigger(req_tcpdump_flowmon)
for cmd in resp_tcpdump_flowmon.commands:
api.PrintCommandResults(cmd)
#
# Classic mode requires a delay to make sure that TCPDUMP
# background process is fully up
#
if tc.classic_mode == True:
time.sleep(2)
#
# Trigger packets for ERSPAN / FLOWMON to take effect
#
tc.protocol = tc.mirror_verif[i]['protocol']
tc.dest_port = utils.GetDestPort(tc.mirror_verif[i]['port'])
protocol = tc.protocol
tc.protocol = 'all'
if api.GetNodeOs(tc.naples.node_name) == 'linux':
eutils.triggerTrafficInClassicModeLinux(tc)
else:
eutils.triggerTrafficInHostPinModeOrFreeBSD(tc)
tc.protocol = protocol
#
# Dump sessions/flows/P4-tables for debug purposes
#
eutils.showSessionAndP4TablesForDebug(tc, tc.lif_collector,
tc.lif_collector_idx)
#
# Terminate TCPDUMP background process
#
term_resp_tcpdump_lif_erspan = \
api.Trigger_TerminateAllCommands(resp_tcpdump_lif_erspan)
tc.resp_tcpdump_lif_erspan = \
api.Trigger_AggregateCommandsResponse(\
resp_tcpdump_lif_erspan, term_resp_tcpdump_lif_erspan)
if tc.collection == 'distinct':
term_resp_tcpdump_flow_erspan = \
api.Trigger_TerminateAllCommands(resp_tcpdump_flow_erspan)
tc.resp_tcpdump_flow_erspan = \
api.Trigger_AggregateCommandsResponse(\
resp_tcpdump_flow_erspan, term_resp_tcpdump_flow_erspan)
term_resp_tcpdump_flowmon = api.Trigger_TerminateAllCommands(\
resp_tcpdump_flowmon)
tc.resp_tcpdump_flowmon = \
api.Trigger_AggregateCommandsResponse(resp_tcpdump_flowmon,
term_resp_tcpdump_flowmon)
# Delete the objects
eutils.deGenerateLifInterfaceConfig(tc, tc.interface_objects,
tc.lif_collector_objects)
agent_api.UpdateConfigObjects(tc.interface_objects,
[tc.naples.node_name],
[tc.naples_device_name])
agent_api.DeleteConfigObjects(tc.lif_collector_objects,
[tc.naples.node_name],
[tc.naples_device_name])
agent_api.DeleteConfigObjects(newMirrorObjects,
[tc.naples.node_name],
[tc.naples_device_name])
agent_api.DeleteConfigObjects(newFlowMonObjects,
[tc.naples.node_name],
[tc.naples_device_name])
#
# Make sure that Mirror-config has been removed
#
tc.resp_cleanup = eutils.showP4TablesForValidation(tc)
#
# Validate ERSPAN packets reception
#
tc.tcp_erspan_pkts_expected = \
NUMBER_OF_TCP_ERSPAN_PACKETS_PER_SESSION
tc.udp_erspan_pkts_expected = (tc.udp_count << 1)
tc.icmp_erspan_pkts_expected = (tc.udp_count << 1)+\
(tc.icmp_count << 1)
if tc.iterators.direction != 'both':
tc.tcp_erspan_pkts_expected >>= 1
tc.udp_erspan_pkts_expected >>= 1
tc.icmp_erspan_pkts_expected >>= 1
if tc.dupcheck == 'disable':
tc.tcp_erspan_pkts_expected = \
(tc.tcp_erspan_pkts_expected+1) << 1
tc.udp_erspan_pkts_expected <<= 1
tc.icmp_erspan_pkts_expected <<= 1
#
# Adjust Expected-pkt-counts taking into account Flow-ERSPAN
# Config's
#
if tc.collection == 'unified':
if (tc.protocol == 'tcp' or tc.iterators.proto == 'mixed')\
and tc.iterators.direction != 'both':
tc.tcp_erspan_pkts_expected <<= 1
if (tc.protocol == 'udp' or tc.iterators.proto == 'mixed')\
and tc.iterators.direction != 'both':
tc.udp_erspan_pkts_expected <<= 1
if tc.protocol == 'icmp' or tc.iterators.proto == 'mixed':
if tc.iterators.direction != 'both':
tc.icmp_erspan_pkts_expected <<= 1
#if tc.iterators.direction != 'egress':
# tc.icmp_erspan_pkts_expected += 1
protocol = tc.protocol
tc.protocol = 'all'
tc.feature = 'lif-erspan'
tc.resp_tcpdump_erspan = tc.resp_tcpdump_lif_erspan
res_1 = eutils.validateErspanPackets(tc, tc.lif_collector,
tc.lif_collector_idx)
if tc.collection == 'distinct':
tc.tcp_erspan_pkts_expected = 0
tc.udp_erspan_pkts_expected = 0
tc.icmp_erspan_pkts_expected = 0
tc.protocol = protocol
if tc.protocol == 'tcp' or tc.iterators.proto == 'mixed':
tc.tcp_erspan_pkts_expected = \
NUMBER_OF_TCP_ERSPAN_PACKETS_PER_SESSION
if tc.protocol == 'udp' or tc.iterators.proto == 'mixed':
tc.udp_erspan_pkts_expected = (tc.udp_count << 1)
if tc.protocol == 'icmp' or tc.iterators.proto == 'mixed':
tc.icmp_erspan_pkts_expected = (tc.udp_count << 1)+\
(tc.icmp_count << 1)
tc.protocol = 'all'
tc.feature = 'flow-erspan'
tc.resp_tcpdump_erspan = tc.resp_tcpdump_flow_erspan
res_f = eutils.validateErspanPackets(
tc, tc.flow_collector, tc.flow_collector_idx)
if res_f == api.types.status.FAILURE:
result = api.types.status.FAILURE
#
# Validate IPFIX packets reception
#
tc.feature = 'flowmon'
res_2 = eutils.validateIpFixPackets(tc)
tc.protocol = protocol
#
# Validate Config-cleanup
#
res_3 = eutils.validateConfigCleanup(tc)
if res_1 == api.types.status.FAILURE or\
res_2 == api.types.status.FAILURE or\
res_3 == api.types.status.FAILURE:
result = api.types.status.FAILURE
if result == api.types.status.FAILURE:
break
ret_count += 1
flowmon_policy_idx += 1
break
if result == api.types.status.FAILURE:
break
count += ret_count
tc.SetTestCount(count)
return result
def Trigger(tc):
if tc.ignore == True:
return api.types.status.SUCCESS
if tc.error == True:
return api.types.status.FAILURE
tc.resp_tcpdump_erspan = None
tc.resp_cleanup = None
protoDir = api.GetTopologyDirectory() +\
"/gen/telemetry/{}/{}".format('mirror', 'endpoint')
api.Logger.info("Template Config files location: ", protoDir)
policies = utils.GetTargetJsons('mirror', 'endpoint')
for policy_json in policies:
#
# Get template-Mirror Config
#
api.Logger.info("Adding one config object for {}", format(policy_json))
newObjects = agent_api.AddOneConfig(policy_json)
if len(newObjects) == 0:
api.Logger.error("Adding new objects to store failed")
tc.error = True
return api.types.status.FAILURE
#
# Modify template-Mirror Config to make sure that Naples-node
# act as either source or destination
#
# Set up Collector in the remote node
#
if newObjects[0].kind == 'InterfaceMirrorSession':
tc.ep_collector_objects = newObjects
agent_api.RemoveConfigObjects(tc.ep_collector_objects)
elif newObjects[0].kind == 'Endpoint':
tc.endpoint_objects = newObjects
agent_api.RemoveConfigObjects(tc.endpoint_objects)
updateEndpointObjectTempl(tc, tc.endpoint_objects,
tc.store_endpoint_objects[0])
for i in range(0, len(policies)):
#
# Push Collector object
#
if i == 0:
colObjects = tc.ep_collector_objects
if tc.iterators.session == 'single':
ret = eutils.generateEpCollectorConfig(tc, colObjects)
else:
ret = eutils.generateEpCollectorConfigForMultiMirrorSession(
tc, colObjects)
if ret != api.types.status.SUCCESS:
api.Logger.error("Unable to identify Collector Workload")
tc.error = True
return api.types.status.FAILURE
api.Logger.info("Pushing collector objects")
ret = agent_api.PushConfigObjects(colObjects,
[tc.naples.node_name],
[tc.naples_device_name])
if ret != api.types.status.SUCCESS:
api.Logger.error("Unable to push collector objects")
tc.error = True
return api.types.status.FAILURE
continue
api.Logger.info("Generating Endpoint objects")
cfg_api.PrintConfigsObjects(colObjects)
#
# Update Endpoint objects
#
epObjects = tc.endpoint_objects
ret = eutils.generateEndpointConfig(tc, epObjects, colObjects)
if ret != api.types.status.SUCCESS:
agent_api.DeleteConfigObjects(tc.ep_collector_objects,
[tc.naples.node_name],
[tc.naples_device_name])
api.Logger.error("Unable to identify Endpoints")
tc.error = True
return api.types.status.FAILURE
api.Logger.info("Pushing Endpoint objects")
ret = agent_api.UpdateConfigObjects(epObjects, [tc.naples.node_name],
[tc.naples_device_name])
if ret != api.types.status.SUCCESS:
agent_api.DeleteConfigObjects(tc.ep_collector_objects,
[tc.naples.node_name],
[tc.naples_device_name])
api.Logger.error("Unable to update endpoint objects")
tc.error = True
return api.types.status.FAILURE
#
# Establish Forwarding set up between Naples-peer and Collectors
#
eutils.establishForwardingSetup(tc)
req_tcpdump_erspan = api.Trigger_CreateExecuteCommandsRequest(\
serial = True)
for c in range(0, len(tc.ep_collector)):
#
# Set up TCPDUMP's on the collector
#
idx = tc.ep_collector_idx[c]
if tc.ep_collector[c].IsNaples():
### TODO - run & revisit for windows case and fix any issues.
if api.GetNodeOs(tc.naples.node_name) == "windows":
intfGuid = ionic_utils.winIntfGuid(
tc.ep_collector[c].node_name,
tc.ep_collector[c].interface)
intfVal = str(
ionic_utils.winTcpDumpIdx(tc.ep_collector[c].node_name,
intfGuid))
cmd = "sudo /mnt/c/Windows/System32/tcpdump.exe -c 1000 -XX -vv -i {} ip proto 47 and dst {} -U -w ep-mirror-{}.pcap"\
.format(intfVal, tc.collector_ip_address[idx], c)
else:
intfVal = tc.ep_collector[c].interface
cmd = "tcpdump -c 1000 -XX -vv -nni {} ip proto gre and dst {}\
--immediate-mode -U -w ep-mirror-{}.pcap"\
.format(intfVal,
tc.collector_ip_address[idx], c)
else:
cmd = "tcpdump -p -c 1000 -XX -vv -nni {} ip proto gre\
and dst {} --immediate-mode -U -w ep-mirror-{}.pcap"\
.format(tc.ep_collector[c].interface,
tc.collector_ip_address[idx], c)
eutils.add_command(req_tcpdump_erspan, tc.ep_collector[c], cmd,
True)
resp_tcpdump_erspan = api.Trigger(req_tcpdump_erspan)
for cmd in resp_tcpdump_erspan.commands:
api.PrintCommandResults(cmd)
#
# Classic mode requires a delay to make sure that TCPDUMP background
# process is fully up
#
if tc.classic_mode == True:
time.sleep(2)
#
# Trigger packets for ERSPAN to take effect
#
tc.dest_port = '120'
if api.GetNodeOs(tc.naples.node_name) == 'linux' or api.GetNodeOs(
tc.naples.node_name) == 'windows':
eutils.triggerTrafficInClassicModeLinux(tc)
else:
eutils.triggerTrafficInHostPinModeOrFreeBSD(tc)
#
# Dump sessions/flows/P4-tables for debug purposes
#
eutils.showSessionAndP4TablesForDebug(tc, tc.ep_collector,
tc.ep_collector_idx)
#
# Terminate TCPDUMP background process
#
term_resp_tcpdump_erspan = api.Trigger_TerminateAllCommands(\
resp_tcpdump_erspan)
tc.resp_tcpdump_erspan = api.Trigger_AggregateCommandsResponse(\
resp_tcpdump_erspan, term_resp_tcpdump_erspan)
if api.GetNodeOs(tc.naples.node_name) == "windows":
req = api.Trigger_CreateExecuteCommandsRequest(serial=True)
cmd = api.WINDOWS_POWERSHELL_CMD + " Stop-Process -Name 'tcpdump' -Force"
api.Trigger_AddCommand(req,
tc.naples.node_name,
tc.naples.workload_name,
cmd,
background=False)
resp = api.Trigger(req)
# Delete the objects
eutils.deGenerateEndpointConfig(tc, tc.endpoint_objects,
tc.ep_collector_objects)
agent_api.UpdateConfigObjects(tc.endpoint_objects,
[tc.naples.node_name],
[tc.naples_device_name])
agent_api.DeleteConfigObjects(tc.ep_collector_objects,
[tc.naples.node_name],
[tc.naples_device_name])
#
# Make sure that Mirror-config has been removed
#
tc.resp_cleanup = eutils.showP4TablesForValidation(tc)
return api.types.status.SUCCESS
def Trigger(tc):
#if tc.skip: return api.types.status.SUCCESS
policies = utils.GetTargetJsons('mirror', tc.iterators.proto)
result = api.types.status.SUCCESS
count = 0
ret_count = 0
collector_dest = []
collector_wl = []
collector_type = []
for policy_json in policies:
collector_dest.clear()
collector_wl.clear()
collector_type.clear()
verif_json = utils.GetVerifJsonFromPolicyJson(policy_json)
api.Logger.info("Using policy_json = {}".format(policy_json))
newObjects = agent_api.AddOneConfig(policy_json)
if len (newObjects) == 0:
api.Logger.error("Adding new objects to store failed")
return api.types.status.FAILURE
ret = agent_api.PushConfigObjects(newObjects)
if ret != api.types.status.SUCCESS:
api.Logger.error("Unable to push mirror objects")
return api.types.status.FAILURE
utils.DumpMirrorSessions()
# Get collector to find the workload
for obj in newObjects:
for obj_collector in obj.spec.collectors:
coll_dst = obj_collector.export_config.destination
coll_type = obj_collector.type
collector_dest.append(coll_dst)
collector_type.append(coll_type)
api.Logger.info(f"export-dest: {coll_dst}, erspan-type: {coll_type}")
for coll_dst in collector_dest:
for wl in tc.workloads:
if (wl.ip_address == coll_dst) or (coll_dst in wl_sec_ip_info[wl.workload_name]):
collector_wl.append(wl)
api.Logger.info("collect_dest len: {} collect_wl len: {}".format(len(collector_dest), len(collector_wl)))
collector_info = utils.GetMirrorCollectorsInfo(collector_wl, collector_dest, collector_type)
ret = utils.RunAll(tc, verif_json, 'mirror', collector_info, is_wl_type_bm)
result = ret['res']
ret_count = ret['count']
count = count + ret_count
if result != api.types.status.SUCCESS:
api.Logger.info("policy_json = {}, Encountered FAILURE, stopping".format(policy_json))
# Delete the objects
agent_api.DeleteConfigObjects(newObjects)
agent_api.RemoveConfigObjects(newObjects)
break
# Update collector
newObjects = agent_api.QueryConfigs(kind='MirrorSession')
# mirror config update to local collector is applicable only for ESX topology
if is_wl_type_bm is False:
for obj in newObjects:
if obj.spec.collectors[0].type == utils.ERSPAN_TYPE_2:
obj.spec.collectors[0].type = utils.ERSPAN_TYPE_3
collector_info[0]['type'] = utils.ERSPAN_TYPE_3
else:
obj.spec.collectors[0].type = utils.ERSPAN_TYPE_2
collector_info[0]['type'] = utils.ERSPAN_TYPE_2
break
# Now push the update as we modified
agent_api.UpdateConfigObjects(newObjects)
utils.DumpMirrorSessions()
# Rerun the tests
ret = utils.RunAll(tc, verif_json, 'mirror', collector_info, is_wl_type_bm)
result = ret['res']
ret_count = ret['count']
count = count + ret_count
# Delete the objects
agent_api.DeleteConfigObjects(newObjects)
agent_api.RemoveConfigObjects(newObjects)
api.Logger.info("policy_json = {}, count = {}, total_count = {}".format(policy_json, ret_count, count))
if result != api.types.status.SUCCESS:
api.Logger.info("policy_json = {}, Encountered FAILURE, stopping".format(policy_json))
break
tc.SetTestCount(count)
collector_dest.clear()
collector_wl.clear()
return result
def Trigger(tc):
#Query will get the reference of objects on store
store_profile_objects = netagent_cfg_api.QueryConfigs(kind='SecurityProfile')
if len(store_profile_objects) == 0:
api.Logger.error("No security profile objects in store")
return api.types.status.FAILURE
#Get will return copy of pushed objects to agent
get_config_objects = netagent_cfg_api.GetConfigObjects(store_profile_objects)
if len(get_config_objects) == 0:
api.Logger.error("Unable to fetch security profile objects")
return api.types.status.FAILURE
if len(get_config_objects) != len(store_profile_objects):
api.Logger.error("Config mismatch, Get Objects : %d, Config store Objects : %d"
% (len(get_config_objects), len(store_profile_objects)))
return api.types.status.FAILURE
#Now do an update of the objects
for object in store_profile_objects:
object.spec.timeouts.tcp_connection_setup = "1200s"
object.spec.timeouts.tcp_half_close = "1400s"
#Now push the update as we modified.
netagent_cfg_api.UpdateConfigObjects(store_profile_objects)
#Get will return copy of pushed objects to agent
new_get_config_objects = netagent_cfg_api.GetConfigObjects(store_profile_objects)
if len(new_get_config_objects) == 0:
api.Logger.error("Unable to fetch security profile objects after update")
return api.types.status.FAILURE
#Check whether value has changed
for (get_object,store_object,old_object) in zip(new_get_config_objects, store_profile_objects, get_config_objects):
if get_object.spec.timeouts.tcp_connection_setup != store_object.spec.timeouts.tcp_connection_setup or \
old_object.spec.timeouts.tcp_connection_setup == store_object.spec.timeouts.tcp_connection_setup or \
old_object.spec.timeouts.tcp_connection_setup == get_object.spec.timeouts.tcp_connection_setup:
api.Logger.error("Update failed")
return api.types.status.FAILURE
#Now do restore value to old one
for object,old_object in zip(store_profile_objects, get_config_objects):
object.spec.timeouts.tcp_connection_setup = old_object.spec.timeouts.tcp_connection_setup
object.spec.timeouts.tcp_half_close = old_object.spec.timeouts.tcp_half_close
#Now push the update as we modified.
netagent_cfg_api.UpdateConfigObjects(store_profile_objects)
#Get will return copy of pushed objects to agent
new_get_config_objects = netagent_cfg_api.GetConfigObjects(store_profile_objects)
if len(new_get_config_objects) == 0:
api.Logger.error("Unable to fetch security profile objects after update")
return api.types.status.FAILURE
for (get_object,store_object,old_object) in zip(new_get_config_objects, store_profile_objects, get_config_objects):
if get_object.spec.timeouts.tcp_connection_setup != store_object.spec.timeouts.tcp_connection_setup or \
old_object.spec.timeouts.tcp_connection_setup != store_object.spec.timeouts.tcp_connection_setup or \
old_object.spec.timeouts.tcp_connection_setup != get_object.spec.timeouts.tcp_connection_setup:
api.Logger.error("Second Update failed")
return api.types.status.FAILURE
#Now lets do a delete
netagent_cfg_api.DeleteConfigObjects(store_profile_objects)
#Get will return copy of pushed objects to agent
get_config_objects = netagent_cfg_api.GetConfigObjects(store_profile_objects)
if len(get_config_objects) != 0:
api.Logger.error("Delete of objects failed")
return api.types.status.FAILURE
netagent_cfg_api.PushConfigObjects(store_profile_objects)
#Get will return copy of pushed objects to agent
get_config_objects = netagent_cfg_api.GetConfigObjects(store_profile_objects)
if len(get_config_objects) == 0:
api.Logger.error("Unable to fetch security profile objects")
return api.types.status.FAILURE
newObjects = netagent_cfg_api.AddOneConfig(api.GetTopologyDirectory() + "/test_cfg/test_security_profile.json")
if len(newObjects) == 0:
api.Logger.error("Adding new objects to store failed")
return api.types.status.FAILURE
nodes = api.GetNaplesHostnames()
push_nodes = [nodes[0]]
ret = netagent_cfg_api.PushConfigObjects(newObjects, node_names = push_nodes)
if ret != api.types.status.SUCCESS:
api.Logger.error("Unable to fetch security profile objects to node %s" % nodes[0])
return api.types.status.FAILURE
#Get will return copy of pushed objects to agent
get_config_objects = netagent_cfg_api.GetConfigObjects(newObjects, node_names = push_nodes)
if len(get_config_objects) == 0:
api.Logger.error("Unable to fetch newly pushed objects")
return api.types.status.FAILURE
#Delete the objects that is pushed
netagent_cfg_api.DeleteConfigObjects(get_config_objects)
#Get will return copy of pushed objects to agent
get_config_objects = netagent_cfg_api.GetConfigObjects(newObjects, node_names = push_nodes)
if len(get_config_objects) != 0:
api.Logger.error("Delete of new objects failed")
return api.types.status.FAILURE
#Remoe competely those objects from the store too.
ret = netagent_cfg_api.RemoveConfigObjects(newObjects)
if ret != api.types.status.SUCCESS:
api.Logger.error("Remove of new objects failed")
return api.types.status.FAILURE
return api.types.status.SUCCESS
def __restore_security_profile(tc):
return netagent_api.UpdateConfigObjects(tc.cloned_sp_objects)