def _prepare_vms(self):
sgs = [self.safe_client.create_security_group(self.tenant_id)
for _ in range(2)]
port1 = self.safe_client.create_port(
self.tenant_id, self.network['id'],
self.environment.hosts[0].hostname,
device_owner="compute:test_ovs_dhcp",
security_groups=[sgs[0]['id']])
port2 = self.safe_client.create_port(
self.tenant_id, self.network['id'],
self.environment.hosts[0].hostname,
device_owner="compute:test_ovs_dhcp",
security_groups=[sgs[1]['id']])
# insert security-group-rules allow icmp
self.safe_client.create_security_group_rule(
self.tenant_id, sgs[0]['id'],
direction=constants.INGRESS_DIRECTION,
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_ICMP)
self.safe_client.create_security_group_rule(
self.tenant_id, sgs[0]['id'],
direction=constants.INGRESS_DIRECTION,
ethertype=constants.IPv6,
protocol=constants.PROTO_NAME_ICMP)
# insert security-group-rules allow icmp
self.safe_client.create_security_group_rule(
self.tenant_id, sgs[1]['id'],
direction=constants.INGRESS_DIRECTION,
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_ICMP)
self.safe_client.create_security_group_rule(
self.tenant_id, sgs[1]['id'],
direction=constants.INGRESS_DIRECTION,
ethertype=constants.IPv6,
protocol=constants.PROTO_NAME_ICMP)
vm1 = self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[0],
self.network['id'],
self.tenant_id,
self.safe_client,
neutron_port=port1,
use_dhcp=True,
use_dhcp6=True))
vm2 = self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[0],
self.network['id'],
self.tenant_id,
self.safe_client,
neutron_port=port2,
use_dhcp=True,
use_dhcp6=True))
return machine.FakeFullstackMachinesList([vm1, vm2])
def _boot_fake_vm_in_network(self, host, tenant_id, network_id, wait=True):
vm = self.useFixture(
machine.FakeFullstackMachine(
host, network_id, tenant_id, self.safe_client, use_dhcp=True))
if wait:
vm.block_until_boot()
return vm
def _prepare_vm_with_qos_policy(self, limit, burst):
qos_policy = self._create_qos_policy()
qos_policy_id = qos_policy['id']
rule = self.safe_client.create_bandwidth_limit_rule(
self.tenant_id, qos_policy_id, limit, burst)
# Make it consistent with GET reply
qos_policy['rules'].append(rule)
rule['type'] = qos_consts.RULE_TYPE_BANDWIDTH_LIMIT
rule['qos_policy_id'] = qos_policy_id
port = self.safe_client.create_port(
self.tenant_id, self.network['id'],
self.environment.hosts[0].hostname,
qos_policy_id)
vm = self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[0],
self.network['id'],
self.tenant_id,
self.safe_client,
neutron_port=port))
return vm, qos_policy
def test_l3_network_connectivity(self):
tenant_uuid = uuidutils.generate_uuid()
bgpvpn = self.safe_client.create_bgpvpn(tenant_uuid,
route_targets=['64512:1'])
network_ids = list()
for subnet_cidr in (base.SUBNET_CIDR1, base.SUBNET_CIDR2):
network_ids.append(
self._create_net_subnet_bgpvpn_assoc(tenant_uuid, subnet_cidr,
bgpvpn['id'])[0]
)
fake_machines = list()
for network_id in network_ids:
fake_machines.extend([
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[i],
network_id,
tenant_uuid,
self.safe_client))
for i in
range(self.compute_node_count)*self.port_per_compute_per_net])
vms = machine.FakeFullstackMachinesList(fake_machines)
vms.block_until_all_boot()
vms.ping_all()
def test_vm_port_rebound_when_L2_agent_revived(self):
"""Test scenario
1. Create port which will be properly bound to host
2. Stop L2 agent and wait until it will be DEAD
3. Create another port - it should have "binding_failed"
4. Turn on L2 agent
5. Port from p.3 should be bound properly after L2 agent will be UP
"""
vm_1 = self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[0],
self.network['id'], self.tenant_id,
self.safe_client))
vm_1.block_until_boot()
self._ensure_port_bound(vm_1.neutron_port['id'])
vm_1_port = self.safe_client.client.show_port(
vm_1.neutron_port['id'])['port']
self.l2_agent_process = self.environment.hosts[0].l2_agent
self.l2_agent = self.safe_client.client.list_agents(
agent_type=self.l2_agent_type)['agents'][0]
self.l2_agent_process.stop()
self._wait_until_agent_down(self.l2_agent['id'])
vm_2 = self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[0],
self.network['id'], self.tenant_id,
self.safe_client))
self._ensure_port_binding_failed(vm_2.neutron_port['id'])
vm_2_port = self.safe_client.client.show_port(
vm_2.neutron_port['id'])['port']
# check if vm_1 port is still bound as it was before
self._ensure_port_bound(vm_1.neutron_port['id'])
# and that revision number of vm_1's port wasn't changed
self.assertEqual(
vm_1_port['revision_number'],
self.safe_client.client.show_port(
vm_1_port['id'])['port']['revision_number'])
self.l2_agent_process.start()
self._wait_until_agent_up(self.l2_agent['id'])
self._ensure_port_bound(vm_2_port['id'])
def _prepare_vms_in_net(self, tenant_uuid, network):
vms = machine.FakeFullstackMachinesList(
self.useFixture(
machine.FakeFullstackMachine(host, network['id'], tenant_uuid,
self.safe_client))
for host in self.environment.hosts)
vms.block_until_all_boot()
return vms
def _spawn_vm(self):
host = random.choice(self.environment.hosts)
vm = self.useFixture(
machine.FakeFullstackMachine(host,
self.network['id'],
self.project_id,
self.safe_client,
use_dhcp=True))
vm.block_until_boot()
return vm
def create_vm_in_network(self, network):
"""Create a fake machine in given network."""
return self.useFixture(
machine.FakeFullstackMachine(
self.host,
network.id,
self.tenant_id,
self.safe_client
)
)
def _prepare_vms(self):
port1 = self.safe_client.create_port(
self.project_id,
self.network['id'],
self.environment.hosts[0].hostname,
device_owner="compute:test_local_ip")
port2 = self.safe_client.create_port(
self.project_id,
self.network['id'],
self.environment.hosts[0].hostname,
device_owner="compute:test_local_ip")
port3 = self.safe_client.create_port(
self.project_id,
self.network['id'],
self.environment.hosts[1].hostname,
device_owner="compute:test_local_ip")
vm1 = self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[0],
self.network['id'],
self.project_id,
self.safe_client,
neutron_port=port1))
vm2 = self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[0],
self.network['id'],
self.project_id,
self.safe_client,
neutron_port=port2))
vm_diff_host = self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[1],
self.network['id'],
self.project_id,
self.safe_client,
neutron_port=port3))
return machine.FakeFullstackMachinesList([vm1, vm2, vm_diff_host])
def _prepare_vms_in_net(self, tenant_uuid, network, use_dhcp=False):
vms = machine.FakeFullstackMachinesList(
self.useFixture(
machine.FakeFullstackMachine(host,
network['id'],
tenant_uuid,
self.safe_client,
use_dhcp=use_dhcp))
for host in self.environment.hosts)
vms.block_until_all_boot()
if use_dhcp:
vms.block_until_all_dhcp_config_done()
return vms
def _create_vm_on_host(
self, project_id, network_id, sg_id, host, mac_address=None):
if mac_address:
port = self.safe_client.create_port(
project_id, network_id, host.hostname,
security_groups=[sg_id], mac_address=mac_address)
else:
port = self.safe_client.create_port(
project_id, network_id, host.hostname,
security_groups=[sg_id])
return self.useFixture(
machine.FakeFullstackMachine(
host, network_id, project_id, self.safe_client,
neutron_port=port))
def _create_resources(self, tenant_uuid, subnet_cidr, stateful=True):
if self.firewall_driver == 'iptables_hybrid':
# The iptables_hybrid driver lacks isolation between agents
index_to_host = [0] * 4
else:
index_to_host = [0, 1, 1, 0]
network = self.safe_client.create_network(tenant_uuid)
self.safe_client.create_subnet(tenant_uuid, network['id'], subnet_cidr)
sgs = [
self.safe_client.create_security_group(tenant_uuid,
stateful=stateful)
for i in range(3)
]
ports = [
self.safe_client.create_port(tenant_uuid,
network['id'],
self.environment.hosts[host].hostname,
security_groups=[],
port_security_enabled=False)
for host in index_to_host
]
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3333,
port_range_max=3333)
vms = [
self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[host],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[port],
use_dhcp=True))
for port, host in enumerate(index_to_host)
]
map(lambda vm: vm.block_until_boot(), vms)
map(lambda vm: vm.block_until_dhcp_config_done(), vms)
return vms, ports, sgs, network, index_to_host
def _create_net_subnet_and_vm(self, tenant_id, cidr, host, router):
network = self.safe_client.create_network(tenant_id)
subnet = self.safe_client.create_subnet(tenant_id,
network['id'],
cidr,
enable_dhcp=False)
vm = self.useFixture(
machine.FakeFullstackMachine(host, network['id'], tenant_id,
self.safe_client))
vm.block_until_boot()
router_interface_info = self.safe_client.add_router_interface(
router['id'], subnet['id'])
self.block_until_port_status_active(router_interface_info['port_id'])
return vm
def _create_network_subnet_and_vm(self):
self.network = self.safe_client.create_network(self.project_id)
self.subnet = self.safe_client.create_subnet(self.project_id,
self.network['id'],
cidr='10.0.0.0/24',
gateway_ip='10.0.0.1',
name='subnet-test',
enable_dhcp=True)
self.vm = self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[0],
self.network['id'],
self.project_id,
self.safe_client,
use_dhcp=True))
self.vm.block_until_boot()
def test_connectivity(self):
tenant_uuid = uuidutils.generate_uuid()
network = self.safe_client.create_network(tenant_uuid)
self.safe_client.create_subnet(tenant_uuid, network['id'],
base.SUBNET_CIDR1)
vms = machine.FakeFullstackMachinesList([
self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[i],
network['id'], tenant_uuid,
self.safe_client))
for i in range(3)
])
vms.block_until_all_boot()
vms.ping_all()
def test_l3_router_connectivity(self):
tenant_uuid = uuidutils.generate_uuid()
bgpvpn = self.safe_client.create_bgpvpn(tenant_uuid,
route_targets=['64512:1'])
network1 = self.safe_client.create_network(tenant_uuid)
subnet1 = self.safe_client.create_subnet(
tenant_uuid, network1['id'], '10.0.0.0/24')
network2 = self.safe_client.create_network(tenant_uuid)
subnet2 = self.safe_client.create_subnet(
tenant_uuid, network2['id'], '20.0.0.0/24')
router = self.safe_client.create_router(tenant_uuid)
self.safe_client.add_router_interface(router['id'], subnet1['id'])
self.safe_client.add_router_interface(router['id'], subnet2['id'])
self.safe_client.create_router_association(tenant_uuid,
bgpvpn['id'],
router['id'])
network3 = self.safe_client.create_network(tenant_uuid)
self.safe_client.create_subnet(
tenant_uuid, network3['id'], '30.0.0.0/24')
self.safe_client.create_network_association(tenant_uuid,
bgpvpn['id'],
network3['id'])
fake_machines = list()
for network in (network1, network2, network3):
fake_machines.extend([
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[i],
network['id'],
tenant_uuid,
self.safe_client))
for i in
range(self.compute_node_count)*self.port_per_compute_per_net])
vms = machine.FakeFullstackMachinesList(fake_machines)
vms.block_until_all_boot()
vms.ping_all()
def _prepare_vm_with_qos_policy(self, rule_add_functions):
qos_policy = self._create_qos_policy()
qos_policy_id = qos_policy['id']
port = self.safe_client.create_port(self.tenant_id, self.network['id'],
self.environment.hosts[0].hostname,
qos_policy_id)
for rule_add in rule_add_functions:
rule_add(qos_policy)
vm = self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[0],
self.network['id'],
self.tenant_id,
self.safe_client,
neutron_port=port))
return vm, qos_policy
def test_connectivity(self):
tenant_uuid = uuidutils.generate_uuid()
network = self.safe_client.create_network(tenant_uuid)
self.safe_client.create_subnet(tenant_uuid, network['id'],
'20.0.0.0/24')
vms = [
self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[i],
network['id'], tenant_uuid,
self.safe_client))
for i in range(2)
]
for vm in vms:
vm.block_until_boot()
vms[0].block_until_ping(vms[1].ip)
def _create_net_subnet_and_vm(self, tenant_id, subnet_cidrs, host, router):
network = self.safe_client.create_network(tenant_id)
for cidr in subnet_cidrs:
# For IPv6 subnets, enable_dhcp should be set to true.
enable_dhcp = (netaddr.IPNetwork(cidr).version ==
constants.IP_VERSION_6)
subnet = self.safe_client.create_subnet(
tenant_id, network['id'], cidr, enable_dhcp=enable_dhcp)
router_interface_info = self.safe_client.add_router_interface(
router['id'], subnet['id'])
self.block_until_port_status_active(
router_interface_info['port_id'])
vm = self.useFixture(
machine.FakeFullstackMachine(
host, network['id'], tenant_id, self.safe_client))
vm.block_until_boot()
return vm
def _prepare_resources(self):
self.tenant_uuid = uuidutils.generate_uuid()
network = self.safe_client.create_network(self.tenant_uuid)
self.safe_client.create_subnet(self.tenant_uuid,
network['id'],
'20.0.0.0/24',
enable_dhcp=False)
vms = machine.FakeFullstackMachinesList(
self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[0],
network['id'],
self.tenant_uuid,
self.safe_client,
use_dhcp=False))
for i in range(2))
vms.block_until_all_boot()
for vm in vms:
self._add_icmp_security_group_rule(vm)
return vms
def test_dscp_marking_packets(self):
# Create port (vm) which will be used to received and test packets
receiver_port = self.safe_client.create_port(
self.tenant_id, self.network['id'],
self.environment.hosts[1].hostname)
receiver = self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[1],
self.network['id'],
self.tenant_id,
self.safe_client,
neutron_port=receiver_port))
# Create port with qos policy attached
sender, qos_policy = self._prepare_vm_with_qos_policy(
[functools.partial(self._add_dscp_rule, DSCP_MARK)])
sender.block_until_boot()
receiver.block_until_boot()
self._wait_for_dscp_marking_rule_applied(sender, DSCP_MARK)
l2_extensions.wait_for_dscp_marked_packet(sender, receiver, DSCP_MARK)
def test_securitygroup(self):
"""Tests if a security group rules are working, by confirming
that 0. traffic is allowed when port security is disabled,
1. connection from outside of allowed security group is blocked
2. connection from allowed security group is permitted
3. traffic not explicitly allowed (eg. ICMP) is blocked,
4. a security group update takes effect,
5. a security group update for entire port range works
6. a remote security group member addition works, and
7. an established connection stops by deleting a SG rule.
8. multiple overlapping remote rules work,
9. test other protocol functionality by using SCTP protocol
10. test two vms with same mac on the same host in different
networks
11. test using multiple security groups
12. test stateless security groups when firewall driver is
iptables or iptables_hybrid.
"""
tenant_uuid = uuidutils.generate_uuid()
subnet_cidr = '20.0.0.0/24'
vms, ports, sgs, network, index_to_host = self._create_resources(
tenant_uuid, subnet_cidr)
# 0. check that traffic is allowed when port security is disabled
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
vms[0].block_until_ping(vms[1].ip)
vms[0].block_until_ping(vms[2].ip)
vms[1].block_until_ping(vms[2].ip)
# Apply security groups to the ports
for port, sg in zip(ports, self.index_to_sg):
self.safe_client.client.update_port(
port['id'],
body={
'port': {
'port_security_enabled': True,
'security_groups': [sgs[sg]['id']]
}
})
# 1. connection from outside of allowed security group is blocked
netcat = net_helpers.NetcatTester(vms[2].namespace, vms[0].namespace,
vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
# Wait until port update takes effect on the ports
common_utils.wait_until_true(
netcat.test_no_connectivity,
exception=AssertionError(
"Still can connect to the VM from different host."))
netcat.stop_processes()
# 2. check if connection from allowed security group is permitted
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
# 3. check if traffic not explicitly allowed (eg. ICMP) is blocked
vms[0].block_until_no_ping(vms[1].ip)
vms[0].block_until_no_ping(vms[2].ip)
vms[1].block_until_no_ping(vms[2].ip)
# 4. check if a security group update takes effect
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
rule1 = self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3344,
port_range_max=3344)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3344, net_helpers.NetcatTester.TCP)
# 5. check if a security group update for entire port range works
self.client.delete_security_group_rule(rule1['id'])
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3366,
net_helpers.NetcatTester.TCP)
rule1 = self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=1,
port_range_max=65535)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3344, net_helpers.NetcatTester.TCP)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3366, net_helpers.NetcatTester.TCP)
self.client.delete_security_group_rule(rule1['id'])
# 6. check if a remote security group member addition works
rule2 = self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[1]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3355,
port_range_max=3355)
self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip,
3355, net_helpers.NetcatTester.TCP)
# 7. check if an established connection stops by deleting
# the supporting SG rule.
index_to_host.append(index_to_host[2])
self.index_to_sg.append(1)
ports.append(
self.safe_client.create_port(
tenant_uuid,
network['id'],
self.environment.hosts[index_to_host[-1]].hostname,
security_groups=[sgs[1]['id']]))
vms.append(
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[index_to_host[-1]],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[-1],
use_dhcp=True)))
self.assertEqual(5, len(vms))
vms[4].block_until_boot()
netcat = net_helpers.NetcatTester(vms[4].namespace, vms[0].namespace,
vms[0].ip, 3355,
net_helpers.NetcatTester.TCP)
self.addCleanup(netcat.stop_processes)
self.assertTrue(netcat.test_connectivity())
self.client.delete_security_group_rule(rule2['id'])
common_utils.wait_until_true(lambda: netcat.test_no_connectivity(),
sleep=8)
netcat.stop_processes()
# 8. check if multiple overlapping remote rules work
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[1]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3333,
port_range_max=3333)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[2]['id'],
direction='ingress',
ethertype=constants.IPv4)
for i in range(2):
self.assert_connection(vms[0].namespace, vms[1].namespace,
vms[1].ip, 3333,
net_helpers.NetcatTester.TCP)
self.assert_connection(vms[2].namespace, vms[1].namespace,
vms[1].ip, 3333,
net_helpers.NetcatTester.TCP)
self.assert_connection(vms[3].namespace, vms[0].namespace,
vms[0].ip, 8080,
net_helpers.NetcatTester.TCP)
# 9. check SCTP is supported by security group
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3366,
net_helpers.NetcatTester.SCTP)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NUM_SCTP,
port_range_min=3366,
port_range_max=3366)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3366, net_helpers.NetcatTester.SCTP)
# 10. test two vms with same mac on the same host in different networks
self._test_overlapping_mac_addresses()
# 11. Check using multiple security groups
self._test_using_multiple_security_groups()
# 12. test stateless security groups when firewall driver is iptables
# or iptables_hybrid.
# TODO(njohnston): Re-add the iptables here once it is stable
if self.firewall_driver == 'iptables_hybrid':
self._test_stateless_security_groups()
def test_securitygroup(self):
"""Tests if a security group rules are working, by confirming
that 0. traffic is allowed when port security is disabled,
1. connection from outside of allowed security group is blocked
2. connection from allowed security group is permitted
3. traffic not explicitly allowed (eg. ICMP) is blocked,
4. a security group update takes effect,
5. a remote security group member addition works, and
6. an established connection stops by deleting a SG rule.
7. multiple overlapping remote rules work,
8. test other protocol functionality by using SCTP protocol
9. test two vms with same mac on the same host in different
networks
"""
index_to_sg = [0, 0, 1, 2]
if self.firewall_driver == 'iptables_hybrid':
# The iptables_hybrid driver lacks isolation between agents
index_to_host = [0] * 4
else:
index_to_host = [0, 1, 1, 0]
tenant_uuid = uuidutils.generate_uuid()
network = self.safe_client.create_network(tenant_uuid)
self.safe_client.create_subnet(tenant_uuid, network['id'],
'20.0.0.0/24')
sgs = [
self.safe_client.create_security_group(tenant_uuid)
for i in range(3)
]
ports = [
self.safe_client.create_port(tenant_uuid,
network['id'],
self.environment.hosts[host].hostname,
security_groups=[],
port_security_enabled=False)
for host in index_to_host
]
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3333,
port_range_max=3333)
vms = [
self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[host],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[port],
use_dhcp=True))
for port, host in enumerate(index_to_host)
]
for vm in vms:
vm.block_until_boot()
# 0. check that traffic is allowed when port security is disabled
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
net_helpers.assert_ping(vms[0].namespace, vms[1].ip)
net_helpers.assert_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_ping(vms[1].namespace, vms[2].ip)
# Apply security groups to the ports
for port, sg in zip(ports, index_to_sg):
self.safe_client.client.update_port(
port['id'],
body={
'port': {
'port_security_enabled': True,
'security_groups': [sgs[sg]['id']]
}
})
# 1. connection from outside of allowed security group is blocked
netcat = net_helpers.NetcatTester(vms[2].namespace, vms[0].namespace,
vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
# Wait until port update takes effect on the ports
common_utils.wait_until_true(
netcat.test_no_connectivity,
exception=AssertionError(
"Still can connect to the VM from different host."))
netcat.stop_processes()
# 2. check if connection from allowed security group is permitted
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
# 3. check if traffic not explicitly allowed (eg. ICMP) is blocked
net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip)
net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip)
# 4. check if a security group update takes effect
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3344,
port_range_max=3344)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3344, net_helpers.NetcatTester.TCP)
# 5. check if a remote security group member addition works
rule2 = self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[1]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3355,
port_range_max=3355)
self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip,
3355, net_helpers.NetcatTester.TCP)
# 6. check if an established connection stops by deleting
# the supporting SG rule.
index_to_host.append(index_to_host[2])
index_to_sg.append(1)
ports.append(
self.safe_client.create_port(
tenant_uuid,
network['id'],
self.environment.hosts[index_to_host[-1]].hostname,
security_groups=[sgs[1]['id']]))
vms.append(
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[index_to_host[-1]],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[-1],
use_dhcp=True)))
self.assertEqual(5, len(vms))
vms[4].block_until_boot()
netcat = net_helpers.NetcatTester(vms[4].namespace, vms[0].namespace,
vms[0].ip, 3355,
net_helpers.NetcatTester.TCP)
self.addCleanup(netcat.stop_processes)
self.assertTrue(netcat.test_connectivity())
self.client.delete_security_group_rule(rule2['id'])
common_utils.wait_until_true(lambda: netcat.test_no_connectivity(),
sleep=8)
netcat.stop_processes()
# 7. check if multiple overlapping remote rules work
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[1]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3333,
port_range_max=3333)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[2]['id'],
direction='ingress',
ethertype=constants.IPv4)
for i in range(2):
self.assert_connection(vms[0].namespace, vms[1].namespace,
vms[1].ip, 3333,
net_helpers.NetcatTester.TCP)
self.assert_connection(vms[2].namespace, vms[1].namespace,
vms[1].ip, 3333,
net_helpers.NetcatTester.TCP)
self.assert_connection(vms[3].namespace, vms[0].namespace,
vms[0].ip, 8080,
net_helpers.NetcatTester.TCP)
# 8. check SCTP is supported by security group
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3366,
net_helpers.NetcatTester.SCTP)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NUM_SCTP,
port_range_min=3366,
port_range_max=3366)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3366, net_helpers.NetcatTester.SCTP)
# 9. test two vms with same mac on the same host in different networks
self._test_overlapping_mac_addresses()
def test_l2_network_connectivity(self):
# create <n> fake machines in 2 different networks, all using
# the same IP subnet, and check that each machine can reach all the
# others. We create machines so that we confirm that connectivity
# still works *inside* a given network, both locally on a compute
# node, and across different compute nodes
if self.evpn_driver is 'dummy':
self.skipTest("L2VPN unsupported for this scenario")
tenant_uuid = uuidutils.generate_uuid()
bgpvpn = self.safe_client.create_bgpvpn(tenant_uuid,
type="l2",
route_targets=['64512:10'])
fake_machines = list()
for network in range(2):
# we'll use the same subnet range for all networks, but
# choose in this range distinct IP addresses for each fake machine
network_id, subnet_id = self._create_net_subnet_bgpvpn_assoc(
tenant_uuid,
base.SUBNET_CIDR1,
bgpvpn['id']
)
for compute, port_i in itertools.product(
range(self.compute_node_count),
range(self.port_per_compute_per_net)):
# NOTE(tmorin): choice of fixed IP done this way for sake
# of simplicity, of course, this breaks e.g. for
# compute_node_count > 10
fixed_ip = (base.SUBNET_CIDR1[:base.SUBNET_CIDR1.find('0/24')]
+ str(100 * network + 10 * (compute+1) + port_i))
neutron_port = self.safe_client.create_port(
network_id=network_id,
tenant_id=tenant_uuid,
hostname=self.environment.hosts[compute].hostname,
fixed_ips=[{"subnet_id": subnet_id,
"ip_address": fixed_ip}]
)
fake_machines.append(
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[compute],
network_id,
tenant_uuid,
self.safe_client,
neutron_port=neutron_port
)
)
)
vms = machine.FakeFullstackMachinesList(fake_machines)
vms.block_until_all_boot()
vms.ping_all()
def test_securitygroup(self):
"""Tests if a security group rules are working, by confirming
that 1. connection from allowed security group is allowed,
2. connection from elsewhere is blocked,
3. traffic not explicitly allowed (eg. ICMP) is blocked,
4. a security group update takes effect,
5. a remote security group member addition works, and
6. an established connection stops by deleting a SG rule.
7. test other protocol functionality by using SCTP protocol
"""
index_to_sg = [0, 0, 1]
if self.firewall_driver == 'iptables_hybrid':
# The iptables_hybrid driver lacks isolation between agents
index_to_host = [0] * 3
else:
index_to_host = [0, 1, 1]
tenant_uuid = uuidutils.generate_uuid()
network = self.safe_client.create_network(tenant_uuid)
self.safe_client.create_subnet(
tenant_uuid, network['id'], '20.0.0.0/24')
sgs = [self.safe_client.create_security_group(tenant_uuid)
for i in range(2)]
ports = [
self.safe_client.create_port(tenant_uuid, network['id'],
self.environment.hosts[host].hostname,
security_groups=[sgs[sg]['id']])
for host, sg in zip(index_to_host, index_to_sg)]
self.safe_client.create_security_group_rule(
tenant_uuid, sgs[0]['id'],
remote_group_id=sgs[0]['id'], direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3333, port_range_max=3333)
vms = [
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[host],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[port]))
for port, host in enumerate(index_to_host)]
for vm in vms:
vm.block_until_boot()
# 1. check if connection from allowed security group is allowed
self.assert_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
# 2. check if connection from elsewhere is blocked
self.assert_no_connection(
vms[2].namespace, vms[0].namespace, vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
# 3. check if traffic not explicitly allowed (eg. ICMP) is blocked
net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip)
net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip)
# 4. check if a security group update takes effect
self.assert_no_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
self.safe_client.create_security_group_rule(
tenant_uuid, sgs[0]['id'],
remote_group_id=sgs[0]['id'], direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3344, port_range_max=3344)
self.assert_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
# 5. check if a remote security group member addition works
rule2 = self.safe_client.create_security_group_rule(
tenant_uuid, sgs[0]['id'],
remote_group_id=sgs[1]['id'], direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3355, port_range_max=3355)
self.assert_connection(
vms[2].namespace, vms[0].namespace, vms[0].ip, 3355,
net_helpers.NetcatTester.TCP)
# NOTE(slaweq) iptables driver currently contains a bug
# https://bugs.launchpad.net/neutron/+bug/1657260
# where established connections are not dropped after security group
# rule is removed. Remove this workaround once bug #1657260 is fixed.
if self.firewall_driver != 'iptables':
# 6. check if an established connection stops by deleting
# the supporting SG rule.
index_to_host.append(index_to_host[2])
index_to_sg.append(1)
ports.append(
self.safe_client.create_port(tenant_uuid, network['id'],
self.environment.hosts[
index_to_host[3]].hostname,
security_groups=[sgs[1]['id']]))
vms.append(
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[index_to_host[3]],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[3])))
vms[3].block_until_boot()
netcat = net_helpers.NetcatTester(vms[3].namespace,
vms[0].namespace, vms[0].ip, 3355,
net_helpers.NetcatTester.TCP)
self.addCleanup(netcat.stop_processes)
self.assertTrue(netcat.test_connectivity())
self.client.delete_security_group_rule(rule2['id'])
common_utils.wait_until_true(lambda: netcat.test_no_connectivity(),
sleep=8)
netcat.stop_processes()
# 7. check SCTP is supported by security group
self.assert_no_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3366,
net_helpers.NetcatTester.SCTP)
self.safe_client.create_security_group_rule(
tenant_uuid, sgs[0]['id'],
remote_group_id=sgs[0]['id'], direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NUM_SCTP,
port_range_min=3366, port_range_max=3366)
self.assert_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3366,
net_helpers.NetcatTester.SCTP)
def test_tcp_securitygroup(self):
"""Tests if a TCP security group rule is working, by confirming
that 1. connection from allowed security group is allowed,
2. connection from elsewhere is blocked,
3. traffic not explicitly allowed (eg. ICMP) is blocked, and
4. a security group update takes effect.
"""
index_to_sg = [0, 0, 1]
if self.firewall_driver == 'iptables_hybrid':
# The iptables_hybrid driver lacks isolation between agents
index_to_host = [0] * 3
else:
index_to_host = [0, 1, 1]
tenant_uuid = uuidutils.generate_uuid()
network = self.safe_client.create_network(tenant_uuid)
self.safe_client.create_subnet(tenant_uuid, network['id'],
'20.0.0.0/24')
sgs = [
self.safe_client.create_security_group(tenant_uuid)
for i in range(2)
]
ports = [
self.safe_client.create_port(tenant_uuid,
network['id'],
self.environment.hosts[host].hostname,
security_groups=[sgs[sg]['id']])
for host, sg in zip(index_to_host, index_to_sg)
]
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3333,
port_range_max=3333)
vms = [
self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[host],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[port]))
for port, host in enumerate(index_to_host)
]
for vm in vms:
vm.block_until_boot()
# 1. check if connection from allowed security group is allowed
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
# 2. check if connection from elsewhere is blocked
self.assert_no_connection(vms[2].namespace, vms[0].namespace,
vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
# 3. check if traffic not explicitly allowed (eg. ICMP) is blocked
net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip)
net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip)
# 4. check if a security group update takes effect
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3344,
port_range_max=3344)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3344, net_helpers.NetcatTester.TCP)
