def run(test, params, env): """ Test command: virsh nwfilter-undefine. 1) Prepare parameters. 2) Run nwfilter-undefine command. 3) Check result. 4) Clean env """ # Prepare parameters filter_ref = params.get("undefine_filter_ref", "") options_ref = params.get("undefine_options_ref", "") status_error = params.get("status_error", "no") # libvirt acl polkit related params uri = params.get("virsh_uri") unprivileged_user = params.get('unprivileged_user') try: if unprivileged_user: if unprivileged_user.count('EXAMPLE'): unprivileged_user = '******' if not libvirt_version.version_compare(1, 1, 1): if params.get('setup_libvirt_polkit') == 'yes': test.cancel("API acl test not supported in current" " libvirt version.") # Backup filter xml if filter_ref: new_filter = libvirt_xml.NwfilterXML() filterxml = new_filter.new_from_filter_dumpxml(filter_ref) logging.debug("the filter xml is: %s" % filterxml.xmltreefile) filter_xml = filterxml.xmltreefile.name # Run command cmd_result = virsh.nwfilter_undefine( filter_ref, options=options_ref, unprivileged_user=unprivileged_user, uri=uri, ignore_status=True, debug=True) status = cmd_result.exit_status # Check result if status_error == "yes": if status == 0: test.fail("Run successfully with wrong command.") elif status_error == "no": if status: test.fail("Run failed with right command.") chk_result = check_list(filter_ref) if chk_result: test.fail("filter %s show up in filter list." % filter_ref) finally: # Clean env if status == 0: virsh.nwfilter_define(filter_xml, options="", ignore_status=True, debug=True)
def nwfilter_sync_loop(filter_name, filerxml): """ Undefine filter and redefine filter from xml in loop """ for i in range(2400): virsh.nwfilter_undefine(filter_name, ignore_status=True) time.sleep(0.1) virsh.nwfilter_define(filterxml.xml, ignore_status=True)
def run(test, params, env): """ Test virsh nwfilter-edit with uuid. 1) Prepare parameters. 2) Run nwfilter-edit command. 3) Check result. 4) Clean env """ # Prepare parameters filter_name = params.get("edit_filter_name", "") status_error = params.get("status_error", "no") new_uuid = "11111111-1111-1111-1111-111111111111" edit_cmd = ":2s/<uuid>.*$/<uuid>%s<\/uuid>/" % new_uuid # Since commit 46a811d, the logic changed for not allow update filter # uuid, so decide status_error with libvirt version. if libvirt_version.version_compare(1, 2, 7): status_error = True else: status_error = False # Backup filter xml new_filter = libvirt_xml.NwfilterXML() filterxml = new_filter.new_from_filter_dumpxml(filter_name) logging.debug("the filter xml is: %s" % filterxml.xmltreefile) try: # Run command session = aexpect.ShellSession("sudo -s") try: session.sendline("virsh nwfilter-edit %s" % filter_name) session.sendline(edit_cmd) # Press ESC session.send('\x1b') # Save and quit session.send('ZZ') remote.handle_prompts(session, None, None, r"[\#\$]\s*$") session.close() if not status_error: logging.info("Succeed to do nwfilter edit") else: test.fail("edit uuid should fail but got succeed.") except (aexpect.ShellError, aexpect.ExpectError, remote.LoginTimeoutError) as details: log = session.get_output() session.close() if "Try again? [y,n,f,?]:" in log and status_error: logging.debug("edit uuid failed as expected.") else: test.fail("Failed to do nwfilter-edit: %s\n%s" % (details, log)) finally: # Clean env virsh.nwfilter_undefine(filter_name, debug=True) virsh.nwfilter_define(filterxml.xml, debug=True)
def run(test, params, env): """ Test command: virsh nwfilter-undefine. 1) Prepare parameters. 2) Run nwfilter-undefine command. 3) Check result. 4) Clean env """ # Prepare parameters filter_ref = params.get("undefine_filter_ref", "") options_ref = params.get("undefine_options_ref", "") status_error = params.get("status_error", "no") # libvirt acl polkit related params uri = params.get("virsh_uri") unprivileged_user = params.get('unprivileged_user') if unprivileged_user: if unprivileged_user.count('EXAMPLE'): unprivileged_user = '******' if not libvirt_version.version_compare(1, 1, 1): if params.get('setup_libvirt_polkit') == 'yes': raise error.TestNAError("API acl test not supported in current" " libvirt version.") # Backup filter xml if filter_ref: new_filter = libvirt_xml.NwfilterXML() filterxml = new_filter.new_from_filter_dumpxml(filter_ref) logging.debug("the filter xml is: %s" % filterxml.xmltreefile) filter_xml = filterxml.xmltreefile.name # Run command cmd_result = virsh.nwfilter_undefine(filter_ref, options=options_ref, unprivileged_user=unprivileged_user, uri=uri, ignore_status=True, debug=True) status = cmd_result.exit_status # Check result if status_error == "yes": if status == 0: raise error.TestFail("Run successfully with wrong command.") elif status_error == "no": if status: raise error.TestFail("Run failed with right command.") chk_result = check_list(filter_ref) if chk_result: raise error.TestFail("filter %s show up in filter list." % filter_ref) # Clean env if status == 0: virsh.nwfilter_define(filter_xml, options="", ignore_status=True, debug=True)
def define_nwfilter(filter_name): """ Define nwfilter vdsm-no-mac-spoofing with content like: <filter name='vdsm-no-mac-spoofing' chain='root'> <filterref filter='no-mac-spoofing'/> <filterref filter='no-arp-mac-spoofing'/> </filter> :param filter_name: the name of nwfilter :return: filter created or raise exception """ filter_uuid = params.get("filter_uuid", "11111111-b071-6127-b4ec-111111111111") filter_params = { "filter_name": "vdsm-no-mac-spoofing", "filter_chain": "root", "filter_uuid": filter_uuid, "filterref_name_1": "no-mac-spoofing", "filterref_name_2": "no-arp-mac-spoofing" } filter_xml = libvirt.create_nwfilter_xml(filter_params).xml # Run command result = virsh.nwfilter_define(filter_xml, ignore_status=True, debug=True) if result.exit_status: test.fail("Failed to define nwfilter with %s" % filter_xml)
def run(test, params, env): """ Test command: virsh nwfilter-undefine. 1) Prepare parameters. 2) Run nwfilter-undefine command. 3) Check result. 4) Clean env """ # Prepare parameters filter_ref = params.get("undefine_filter_ref", "") options_ref = params.get("undefine_options_ref", "") status_error = params.get("status_error", "no") # Backup filter xml if filter_ref: new_filter = libvirt_xml.NwfilterXML() filterxml = new_filter.new_from_filter_dumpxml(filter_ref) logging.debug("the filter xml is: %s" % filterxml.xmltreefile) filter_xml = filterxml.xmltreefile.name # Run command cmd_result = virsh.nwfilter_undefine(filter_ref, options=options_ref, ignore_status=True, debug=True) status = cmd_result.exit_status # Check result if status_error == "yes": if status == 0: raise error.TestFail("Run successfully with wrong command.") elif status_error == "no": if status: raise error.TestFail("Run failed with right command.") chk_result = check_list(filter_ref) if chk_result: raise error.TestFail("filter %s show up in filter list." % filter_ref) # Clean env if status == 0: virsh.nwfilter_define(filter_xml, options="", ignore_status=True, debug=True)
def define_nwfilter(filter_name): """ Define nwfilter vdsm-no-mac-spoofing with content like: <filter name='vdsm-no-mac-spoofing' chain='root'> <filterref filter='no-mac-spoofing'/> <filterref filter='no-arp-mac-spoofing'/> </filter> :param filter_name: the name of nwfilter :return: filter created or raise exception """ filter_uuid = params.get("filter_uuid", "11111111-b071-6127-b4ec-111111111111") filter_params = {"filter_name": "vdsm-no-mac-spoofing", "filter_chain": "root", "filter_uuid": filter_uuid, "filterref_name_1": "no-mac-spoofing", "filterref_name_2": "no-arp-mac-spoofing"} filter_xml = libvirt.create_nwfilter_xml(filter_params).xml # Run command result = virsh.nwfilter_define(filter_xml, ignore_status=True, debug=True) if result.exit_status: test.fail("Failed to define nwfilter with %s" % filter_xml)
def run(test, params, env): """ Test start domain with nwfilter rules. 1) Prepare parameters. 2) Prepare nwfilter rule and update domain interface to apply. 3) Start domain and check rule. 4) Clean env """ # Prepare parameters filter_name = params.get("filter_name", "testcase") exist_filter = params.get("exist_filter", "no-mac-spoofing") status_error = "yes" == params.get("status_error", "no") mount_noexec_tmp = "yes" == params.get("mount_noexec_tmp", "no") kill_libvirtd = "yes" == params.get("kill_libvirtd", "no") bug_url = params.get("bug_url", "") ipset_command = params.get("ipset_command") vm_name = params.get("main_vm") vm = env.get_vm(vm_name) username = params.get("username") password = params.get("password") need_vm2 = "yes" == params.get("need_vm2", "no") add_vm_name = params.get("add_vm_name", "vm2") vms = [vm] dst_outside = params.get("dst_outside", "www.google.com") ping_timeout = int(params.get("ping_timeout", "10")) # Prepare vm filterref parameters dict list filter_param_list = [] params_key = [] for i in params.keys(): if 'parameter_name_' in i: params_key.append(i) params_key.sort() for i in range(len(params_key)): params_dict = {} params_dict['name'] = params[params_key[i]] params_dict['value'] = params['parameter_value_%s' % i] if params_dict['value'] == "MAC_of_virbr0": virbr0_info = process.run("ip a | grep virbr0: -A1", shell=True).stdout_text.strip() virbr0_mac = re.search( r'link/ether\s+(\w{2}:\w{2}:\w{2}:\w{2}:\w{2}:\w{2})', virbr0_info, re.M | re.I).group(1) params_dict['value'] = virbr0_mac logging.debug("params_dict['value'] is %s " % params_dict['value']) filter_param_list.append(params_dict) filterref_dict = {} filterref_dict['name'] = filter_name filterref_dict['parameters'] = filter_param_list params['filter_uuid'] = process.run("uuidgen", ignore_status=True, shell=True).stdout_text.strip() # get all the check commands and corresponding expected results form config file and make a dictionary cmd_list_ = params.get('check_cmd', '') if cmd_list_: cmd_list = cmd_list_.split(',') expect_res = params.get('expect_match', '').split(',') logging.debug("cmd_list is %s" % cmd_list) logging.debug("expect_res is %s" % expect_res) cmd_result_dict = dict(zip(cmd_list, expect_res)) logging.debug("the check dict is %s" % cmd_result_dict) # backup vm xml vmxml_backup = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) libvirtd = utils_libvirtd.Libvirtd("virtqemud") device_name = None def check_nwfilter_rules(check_cmd, expect_match): """"check the nwfilter corresponding rule is added by iptables commands""" ret = utils_misc.wait_for(lambda: not process.system( check_cmd, ignore_status=True, shell=True), timeout=30) if not ret: test.fail("Rum command '%s' failed" % check_cmd) # This change anchors nwfilter_vm_start.possitive_test.new_filter.variable_notation case # The matched destination could be ip address or hostname if "iptables -L" in check_cmd and expect_match and 'ACCEPT' in expect_match: # ip address that need to be replaced replace_param = params.get("parameter_value_2") # Get hostname by ip address. hostname_info = None try: hostname_info = socket.gethostbyaddr(replace_param) except socket.error as e: logging.info( "Failed to get hostname from ip address with error: %s", str(e)) if hostname_info: # String is used to replace ip address replace_with = "%s|%s" % (replace_param, hostname_info[0]) expect_match = r"%s" % expect_match.replace( replace_param, replace_with) logging.debug("final iptables match string:%s", expect_match) out = astring.to_text( process.system_output(check_cmd, ignore_status=False, shell=True)) if expect_match and not re.search(expect_match, out): test.fail("'%s' not found in output: %s" % (expect_match, out)) def clean_up_dirty_nwfilter_binding(): cmd_result = virsh.nwfilter_binding_list(debug=True) binding_list = cmd_result.stdout_text.strip().splitlines() binding_list = binding_list[2:] result = [] # If binding list is not empty. if binding_list: for line in binding_list: # Split on whitespace, assume 1 column linesplit = line.split(None, 1) result.append(linesplit[0]) logging.info("nwfilter binding list is: %s", result) for binding_uuid in result: try: virsh.nwfilter_binding_delete(binding_uuid) except Exception as e: logging.error( "Exception thrown while undefining nwfilter-binding: %s", str(e)) raise try: # Clean up dirty nwfilter binding if there are. clean_up_dirty_nwfilter_binding() rule = params.get("rule") if rule: # Add pre-check whether nwfilter exists or not since # utlv.create_nwfilter_xml will fail if there is no any nwfilter exists nwfilter_list = libvirt_nwfilter.get_nwfilter_list() if not nwfilter_list: test.error("There is no any nwfilter existed on the host") # Create new filter xml filterxml = utlv.create_nwfilter_xml(params) # Define filter xml virsh.nwfilter_define(filterxml.xml, debug=True) # Update first vm interface with filter vmxml = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] vmxml.del_device(iface_xml) new_iface = interface.Interface('network') new_iface.xml = iface_xml.xml new_filterref = new_iface.new_filterref(**filterref_dict) new_iface.filterref = new_filterref logging.debug("new interface xml is: %s" % new_iface) vmxml.add_device(new_iface) vmxml.sync() if mount_noexec_tmp: device_name = utlv.setup_or_cleanup_iscsi(is_setup=True) utlv.mkfs(device_name, 'ext4') cmd = "mount %s /tmp -o noexec,nosuid" % device_name process.run(cmd, shell=True) if ipset_command: pkg = "ipset" if not utils_package.package_install(pkg): test.cancel("Can't install ipset on host") process.run(ipset_command, shell=True) # Run command try: vm.start() if not mount_noexec_tmp: vm.wait_for_serial_login(username=username, password=password) vmxml = libvirt_xml.VMXML.new_from_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] iface_target = iface_xml.target['dev'] iface_mac = iface_xml.mac_address logging.debug("iface target dev name is %s", iface_target) # Check iptables or ebtables on host if need_vm2: # Clone more vm for testing result = virsh.dom_list('--inactive').stdout_text if add_vm_name in result: logging.debug("%s is already exists!" % add_vm_name) vms.append(env.get_vm(add_vm_name)) else: vm.destroy() ret_clone = utils_libguestfs.virt_clone_cmd(vm_name, add_vm_name, True, timeout=360) if ret_clone.exit_status: test.fail("Error when clone a second vm!") vms.append(vm.clone(add_vm_name)) vm.start() vm2 = vms[1] logging.debug("Now the vms is: %s", [dom.name for dom in vms]) # update the vm2 interface with the nwfilter logging.debug("filter_params_list is %s" % filter_param_list) iface_dict = { "filter": filter_name, "filter_parameters": filter_param_list, "del_mac": True } if vm2.is_alive(): vm2.destroy() utlv.modify_vm_iface(vm2.name, "update_iface", iface_dict) vmxml = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm2.name) iface_xml = vmxml.get_devices('interface')[0] logging.debug("iface_xml for vm2 is %s" % iface_xml) vm2.start() vm2_session = vm2.wait_for_serial_login() vm2_mac = vm2.get_mac_address() vm2_ip = utils_net.get_guest_ip_addr(vm2_session, vm2_mac) vm.session = vm.wait_for_serial_login() # test network functions, the 2 vms can not access to each other gateway_ip = utils_net.get_ip_address_by_interface("virbr0") status1, output1 = utils_net.ping(dest=vm2_ip, count='3', timeout=ping_timeout, session=vm.session, force_ipv4=True) status2, output2 = utils_net.ping(dest=gateway_ip, count='3', timeout=ping_timeout, session=vm.session, force_ipv4=True) status3, output3 = utils_net.ping(dest=dst_outside, count='3', timeout=ping_timeout, session=vm.session, force_ipv4=True) if not status1: test.fail( "vm with clean-traffic-gateway ping succeed to %s %s, but it is not expected!" % (vm2.name, vm2_ip)) if status2 or status3: test.fail("vm ping failed! check %s \n %s" % (output2, output3)) if cmd_list_: loop = 0 for check_cmd_, expect_match_ in cmd_result_dict.items(): check_cmd = check_cmd_.strip() expect_match = expect_match_.strip() if "DEVNAME" in check_cmd: check_cmd = check_cmd.replace("DEVNAME", iface_target) if "VMMAC" in expect_match: expect_match = expect_match.replace("VMMAC", iface_mac) logging.debug( "the check_cmd is %s, and expected result is %s" % (check_cmd, expect_match)) check_nwfilter_rules(check_cmd, expect_match) loop += 1 except virt_vm.VMStartError as e: # Starting VM failed. if not status_error: test.fail("Test failed in positive case.\n error:" " %s\n%s" % (e, bug_url)) if kill_libvirtd: daemon_name = libvirtd.service_name pid = process.run('pidof %s' % daemon_name, shell=True).stdout_text.strip() cmd = "kill -s TERM %s" % pid process.run(cmd, shell=True) ret = utils_misc.wait_for(lambda: not libvirtd.is_running(), timeout=30) # After libvirt 5.6.0, libvirtd is using systemd socket activation by default if not ret and not libvirt_version.version_compare(5, 6, 0): test.fail("Failed to kill libvirtd. %s" % bug_url) finally: if kill_libvirtd: libvirtd.restart() # Clean env if vm.is_alive(): vm.destroy(gracefully=False) # Recover xml of vm. vmxml_backup.sync() # Undefine created filter except clean-traffic as it is built-in nwfilter if filter_name != exist_filter and filter_name != 'clean-traffic': virsh.nwfilter_undefine(filter_name, debug=True) if mount_noexec_tmp: if device_name: process.run("umount -l %s" % device_name, ignore_status=True, shell=True) utlv.setup_or_cleanup_iscsi(is_setup=False) if ipset_command: process.run("ipset destroy blacklist", shell=True) # Remove additional vms if need_vm2: result = virsh.dom_list("--all").stdout_text if add_vm_name in result: virsh.remove_domain(add_vm_name, "--remove-all-storage")
def run(test, params, env): """ Test command: virsh nwfilter-define. 1) Prepare parameters. 2) Set options of virsh define. 3) Run define command. 4) Check result. 5) Clean env """ # Prepare parameters filter_name = params.get("filter_name", "testcase") filter_uuid = params.get("filter_uuid", "11111111-b071-6127-b4ec-111111111111") exist_filter = params.get("exist_filter", "no-mac-spoofing") filter_xml = params.get("filter_create_xml_file") options_ref = params.get("options_ref", "") status_error = params.get("status_error", "no") boundary_test_skip = "yes" == params.get("boundary_test_skip") new_uuid = "yes" == params.get("new_uuid", 'no') bug_url = params.get("bug_url") # libvirt acl polkit related params uri = params.get("virsh_uri") unprivileged_user = params.get('unprivileged_user') if unprivileged_user: if unprivileged_user.count('EXAMPLE'): unprivileged_user = '******' if not libvirt_version.version_compare(1, 1, 1): if params.get('setup_libvirt_polkit') == 'yes': test.cancel("API acl test not supported in current" " libvirt version.") if exist_filter == filter_name and new_uuid: # Since commit 46a811d, update filter with new uuid will fail. if libvirt_version.version_compare(1, 2, 7): status_error = 'yes' else: status_error = 'no' try: if filter_xml == "invalid-filter-xml": tmp_xml = xml_utils.TempXMLFile() tmp_xml.write('"<filter><<<BAD>>><\'XML</name\>' '!@#$%^&*)>(}>}{CORRUPTE|>!</filter>') tmp_xml.flush() filter_xml = tmp_xml.name logging.info("Test invalid xml is: %s" % filter_xml) elif filter_xml: # Create filter xml new_filter = libvirt_xml.NwfilterXML() filterxml_backup = new_filter.new_from_filter_dumpxml(exist_filter) # Backup xml if only update exist filter if exist_filter == filter_name and not new_uuid: filter_uuid = filterxml_backup.uuid params['filter_uuid'] = filter_uuid filterxml = utlv.create_nwfilter_xml(params) filterxml.xmltreefile.write(filter_xml) # Run command cmd_result = virsh.nwfilter_define(filter_xml, options=options_ref, unprivileged_user=unprivileged_user, uri=uri, ignore_status=True, debug=True) status = cmd_result.exit_status # Check result chk_result = check_list(filter_uuid, filter_name) xml_path = "%s/%s.xml" % (NWFILTER_ETC_DIR, filter_name) if status_error == "yes": if status == 0: if boundary_test_skip: test.cancel("Boundary check commit 4f20943 not" " in this libvirt build yet.") else: err_msg = "Run successfully with wrong command." if bug_url: err_msg += " Check more info in %s" % bug_url test.fail(err_msg) elif status_error == "no": if status: err_msg = "Run failed with right command." if bug_url: err_msg += " Check more info in %s" % bug_url test.fail(err_msg) if not chk_result: test.fail("Can't find filter in nwfilter-list" + " output") if not os.path.exists(xml_path): test.fail("Can't find filter xml under %s" % NWFILTER_ETC_DIR) logging.info("Dump the xml after define:") virsh.nwfilter_dumpxml(filter_name, ignore_status=True, debug=True) finally: # Clean env if exist_filter == filter_name: logging.info("Restore exist filter: %s" % exist_filter) virsh.nwfilter_undefine(filter_name, ignore_status=True) virsh.nwfilter_define(filterxml_backup.xml, ignore_status=True) else: if chk_result: virsh.nwfilter_undefine(filter_name, ignore_status=True) if os.path.exists(filter_xml): os.remove(filter_xml)
def run(test, params, env): """ Test command: virsh nwfilter-edit. 1) Prepare parameters. 2) Run nwfilter-edit command. 3) Check result. 4) Clean env """ # Prepare parameters filter_name = params.get("edit_filter_name", "") filter_ref = params.get("edit_filter_ref", "") edit_priority = params.get("edit_priority", "") extra_option = params.get("edit_extra_option", "") status_error = params.get("status_error", "no") status = True edit_cmd = [] edit_cmd.append(":1s/priority=.*$/priority='" + edit_priority + "'>") # Backup filter xml if filter_name and filter_ref.find("invalid") == -1: new_filter = libvirt_xml.NwfilterXML() filterxml = new_filter.new_from_filter_dumpxml(filter_name) logging.debug("the filter xml is: %s" % filterxml.xmltreefile) filter_xml = filterxml.xmltreefile.name uuid = filterxml.uuid pre_priority = filterxml.filter_priority # Run command if status_error == "no": if filter_ref == "name": edit_filter_xml(filter_name, edit_cmd) elif filter_ref == "uuid": edit_filter_xml(uuid, edit_cmd) else: raise error.TestNAError("For positive test, edit_filter_ref cloud" " be either 'name' or 'uuid'.") else: if filter_ref.find("invalid") == 0: if extra_option == "": filter_name = filter_ref edit_result = virsh.nwfilter_edit(filter_name, extra_option, ignore_status=True, debug=True) if edit_result.exit_status == 0: raise error.TestFail("nwfilter-edit should fail but succeed") else: logging.info("Run command failed as expected") status = False else: raise error.TestNAError("For negative test, string 'invalid' is" " required in edit_filter_ref.") # no check and clean env if command fail if status: # Check result if filter_name and filter_ref.find("invalid") == -1: post_filter = libvirt_xml.NwfilterXML() postxml = post_filter.new_from_filter_dumpxml(filter_name) logging.debug("the filter xml after edit is: %s" % postxml.xmltreefile) post_priority = postxml.filter_priority if pre_priority == edit_priority: if post_priority != pre_priority: raise error.TestFail("nwfilter-edit fail to update filter" " priority") else: if post_priority == pre_priority: raise error.TestFail("nwfilter-edit fail to update filter" " priority") # Clean env if post_priority != pre_priority: virsh.nwfilter_define(filter_xml, options="", ignore_status=True, debug=True)
def run(test, params, env): """ Test start domain with nwfilter rules. 1) Prepare parameters. 2) Prepare nwfilter rule and update domain interface to apply. 3) Start domain and check rule. 4) Clean env """ # Prepare parameters filter_name = params.get("filter_name", "testcase") exist_filter = params.get("exist_filter", "no-mac-spoofing") check_cmd = params.get("check_cmd") expect_match = params.get("expect_match") status_error = "yes" == params.get("status_error", "no") mount_noexec_tmp = "yes" == params.get("mount_noexec_tmp", "no") kill_libvirtd = "yes" == params.get("kill_libvirtd", "no") bug_url = params.get("bug_url", "") ipset_command = params.get("ipset_command") vm_name = params.get("main_vm") vm = env.get_vm(vm_name) username = params.get("username") password = params.get("password") # Prepare vm filterref parameters dict list filter_param_list = [] params_key = [] for i in params.keys(): if "parameter_name_" in i: params_key.append(i) params_key.sort() for i in range(len(params_key)): params_dict = {} params_dict["name"] = params[params_key[i]] params_dict["value"] = params["parameter_value_%s" % i] filter_param_list.append(params_dict) filterref_dict = {} filterref_dict["name"] = filter_name filterref_dict["parameters"] = filter_param_list # backup vm xml vmxml_backup = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) libvirtd = utils_libvirtd.Libvirtd() device_name = None try: rule = params.get("rule") if rule: # Create new filter xml filterxml = utlv.create_nwfilter_xml(params) # Define filter xml virsh.nwfilter_define(filterxml.xml, debug=True) # Update first vm interface with filter vmxml = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) iface_xml = vmxml.get_devices("interface")[0] vmxml.del_device(iface_xml) new_iface = interface.Interface("network") new_iface.xml = iface_xml.xml new_filterref = new_iface.new_filterref(**filterref_dict) new_iface.filterref = new_filterref logging.debug("new interface xml is: %s" % new_iface) vmxml.add_device(new_iface) vmxml.sync() if mount_noexec_tmp: device_name = utlv.setup_or_cleanup_iscsi(is_setup=True) utlv.mkfs(device_name, "ext4") cmd = "mount %s /tmp -o noexec,nosuid" % device_name utils.run(cmd) if ipset_command: try: os_dep.command("ipset") except ValueError: ret = utils.run("yum install ipset -y") if ret.exit_status: raise error.TestNAError("Can't install ipset on host") utils.run(ipset_command) # Run command try: vm.start() if not mount_noexec_tmp: vm.wait_for_serial_login(username=username, password=password) vmxml = libvirt_xml.VMXML.new_from_dumpxml(vm_name) iface_xml = vmxml.get_devices("interface")[0] iface_target = iface_xml.target["dev"] logging.debug("iface target dev name is %s", iface_target) # Check iptables or ebtables on host if check_cmd: if "DEVNAME" in check_cmd: check_cmd = check_cmd.replace("DEVNAME", iface_target) ret = utils_misc.wait_for(lambda: not utils.system(check_cmd, ignore_status=True), timeout=30) if not ret: raise error.TestFail("Rum command '%s' failed" % check_cmd) out = utils.system_output(check_cmd, ignore_status=False) if expect_match and not re.search(expect_match, out): raise error.TestFail("'%s' not found in output: %s" % (expect_match, out)) except virt_vm.VMStartError, e: # Starting VM failed. if not status_error: raise error.TestFail("Test failed in positive case.\n error:" " %s\n%s" % (e, bug_url)) if kill_libvirtd: cmd = "kill -SIGTERM `pidof libvirtd`" utils.run(cmd) ret = utils_misc.wait_for(lambda: not libvirtd.is_running(), timeout=30) if not ret: raise error.TestFail("Failed to kill libvirtd. %s" % bug_url)
def run(test, params, env): """ Test command: virsh nwfilter-edit. 1) Prepare parameters. 2) Run nwfilter-edit command. 3) Check result. 4) Clean env """ # Prepare parameters filter_name = params.get("edit_filter_name", "") filter_ref = params.get("edit_filter_ref", "") edit_priority = params.get("edit_priority", "") extra_option = params.get("edit_extra_option", "") status_error = params.get("status_error", "no") status = True edit_cmd = [] edit_cmd.append(":1s/priority=.*$/priority='" + edit_priority + "'>") # Backup filter xml if filter_name and filter_ref.find("invalid") == -1: new_filter = libvirt_xml.NwfilterXML() filterxml = new_filter.new_from_filter_dumpxml(filter_name) logging.debug("the filter xml is: %s" % filterxml.xmltreefile) filter_xml = filterxml.xmltreefile.name uuid = filterxml.uuid pre_priority = filterxml.filter_priority # Run command if status_error == "no": if filter_ref == "name": edit_filter_xml(filter_name, edit_cmd) elif filter_ref == "uuid": edit_filter_xml(uuid, edit_cmd) else: raise error.TestNAError("For positive test, edit_filter_ref cloud" " be either 'name' or 'uuid'.") else: if filter_ref.find("invalid") == 0: if extra_option == "": filter_name = filter_ref edit_result = virsh.nwfilter_edit(filter_name, extra_option, ignore_statu=True, debug=True) if edit_result.exit_status == 0: raise error.TestFail("nwfilter-edit should fail but succeed") else: logging.info("Run command failed as expected") status = False else: raise error.TestNAError("For negative test, string 'invalid' is" " required in edit_filter_ref.") # no check and clean env if command fail if status: # Check result if filter_name and filter_ref.find("invalid") == -1: post_filter = libvirt_xml.NwfilterXML() postxml = post_filter.new_from_filter_dumpxml(filter_name) logging.debug("the filter xml after edit is: %s" % postxml.xmltreefile) post_priority = postxml.filter_priority if pre_priority == edit_priority: if post_priority != pre_priority: raise error.TestFail("nwfilter-edit fail to update filter" " priority") else: if post_priority == pre_priority: raise error.TestFail("nwfilter-edit fail to update filter" " priority") # Clean env if post_priority != pre_priority: virsh.nwfilter_define(filter_xml, options="", ignore_status=True, debug=True)
def run(test, params, env): """ Test update filter rules when domain is running. 1) Prepare parameters. 2) Add filter to domain interface. 3) Start domain. 4) Update filter rule and check 5) Cleanup """ # Prepare parameters filter_name = params.get("filter_name", "testcase") check_cmd = params.get("check_cmd") expect_match = params.get("expect_match") check_vm_cmd = params.get("check_vm_cmd") vm_expect_match = params.get("vm_expect_match") vm_name = params.get("main_vm") vm = env.get_vm(vm_name) filterref_dict = {} filterref_dict['name'] = filter_name # backup vm xml vmxml_backup = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) new_filter = libvirt_xml.NwfilterXML() filter_backup = new_filter.new_from_filter_dumpxml(filter_name) def clean_up_dirty_nwfilter_binding(): cmd_result = virsh.nwfilter_binding_list(debug=True) binding_list = cmd_result.stdout_text.strip().splitlines() binding_list = binding_list[2:] result = [] # If binding list is not empty. if binding_list: for line in binding_list: # Split on whitespace, assume 1 column linesplit = line.split(None, 1) result.append(linesplit[0]) logging.info("nwfilter binding list is: %s", result) for binding_uuid in result: try: virsh.nwfilter_binding_delete(binding_uuid) except Exception as e: logging.error( "Exception thrown while undefining nwfilter-binding: %s", str(e)) raise try: # Clean up dirty nwfilter binding if there are. clean_up_dirty_nwfilter_binding() # Update first vm interface with filter vmxml = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] vmxml.del_device(iface_xml) new_iface = interface.Interface('network') new_iface.xml = iface_xml.xml new_filterref = new_iface.new_filterref(**filterref_dict) new_iface.filterref = new_filterref logging.debug("new interface xml is: %s" % new_iface) vmxml.add_device(new_iface) vmxml.sync() # Start vm vm.start() session = vm.wait_for_login() vmxml = libvirt_xml.VMXML.new_from_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] iface_target = iface_xml.target['dev'] logging.debug("iface target dev name is %s", iface_target) # Update filter rule by nwfilter-define filterxml = utlv.create_nwfilter_xml(params) # Define filter xml virsh.nwfilter_define(filterxml.xml, debug=True) # Check ebtables on host after filter update if "DEVNAME" in check_cmd: check_cmd = check_cmd.replace("DEVNAME", iface_target) ret = utils_misc.wait_for(lambda: not process.system( check_cmd, ignore_status=True, shell=True), timeout=30) if not ret: test.fail("Rum command '%s' failed" % check_cmd) out = astring.to_text( process.system_output(check_cmd, ignore_status=False, shell=True)) if expect_match and not re.search(expect_match, out): test.fail("'%s' not found in output: %s" % (expect_match, out)) # Check in vm if check_vm_cmd: output = session.cmd_output(check_vm_cmd) logging.debug("cmd output: %s", output) if vm_expect_match and not re.search(vm_expect_match, output): test.fail("'%s' not found in output: %s" % (vm_expect_match, output)) finally: # Clean env if vm.is_alive(): vm.destroy(gracefully=False) # Recover xml of vm. vmxml_backup.sync() # Restore created filter virsh.nwfilter_undefine(filter_name, debug=True) virsh.nwfilter_define(filter_backup.xml, debug=True)
def run(test, params, env): """ Test start domain with nwfilter rules. 1) Prepare parameters. 2) Prepare nwfilter rule and update domain interface to apply. 3) Start domain and check rule. 4) Clean env """ # Prepare parameters filter_name = params.get("filter_name", "testcase") bug_url = params.get("bug_url", "") vm_name = params.get("main_vm") if not libvirt_version.version_compare(1, 2, 6): raise error.TestNAError("Bug %s not fixed on current build" % bug_url) vm = env.get_vm(vm_name) # Prepare vm filterref parameters dict list filterref_dict = {} filterref_dict['name'] = filter_name # backup vm and filter xml vmxml_backup = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) backup_filter = libvirt_xml.NwfilterXML() filterxml = backup_filter.new_from_filter_dumpxml(filter_name) libvirtd = utils_libvirtd.LibvirtdSession() def nwfilter_sync_loop(filter_name, filerxml): """ Undefine filter and redefine filter from xml in loop """ for i in range(2400): virsh.nwfilter_undefine(filter_name, ignore_status=True) time.sleep(0.1) virsh.nwfilter_define(filterxml.xml, ignore_status=True) def vm_start_destory_loop(vm): """ Start and destroy vm in loop """ for i in range(2400): vm.start() time.sleep(0.1) vm.destroy(gracefully=False) try: libvirtd.start() # Update first vm interface with filter vmxml = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] vmxml.del_device(iface_xml) new_iface = interface.Interface('network') new_iface.xml = iface_xml.xml new_filterref = new_iface.new_filterref(**filterref_dict) new_iface.filterref = new_filterref logging.debug("new interface xml is: %s" % new_iface) vmxml.add_device(new_iface) vmxml.sync() filter_thread = threading.Thread(target=nwfilter_sync_loop, args=(filter_name, filterxml)) vm_thread = threading.Thread(target=vm_start_destory_loop, args=(vm,)) filter_thread.start() time.sleep(0.3) vm_thread.start() ret = utils_misc.wait_for(lambda: not libvirtd.is_working(), timeout=240, step=1) filter_thread.join() vm_thread.join() if ret: raise error.TestFail("Libvirtd hang, %s" % bug_url) finally: libvirtd.exit() # Clean env if vm.is_alive(): vm.destroy(gracefully=False) # Recover xml of vm and filter. vmxml_backup.sync() virsh.nwfilter_undefine(filter_name, ignore_status=True) virsh.nwfilter_define(filterxml.xml, ignore_status=True)
def run(test, params, env): """ Test command: virsh nwfilter-define. 1) Prepare parameters. 2) Set options of virsh define. 3) Run define command. 4) Check result. 5) Clean env """ # Prepare parameters filter_name = params.get("filter_name", "testcase") filter_chain = params.get("filter_chain", "root") filter_priority = params.get("filter_priority", "") filter_uuid = params.get("filter_uuid", "5c6d49af-b071-6127-b4ec-6f8ed4b55335") filterref = params.get("filterref") filterref_name = params.get("filterref_name") exist_filter = params.get("exist_filter", "no-mac-spoofing") filter_xml = params.get("filter_create_xml_file") options_ref = params.get("options_ref", "") status_error = params.get("status_error", "no") # prepare rule and protocol attributes protocol = {} rule_dict = {} rule_dict_tmp = {} # rule string should end with EOL as separator, multiple rules is supported rule = params.get( "rule", "rule_action=accept rule_direction=out protocol=mac EOL") rule_list = rule.split('EOL') for i in range(len(rule_list)): if rule_list[i]: attr = rule_list[i].split() for j in range(len(attr)): attr_list = attr[j].split('=') rule_dict_tmp[attr_list[0]] = attr_list[1] rule_dict[i] = rule_dict_tmp rule_dict_tmp = {} # process protocol parameter for i in rule_dict.keys(): if 'protocol' not in rule_dict[i]: # Set protocol as string 'None' as parse from cfg is # string 'None' protocol[i] = 'None' else: protocol[i] = rule_dict[i]['protocol'] rule_dict[i].pop('protocol') if protocol[i] in PROTOCOL_TYPES: # replace '-' with '_' in ipv6 types as '-' is not # supposed to be in class name if '-' in protocol[i]: protocol[i] = protocol[i].replace('-', '_') else: raise error.TestFail("Given protocol type %s" % protocol[i] + " is not in supported list %s" % PROTOCOL_TYPES) if filter_xml == "invalid-filter-xml": tmp_xml = xml_utils.TempXMLFile() tmp_xml.write('"<filter><<<BAD>>><\'XML</name\>' '!@#$%^&*)>(}>}{CORRUPTE|>!</filter>') tmp_xml.flush() filter_xml = tmp_xml.name logging.info("Test invalid xml is: %s" % filter_xml) elif filter_xml != " ": # Use exist xml as template with new attributes new_filter = libvirt_xml.NwfilterXML() filterxml = new_filter.new_from_filter_dumpxml(exist_filter) logging.debug("the exist xml is:\n%s" % filterxml.xmltreefile) # Backup xml if only update exist filter if exist_filter == filter_name: backup_xml = filterxml.xmltreefile.backup_copy() # Set filter attribute filterxml.filter_name = filter_name filterxml.filter_chain = filter_chain filterxml.filter_priority = filter_priority filterxml.uuid = filter_uuid if filterref: filterxml.filterref = filterref filterxml.filterref_name = filterref_name # Set rule attribute index_total = filterxml.get_rule_index() rule = filterxml.get_rule(0) rulexml = rule.backup_rule() for i in range(len(rule_dict.keys())): rulexml.rule_action = rule_dict[i].get('rule_action') rulexml.rule_direction = rule_dict[i].get('rule_direction') rulexml.rule_priority = rule_dict[i].get('rule_priority') rulexml.rule_statematch = rule_dict[i].get('rule_statematch') for j in RULE_ATTR: if j in rule_dict[i].keys(): rule_dict[i].pop(j) # set protocol attribute if protocol[i] != 'None': protocolxml = rulexml.get_protocol(protocol[i]) new_one = protocolxml.new_attr(**rule_dict[i]) protocolxml.attrs = new_one rulexml.xmltreefile = protocolxml.xmltreefile else: rulexml.del_protocol() if i <= len(index_total) - 1: filterxml.set_rule(rulexml, i) else: filterxml.add_rule(rulexml) # Reset rulexml rulexml = rule.backup_rule() logging.info("The xml for define is:\n%s" % filterxml.xmltreefile) filterxml.xmltreefile.write(filter_xml) # Run command cmd_result = virsh.nwfilter_define(filter_xml, options=options_ref, ignore_status=True, debug=True) status = cmd_result.exit_status # Check result chk_result = check_list(filter_uuid, filter_name) xml_path = "%s/%s.xml" % (NWFILTER_ETC_DIR, filter_name) if status_error == "yes": if status == 0: raise error.TestFail("Run successfully with wrong command.") elif status_error == "no": if status: raise error.TestFail("Run failed with right command.") if not chk_result: raise error.TestFail("Can't find filter in nwfilter-list output") if not os.path.exists(xml_path): raise error.TestFail("Can't find filter xml under %s" % NWFILTER_ETC_DIR) logging.info("Dump the xml after define:") virsh.nwfilter_dumpxml(filter_name, ignore_status=True, debug=True) # Clean env if exist_filter == filter_name: logging.info("Restore exist filter: %s" % exist_filter) backup_xml.write(filter_xml) virsh.nwfilter_define(filter_xml, options="", ignore_status=True, debug=True) else: if chk_result: virsh.nwfilter_undefine(filter_name, options="", ignore_status=True, debug=True) if os.path.exists(filter_xml): os.remove(filter_xml)
def run(test, params, env): """ Test start domain with nwfilter rules. 1) Prepare parameters. 2) Prepare nwfilter rule and update domain interface to apply. 3) Start domain and check rule. 4) Clean env """ # Prepare parameters filter_name = params.get("filter_name", "testcase") exist_filter = params.get("exist_filter", "no-mac-spoofing") check_cmd = params.get("check_cmd") expect_match = params.get("expect_match") status_error = "yes" == params.get("status_error", "no") mount_noexec_tmp = "yes" == params.get("mount_noexec_tmp", "no") kill_libvirtd = "yes" == params.get("kill_libvirtd", "no") bug_url = params.get("bug_url", "") ipset_command = params.get("ipset_command") vm_name = params.get("main_vm") vm = env.get_vm(vm_name) username = params.get("username") password = params.get("password") # Prepare vm filterref parameters dict list filter_param_list = [] params_key = [] for i in params.keys(): if 'parameter_name_' in i: params_key.append(i) params_key.sort() for i in range(len(params_key)): params_dict = {} params_dict['name'] = params[params_key[i]] params_dict['value'] = params['parameter_value_%s' % i] filter_param_list.append(params_dict) filterref_dict = {} filterref_dict['name'] = filter_name filterref_dict['parameters'] = filter_param_list # backup vm xml vmxml_backup = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) libvirtd = utils_libvirtd.Libvirtd() device_name = None try: rule = params.get("rule") if rule: # Create new filter xml filterxml = utlv.create_nwfilter_xml(params) # Define filter xml virsh.nwfilter_define(filterxml.xml, debug=True) # Update first vm interface with filter vmxml = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] vmxml.del_device(iface_xml) new_iface = interface.Interface('network') new_iface.xml = iface_xml.xml new_filterref = new_iface.new_filterref(**filterref_dict) new_iface.filterref = new_filterref logging.debug("new interface xml is: %s" % new_iface) vmxml.add_device(new_iface) vmxml.sync() if mount_noexec_tmp: device_name = utlv.setup_or_cleanup_iscsi(is_setup=True) utlv.mkfs(device_name, 'ext4') cmd = "mount %s /tmp -o noexec,nosuid" % device_name process.run(cmd, shell=True) if ipset_command: pkg = "ipset" if not utils_package.package_install(pkg): test.cancel("Can't install ipset on host") process.run(ipset_command, shell=True) # Run command try: vm.start() if not mount_noexec_tmp: vm.wait_for_serial_login(username=username, password=password) vmxml = libvirt_xml.VMXML.new_from_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] iface_target = iface_xml.target['dev'] logging.debug("iface target dev name is %s", iface_target) # Check iptables or ebtables on host if check_cmd: if "DEVNAME" in check_cmd: check_cmd = check_cmd.replace("DEVNAME", iface_target) ret = utils_misc.wait_for(lambda: not process.system(check_cmd, ignore_status=True, shell=True), timeout=30) if not ret: test.fail("Rum command '%s' failed" % check_cmd) out = to_text(process.system_output(check_cmd, ignore_status=False, shell=True)) if expect_match and not re.search(expect_match, out): test.fail("'%s' not found in output: %s" % (expect_match, out)) except virt_vm.VMStartError as e: # Starting VM failed. if not status_error: test.fail("Test failed in positive case.\n error:" " %s\n%s" % (e, bug_url)) if kill_libvirtd: cmd = "kill -s TERM `pidof libvirtd`" process.run(cmd, shell=True) ret = utils_misc.wait_for(lambda: not libvirtd.is_running(), timeout=30) if not ret: test.fail("Failed to kill libvirtd. %s" % bug_url) finally: if kill_libvirtd: libvirtd.restart() # Clean env if vm.is_alive(): vm.destroy(gracefully=False) # Recover xml of vm. vmxml_backup.sync() # Undefine created filter if filter_name != exist_filter: virsh.nwfilter_undefine(filter_name, debug=True) if mount_noexec_tmp: if device_name: process.run("umount -l %s" % device_name, ignore_status=True, shell=True) utlv.setup_or_cleanup_iscsi(is_setup=False) if ipset_command: process.run("ipset destroy blacklist", shell=True)
def run(test, params, env): """ Test start domain with nwfilter rules. 1) Prepare parameters. 2) Prepare nwfilter rule and update domain interface to apply. 3) Start domain and check rule. 4) Clean env """ # Prepare parameters filter_name = params.get("filter_name", "testcase") exist_filter = params.get("exist_filter", "no-mac-spoofing") check_cmd = params.get("check_cmd") expect_match = params.get("expect_match") status_error = "yes" == params.get("status_error", "no") mount_noexec_tmp = "yes" == params.get("mount_noexec_tmp", "no") kill_libvirtd = "yes" == params.get("kill_libvirtd", "no") bug_url = params.get("bug_url", "") ipset_command = params.get("ipset_command") vm_name = params.get("main_vm") vm = env.get_vm(vm_name) username = params.get("username") password = params.get("password") # Prepare vm filterref parameters dict list filter_param_list = [] params_key = [] for i in params.keys(): if 'parameter_name_' in i: params_key.append(i) params_key.sort() for i in range(len(params_key)): params_dict = {} params_dict['name'] = params[params_key[i]] params_dict['value'] = params['parameter_value_%s' % i] filter_param_list.append(params_dict) filterref_dict = {} filterref_dict['name'] = filter_name filterref_dict['parameters'] = filter_param_list # backup vm xml vmxml_backup = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) libvirtd = utils_libvirtd.Libvirtd() device_name = None try: rule = params.get("rule") if rule: # Create new filter xml filterxml = utlv.create_nwfilter_xml(params) # Define filter xml virsh.nwfilter_define(filterxml.xml, debug=True) # Update first vm interface with filter vmxml = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] vmxml.del_device(iface_xml) new_iface = interface.Interface('network') new_iface.xml = iface_xml.xml new_filterref = new_iface.new_filterref(**filterref_dict) new_iface.filterref = new_filterref logging.debug("new interface xml is: %s" % new_iface) vmxml.add_device(new_iface) vmxml.sync() if mount_noexec_tmp: device_name = utlv.setup_or_cleanup_iscsi(is_setup=True) utlv.mkfs(device_name, 'ext4') cmd = "mount %s /tmp -o noexec,nosuid" % device_name process.run(cmd, shell=True) if ipset_command: pkg = "ipset" if not utils_package.package_install(pkg): test.cancel("Can't install ipset on host") process.run(ipset_command, shell=True) # Run command try: vm.start() if not mount_noexec_tmp: vm.wait_for_serial_login(username=username, password=password) vmxml = libvirt_xml.VMXML.new_from_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] iface_target = iface_xml.target['dev'] logging.debug("iface target dev name is %s", iface_target) # Check iptables or ebtables on host if check_cmd: if "DEVNAME" in check_cmd: check_cmd = check_cmd.replace("DEVNAME", iface_target) ret = utils_misc.wait_for(lambda: not process.system( check_cmd, ignore_status=True, shell=True), timeout=30) if not ret: test.fail("Rum command '%s' failed" % check_cmd) # This change anchors nwfilter_vm_start.possitive_test.new_filter.variable_notation case # The matched destination could be ip address or hostname if "iptables -L" in check_cmd and expect_match: # ip address that need to be replaced replace_param = params.get("parameter_value_2") #Get hostname by ip address. hostname_info = None try: hostname_info = socket.gethostbyaddr(replace_param) except socket.error as e: logging.info( "Failed to get hostname from ip address with error: %s", str(e)) if hostname_info: # String is used to replace ip address replace_with = "%s|%s" % (replace_param, hostname_info[0]) expect_match = r"%s" % expect_match.replace( replace_param, replace_with) logging.debug("final iptables match string:%s", expect_match) out = to_text( process.system_output(check_cmd, ignore_status=False, shell=True)) if expect_match and not re.search(expect_match, out): test.fail("'%s' not found in output: %s" % (expect_match, out)) except virt_vm.VMStartError as e: # Starting VM failed. if not status_error: test.fail("Test failed in positive case.\n error:" " %s\n%s" % (e, bug_url)) if kill_libvirtd: cmd = "kill -s TERM `pidof libvirtd`" process.run(cmd, shell=True) ret = utils_misc.wait_for(lambda: not libvirtd.is_running(), timeout=30) # After libvirt 5.6.0, libvirtd is using systemd socket activation by default if not ret and not libvirt_version.version_compare(5, 6, 0): test.fail("Failed to kill libvirtd. %s" % bug_url) finally: if kill_libvirtd: libvirtd.restart() # Clean env if vm.is_alive(): vm.destroy(gracefully=False) # Recover xml of vm. vmxml_backup.sync() # Undefine created filter if filter_name != exist_filter: virsh.nwfilter_undefine(filter_name, debug=True) if mount_noexec_tmp: if device_name: process.run("umount -l %s" % device_name, ignore_status=True, shell=True) utlv.setup_or_cleanup_iscsi(is_setup=False) if ipset_command: process.run("ipset destroy blacklist", shell=True)
def run(test, params, env): """ Test update filter rules when domain is running. 1) Prepare parameters. 2) Add filter to domain interface. 3) Start domain. 4) Update filter rule and check 5) Cleanup """ # Prepare parameters filter_name = params.get("filter_name", "testcase") check_cmd = params.get("check_cmd") expect_match = params.get("expect_match") check_vm_cmd = params.get("check_vm_cmd") vm_expect_match = params.get("vm_expect_match") vm_name = params.get("main_vm") vm = env.get_vm(vm_name) filterref_dict = {} filterref_dict['name'] = filter_name # backup vm xml vmxml_backup = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) new_filter = libvirt_xml.NwfilterXML() filter_backup = new_filter.new_from_filter_dumpxml(filter_name) try: # Update first vm interface with filter vmxml = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] vmxml.del_device(iface_xml) new_iface = interface.Interface('network') new_iface.xml = iface_xml.xml new_filterref = new_iface.new_filterref(**filterref_dict) new_iface.filterref = new_filterref logging.debug("new interface xml is: %s" % new_iface) vmxml.add_device(new_iface) vmxml.sync() # Start vm vm.start() session = vm.wait_for_login() vmxml = libvirt_xml.VMXML.new_from_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] iface_target = iface_xml.target['dev'] logging.debug("iface target dev name is %s", iface_target) # Update filter rule by nwfilter-define filterxml = utlv.create_nwfilter_xml(params) # Define filter xml virsh.nwfilter_define(filterxml.xml, debug=True) # Check ebtables on host after filter update if "DEVNAME" in check_cmd: check_cmd = check_cmd.replace("DEVNAME", iface_target) ret = utils_misc.wait_for(lambda: not utils.system(check_cmd, ignore_status=True), timeout=30) if not ret: raise error.TestFail("Rum command '%s' failed" % check_cmd) out = utils.system_output(check_cmd, ignore_status=False) if expect_match and not re.search(expect_match, out): raise error.TestFail("'%s' not found in output: %s" % (expect_match, out)) # Check in vm if check_vm_cmd: output = session.cmd_output(check_vm_cmd) logging.debug("cmd output: %s", output) if vm_expect_match and not re.search(vm_expect_match, output): raise error.TestFail("'%s' not found in output: %s" % (vm_expect_match, output)) finally: # Clean env if vm.is_alive(): vm.destroy(gracefully=False) # Recover xml of vm. vmxml_backup.sync() # Restore created filter virsh.nwfilter_undefine(filter_name, debug=True) virsh.nwfilter_define(filter_backup.xml, debug=True)
def run(test, params, env): """ Test command: virsh nwfilter-define. 1) Prepare parameters. 2) Set options of virsh define. 3) Run define command. 4) Check result. 5) Clean env """ # Prepare parameters filter_name = params.get("filter_name", "testcase") filter_chain = params.get("filter_chain", "root") filter_priority = params.get("filter_priority", "") filter_uuid = params.get("filter_uuid", "5c6d49af-b071-6127-b4ec-6f8ed4b55335") filterref = params.get("filterref") filterref_name = params.get("filterref_name") exist_filter = params.get("exist_filter", "no-mac-spoofing") filter_xml = params.get("filter_create_xml_file") options_ref = params.get("options_ref", "") status_error = params.get("status_error", "no") # prepare rule and protocol attributes protocol = {} rule_dict = {} rule_dict_tmp = {} # rule string should end with EOL as separator, multiple rules is supported rule = params.get("rule", "rule_action=accept rule_direction=out protocol=mac EOL") rule_list = rule.split('EOL') for i in range(len(rule_list)): if rule_list[i]: attr = rule_list[i].split() for j in range(len(attr)): attr_list = attr[j].split('=') rule_dict_tmp[attr_list[0]] = attr_list[1] rule_dict[i] = rule_dict_tmp rule_dict_tmp = {} # process protocol parameter for i in rule_dict.keys(): if 'protocol' not in rule_dict[i]: # Set protocol as string 'None' as parse from cfg is # string 'None' protocol[i] = 'None' else: protocol[i] = rule_dict[i]['protocol'] rule_dict[i].pop('protocol') if protocol[i] in PROTOCOL_TYPES: # replace '-' with '_' in ipv6 types as '-' is not # supposed to be in class name if '-' in protocol[i]: protocol[i] = protocol[i].replace('-', '_') else: raise error.TestFail("Given protocol type %s" % protocol[i] + " is not in supported list %s" % PROTOCOL_TYPES) if filter_xml == "invalid-filter-xml": tmp_xml = xml_utils.TempXMLFile() tmp_xml.write('"<filter><<<BAD>>><\'XML</name\>' '!@#$%^&*)>(}>}{CORRUPTE|>!</filter>') tmp_xml.flush() filter_xml = tmp_xml.name logging.info("Test invalid xml is: %s" % filter_xml) elif filter_xml != " ": # Use exist xml as template with new attributes new_filter = libvirt_xml.NwfilterXML() filterxml = new_filter.new_from_filter_dumpxml(exist_filter) logging.debug("the exist xml is:\n%s" % filterxml.xmltreefile) # Backup xml if only update exist filter if exist_filter == filter_name: backup_xml = filterxml.xmltreefile.backup_copy() # Set filter attribute filterxml.filter_name = filter_name filterxml.filter_chain = filter_chain filterxml.filter_priority = filter_priority filterxml.uuid = filter_uuid if filterref: filterxml.filterref = filterref filterxml.filterref_name = filterref_name # Set rule attribute index_total = filterxml.get_rule_index() rule = filterxml.get_rule(0) rulexml = rule.backup_rule() for i in range(len(rule_dict.keys())): rulexml.rule_action = rule_dict[i].get('rule_action') rulexml.rule_direction = rule_dict[i].get('rule_direction') rulexml.rule_priority = rule_dict[i].get('rule_priority') rulexml.rule_statematch = rule_dict[i].get('rule_statematch') for j in RULE_ATTR: if j in rule_dict[i].keys(): rule_dict[i].pop(j) # set protocol attribute if protocol[i] != 'None': protocolxml = rulexml.get_protocol(protocol[i]) new_one = protocolxml.new_attr(**rule_dict[i]) protocolxml.attrs = new_one rulexml.xmltreefile = protocolxml.xmltreefile else: rulexml.del_protocol() if i <= len(index_total) - 1: filterxml.set_rule(rulexml, i) else: filterxml.add_rule(rulexml) # Reset rulexml rulexml = rule.backup_rule() logging.info("The xml for define is:\n%s" % filterxml.xmltreefile) filterxml.xmltreefile.write(filter_xml) # Run command cmd_result = virsh.nwfilter_define(filter_xml, options=options_ref, ignore_status=True, debug=True) status = cmd_result.exit_status # Check result chk_result = check_list(filter_uuid, filter_name) xml_path = "%s/%s.xml" % (NWFILTER_ETC_DIR, filter_name) if status_error == "yes": if status == 0: raise error.TestFail("Run successfully with wrong command.") elif status_error == "no": if status: raise error.TestFail("Run failed with right command.") if not chk_result: raise error.TestFail("Can't find filter in nwfilter-list output") if not os.path.exists(xml_path): raise error.TestFail("Can't find filter xml under %s" % NWFILTER_ETC_DIR) logging.info("Dump the xml after define:") virsh.nwfilter_dumpxml(filter_name, ignore_status=True, debug=True) # Clean env if exist_filter == filter_name: logging.info("Restore exist filter: %s" % exist_filter) backup_xml.write(filter_xml) virsh.nwfilter_define(filter_xml, options="", ignore_status=True, debug=True) else: if chk_result: virsh.nwfilter_undefine(filter_name, options="", ignore_status=True, debug=True) if os.path.exists(filter_xml): os.remove(filter_xml)
def run(test, params, env): """ Test start domain with nwfilter rules. 1) Prepare parameters. 2) Prepare nwfilter rule and update domain interface to apply. 3) Start domain and check rule. 4) Clean env """ # Prepare parameters filter_name = params.get("filter_name", "testcase") exist_filter = params.get("exist_filter", "no-mac-spoofing") check_cmd = params.get("check_cmd") expect_match = params.get("expect_match") status_error = "yes" == params.get("status_error", "no") mount_noexec_tmp = "yes" == params.get("mount_noexec_tmp", "no") kill_libvirtd = "yes" == params.get("kill_libvirtd", "no") bug_url = params.get("bug_url", "") ipset_command = params.get("ipset_command") vm_name = params.get("main_vm") vm = env.get_vm(vm_name) username = params.get("username") password = params.get("password") # Prepare vm filterref parameters dict list filter_param_list = [] params_key = [] for i in params.keys(): if 'parameter_name_' in i: params_key.append(i) params_key.sort() for i in range(len(params_key)): params_dict = {} params_dict['name'] = params[params_key[i]] params_dict['value'] = params['parameter_value_%s' % i] filter_param_list.append(params_dict) filterref_dict = {} filterref_dict['name'] = filter_name filterref_dict['parameters'] = filter_param_list # backup vm xml vmxml_backup = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) libvirtd = utils_libvirtd.Libvirtd() device_name = None try: rule = params.get("rule") if rule: # Create new filter xml filterxml = utlv.create_nwfilter_xml(params) # Define filter xml virsh.nwfilter_define(filterxml.xml, debug=True) # Update first vm interface with filter vmxml = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] vmxml.del_device(iface_xml) new_iface = interface.Interface('network') new_iface.xml = iface_xml.xml new_filterref = new_iface.new_filterref(**filterref_dict) new_iface.filterref = new_filterref logging.debug("new interface xml is: %s" % new_iface) vmxml.add_device(new_iface) vmxml.sync() if mount_noexec_tmp: device_name = utlv.setup_or_cleanup_iscsi(is_setup=True) utlv.mkfs(device_name, 'ext4') cmd = "mount %s /tmp -o noexec,nosuid" % device_name utils.run(cmd) if ipset_command: try: os_dep.command("ipset") except ValueError: ret = utils.run("yum install ipset -y") if ret.exit_status: raise error.TestNAError("Can't install ipset on host") utils.run(ipset_command) # Run command try: vm.start() if not mount_noexec_tmp: vm.wait_for_serial_login(username=username, password=password) vmxml = libvirt_xml.VMXML.new_from_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] iface_target = iface_xml.target['dev'] logging.debug("iface target dev name is %s", iface_target) # Check iptables or ebtables on host if check_cmd: if "DEVNAME" in check_cmd: check_cmd = check_cmd.replace("DEVNAME", iface_target) ret = utils_misc.wait_for(lambda: not utils.system(check_cmd, ignore_status=True), timeout=30) if not ret: raise error.TestFail("Rum command '%s' failed" % check_cmd) out = utils.system_output(check_cmd, ignore_status=False) if expect_match and not re.search(expect_match, out): raise error.TestFail("'%s' not found in output: %s" % (expect_match, out)) except virt_vm.VMStartError, e: # Starting VM failed. if not status_error: raise error.TestFail("Test failed in positive case.\n error:" " %s\n%s" % (e, bug_url)) if kill_libvirtd: cmd = "kill -SIGTERM `pidof libvirtd`" utils.run(cmd) ret = utils_misc.wait_for(lambda: not libvirtd.is_running(), timeout=30) if not ret: raise error.TestFail("Failed to kill libvirtd. %s" % bug_url)
def run(test, params, env): """ Test update filter rules when domain is running. 1) Prepare parameters. 2) Add filter to domain interface. 3) Start domain. 4) Update filter rule and check 5) Cleanup """ # Prepare parameters filter_name = params.get("filter_name", "testcase") check_cmd = params.get("check_cmd") expect_match = params.get("expect_match") check_vm_cmd = params.get("check_vm_cmd") vm_expect_match = params.get("vm_expect_match") vm_name = params.get("main_vm") vm = env.get_vm(vm_name) filterref_dict = {} filterref_dict['name'] = filter_name # backup vm xml vmxml_backup = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) new_filter = libvirt_xml.NwfilterXML() filter_backup = new_filter.new_from_filter_dumpxml(filter_name) try: # Update first vm interface with filter vmxml = libvirt_xml.VMXML.new_from_inactive_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] vmxml.del_device(iface_xml) new_iface = interface.Interface('network') new_iface.xml = iface_xml.xml new_filterref = new_iface.new_filterref(**filterref_dict) new_iface.filterref = new_filterref logging.debug("new interface xml is: %s" % new_iface) vmxml.add_device(new_iface) vmxml.sync() # Start vm vm.start() session = vm.wait_for_login() vmxml = libvirt_xml.VMXML.new_from_dumpxml(vm_name) iface_xml = vmxml.get_devices('interface')[0] iface_target = iface_xml.target['dev'] logging.debug("iface target dev name is %s", iface_target) # Update filter rule by nwfilter-define filterxml = utlv.create_nwfilter_xml(params) # Define filter xml virsh.nwfilter_define(filterxml.xml, debug=True) # Check ebtables on host after filter update if "DEVNAME" in check_cmd: check_cmd = check_cmd.replace("DEVNAME", iface_target) ret = utils_misc.wait_for( lambda: not utils.system(check_cmd, ignore_status=True), timeout=30) if not ret: raise error.TestFail("Rum command '%s' failed" % check_cmd) out = utils.system_output(check_cmd, ignore_status=False) if expect_match and not re.search(expect_match, out): raise error.TestFail("'%s' not found in output: %s" % (expect_match, out)) # Check in vm if check_vm_cmd: output = session.cmd_output(check_vm_cmd) logging.debug("cmd output: %s", output) if vm_expect_match and not re.search(vm_expect_match, output): raise error.TestFail("'%s' not found in output: %s" % (vm_expect_match, output)) finally: # Clean env if vm.is_alive(): vm.destroy(gracefully=False) # Recover xml of vm. vmxml_backup.sync() # Restore created filter virsh.nwfilter_undefine(filter_name, debug=True) virsh.nwfilter_define(filter_backup.xml, debug=True)
def run(test, params, env): """ Test command: virsh nwfilter-define. 1) Prepare parameters. 2) Set options of virsh define. 3) Run define command. 4) Check result. 5) Clean env """ # Prepare parameters filter_name = params.get("filter_name", "testcase") filter_uuid = params.get("filter_uuid", "11111111-b071-6127-b4ec-111111111111") exist_filter = params.get("exist_filter", "no-mac-spoofing") filter_xml = params.get("filter_create_xml_file") options_ref = params.get("options_ref", "") status_error = params.get("status_error", "no") boundary_test_skip = "yes" == params.get("boundary_test_skip") new_uuid = "yes" == params.get("new_uuid", 'no') bug_url = params.get("bug_url") # libvirt acl polkit related params uri = params.get("virsh_uri") unprivileged_user = params.get('unprivileged_user') if unprivileged_user: if unprivileged_user.count('EXAMPLE'): unprivileged_user = '******' if not libvirt_version.version_compare(1, 1, 1): if params.get('setup_libvirt_polkit') == 'yes': raise error.TestNAError("API acl test not supported in current" " libvirt version.") if exist_filter == filter_name and new_uuid: # Since commit 46a811d, update filter with new uuid will fail. if libvirt_version.version_compare(1, 2, 7): status_error = 'yes' else: status_error = 'no' try: if filter_xml == "invalid-filter-xml": tmp_xml = xml_utils.TempXMLFile() tmp_xml.write('"<filter><<<BAD>>><\'XML</name\>' '!@#$%^&*)>(}>}{CORRUPTE|>!</filter>') tmp_xml.flush() filter_xml = tmp_xml.name logging.info("Test invalid xml is: %s" % filter_xml) elif filter_xml: # Create filter xml new_filter = libvirt_xml.NwfilterXML() filterxml_backup = new_filter.new_from_filter_dumpxml(exist_filter) # Backup xml if only update exist filter if exist_filter == filter_name and not new_uuid: filter_uuid = filterxml_backup.uuid params['filter_uuid'] = filter_uuid filterxml = utlv.create_nwfilter_xml(params) filterxml.xmltreefile.write(filter_xml) # Run command cmd_result = virsh.nwfilter_define(filter_xml, options=options_ref, unprivileged_user=unprivileged_user, uri=uri, ignore_status=True, debug=True) status = cmd_result.exit_status # Check result chk_result = check_list(filter_uuid, filter_name) xml_path = "%s/%s.xml" % (NWFILTER_ETC_DIR, filter_name) if status_error == "yes": if status == 0: if boundary_test_skip: raise error.TestNAError("Boundary check commit 4f20943 not" " in this libvirt build yet.") else: err_msg = "Run successfully with wrong command." if bug_url: err_msg += " Check more info in %s" % bug_url raise error.TestFail(err_msg) elif status_error == "no": if status: err_msg = "Run failed with right command." if bug_url: err_msg += " Check more info in %s" % bug_url raise error.TestFail(err_msg) if not chk_result: raise error.TestFail("Can't find filter in nwfilter-list" + " output") if not os.path.exists(xml_path): raise error.TestFail("Can't find filter xml under %s" % NWFILTER_ETC_DIR) logging.info("Dump the xml after define:") virsh.nwfilter_dumpxml(filter_name, ignore_status=True, debug=True) finally: # Clean env if exist_filter == filter_name: logging.info("Restore exist filter: %s" % exist_filter) virsh.nwfilter_undefine(filter_name, ignore_status=True) virsh.nwfilter_define(filterxml_backup.xml, ignore_status=True) else: if chk_result: virsh.nwfilter_undefine(filter_name, ignore_status=True) if os.path.exists(filter_xml): os.remove(filter_xml)