def test():
global test_obj_dict
vm = test_stub.create_vm()
test_obj_dict.add_vm(vm)
vm.check()
# This is very basic and raw SG testing. The formal test should use the functions in test_lib.
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg = test_sg_header.ZstackTestSecurityGroup()
sg_creation_option = test_util.SecurityGroupOption()
sg_creation_option.set_name('test_sg')
sg_creation_option.set_description('test sg description')
sg.set_creation_option(sg_creation_option)
sg.create()
test_obj_dict.add_sg(sg.security_group.uuid)
rule = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, '10.0.101.10')
sg.add_rule([rule])
sg_vm.attach(sg, [(vm.vm.vmNics[0].uuid, vm)])
sg_vm.check()
sg_vm.detach(sg, vm.vm.vmNics[0].uuid)
sg_vm.attach(sg, [(vm.vm.vmNics[0].uuid, vm)])
sg_vm.check()
sg_vm.delete_sg(sg)
sg_vm.check()
test_obj_dict.rm_sg(sg.security_group.uuid)
vm.destroy()
sg_vm.check()
test_util.test_pass('Create VM with simple Security Group Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc(
"Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm3)
vm4 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm4)
vm5 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm5)
vm1.check()
vm2.check()
vm3.check()
vm4.check()
vm5.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg4 = test_stub.create_sg()
test_obj_dict.add_sg(sg4.security_group.uuid)
sg5 = test_stub.create_sg()
test_obj_dict.add_sg(sg5.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vr_internal_ip = test_lib.lib_find_vr_private_ip(vr_vm)
vm1_ip = vm1.vm.vmNics[0].ip
vm2_ip = vm2.vm.vmNics[0].ip
vm3_ip = vm3.vm.vmNics[0].ip
vm4_ip = vm4.vm.vmNics[0].ip
vm5_ip = vm5.vm.vmNics[0].ip
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
nic_uuid3 = vm3.vm.vmNics[0].uuid
nic_uuid4 = vm4.vm.vmNics[0].uuid
nic_uuid5 = vm5.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
vm3_nics = (nic_uuid3, vm3)
vm4_nics = (nic_uuid4, vm4)
vm5_nics = (nic_uuid5, vm5)
vm_group1_nics = [vm1_nics, vm2_nics]
vm_group2_nics = [vm3_nics, vm4_nics]
#vms_nics = vm_group1_nics + vm_group1_nics + [vm5_nics]
vms_nics = vm_group1_nics + vm_group2_nics
test_util.test_dsc("Open some ports in 5 VMs for testing.")
for vm in vm1, vm2, vm3, vm4, vm5:
test_lib.lib_open_vm_listen_ports(vm.vm, test_stub.target_ports)
rule_ai1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vr_internal_ip)
rule_ae1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.EGRESS, vm5_ip)
rule_v3i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm3_ip)
rule_v3e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm3_ip)
rule_v3e_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.EGRESS, vm3_ip)
rule_v3i_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.INGRESS, vm3_ip)
rule_v4i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm4_ip)
rule_v4e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm4_ip)
rule_v1i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
rule_v1e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm1_ip)
rule_v2i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule_v2e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule_v1i_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
rule_v1e_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.EGRESS, vm1_ip)
sg1.add_rule([rule_ai1, rule_ae1])
sg2.add_rule([rule_v3i_2, rule_v4i_2, rule_v3e_2, rule_v4e_2])
sg3.add_rule([rule_v1i_2, rule_v2i_2, rule_v1e_2, rule_v2e_2])
sg4.add_rule([rule_v1i_3, rule_v1e_3])
sg5.add_rule([rule_v3e_3, rule_v3i_3])
sg_vm.add_stub_vm(l3_uuid, vm5)
sg_vm.check()
##add all vm1 vm2 vm3 vm4 vm5 to sg1.
test_util.test_dsc("Add all VMs to security group 1.")
test_util.test_dsc("Allowed ingress and egress [ports:] %s" %
test_stub.rule1_ports)
sg_vm.attach(sg1, vms_nics)
#add vm1 vm2 to SG2.
test_util.test_dsc("Add VM1 and VM2 to SG2.")
test_util.test_dsc("Allowed ingress [ports:] %s from VM3 and VM4" %
test_stub.rule2_ports)
test_util.test_dsc("Allowed egress [ports:] %s to VM3 and VM4" %
test_stub.rule2_ports)
test_util.test_dsc(
"Since VM1/VM2 are in same SG group, VM1/VM2 can connect rule2 ports :%s each other."
% test_stub.rule2_ports)
sg_vm.attach(sg2, vm_group1_nics)
sg_vm.check()
test_util.test_dsc(
"Since VM3/VM4 didn't open rule2 ports for VM1/VM2, VM1/VM2 can't connect to VM3/VM4 rule2 ports :%s."
% test_stub.rule2_ports)
test_lib.lib_check_vm_ports(
vm3.vm, vm1.vm, test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm3.vm, vm2.vm, test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm4.vm, vm1.vm, test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm4.vm, vm2.vm, test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_group_ports(
vm1.vm, [vm3.vm, vm4.vm], test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_util.test_dsc("Add rule2 ports to VM3 and VM4.")
test_util.test_dsc("Allowed ingress [ports:] %s from VM1/VM2 to VM3/VM4" %
(test_stub.rule1_ports + test_stub.rule2_ports))
test_util.test_dsc("Allowed egress [ports:] %s to VM1 and VM2" %
test_stub.rule2_ports)
sg_vm.attach(sg3, vm_group2_nics)
test_lib.lib_check_vm_group_ports(
vm4.vm, [vm1.vm, vm2.vm],
(test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_group_ports(
vm2.vm, [vm3.vm, vm4.vm],
(test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
sg_vm.check()
test_util.test_dsc("Add VM3 and VM4 to SG4.")
test_util.test_dsc("Allowed ingress/egress [ports:] %s for VM1" %
test_stub.rule3_ports)
test_util.test_dsc(
"But due to VM1 didn't open related ports, connection will be denied for [ports:] %s from VM1 to VM3 "
% test_stub.rule3_ports)
test_util.test_dsc(
"The enabled connections for VM1/VM3 are still [ports:] %s " %
(test_stub.rule1_ports + test_stub.rule2_ports))
sg_vm.attach(sg4, vm_group2_nics)
test_lib.lib_check_vm_ports(
vm1.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
test_util.test_dsc(
"As VM3/VM4 are in same SG group, rule1+rule2+rule3 [ports:] %s are opened between VM4 and VM3 "
% (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports))
sg_vm.check()
test_util.test_dsc("Add VM1 and VM2 to SG5.")
test_util.test_dsc("Allowed ingress/egress [ports:] %s for VM3" %
test_stub.rule3_ports)
test_util.test_dsc(
"Connection between VM1 and VM3, between VM1 and VM2, between VM3 and VM4 are enabled for [ports:] %s"
% (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports))
sg_vm.attach(sg5, vm_group1_nics)
test_lib.lib_check_vm_ports(
vm1.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports),
(test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm3.vm, vm1.vm, (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports),
(test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm4.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports),
(test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_util.test_dsc("Connection from VM2 to VM3 are enabled for [ports:]" %
(test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports))
test_lib.lib_check_vm_ports(
vm2.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm4.vm, vm2.vm, (test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
#test_util.test_dsc("VM5 was not granted with rule2 and rule3 ports, so only rule1 [ports:] %s are allowned to connect to other VMs." % test_stub.rule1_ports)
#test_lib.lib_check_vm_ports(vm5.vm, vm3.vm, test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
#clean up.
for sg in sg1, sg2, sg3, sg4, sg5:
sg_vm.delete_sg(sg)
test_obj_dict.rm_sg(sg.security_group.uuid)
for vm in vm1, vm2, vm3, vm4, vm5:
vm.destroy()
test_obj_dict.rm_vm(vm)
test_util.test_pass(
'Security Group Vlan VirtualRouter VM complex testing with 2 Groups 5 VMs Test Success'
)
def test():
'''
Since VR ip address is assigned by zstack, so we need to use VR to test
PF rules' connectibility.
PF test needs at least 3 VR existence. The PF VM's VR is for set PF
rule. The PF rule will add VIP for PF_VM. Besides of PF_VM's VR, there
are needed another 2 VR VMs. 1st VR public IP address will be set as
allowedCidr. The 1st VR VM should be able to access PF_VM. So the 2nd VR
VM should not be able to access PF_VM.
In this test, will also add SG rules to check the coexistence between
PF and SG. SG rule will be added onto PF_VM's internal IP.
'''
pf_vm = test_stub.create_vr_vm('migrate_pf_sg_vm1', 'imageName_net', 'l3VlanNetwork2')
test_obj_dict.add_vm(pf_vm)
l3_name = os.environ.get('l3VlanNetworkName1')
vr1_l3_uuid = test_lib.lib_get_l3_by_name(l3_name).uuid
vrs = test_lib.lib_find_vr_by_l3_uuid(vr1_l3_uuid)
temp_vm1 = None
if not vrs:
#create temp_vm1 for getting vlan1's vr for test pf_vm portforwarding
temp_vm1 = test_stub.create_vr_vm('migrate_temp_vm1', 'imageName_net', 'l3VlanNetworkName1')
test_obj_dict.add_vm(temp_vm1)
vr1 = test_lib.lib_find_vr_by_vm(temp_vm1.vm)[0]
else:
vr1 = vrs[0]
l3_name = os.environ.get('l3VlanNetwork3')
vr2_l3_uuid = test_lib.lib_get_l3_by_name(l3_name).uuid
vrs = test_lib.lib_find_vr_by_l3_uuid(vr2_l3_uuid)
temp_vm2 = None
if not vrs:
#create temp_vm2 for getting novlan's vr for test pf_vm portforwarding
temp_vm2 = test_stub.create_vr_vm('migrate_temp_vm2', 'imageName_net', 'l3VlanNetwork3')
test_obj_dict.add_vm(temp_vm2)
vr2 = test_lib.lib_find_vr_by_vm(temp_vm2.vm)[0]
else:
vr2 = vrs[0]
vr1_pub_ip = test_lib.lib_find_vr_pub_ip(vr1)
vr2_pub_ip = test_lib.lib_find_vr_pub_ip(vr2)
pf_vm.check()
vm_nic = pf_vm.vm.vmNics[0]
vm_nic_uuid = vm_nic.uuid
pri_l3_uuid = vm_nic.l3NetworkUuid
vr = test_lib.lib_find_vr_by_l3_uuid(pri_l3_uuid)[0]
vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr)
l3_uuid = vr_pub_nic.l3NetworkUuid
vip_option = test_util.VipOption()
vip_option.set_l3_uuid(l3_uuid)
vip_uuid = net_ops.create_vip(vip_option).uuid
pf_creation_opt = PfRule.generate_pf_rule_option(vr1_pub_ip, protocol=inventory.TCP, vip_target_rule=Port.rule1_ports, private_target_rule=Port.rule1_ports, vip_uuid=vip_uuid, vm_nic_uuid=vm_nic_uuid)
test_pf = zstack_pf_header.ZstackTestPortForwarding()
test_pf.set_creation_option(pf_creation_opt)
test_pf.create(pf_vm)
pf_vm.check()
#Ignore this check, since it has been checked many times in other PF cases.
#test_pf.check()
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg_vm = zstack_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vm_nics = (vm_nic_uuid, pf_vm)
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vr1_pub_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vr2_pub_ip)
sg1.add_rule([rule1])
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("PF rule is allowed, since VR1's IP is granted by SG Rule1.")
sg_vm.attach(sg1, [vm_nics])
test_pf.check()
test_stub.migrate_vm_to_random_host(pf_vm)
test_util.test_dsc("Remove rule1 from security group 1.")
test_util.test_dsc("PF rule is still allowed")
sg1.delete_rule([rule1])
test_pf.check()
test_util.test_dsc("Add rule2")
test_util.test_dsc("PF rule is not allowed, since rule2 only allowed the ingress from VR2, but VR2 can't pass PF rule. ")
sg1.add_rule([rule2])
test_pf.check()
test_util.test_dsc("Delete SG")
sg_vm.delete_sg(sg1)
test_util.test_dsc("PF rule is allowed")
test_pf.check()
if temp_vm1:
temp_vm1.destroy()
test_obj_dict.rm_vm(temp_vm1)
if temp_vm2:
temp_vm2.destroy()
test_obj_dict.rm_vm(temp_vm2)
test_pf.delete()
pf_vm.destroy()
test_obj_dict.rm_vm(pf_vm)
net_ops.delete_vip(vip_uuid)
test_util.test_pass("Test Port Forwarding TCP Rule Successfully")
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("create vpc vrouter and attach vpc l3 to vpc")
for vpc_name in vpc_name_list:
vr_list.append(test_stub.create_vpc_vrouter(vpc_name))
for vr, l3_list in izip(vr_list, vpc_l3_list):
test_stub.attach_l3_to_vpc_vr(vr, l3_list)
test_util.test_dsc("create two vm, vm1 in l3 {}, vm2 in l3 {}".format(
VLAN1_NAME, VLAN2_NAME))
vm1 = test_stub.create_vm_with_random_offering(
vm_name='vpc_vm_{}'.format(VLAN1_NAME), l3_name=VLAN1_NAME)
test_obj_dict.add_vm(vm1)
vm1.check()
vm2 = test_stub.create_vm_with_random_offering(
vm_name='vpc_vm_{}'.format(VLAN2_NAME), l3_name=VLAN2_NAME)
test_obj_dict.add_vm(vm2)
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm2.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed ports: %s" % Port.get_ports(Port.rule1_ports))
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
test_util.test_dsc("Remove nic from security group 1.")
sg_vm.detach(sg1, nic_uuid)
sg_vm.check()
test_util.test_dsc("Remove rule1 from security group 1.")
sg1.delete_rule([rule1])
sg_vm.check()
test_util.test_dsc("Add rule1, rule2, rule3 to security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.target_ports)
sg1.add_rule([rule1, rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add nic to security group 1 again.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add rule2, rule3 back to security group 1.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg1.add_rule([rule2, rule3])
sg_vm.check()
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
#add sg2
test_util.test_dsc("Add nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg2, [vm_nics])
sg_vm.check()
#add sg3
test_util.test_dsc("Add nic to security group 3.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule2+rul3+rule4+rule5): %s" %
tmp_allowed_ports)
sg_vm.attach(sg3, [vm_nics])
sg_vm.check()
#detach nic from sg2
test_util.test_dsc("Remove security group 2 for nic.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule3+rule4+rule5): %s" %
tmp_allowed_ports)
sg_vm.detach(sg2, nic_uuid)
sg_vm.check()
#delete sg3
test_util.test_dsc("Delete security group 3.")
test_util.test_dsc("Allowed ports (rule1): %s" % test_stub.rule1_ports)
sg_vm.delete_sg(sg3)
sg_vm.check()
test_obj_dict.rm_sg(sg3.security_group.uuid)
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.check()
vm2.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
test_util.test_pass('Security Group Vlan VirtualRouter VMs Test Success')
test_lib.lib_error_cleanup(test_obj_dict)
test_stub.remove_all_vpc_vrouter()
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm3)
vm1.check()
vm2.check()
vm3.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm3_ip = test_lib.lib_get_vm_nic_by_l3(vm3.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.add_stub_vm(l3_uuid, vm3)
sg_vm.check()
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
#vm_nics = [nic_uuid1, nic_uuid2]
#test_util.test_dsc("Create SG rule0: allow connection from vr to port 0~100. This is for enabling ssh connection from vr")
#rule0 = inventory.SecurityGroupRuleAO()
#rule0.allowedCidr = '%s/32' % vr_internal_ip
#rule0.protocol = inventory.TCP
#rule0.startPort = 0
#rule0.endPort = 100
#rule0.type = inventory.INGRESS
#test_stub.lib_add_sg_rules(sg1.uuid, [rule0, rule1])
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.rule1_ports)
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.check()
test_util.test_dsc("Remove nic from security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.target_ports)
sg_vm.detach(sg1, nic_uuid1)
sg_vm.detach(sg1, nic_uuid2)
sg_vm.check()
test_util.test_dsc("Remove rule1 from security group 1.")
sg1.delete_rule([rule1])
sg_vm.check()
test_util.test_dsc("Add rule1, rule2, rule3 to security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.target_ports)
sg1.add_rule([rule1, rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add nic to security group 1 again.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ingress ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.check()
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.rule1_ports)
sg2.delete_rule([rule2, rule3])
sg_vm.check()
#add sg2 to vm1
test_util.test_dsc("Add vm1 nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ingress ports for vm1 from vm3: %s" % tmp_allowed_ports)
test_util.test_dsc("Allowed ingress ports for vm1 from vm3: %s" % test_stub.rule1_ports)
test_util.test_dsc("Allowed ingress ports for vm2: %s" % test_stub.rule1_ports)
sg_vm.attach(sg2, [vm1_nics])
sg_vm.check()
#add sg2 to vm2
test_util.test_dsc("Add vm2 nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ingress ports for vm1/vm2: %s" % tmp_allowed_ports)
sg_vm.attach(sg2, [vm2_nics])
sg_vm.check()
#add sg3
test_util.test_dsc("Add vm1/vm2 nics to security group 3.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ingress ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg3, [vm1_nics, vm2_nics])
sg_vm.check()
#remove sg2
test_util.test_dsc("Remove security group 2 for nic.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ingress ports: %s" % tmp_allowed_ports)
sg_vm.detach(sg2, nic_uuid1)
sg_vm.detach(sg2, nic_uuid2)
sg_vm.check()
#delete sg3
test_util.test_dsc("Delete security group 3.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.rule1_ports)
sg_vm.delete_sg(sg3)
test_obj_dict.rm_sg(sg3.security_group.uuid)
sg_vm.check()
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
vm3.destroy()
test_obj_dict.rm_vm(vm3)
test_util.test_pass('Security Group Vlan VirtualRouter 2 VMs Group Ingress Test Success')
def test():
'''
Since VR ip address is assigned by zstack, so we need to use VR to test
PF rules' connectibility.
PF test needs at least 3 VR existence. The PF VM's VR is for set PF
rule. The PF rule will add VIP for PF_VM. Besides of PF_VM's VR, there
are needed another 2 VR VMs. 1st VR public IP address will be set as
allowedCidr. The 1st VR VM should be able to access PF_VM. So the 2nd VR
VM should not be able to access PF_VM.
In this test, will also add SG rules to check the coexistence between
PF and SG. SG rule will be added onto PF_VM's internal IP.
'''
global eip_snatInboundTraffic_default_value
global pf_snatInboundTraffic_default_value
#enable snatInboundTraffic and save global config value
eip_snatInboundTraffic_default_value = \
conf_ops.change_global_config('eip', 'snatInboundTraffic', 'false')
pf_snatInboundTraffic_default_value = \
conf_ops.change_global_config('portForwarding', \
'snatInboundTraffic', 'false')
pf_vm = test_stub.create_dnat_vm()
test_obj_dict.add_vm(pf_vm)
l3_name = os.environ.get('l3VlanNetworkName1')
vr1 = test_stub.create_vr_vm(test_obj_dict, l3_name)
l3_name = os.environ.get('l3NoVlanNetworkName1')
vr2 = test_stub.create_vr_vm(test_obj_dict, l3_name)
vr1_pub_ip = test_lib.lib_find_vr_pub_ip(vr1)
vr2_pub_ip = test_lib.lib_find_vr_pub_ip(vr2)
pf_vm.check()
vm_nic = pf_vm.vm.vmNics[0]
vm_nic_uuid = vm_nic.uuid
pri_l3_uuid = vm_nic.l3NetworkUuid
vr = test_lib.lib_find_vr_by_l3_uuid(pri_l3_uuid)[0]
vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr)
l3_uuid = vr_pub_nic.l3NetworkUuid
vip = test_stub.create_vip('pf_sg_test', l3_uuid)
test_obj_dict.add_vip(vip)
vip_uuid = vip.get_vip().uuid
pf_creation_opt = PfRule.generate_pf_rule_option(
vr1_pub_ip,
protocol=inventory.TCP,
vip_target_rule=Port.rule1_ports,
private_target_rule=Port.rule1_ports,
vip_uuid=vip_uuid,
vm_nic_uuid=vm_nic_uuid)
test_pf = zstack_pf_header.ZstackTestPortForwarding()
test_pf.set_creation_option(pf_creation_opt)
test_pf.create(pf_vm)
vip.attach_pf(test_pf)
pf_vm.check()
#Ignore this check, since it has been checked many times in other PF cases.
#test_pf.check()
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg_vm = zstack_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vm_nics = (vm_nic_uuid, pf_vm)
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vr1_pub_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vr2_pub_ip)
sg1.add_rule([rule1])
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc(
"PF rule is allowed, since VR1's IP is granted by SG Rule1.")
sg_vm.attach(sg1, [vm_nics])
vip.check()
test_util.test_dsc("Remove rule1 from security group 1.")
test_util.test_dsc("PF rule is still allowed")
sg1.delete_rule([rule1])
vip.check()
test_util.test_dsc("Add rule2")
test_util.test_dsc(
"PF rule is not allowed, since rule2 only allowed the ingress from VR2, but VR2 can't pass PF rule. "
)
sg1.add_rule([rule2])
vip.check()
test_util.test_dsc("Delete SG")
sg_vm.delete_sg(sg1)
test_util.test_dsc("PF rule is allowed")
vip.check()
pf_vm.destroy()
test_obj_dict.rm_vm(pf_vm)
vip.check()
test_pf.delete()
vip.delete()
test_obj_dict.rm_vip(vip)
conf_ops.change_global_config('eip', 'snatInboundTraffic', \
eip_snatInboundTraffic_default_value )
conf_ops.change_global_config('portForwarding', 'snatInboundTraffic', \
pf_snatInboundTraffic_default_value)
test_util.test_pass("Test Port Forwarding TCP Rule Successfully")
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
global test_obj_dict
test_util.test_dsc(
"Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
#test_util.test_dsc("Create SG rule6: allow connection from VR to port 0~65535 to make VR can connect VMs to do testing")
#rule6 = inventory.SecurityGroupRuleAO()
#rule6.allowedCidr = '%s/32' % vr_internal_ip
#rule6.protocol = inventory.TCP
#rule6.startPort = 0
#rule6.endPort = 65535
#rule6.type = inventory.INGRESS
#test_util.test_dsc("Create SG rule7: allow connection from VR to port 0~65535 to make VR can connect VMs to do testing")
#rule7 = inventory.SecurityGroupRuleAO()
#rule7.allowedCidr = '%s/32' % vr_internal_ip
#rule7.protocol = inventory.ICMP
#rule7.startPort = -1
#rule7.endPort = -1
#rule7.type = inventory.EGRESS
#test_stub.lib_add_sg_rules(sg1.uuid, [rule1, rule6, rule7])
#add sg1
test_util.test_dsc("Add VM1 nic to security group 1.")
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1")
vm1.stop()
sg_vm.check()
#add sg2
test_util.test_dsc("Add VM1 nic to security group 2 to stopped vm1.")
sg_vm.attach(sg2, [vm_nics])
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports(rules1 + rule2 + rule3): %s" %
tmp_allowed_ports)
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1 again")
vm1.stop()
sg_vm.check()
#add sg3
test_util.test_dsc("Add nic to security group 3 to stopped vm1.")
sg_vm.attach(sg3, [vm_nics])
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1 again")
vm1.stop()
sg_vm.check()
test_util.test_dsc("remove rule2 from sg2 and rule4 from sg3")
sg2.delete_rule([rule2])
sg3.delete_rule([rule4])
sg_vm.check()
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
sg_vm.check()
sg_vm.delete_sg(sg3)
test_obj_dict.rm_sg(sg3.security_group.uuid)
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
test_util.test_pass(
'Security Group Vlan VirtualRouter VM Add/Remove rules to stopped VM Test Success'
)
def test():
global eip_snatInboundTraffic_default_value
global pf_snatInboundTraffic_default_value
vm = test_stub.create_dnat_vm()
test_obj_dict.add_vm(vm)
#disable snatInboundTraffic and save global config value
eip_snatInboundTraffic_default_value = \
conf_ops.change_global_config('eip', 'snatInboundTraffic', 'false')
pf_snatInboundTraffic_default_value = \
conf_ops.change_global_config('portForwarding', \
'snatInboundTraffic', 'false')
l3_name = os.environ.get('l3VlanNetworkName1')
vr1_l3_uuid = test_lib.lib_get_l3_by_name(l3_name).uuid
vrs = test_lib.lib_find_vr_by_l3_uuid(vr1_l3_uuid)
temp_vm1 = None
if not vrs:
#create temp_vm1 for getting vlan1's vr for test vm portforwarding
temp_vm1 = test_stub.create_vlan_vm()
test_obj_dict.add_vm(temp_vm1)
vr1 = test_lib.lib_find_vr_by_vm(temp_vm1.vm)[0]
else:
vr1 = vrs[0]
l3_name = os.environ.get('l3NoVlanNetworkName1')
vr2_l3_uuid = test_lib.lib_get_l3_by_name(l3_name).uuid
vrs = test_lib.lib_find_vr_by_l3_uuid(vr2_l3_uuid)
temp_vm2 = None
if not vrs:
#create temp_vm2 for getting novlan's vr for test vm portforwarding
temp_vm2 = test_stub.create_user_vlan_vm()
test_obj_dict.add_vm(temp_vm2)
vr2 = test_lib.lib_find_vr_by_vm(temp_vm2.vm)[0]
else:
vr2 = vrs[0]
if temp_vm1:
temp_vm1.destroy()
test_obj_dict.rm_vm(temp_vm1)
if temp_vm2:
temp_vm2.destroy()
test_obj_dict.rm_vm(temp_vm2)
vr1_pub_ip = test_lib.lib_find_vr_pub_ip(vr1)
vr2_pub_ip = test_lib.lib_find_vr_pub_ip(vr2)
vm.check()
vm_nic = vm.vm.vmNics[0]
vm_nic_uuid = vm_nic.uuid
pri_l3_uuid = vm_nic.l3NetworkUuid
vr = test_lib.lib_find_vr_by_l3_uuid(pri_l3_uuid)[0]
vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr)
l3_uuid = vr_pub_nic.l3NetworkUuid
vip = test_stub.create_vip('eip_sg_test', l3_uuid)
test_obj_dict.add_vip(vip)
vip_uuid = vip.get_vip().uuid
eip = test_stub.create_eip('eip sg test', vip_uuid, vm_nic_uuid, vm)
vip.attach_eip(eip)
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg_vm = zstack_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vm_nics = (vm_nic_uuid, vm)
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vr1_pub_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vr2_pub_ip)
sg1.add_rule([rule1])
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("EIP connection is allowed from VR1, but denied from VR2.")
sg_vm.attach(sg1, [vm_nics])
vip.check()
test_util.test_dsc("Remove rule1 from security group 1.")
test_util.test_dsc("EIP is still allowed from all VR")
sg1.delete_rule([rule1])
vip.check()
test_util.test_dsc("Add rule2")
test_util.test_dsc("EIP is not allowed by VR2, VR1 is allowed. ")
sg1.add_rule([rule2])
vip.check()
test_util.test_dsc("Delete SG")
sg_vm.delete_sg(sg1)
test_util.test_dsc("PF rule is allowed")
vip.check()
vm.destroy()
test_obj_dict.rm_vm(vm)
vip.check()
eip.delete()
vip.delete()
test_obj_dict.rm_vip(vip)
conf_ops.change_global_config('eip', 'snatInboundTraffic', \
eip_snatInboundTraffic_default_value )
conf_ops.change_global_config('portForwarding', 'snatInboundTraffic', \
pf_snatInboundTraffic_default_value)
test_util.test_pass("Test EIP and SG coexistance Successfully")
test_obj_dict.add_vm(vm2)
vm2.check()
vm2_ip = vm2.get_vm().vmNics[0].ip
# create vm3; vm,vm2,vm3 are in the same network segment
vm3 = test_stub.create_vlan_vm()
test_obj_dict.add_vm(vm3)
vm3.check()
# vm's new ip is set to vm3's ip
new_vm_ip = vm3.get_vm().vmNics[0].ip
vm3.destroy()
test_obj_dict.rm_vm(vm3)
# create security group and add rule
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg = test_sg_header.ZstackTestSecurityGroup()
sg_creation_option = test_util.SecurityGroupOption()
sg_creation_option.set_name('test_sg')
sg_creation_option.set_description('test sg description')
sg.set_creation_option(sg_creation_option)
sg.create()
test_obj_dict.add_sg(sg.security_group.uuid)
# create SG rule1: allow icmp to vm2
rule1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.EGRESS, vm2_ip)
# create SG rule2: allow icmp from vm2
rule2 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.INGRESS, vm2_ip)
sg.add_rule([rule1, rule2])
sg_vm.add_stub_vm(l3_uuid, vm2)
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
global test_obj_dict
test_util.test_dsc("Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
#test_util.test_dsc("Create SG rule6: allow connection from vr to port 0~65535")
#rule6 = inventory.SecurityGroupRuleAO()
#rule6.allowedCidr = '%s/32' % vr_internal_ip
#rule6.protocol = inventory.TCP
#rule6.startPort = 0
#rule6.endPort = 65535
#rule6.type = inventory.INGRESS
#test_stub.lib_add_sg_rules(sg1.uuid, [rule1, rule6])
#add sg1
test_util.test_dsc("Attach security group 1 to [nic:] %s L3." % nic_uuid)
test_util.test_dsc("Add nic to security group 1.")
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
#add sg2
test_util.test_dsc("Attach security group 2 to [nic:] %s L3." % nic_uuid)
test_util.test_dsc("Add nic to security group 2.")
sg_vm.attach(sg2, [vm_nics])
sg_vm.check()
#add sg3
test_util.test_dsc("Attach security group 3 to [nic:] %s L3." % nic_uuid)
test_util.test_dsc("Add nic to security group 3.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg3, [vm_nics])
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1")
vm1.stop()
sg_vm.check()
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.check()
test_util.test_dsc("Restart VM1")
vm1.reboot()
vm1.check()
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.check()
test_util.test_dsc("Destroy VM1. All its SG rules should be removed.")
vm_internalId = test_lib.lib_get_vm_internal_id(vm1.vm)
vm1.destroy()
test_obj_dict.rm_vm(vm1)
if linux.wait_callback_success(do_check, (vm1.vm, "vnic%s.0-in" % vm_internalId), 5, 0.2):
test_util.test_logger('[vm:] %s SG INGRESS rules are removed, after it is destroyed.' % vm1.vm.uuid)
else:
test_util.test_fail('[vm:] %s SG INGRESS rules are not removed, after it is destroyed 5 seconds. ' % vm1.vm.uuid)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
sg_vm.delete_sg(sg3)
test_obj_dict.rm_sg(sg3.security_group.uuid)
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
test_util.test_pass('Security Group Vlan VirtualRouter VM Start/Stop/Reboot/Destroy Test Success')
def test():
vm1 = test_stub.create_vr_vm('migrate_vm1', 'imageName_net',
'l3VlanNetwork3')
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_vr_vm('migrate_vm2', 'imageName_net',
'l3VlanNetwork3')
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_vr_vm('migrate_vm3', 'imageName_net',
'l3VlanNetwork3')
test_obj_dict.add_vm(vm3)
vm1.check()
vm2.check()
vm3.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
if not test_lib.lib_find_vr_by_vm(vm1.vm)[0]:
test_util.test_skip("skip the test for no vr found in the env.")
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm3_ip = test_lib.lib_get_vm_nic_by_l3(vm3.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vm3_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm3_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.INGRESS, vm3_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg_vm.add_stub_vm(l3_uuid, vm3)
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.rule1_ports)
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.attach(sg2, [vm1_nics, vm2_nics])
test_stub.migrate_vm_to_random_host(vm1)
test_stub.migrate_vm_to_random_host(vm2)
test_stub.migrate_vm_to_random_host(vm3)
vm1.check()
vm2.check()
vm3.check()
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
vm3.destroy()
test_obj_dict.rm_vm(vm3)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
test_util.test_pass('Migrate SG VM Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc(
"Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm1_ip = vm1.vm.vmNics[0].ip
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm2_ip = vm2.vm.vmNics[0].ip
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vm1_nic_uuid = vm1.vm.vmNics[0].uuid
vm2_nic_uuid = vm2.vm.vmNics[0].uuid
#Attach security group to l3 network
net_ops.attach_security_group_to_l3(sg1.security_group.uuid, l3_uuid)
net_ops.attach_security_group_to_l3(sg2.security_group.uuid, l3_uuid)
#Add vm1 nic to security group
sg_vm.attach(sg1, [(vm1_nic_uuid, vm1)])
sg_vm.check()
sg_vm.attach(sg2, [(vm2_nic_uuid, vm2)])
sg_vm.check()
rule1_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.INGRESS, vm2_ip)
rule1_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule1_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP,
inventory.INGRESS, vm2_ip)
sg1.add_rule([rule1_1, rule1_2, rule1_3], [sg2.security_group.uuid])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
sg_vm.check()
sg_vm.delete_stub_vm(l3_uuid)
rule2_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.INGRESS, vm1_ip)
rule2_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
rule2_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP,
inventory.INGRESS, vm1_ip)
sg2.add_rule([rule2_1, rule2_2, rule2_3], [sg1.security_group.uuid])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm1)
#sg_vm.check()
try:
test_lib.lib_open_vm_listen_ports(vm1.vm,
Port.ports_range_dict['rule1_ports'],
l3_uuid)
test_lib.lib_open_vm_listen_ports(vm2.vm,
Port.ports_range_dict['rule1_ports'],
l3_uuid)
test_lib.lib_check_vm_ports_in_a_command(
vm1.vm, vm2.vm, Port.ports_range_dict['rule1_ports'], [])
except:
test_util.test_fail(
'Security Group Meets Failure When Checking Ingress Rule. ')
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
test_util.test_pass(
'Security Group Vlan VirtualRouter 2 VMs Group Ingress Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
global test_obj_dict
test_util.test_dsc(
"Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
sg_vm = test_sg_vm_header.ZstackTestSgVm()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
sg1.add_rule([rule1, rule2, rule3])
sg_vm.add_stub_vm(l3_uuid, vm2)
#add sg1
test_util.test_dsc("Add VM1 nic to security group 1.")
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1")
vm1.stop()
#remove vm1 nic from sg1
test_util.test_dsc("Remove nic from security group 1 to stopped vm1.")
sg_vm.detach(sg1, nic_uuid)
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
sg_vm.check()
vm1.destroy()
vm2.destroy()
sg_vm.delete_sg(sg1)
test_util.test_pass(
'Detach stopped VM NIC from Security Group Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
global test_obj_dict
test_util.test_dsc(
"Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vm_internalId = test_lib.lib_get_vm_internal_id(vm1.vm)
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.UDP,
inventory.INGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP,
inventory.INGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.UDP,
inventory.EGRESS, vm2_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.UDP,
inventory.EGRESS, vm2_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.UDP,
inventory.EGRESS, vm2_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.add_stub_vm(l3_uuid, vm2)
sg_vm.check()
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
#
test_util.test_dsc("Remove nic from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.target_ports)
sg_vm.detach(sg1, nic_uuid)
sg_vm.check()
test_util.test_dsc("Add rule1, rule2, rule3 to security group 1.")
sg1.add_rule([rule1, rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add nic to security group 1 again.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
#can't directly remove rule1, as it will block vr ssh connection.
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
#add sg2
test_util.test_dsc("Add nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg2, [vm_nics])
sg_vm.check()
#add sg3
test_util.test_dsc("Add nic to security group 3.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule2+rul3+rule4+rule5): %s" %
tmp_allowed_ports)
sg_vm.attach(sg3, [vm_nics])
sg_vm.check()
#detach nic from sg2
test_util.test_dsc("Remove security group 2 for nic.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule3+rule4+rule5): %s" %
tmp_allowed_ports)
sg_vm.detach(sg2, nic_uuid)
sg_vm.check()
#delete sg3
test_util.test_dsc("Delete security group 3.")
test_util.test_dsc("Allowed ports (rule1): %s" % test_stub.rule1_ports)
sg_vm.delete_sg(sg3)
sg_vm.check()
test_obj_dict.rm_sg(sg3.security_group.uuid)
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
test_util.test_pass(
'Security Group UDP Vlan VirtualRouter VMs Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
global test_obj_dict
test_util.test_dsc(
"Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
vr_internal_ip = test_lib.lib_find_vr_private_ip(vr_vm)
test_util.test_dsc("Create SG rule1: allow connection to vm2 port 0~100")
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
test_util.test_dsc(
"Create SG rule2: allow connection from vm2 to port 9000~10000")
rule2 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
test_util.test_dsc(
"Create SG rule3: allow connection from VR to port 0~65535 to make VR can connect VMs to do testing"
)
rule3 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.INGRESS, vr_internal_ip)
test_util.test_dsc("Create SG rule4: allow ICMP connection to VR")
rule4 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.EGRESS, vr_internal_ip)
test_util.test_dsc("Create SG rule5: allow icmp from vm2")
rule5 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.INGRESS, vm2_ip)
test_util.test_dsc("Create SG rule6: allow icmp to vm2")
rule6 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.EGRESS, vm2_ip)
sg1.add_rule([rule1, rule2, rule3, rule4])
sg2.add_rule([rule5])
sg3.add_rule([rule6])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
sg_vm.check()
#add sg1
test_util.test_dsc("Add VM1 nic to security group 1.")
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
if not test_lib.lib_check_ping(vm1.vm, vr_internal_ip, no_exception=True):
test_util.test_fail(
'Exception: [vm:] %s ping [vr:] %s fail. But it should ping successfully.'
% (vm1.vm.uuid, vr_internal_ip))
#add sg2
test_util.test_dsc("Add VM1 nic to security group 2.")
sg_vm.attach(sg2, [vm_nics])
test_util.test_dsc("Allowed ports egress rules1: %s, ingress rule2: %s" %
(test_stub.rule1_ports, test_stub.rule2_ports))
sg_vm.check()
if not test_lib.lib_check_ping(vm1.vm, vr_internal_ip, no_exception=True):
test_util.test_fail(
'Exception: [vm:] %s ping [vr:] %s fail. But it should ping successfully.'
% (vm1.uuid, vr_internal_ip))
#add sg3
test_util.test_dsc("Add nic to security group 3 to stopped vm1.")
sg_vm.attach(sg3, [vm_nics])
test_util.test_dsc("Allowed ports egress rules1: %s, ingress rule2: %s" %
(test_stub.rule1_ports, test_stub.rule2_ports))
sg_vm.check()
if not test_lib.lib_check_ping(vm1.vm, vr_internal_ip, no_exception=True):
test_util.test_fail(
'Exception: [vm:] %s ping [vr:] %s fail. But it should ping successfully.'
% (vm1.uuid, vr_internal_ip))
test_util.test_dsc("remove rule5 from sg2")
sg2.delete_rule([rule5])
sg_vm.check()
if not test_lib.lib_check_ping(vm1.vm, vr_internal_ip, no_exception=True):
test_util.test_fail(
'Exception: [vm:] %s ping [vr:] %s fail. But it should ping successfully.'
% (vm1.uuid, vr_internal_ip))
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
sg_vm.check()
sg1.delete()
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg2.delete()
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.check()
sg3.delete()
test_obj_dict.rm_sg(sg3.security_group.uuid)
test_util.test_pass(
'Security Group Vlan VirtualRouter VM ICMP rules Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm3)
vm1.check()
vm2.check()
vm3.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm3_ip = test_lib.lib_get_vm_nic_by_l3(vm3.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.add_stub_vm(l3_uuid, vm3)
sg_vm.check()
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
#vm_nics = [nic_uuid1, nic_uuid2]
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed egress ports: %s" % test_stub.rule1_ports)
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.check()
test_util.test_dsc("Remove nic from security group 1.")
test_util.test_dsc("Allowed egress ports: %s" % test_stub.target_ports)
sg_vm.detach(sg1, nic_uuid1)
sg_vm.detach(sg1, nic_uuid2)
sg_vm.check()
test_util.test_dsc("Remove rule1 from security group 1.")
sg1.delete_rule([rule1])
test_util.test_dsc("Add nic to security group 1 again.")
test_util.test_dsc("Allowed egress ports: %s" % test_stub.target_ports)
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.check()
test_util.test_dsc("Add rule1, rule2, rule3 to security group 1.")
test_util.test_dsc("Allowed egress ports: %s" % test_stub.target_ports)
sg1.add_rule([rule1, rule2, rule3])
sg_vm.check()
#can't directly remove rule1, as it will block vr ssh connection.
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed egress ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add rule2, rule3 back to security group 1.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed egress ports: %s" % tmp_allowed_ports)
sg1.add_rule([rule2, rule3])
sg_vm.check()
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed egress ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
#add sg2 to vm1
test_util.test_dsc("Add vm 1 nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed egress ports for vm1 to vm3: %s" % tmp_allowed_ports)
sg_vm.attach(sg2, [vm1_nics])
sg_vm.check()
#add sg2 to vm2
test_util.test_dsc("Add vm 2 nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed egress ports for vm1 and vm2: %s" % tmp_allowed_ports)
sg_vm.attach(sg2, [vm2_nics])
sg_vm.check()
#add sg3
test_util.test_dsc("Add nic to security group 3.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed egress ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg3, [vm1_nics, vm2_nics])
sg_vm.check()
#remove sg2
test_util.test_dsc("Remove security group 2 for nic.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed egress ports: %s" % tmp_allowed_ports)
sg_vm.detach(sg2, nic_uuid1)
sg_vm.detach(sg2, nic_uuid2)
sg_vm.check()
#delete sg3
test_util.test_dsc("Delete security group 3.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg3.delete()
test_obj_dict.rm_sg(sg3.security_group.uuid)
sg_vm.check()
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
vm3.destroy()
test_obj_dict.rm_vm(vm3)
test_util.test_pass('Security Group Vlan VirtualRouter 2 VMs Group Egress Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm3)
vm1.check()
vm2.check()
vm3.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm3_ip = test_lib.lib_get_vm_nic_by_l3(vm3.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
sg1.add_rule([rule1])
sg_vm.add_stub_vm(l3_uuid, vm3)
sg_vm.check()
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
#test_stub.lib_add_sg_rules(sg1.uuid, [rule0, rule1])
test_util.test_dsc("Add vm 1 nic to security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.rule1_ports)
sg_vm.attach(sg1, [vm1_nics])
sg_vm.check()
test_util.test_dsc("Detach security group 1 from vm1's l3 network.")
test_util.test_dsc("VM1 nic will be automatically removed from SG1")
sg_vm.detach_l3(sg1, l3_uuid)
sg_vm.check()
test_util.test_dsc("Add vm 1 & vm 2 nics to security group 1.")
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.check()
test_util.test_dsc("Detach security group 1 from vm1's l3 network. It will cause both vm1 and vm2 nics are detached from sg1.")
sg_vm.detach_l3(sg1, l3_uuid)
sg_vm.check()
#Reboot Vm1 and check sg again.
vm1.reboot()
vm1.check()
sg_vm.check()
test_util.test_dsc("Add vm 1 & vm 2 nics to security group 1.")
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.check()
test_util.test_dsc("Remove rule1 from security group 1.")
sg1.delete_rule([rule1])
sg_vm.check()
test_util.test_dsc("Add rule1, rule2, rule3 to security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.target_ports)
sg1.add_rule([rule1, rule2, rule3])
sg_vm.check()
test_util.test_dsc("Detach security group 1 from vm1's l3 network. It will cause both vm1 and vm2 nics are detached from sg1.")
sg_vm.detach_l3(sg1, l3_uuid)
sg_vm.check()
#delete sg1
test_util.test_dsc("Delete security group 1.")
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
#Cleanup
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
vm3.destroy()
test_obj_dict.rm_vm(vm3)
test_util.test_pass('Security Group Detach from L3 network with 2 VMs on virtual router Test Success')
