def setUpClass(cls):
super(TestQosPolicyBase, cls).setUpClass()
rules = [{
'direction': '<>',
'protocol': 'udp',
'dest_network': cls.vn1_fixture.vn_name,
'source_network': cls.vn2_fixture.vn_name,
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}, {
'direction': '<>',
'protocol': 'tcp',
'dest_network': cls.vn1_fixture.vn_name,
'source_network': cls.vn2_fixture.vn_name,
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}]
cls.policy_fixture = PolicyFixture(policy_name='policyTestQos',
rules_list=rules,
inputs=cls.inputs,
connections=cls.connections)
cls.policy_fixture.setUp()
cls.vn1_policy_fixture = VN_Policy_Fixture(
connections=cls.connections,
vn_name=cls.vn1_fixture.vn_name,
policy_obj={cls.vn1_fixture.vn_name :\
[cls.policy_fixture.policy_obj]},
vn_obj={cls.vn1_fixture.vn_name : cls.vn1_fixture},
vn_policys=['policyTestQos'],
project_name=cls.project.project_name)
cls.vn1_policy_fixture.setUp()
cls.vn2_policy_fixture = VN_Policy_Fixture(
connections=cls.connections,
vn_name=cls.vn2_fixture.vn_name,
policy_obj={cls.vn2_fixture.vn_name : \
[cls.policy_fixture.policy_obj]},
vn_obj={cls.vn2_fixture.vn_name : cls.vn2_fixture},
vn_policys=['policyTestQos'],
project_name=cls.project.project_name)
cls.vn2_policy_fixture.setUp()
def test_config_add_change_while_control_nodes_go_down(self):
"""Tests related to configuration add, change, and delete while switching from normal mode
to headless and back i.e. control nodes go down and come online."""
if len(self.inputs.compute_ips) < 2:
raise unittest.SkipTest("This test needs atleast 2 compute nodes.")
else:
self.logger.info(
"Required resources are in place to run the test.")
result = True
topology_class_name = None
self.compute_fixture_dict = {}
for each_compute in self.inputs.compute_ips:
self.compute_fixture_dict[each_compute] = self.useFixture(
ComputeNodeFixture(connections=self.connections,
node_ip=each_compute,
username=self.inputs.username,
password=self.inputs.password))
mode = self.compute_fixture_dict[
each_compute].get_agent_headless_mode()
if mode is False:
self.compute_fixture_dict[
each_compute].set_agent_headless_mode()
#
# Get config for test from topology
result = True
msg = []
if not topology_class_name:
topology_class_name = test_headless_vrouter_topo.sdn_headless_vrouter_topo
self.logger.info("Scenario for the test used is: %s" %
(topology_class_name))
#
# Create a list of compute node IP's and pass it to topo if you want to pin
# a vm to a particular node
topo_obj = topology_class_name(
compute_node_list=self.inputs.compute_ips)
#
# Test setup: Configure policy, VN, & VM
# return {'result':result, 'msg': err_msg, 'data': [self.topo, config_topo]}
# Returned topo is of following format:
# config_topo= {'policy': policy_fixt, 'vn': vn_fixture, 'vm': vm_fixture}
topo = {}
topo_objs = {}
config_topo = {}
setup_obj = self.useFixture(
sdnTopoSetupFixture(self.connections, topo_obj))
out = setup_obj.sdn_topo_setup()
self.assertEqual(out['result'], True, out['msg'])
if out['result']:
topo_objs, config_topo, vm_fip_info = out['data']
# Start Test
proj = config_topo.keys()
vms = config_topo[proj[0]]['vm'].keys()
src_vm = config_topo[proj[0]]['vm'][vms[0]]
dest_vm = config_topo[proj[0]]['vm'][vms[1]]
flow_cache_timeout = 180
# Setup Traffic.
stream = Stream(protocol="ip",
proto="icmp",
src=src_vm.vm_ip,
dst=dest_vm.vm_ip)
profile = ContinuousProfile(stream=stream, count=0, capfilter="icmp")
tx_vm_node_ip = src_vm.vm_node_ip
rx_vm_node_ip = dest_vm.vm_node_ip
tx_local_host = Host(tx_vm_node_ip, self.inputs.username,
self.inputs.password)
rx_local_host = Host(rx_vm_node_ip, self.inputs.username,
self.inputs.password)
send_host = Host(src_vm.local_ip, src_vm.vm_username,
src_vm.vm_password)
recv_host = Host(dest_vm.local_ip, dest_vm.vm_username,
dest_vm.vm_password)
sender = Sender("icmp", profile, tx_local_host, send_host,
self.inputs.logger)
receiver = Receiver("icmp", profile, rx_local_host, recv_host,
self.inputs.logger)
receiver.start()
sender.start()
self.logger.info("Waiting for 5 sec for traffic to be setup ...")
time.sleep(5)
#self.start_ping(src_vm, dest_vm)
flow_index_list = headless_vr_utils.get_flow_index_list(
self, src_vm, dest_vm)
headless_vr_utils.stop_all_control_services(self)
self.addCleanup(self.inputs.start_service,
'contrail-control',
self.inputs.bgp_ips,
container='control')
time.sleep(10)
headless_vr_utils.check_through_tcpdump(self, dest_vm, src_vm)
flow_index_list2 = headless_vr_utils.get_flow_index_list(
self, src_vm, dest_vm)
if set(flow_index_list) == set(flow_index_list2):
self.logger.info("Flow indexes have not changed.")
else:
self.logger.error(
"Flow indexes have changed. Test Failed, Exiting")
return False
receiver.stop()
sender.stop()
project1_instance = config_topo['project1']['project']['project1']
project1_instance.get_project_connections()
vnet2_instance = config_topo['project1']['vn']['vnet2']
# add VM to existing VN
VM22_fixture = self.useFixture(
VMFixture(
connections=project1_instance.project_connections['juniper'],
vn_obj=vnet2_instance.obj,
vm_name='VM22',
project_name=project1_instance.project_name))
# create new IPAM
ipam3_obj = self.useFixture(
IPAMFixture(project_obj=project1_instance, name='ipam3'))
ipam4_obj = self.useFixture(
IPAMFixture(project_obj=project1_instance, name='ipam4'))
# create new VN
VN3_fixture = self.useFixture(
VNFixture(
project_name=project1_instance.project_name,
connections=project1_instance.project_connections['juniper'],
vn_name='VN3',
inputs=project1_instance.inputs,
subnets=['10.3.1.0/24'],
ipam_fq_name=ipam3_obj.fq_name))
VN4_fixture = self.useFixture(
VNFixture(
project_name=project1_instance.project_name,
connections=project1_instance.project_connections['juniper'],
vn_name='VN4',
inputs=project1_instance.inputs,
subnets=['10.4.1.0/24'],
ipam_fq_name=ipam4_obj.fq_name))
# create policy
policy_name = 'policy34'
rules = []
rules = [{
'direction': '<>',
'protocol': 'icmp',
'dest_network': VN4_fixture.vn_fq_name,
'source_network': VN3_fixture.vn_fq_name,
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}, {
'direction': '<>',
'protocol': 'icmp',
'dest_network': VN3_fixture.vn_fq_name,
'source_network': VN4_fixture.vn_fq_name,
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}]
policy34_fixture = self.useFixture(
PolicyFixture(
policy_name=policy_name,
rules_list=rules,
inputs=project1_instance.inputs,
connections=project1_instance.project_connections['juniper'],
project_fixture=project1_instance))
# create VN to policy mapping in a dict of policy list.
vn_policys = {
VN3_fixture.vn_name: [policy_name],
VN4_fixture.vn_name: [policy_name]
}
# create a policy object list of policies to be attached to a vm
policy_obj_dict = {}
policy_obj_dict[VN3_fixture.vn_name] = [policy34_fixture.policy_obj]
policy_obj_dict[VN4_fixture.vn_name] = [policy34_fixture.policy_obj]
# vn fixture dictionary.
vn_obj_dict = {}
vn_obj_dict[VN3_fixture.vn_name] = VN3_fixture
vn_obj_dict[VN4_fixture.vn_name] = VN4_fixture
# attach policy to VN
VN3_policy_fixture = self.useFixture(
VN_Policy_Fixture(
connections=project1_instance.project_connections['juniper'],
vn_name=VN3_fixture.vn_name,
policy_obj=policy_obj_dict,
vn_obj=vn_obj_dict,
vn_policys=vn_policys[VN3_fixture.vn_name],
project_name=project1_instance.project_name))
VN4_policy_fixture = self.useFixture(
VN_Policy_Fixture(
connections=project1_instance.project_connections['juniper'],
vn_name=VN4_fixture.vn_name,
policy_obj=policy_obj_dict,
vn_obj=vn_obj_dict,
vn_policys=vn_policys[VN4_fixture.vn_name],
project_name=project1_instance.project_name))
# add VM to new VN
VM31_fixture = self.useFixture(
VMFixture(
connections=project1_instance.project_connections['juniper'],
vn_obj=VN3_fixture.obj,
vm_name='VM31',
project_name=project1_instance.project_name))
VM41_fixture = self.useFixture(
VMFixture(
connections=project1_instance.project_connections['juniper'],
vn_obj=VN4_fixture.obj,
vm_name='VM41',
project_name=project1_instance.project_name))
# verification routines.
test_flag = 0
if ((VN3_fixture.verify_vn_in_api_server())
and (VN3_fixture.verify_vn_not_in_agent())
and (VN3_fixture.verify_vn_policy_in_api_server()['result'])):
self.logger.info(
"Verification of VN3 PASSED while control nodes down.")
else:
self.logger.error(
"Verification of VN3 FAILED while control nodes down.")
test_flag = 1
if ((VN4_fixture.verify_vn_in_api_server())
and (VN4_fixture.verify_vn_not_in_agent())
and (VN4_fixture.verify_vn_policy_in_api_server()['result'])):
self.logger.info(
"Verification of VN4 PASSED while control nodes down.")
else:
self.logger.error(
"Verification of VN4 FAILED while control nodes down.")
test_flag = 1
if ((VM22_fixture.verify_vm_launched())
and (VM22_fixture.verify_vm_in_api_server())):
self.logger.info(
"Verification of VM22 PASSED while control nodes down.")
else:
self.logger.error(
"Verification of VM22 FAILED while control nodes down.")
test_flag = 1
if ((VM31_fixture.verify_vm_launched())
and (VM31_fixture.verify_vm_in_api_server())):
self.logger.info(
"Verification of VM31 PASSED while control nodes down.")
else:
self.logger.error(
"Verification of VM31 FAILED while control nodes down.")
test_flag = 1
if ((VM41_fixture.verify_vm_launched())
and (VM41_fixture.verify_vm_in_api_server())):
self.logger.info(
"Verification of VM41 PASSED while control nodes down.")
else:
self.logger.error(
"Verification of VM41 FAILED while control nodes down.")
test_flag = 1
# start all control services.
headless_vr_utils.start_all_control_services(self)
# if something went wrong in the controller down state bail out here.
if test_flag == 1:
self.logger.error(
"Verifications and Test failed while the controllers were down in \
headless state of agent. Check earlier error logs"
)
return False
# wait for 3 to 5 sec for configuration sync from control nodes to the
# agents.
time.sleep(5)
# wait till VM's are up.
VM22_fixture.wait_till_vm_is_up()
VM31_fixture.wait_till_vm_is_up()
VM41_fixture.wait_till_vm_is_up()
# verify vm config gets downloaded to the agents.
if ((VM22_fixture.verify_vm_in_agent())
and (VM31_fixture.verify_vm_in_agent())
and (VM41_fixture.verify_vm_in_agent())):
self.logger.info("VM verification on the agent PASSED")
else:
self.logger.error("VM verification on the agent FAILED")
return False
# check ping success between the two VM's
assert config_topo['project1']['vm']['VM11'].ping_with_certainty(
VM22_fixture.vm_ip, expectation=True)
assert VM31_fixture.ping_with_certainty(VM41_fixture.vm_ip,
expectation=True)
assert VM41_fixture.ping_with_certainty(VM31_fixture.vm_ip,
expectation=True)
# verification routines.
if ((VN3_fixture.verify_on_setup()) and (VN4_fixture.verify_on_setup())
and (VM22_fixture.verify_on_setup())
and (VM31_fixture.verify_on_setup())
and (VM41_fixture.verify_on_setup())):
self.logger.info(
"All verifications passed after controllers came up in headless agent mode"
)
else:
self.logger.error(
"Verifications FAILED after controllers came up in headless agent mode"
)
return False
return True
def setUpClass(cls):
super(TestQosSVCBase, cls).setUpClass()
if_list = [['left', False, False], ['right', False, False]]
cls.st_fixture = SvcTemplateFixture(connections=cls.connections,
inputs=cls.inputs,
domain_name=cls.inputs.domain_name,
st_name="service_template",
svc_img_name='ubuntu-in-net',
svc_type='firewall',
if_list=if_list,
svc_mode='in-network',
svc_scaling=False,
flavor='contrail_flavor_2cpu',
ordered_interfaces=True,
availability_zone_enable=True)
cls.st_fixture.setUp()
cls.si_fixture = SvcInstanceFixture(
connections=cls.connections,
inputs=cls.inputs,
domain_name=cls.inputs.domain_name,
project_name=cls.inputs.project_name,
si_name="service_instance",
svc_template=cls.st_fixture.st_obj,
if_list=if_list,
left_vn_name=cls.vn1_fixture.vn_fq_name,
right_vn_name=cls.vn2_fixture.vn_fq_name,
do_verify=True,
max_inst=1,
static_route=['None', 'None', 'None'],
availability_zone="nova:" + cls.inputs.compute_names[0])
cls.si_fixture.setUp()
cls.si_fixture.verify_on_setup()
cls.action_list = [":".join(cls.si_fixture.si_fq_name)]
rules = [{
'direction': '<>',
'protocol': 'any',
'dest_network': cls.vn2_fixture.vn_name,
'source_network': cls.vn1_fixture.vn_name,
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any',
'action_list': {
'apply_service': cls.action_list
}
}]
cls.policy_fixture = PolicyFixture(policy_name='policyTestQos',
rules_list=rules,
inputs=cls.inputs,
connections=cls.connections)
cls.policy_fixture.setUp()
cls.vn1_policy_fixture = VN_Policy_Fixture(
connections=cls.connections,
vn_name=cls.vn1_fixture.vn_name,
policy_obj={cls.vn1_fixture.vn_name :\
[cls.policy_fixture.policy_obj]},
vn_obj={cls.vn1_fixture.vn_name : cls.vn1_fixture},
vn_policys=['policyTestQos'],
project_name=cls.project.project_name)
cls.vn1_policy_fixture.setUp()
cls.vn2_policy_fixture = VN_Policy_Fixture(
connections=cls.connections,
vn_name=cls.vn2_fixture.vn_name,
policy_obj={cls.vn2_fixture.vn_name : \
[cls.policy_fixture.policy_obj]},
vn_obj={cls.vn2_fixture.vn_name : cls.vn2_fixture},
vn_policys=['policyTestQos'],
project_name=cls.project.project_name)
cls.vn2_policy_fixture.setUp()
def test_multicast_policy(self):
'''
VM1 ,VM2 and VM3 in different compute nodes.
Add multicast policy to block multicast traffic.On applying policy multicast traffic should be discarded.
On removing policy multicast traffic should be allowed.
'''
result = True
vxlan = random.randrange(400, 405)
vm_fixtures = self.configure_evpn_topology(vxlan)
vm_fixtures['vrf'] = vm_fixtures['vm1']
bms_fixture = vm_fixtures['bms']
vn1_fixture = vm_fixtures['vn1']
interface = bms_fixture.get_mvi_interface()
bms_fixture.config_mroute(interface, '225.1.1.1', '255.255.255.255')
bms_fixture.config_mroute(interface, '225.1.1.2', '255.255.255.255')
#1 Add multicast policy to block multicast traffic.On applying policy multicast traffic should be discarded
#############################################################################################################
name = 'policy1'
pol1 = [{'action': 'deny', 'source': '0.0.0.0', 'group': '225.1.1.1'}]
pol2 = [{'action': 'pass', 'source': '0.0.0.0', 'group': '225.1.1.2'}]
policy_obj = self.useFixture(
MulticastPolicyFixture(name=name,
policy=pol1,
connections=self.connections))
self.logger.info('!!!!!!!!!!!!!!!!!!!!! uuid is %s ' %
(policy_obj.uuid))
name2 = 'policy2'
policy_obj2 = self.useFixture(
MulticastPolicyFixture(name=name2,
policy=pol2,
connections=self.connections))
self.logger.info('!!!!!!!!!!!!!!!!!!!!! uuid is %s ' %
(policy_obj2.uuid))
# attach policy to VN
VN1_policy_fixture = self.useFixture(
VN_Policy_Fixture(
connections=self.connections,
vn_name=vn1_fixture.vn_name,
policy_obj={vn1_fixture.vn_name : \
[policy_obj,policy_obj2]},
vn_obj={vn1_fixture.vn_name : vn1_fixture},
vn_policys=['policy1','policy2'],
project_name=self.project.project_name,options='contrail',type='multicast'))
self.logger.info(
'#1 Send igmp join from different groups , VM should get traffic only form subscribed groups'
)
igmp = {
'type': 22, # IGMPv3 Report
'numgrp': 1, # Number of group records
'gaddr': '225.1.1.1' # Multicast group address
}
self.send_igmp_reportv2(vm_fixtures['vm1'], igmp)
self.send_igmp_reportv2(vm_fixtures['vm2'], igmp)
self.send_igmp_reportv2(vm_fixtures['vm3'], igmp)
time.sleep(5)
traffic = {
'stream1': {
'src': ['bms'], # Multicast source
'rcvrs': [], # Multicast receivers
'non_rcvrs': ['vm1', 'vm2', 'vm3'], # Non Multicast receivers
'maddr': '225.1.1.1', # Multicast group address
'mnet': '225.1.1.1/32', # Multicast group address
'source': bms_fixture.bms_ip, # Multicast group address
'pcount': 10, # Num of packets
'count': 1 # Num of packets
}
}
result = result & self.send_verify_mcast_traffic(
vm_fixtures, traffic, igmp, vxlan, False)
if result:
self.logger.info('Multicast entry removed after timeout')
else:
self.logger.info('Multicast entry seen after timeout')
assert result, "Error Multicast entry seen after timeout"
igmp = {
'type': 22, # IGMPv3 Report
'numgrp': 1, # Number of group records
'gaddr': '225.1.1.2' # Multicast group address
}
traffic = {
'stream1': {
'src': ['bms'], # Multicast source
'rcvrs': ['vm1', 'vm2', 'vm3'], # Multicast receivers
'non_rcvrs': [], # Non Multicast receivers
'maddr': '225.1.1.2', # Multicast group address
'mnet': '225.1.1.2/32', # Multicast group address
'source': bms_fixture.bms_ip, # Multicast group address
'pcount': 10, # Num of packets
'count': 1 # Num of packets
}
}
# Send and verify IGMP reports and multicast traffic
result = result & self.send_verify_mcastv2(vm_fixtures, traffic, igmp,
vxlan)
#2 On removing policy multicast traffic should be allowed.
#######################################################################################
self.logger.info('#2 Detach policy from VN--------------.')
VN1_policy_fixture.detach_Policy_VN()
time.sleep(60)
igmp = {
'type': 22, # IGMPv3 Report
'numgrp': 1, # Number of group records
'gaddr': '225.1.1.1' # Multicast group address
}
traffic = {
'stream1': {
'src': ['bms'], # Multicast source
'rcvrs': ['vm1', 'vm2', 'vm3'], # Multicast receivers
'non_rcvrs': [], # Non Multicast receivers
'maddr': '225.1.1.1', # Multicast group address
'mnet': '225.1.1.1/32', # Multicast group address
'source': bms_fixture.bms_ip, # Multicast group address
'pcount': 10, # Num of packets
'count': 1 # Num of packets
}
}
# Send and verify IGMP reports and multicast traffic
result = result & self.send_verify_mcastv2(vm_fixtures, traffic, igmp,
vxlan)
return result
def _create_resources(self,
test_type='intra-node',
no_of_client=1,
no_of_server=1,
session_export_rate=-1):
'''
test_type: can be intra-node or inter-node
'''
compute_hosts = self.orch.get_hosts()
if (len(compute_hosts) < 2) and (test_type == 'inter-node'):
raise self.skipTest("Skipping test case,\
this test needs atleast 2 compute nodes")
self.setup_flow_export_rate(session_export_rate)
node_name1 = compute_hosts[0]
node_ip1 = self.inputs.compute_info[node_name1]
node_name2 = compute_hosts[0]
node_ip2 = self.inputs.compute_info[node_name2]
if test_type == 'inter-node':
node_name2 = compute_hosts[1]
node_ip2 = self.inputs.compute_info[node_name2]
self.vn_fixtures = self.create_vns(count=2)
self.verify_vns(self.vn_fixtures)
self.vn1_fixture = self.vn_fixtures[0]
self.vn2_fixture = self.vn_fixtures[1]
self.client_fixtures = self.create_vms(vn_fixture=self.vn1_fixture,
count=no_of_client,
node_name=node_name1,
image_name='ubuntu-traffic')
self.server_fixtures = self.create_vms(vn_fixture=self.vn2_fixture,
count=no_of_server,
node_name=node_name2,
image_name='ubuntu-traffic')
self.client_fixture = self.client_fixtures[0]
self.server_fixture = self.server_fixtures[0]
policy_name = 'policy1'
policy_rules = [{
'direction': '<>',
'simple_action': 'pass',
'protocol': 'any',
'source_network': self.vn1_fixture.vn_name,
'dest_network': self.vn2_fixture.vn_name,
}]
self.policy_fixture = self.useFixture(
PolicyFixture(policy_name=policy_name,
rules_list=policy_rules,
inputs=self.inputs,
connections=self.connections,
api=True))
vn1_policy_fixture = self.useFixture(
VN_Policy_Fixture(
connections=self.connections,
vn_name=self.vn1_fixture.vn_name,
policy_obj={self.vn1_fixture.vn_name : \
[self.policy_fixture.policy_obj]},
vn_obj={self.vn1_fixture.vn_name : self.vn1_fixture},
vn_policys=[policy_name],
project_name=self.project.project_name))
vn2_policy_fixture = self.useFixture(
VN_Policy_Fixture(
connections=self.connections,
vn_name=self.vn2_fixture.vn_name,
policy_obj={self.vn2_fixture.vn_name : \
[self.policy_fixture.policy_obj]},
vn_obj={self.vn2_fixture.vn_name : self.vn2_fixture},
vn_policys=[policy_name],
project_name=self.project.project_name))
self.verify_vms(self.client_fixtures + self.server_fixtures)
def test_policy_cidr_src_cidr_dst_any(self):
"""Test cases to test policy CIDR"""
"""Policy Rule :- source = CIDR, destination = ANY."""
"""Policy Rule :- source = ANY, destination = CIDR."""
result = True
# create Ipam and VN
self.setup_ipam_vn()
VN1_subnet = self.VN1_fixture.get_cidrs()[0]
VN2_subnet = self.VN2_fixture.get_cidrs()[0]
# create policy
policy_name = 'policy12'
rules = []
rules = [{
'direction': '<>',
'protocol': 'icmp',
'dest_network': 'any',
'source_subnet': VN1_subnet,
'dst_ports': 'any',
'simple_action': 'deny',
'src_ports': 'any'
}, {
'direction': '<>',
'protocol': 'any',
'dest_network': 'VN2',
'source_network': 'VN1',
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}]
policy12_fixture = self.useFixture(
PolicyFixture(policy_name=policy_name,
rules_list=rules,
inputs=self.inputs,
connections=self.connections))
policy_name = 'policy21'
rules = []
rules = [{
'direction': '<>',
'protocol': 'icmp',
'dest_subnet': VN1_subnet,
'source_network': 'any',
'dst_ports': 'any',
'simple_action': 'deny',
'src_ports': 'any'
}, {
'direction': '<>',
'protocol': 'any',
'dest_network': 'VN1',
'source_network': 'VN2',
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}]
policy21_fixture = self.useFixture(
PolicyFixture(policy_name=policy_name,
rules_list=rules,
inputs=self.inputs,
connections=self.connections))
# attach policy to VN
VN1_policy_fixture = self.useFixture(
VN_Policy_Fixture(
connections=self.connections,
vn_name=self.VN1_fixture.vn_name,
policy_obj={
self.VN1_fixture.vn_name: [policy12_fixture.policy_obj]
},
vn_obj={self.VN1_fixture.vn_name: self.VN1_fixture},
vn_policys=['policy12'],
project_name=self.project.project_name))
VN2_policy_fixture = self.useFixture(
VN_Policy_Fixture(
connections=self.connections,
vn_name=self.VN2_fixture.vn_name,
policy_obj={
self.VN2_fixture.vn_name: [policy21_fixture.policy_obj]
},
vn_obj={self.VN2_fixture.vn_name: self.VN2_fixture},
vn_policys=['policy21'],
project_name=self.project.project_name))
# create VM
self.setup_vm()
ret1 = self.VM11_fixture.ping_with_certainty(self.VM21_fixture.vm_ip, \
expectation=False)
ret2 = self.VM21_fixture.ping_with_certainty(self.VM11_fixture.vm_ip, \
expectation=False)
if ((ret1 == True) and (ret2 == True)):
cmd = "flow -l | grep %s -A1 | grep %s -A1 " % (
self.VM11_fixture.vm_ip, self.VM21_fixture.vm_ip)
cmd = cmd + "| grep 'Action:D(Policy)' | wc -l"
flow_record = self.inputs.run_cmd_on_server(
self.VM11_fixture.vm_node_ip, cmd, self.inputs.host_data[
self.VM11_fixture.vm_node_ip]['username'],
self.inputs.host_data[
self.VM11_fixture.vm_node_ip]['password'])
if flow_record > 0:
self.logger.info("Found %s matching flows" % flow_record)
self.logger.info("Test with src as CIDR and dst as ANY PASSED")
else:
result = False
self.logger.error(
"Test with src as CIDR and dst as ANY FAILED")
else:
result = False
self.logger.error("Test with src as CIDR and dst as ANY FAILED")
return result
def test_policy_inheritance_src_vn_dst_pol(self):
"""Test cases to test policy inheritance"""
"""Policy Rule :- source = VN, destination = policy."""
result = True
# create Ipam and VN
self.setup_ipam_vn()
# create policy
policy_name = 'policy12'
rules = []
rules = [{
'direction': '<>',
'protocol': 'icmp',
'dest_network': 'VN2',
'source_network': 'VN1',
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}]
policy12_fixture = self.useFixture(
PolicyFixture(policy_name=policy_name,
rules_list=rules,
inputs=self.inputs,
connections=self.connections))
policy_name = 'policy21'
rules = []
rules = [{
'direction': '<>',
'protocol': 'icmp',
'dest_policy': 'policy13',
'source_network': 'VN2',
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}]
policy21_fixture = self.useFixture(
PolicyFixture(policy_name=policy_name,
rules_list=rules,
inputs=self.inputs,
connections=self.connections))
policy_name = 'policy13'
rules = []
rules = [{
'direction': '<>',
'protocol': 'any',
'dest_network': 'VN3',
'source_network': 'VN1',
'dst_ports': 'any',
'simple_action': 'deny',
'src_ports': 'any'
}]
policy13_fixture = self.useFixture(
PolicyFixture(policy_name=policy_name,
rules_list=rules,
inputs=self.inputs,
connections=self.connections))
# attach policy to VN
VN1_policy_fixture = self.useFixture(
VN_Policy_Fixture(
connections=self.connections,
vn_name=self.VN1_fixture.vn_name,
policy_obj={self.VN1_fixture.vn_name : \
[policy12_fixture.policy_obj, \
policy13_fixture.policy_obj]},
vn_obj={self.VN1_fixture.vn_name : self.VN1_fixture},
vn_policys=['policy12','policy13'],
project_name=self.project.project_name))
VN2_policy_fixture = self.useFixture(
VN_Policy_Fixture(
connections=self.connections,
vn_name=self.VN2_fixture.vn_name,
policy_obj={
self.VN2_fixture.vn_name: [policy21_fixture.policy_obj]
},
vn_obj={self.VN2_fixture.vn_name: self.VN2_fixture},
vn_policys=['policy21'],
project_name=self.project.project_name))
# create VM
self.setup_vm()
ret = self.VM11_fixture.ping_with_certainty(self.VM21_fixture.vm_ip, \
expectation=True)
if ret == True:
self.logger.info("Test with src as VN and dst as policy PASSED")
else:
result = False
self.logger.error("Test with src as VN and dst as policy FAILED")
return result
def test_policy_cidr_src_cidr_dst_cidr(self):
"""Test cases to test policy CIDR"""
"""Policy1 Rule :- source = CIDR-VM11, destination = CIDR-VM12."""
"""Policy2 Rule :- source = CIDR-VM11, destination = CIDR-VM21."""
result = True
# create Ipam and VN
self.setup_ipam_vn()
VN1_subnet = self.VN1_fixture.get_cidrs()[0]
VN2_subnet = self.VN2_fixture.get_cidrs()[0]
VN3_subnet = self.VN3_fixture.get_cidrs()[0]
# create VM
self.setup_vm()
self.VM12_fixture = self.useFixture(
VMFixture(connections=self.connections,
vn_obj=self.VN1_fixture.obj,
vm_name='VM12',
project_name=self.project.project_name))
self.VM12_fixture.wait_till_vm_is_up()
#Check initial connectivity without policies in place.
ret = self.VM11_fixture.ping_with_certainty(self.VM12_fixture.vm_ip, \
expectation=True)
if ret == True:
self.logger.info("ICMP traffic is allowed between VMs in same VN")
else:
result = False
self.logger.error(
"ICMP traffic is not allowed between VMs in same VN, which is wrong"
)
ret = self.VM11_fixture.ping_with_certainty(self.VM21_fixture.vm_ip, \
expectation=False)
if ret == True:
self.logger.info(
"ICMP traffic is not allowed between VMs accross VNs")
else:
result = False
self.logger.error(
"ICMP traffic is allowed between VMs accross VNs, which is wrong"
)
if result == False:
return result
#get the VM IP Addresses with 32 bit mask in cidr format.
vm11_ip = self.VM11_fixture.vm_ip + '/32'
vm12_ip = self.VM12_fixture.vm_ip + '/32'
vm21_ip = self.VM21_fixture.vm_ip + '/32'
# create policy
policy_name = 'policy1112'
rules = []
rules = [{
'direction': '<>',
'protocol': 'icmp',
'dest_subnet': vm12_ip,
'source_subnet': vm11_ip,
'dst_ports': 'any',
'simple_action': 'deny',
'src_ports': 'any'
}, {
'direction': '<>',
'protocol': 'any',
'dest_network': 'VN1',
'source_network': 'VN1',
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}]
policy1112_fixture = self.useFixture(
PolicyFixture(policy_name=policy_name,
rules_list=rules,
inputs=self.inputs,
connections=self.connections))
policy_name = 'policy1211'
rules = []
rules = [{
'direction': '<>',
'protocol': 'icmp',
'dest_subnet': vm11_ip,
'source_subnet': vm12_ip,
'dst_ports': 'any',
'simple_action': 'deny',
'src_ports': 'any'
}, {
'direction': '<>',
'protocol': 'any',
'dest_network': 'VN1',
'source_network': 'VN1',
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}]
policy1211_fixture = self.useFixture(
PolicyFixture(policy_name=policy_name,
rules_list=rules,
inputs=self.inputs,
connections=self.connections))
policy_name = 'policy1121'
rules = []
rules = [{
'direction': '<>',
'protocol': 'icmp',
'dest_subnet': vm21_ip,
'source_subnet': vm11_ip,
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}, {
'direction': '<>',
'protocol': 'any',
'dest_network': 'VN2',
'source_network': 'VN1',
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}]
policy1121_fixture = self.useFixture(
PolicyFixture(policy_name=policy_name,
rules_list=rules,
inputs=self.inputs,
connections=self.connections))
policy_name = 'policy2111'
rules = []
rules = [{
'direction': '<>',
'protocol': 'icmp',
'dest_subnet': vm11_ip,
'source_subnet': vm21_ip,
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}, {
'direction': '<>',
'protocol': 'any',
'dest_network': 'VN1',
'source_network': 'VN2',
'dst_ports': 'any',
'simple_action': 'pass',
'src_ports': 'any'
}]
policy2111_fixture = self.useFixture(
PolicyFixture(policy_name=policy_name,
rules_list=rules,
inputs=self.inputs,
connections=self.connections))
# attach policy to VN
VN1_policy_fixture = self.useFixture(
VN_Policy_Fixture(
connections=self.connections,
vn_name=self.VN1_fixture.vn_name,
policy_obj={self.VN1_fixture.vn_name : \
[policy1112_fixture.policy_obj, \
policy1211_fixture.policy_obj, \
policy1121_fixture.policy_obj]},
vn_obj={self.VN1_fixture.vn_name : self.VN1_fixture},
vn_policys=['policy1112','policy1211','policy1121'],
project_name=self.project.project_name))
VN2_policy_fixture = self.useFixture(
VN_Policy_Fixture(
connections=self.connections,
vn_name=self.VN2_fixture.vn_name,
policy_obj={self.VN2_fixture.vn_name : \
[policy2111_fixture.policy_obj]},
vn_obj={self.VN2_fixture.vn_name : self.VN2_fixture},
vn_policys=['policy2111'],
project_name=self.project.project_name))
#Test traffic with the policies having cidr as src and dst,
#attached to the respective networks.
ret = self.VM11_fixture.ping_with_certainty(self.VM12_fixture.vm_ip, \
expectation=False)
if ret == True:
cmd = "flow -l | grep %s -A1 | grep %s -A1 " % (
self.VM11_fixture.vm_ip, self.VM12_fixture.vm_ip)
cmd = cmd + "| grep 'Action:D(Policy)' | wc -l"
flow_record = self.inputs.run_cmd_on_server(
self.VM11_fixture.vm_node_ip, cmd, self.inputs.host_data[
self.VM11_fixture.vm_node_ip]['username'],
self.inputs.host_data[
self.VM11_fixture.vm_node_ip]['password'])
if flow_record > 0:
self.logger.info(
"ICMP traffic is not allowed between VM11 and VM12, by policy1112 and policy1211."
)
self.logger.info("Above test Passed.")
else:
result = False
self.logger.error(
"ICMP traffic is not allowed between VM11 and VM12, by policy1112 and policy1211."
)
self.logger.error("Above test Failed.")
else:
result = False
self.logger.error(
"ICMP traffic is not allowed between VM11 and VM12, by policy1112 and policy1211."
)
self.logger.error("Above test Failed.")
ret = False
flow_record = 0
ret = self.VM11_fixture.ping_with_certainty(self.VM21_fixture.vm_ip, \
expectation=True)
if ret == True:
cmd = "flow -l | grep %s -A1 | grep %s -A1 " % (
self.VM11_fixture.vm_ip, self.VM21_fixture.vm_ip)
cmd = cmd + "| grep 'Action:F' | wc -l"
flow_record = self.inputs.run_cmd_on_server(
self.VM11_fixture.vm_node_ip, cmd, self.inputs.host_data[
self.VM11_fixture.vm_node_ip]['username'],
self.inputs.host_data[
self.VM11_fixture.vm_node_ip]['password'])
if flow_record > 0:
self.logger.info(
"ICMP traffic is allowed between VM11 and VM21, by policy1121 and policy2111."
)
self.logger.info("Above test Passed.")
else:
result = False
self.logger.error(
"ICMP traffic is allowed between VM11 and VM21, by policy1121 and policy2111."
)
self.logger.error("Above test Failed.")
else:
result = False
self.logger.error(
"ICMP traffic is allowed between VM11 and VM21, by policy1121 and policy2111."
)
self.logger.error("Above test Failed.")
if result == False:
return result
return result
