def check_eip_denied_tcp(self):
if not self.denied_vr_ip:
test_util.test_logger('No denied vm for eip testing. Skip EIP deined TCP checking')
return True
vip = self.test_obj.get_vip()
vip_ip = vip.ip
eip_obj = self.test_obj.get_eip()
eip = eip_obj.get_eip()
if not eip_obj.get_target_vm():
#eip is not attached yet. use vip's VR vm
l3_uuid = self.test_obj.get_vip().l3NetworkUuid
target_vm = test_lib.lib_find_vr_by_l3_uuid(l3_uuid)[0]
else:
target_vm = eip_obj.get_target_vm().vm
all_ports = port_header.all_ports
try:
test_lib.lib_check_ports_in_a_command(self.denied_vr, self.denied_vr_ip, vip_ip, [], all_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Unexpected Result: Catch failure when checking [vip:] %s EIP: %s for denied ip: %s from [vm:] %s. All ports should be denied." % \
(vip.uuid, eip.uuid, self.denied_vr_ip, self.denied_vr.uuid))
return False
test_util.test_logger("Expected Result: Network checking pass for [vip:] %s EIP: %s by denied ip: %s from [vm:] %s . " % \
(vip.uuid, eip.uuid, self.denied_vr_ip, self.denied_vr.uuid))
return True
def check_denied_pf(self, pf):
pf_rule = pf.get_port_forwarding()
test_result = True
all_ports = port_header.all_ports
#all pf with same vip should have same l3.
allowed_ports = []
denied_ports = all_ports
if not pf.get_target_vm():
#Pf is not attached, use vip's VR VM. This wont' impact testing result.
l3_uuid = self.test_obj.get_vip().l3NetworkUuid
target_vm = test_lib.lib_find_vr_by_l3_uuid(l3_uuid)[0]
vm_nic_uuid = None
else:
target_vm = pf.get_target_vm().vm
vm_nic_uuid = pf_rule.vmNicUuid
allowedCidr = pf_rule.allowedCidr
allowed_vr_ip = allowedCidr.split('/')[0]
allowed_vr_vm, denied_vr_vm = \
self.get_allowed_denied_vr_vm(allowed_vr_ip, vm_nic_uuid)
vipIp = self.test_obj.get_vip().ip
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm, \
allowed_vr_ip, vipIp, allowed_ports, \
denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCP [rules] for allowed Cidr: %s from [vm:] %s . " % \
(self.test_obj.get_vip().uuid, allowed_vr_ip, \
allowed_vr_vm.uuid))
test_result = False
return test_result
def check_denied_pf(self, pf):
pf_rule = pf.get_port_forwarding()
test_result = True
all_ports = port_header.all_ports
#all pf with same vip should have same l3.
allowed_ports = []
denied_ports = all_ports
if not pf.get_target_vm():
#Pf is not attached, use vip's VR VM. This wont' impact testing result.
l3_uuid = self.test_obj.get_vip().l3NetworkUuid
target_vm = test_lib.lib_find_vr_by_l3_uuid(l3_uuid)[0]
vm_nic_uuid = None
else:
target_vm = pf.get_target_vm().vm
vm_nic_uuid = pf_rule.vmNicUuid
allowedCidr = pf_rule.allowedCidr
allowed_vr_ip = allowedCidr.split('/')[0]
allowed_vr_vm, denied_vr_vm = \
self.get_allowed_denied_vr_vm(allowed_vr_ip, vm_nic_uuid)
vipIp = self.test_obj.get_vip().ip
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm, \
allowed_vr_ip, vipIp, allowed_ports, \
denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCP [rules] for allowed Cidr: %s from [vm:] %s . " % \
(self.test_obj.get_vip().uuid, allowed_vr_ip, \
allowed_vr_vm.uuid))
test_result = False
return test_result
def test():
flavor = case_flavor[os.environ.get('CASE_FLAVOR')]
test_util.test_dsc("create vpc vrouter and attach vpc l3 to vpc")
for vpc_name in vpc_name_list:
vr_list.append(test_stub.create_vpc_vrouter(vpc_name))
for vr, l3_list in izip(vr_list, vpc_l3_list):
test_stub.attach_l3_to_vpc_vr(vr, l3_list)
test_util.test_dsc("create two vm, vm1 in l3 {}, vm2 in l3 {}".format(
flavor['vm1l3'], flavor['vm2l3']))
vm1, vm2 = [
test_stub.create_vm_with_random_offering(
vm_name='vpc_vm_{}'.format(name), l3_name=name)
for name in (flavor['vm1l3'], flavor['vm2l3'])
]
[test_obj_dict.add_vm(vm) for vm in (vm1, vm2)]
[vm.check() for vm in (vm1, vm2)]
vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr_list[0].inv)
vip_list = []
for vm in (vm1, vm2):
test_util.test_dsc("Create vip for vm {}".format(vm.get_vm().name))
vip = test_stub.create_vip('vip_{}'.format(vm.get_vm().name),
vr_pub_nic.l3NetworkUuid)
test_obj_dict.add_vip(vip)
vip_list.append(vip)
test_util.test_dsc("Create eip for vm {}".format(vm.get_vm().name))
eip = test_stub.create_eip('eip_{}'.format(vm.get_vm().name),
vip_uuid=vip.get_vip().uuid)
vip.attach_eip(eip)
eip.attach(vm.get_vm().vmNics[0].uuid, vm)
vip.check()
vm.check()
for vm in (vm1, vm2):
vm.check()
vm1_inv, vm2_inv = [vm.get_vm() for vm in (vm1, vm2)]
vip1, vip2 = vip_list
test_util.test_dsc("test two vm EIP connectivity")
test_stub.run_command_in_vm(vm1_inv, 'iptables -F')
test_stub.run_command_in_vm(vm2_inv, 'iptables -F')
test_lib.lib_check_ping(vm1_inv, vip2.get_vip().ip)
test_lib.lib_check_ping(vm2_inv, vip1.get_vip().ip)
test_lib.lib_check_ports_in_a_command(vm1_inv,
vip1.get_vip().ip,
vip2.get_vip().ip, ["22"], [],
vm2_inv)
test_lib.lib_check_ports_in_a_command(vm2_inv,
vip2.get_vip().ip,
vip1.get_vip().ip, ["22"], [],
vm1_inv)
test_lib.lib_error_cleanup(test_obj_dict)
test_stub.remove_all_vpc_vrouter()
def check_tcp_between_vms(vm1, vm2, allowed_port_list, denied_port_list):
vm1_inv, vm2_inv = [vm.get_vm() for vm in (vm1, vm2)]
test_lib.lib_check_ports_in_a_command(vm1_inv, vm1_inv.vmNics[0].ip,
vm2_inv.vmNics[0].ip, allowed_port_list, denied_port_list, vm2_inv)
test_lib.lib_check_ports_in_a_command(vm2_inv, vm2_inv.vmNics[0].ip,
vm1_inv.vmNics[0].ip, allowed_port_list, denied_port_list, vm1_inv)
def check_eip_denied_tcp(self):
if not self.denied_vr_ip:
test_util.test_logger('No denied vm for eip testing. Skip EIP deined TCP checking')
return True
vip = self.test_obj.get_vip()
vip_ip = vip.ip
eip_obj = self.test_obj.get_eip()
eip = eip_obj.get_eip()
if not eip_obj.get_target_vm():
#eip is not attached yet. use vip's VR vm
l3_uuid = self.test_obj.get_vip().l3NetworkUuid
target_vm = test_lib.lib_find_vr_by_l3_uuid(l3_uuid)[0]
else:
target_vm = eip_obj.get_target_vm().vm
all_ports = port_header.all_ports
try:
test_lib.lib_check_ports_in_a_command(self.denied_vr, self.denied_vr_ip, vip_ip, [], all_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Unexpected Result: Catch failure when checking [vip:] %s EIP: %s for denied ip: %s from [vm:] %s. All ports should be denied." % \
(vip.uuid, eip.uuid, self.denied_vr_ip, self.denied_vr.uuid))
return False
test_util.test_logger("Expected Result: Network checking pass for [vip:] %s EIP: %s by denied ip: %s from [vm:] %s . " % \
(vip.uuid, eip.uuid, self.denied_vr_ip, self.denied_vr.uuid))
return True
def check_tcp_between_vms(vm1, vm2, allowed_port_list, denied_port_list):
vm1_inv, vm2_inv = [vm.get_vm() for vm in (vm1, vm2)]
test_lib.lib_check_ports_in_a_command(vm1_inv, vm1_inv.vmNics[0].ip,
vm2_inv.vmNics[0].ip, allowed_port_list, denied_port_list, vm2_inv)
test_lib.lib_check_ports_in_a_command(vm2_inv, vm2_inv.vmNics[0].ip,
vm1_inv.vmNics[0].ip, allowed_port_list, denied_port_list, vm1_inv)
def test():
flavor = case_flavor[os.environ.get('CASE_FLAVOR')]
test_util.test_dsc("create vpc vrouter and attach vpc l3 to vpc")
for vpc_name in vpc_name_list:
vr_list.append(test_stub.create_vpc_vrouter(vpc_name))
time.sleep(120) #waiting for vrouter boot up
for vr, l3_list in izip(vr_list, vpc_l3_list):
test_stub.attach_l3_to_vpc_vr(vr, l3_list)
test_util.test_dsc("create two vm, vm1 in l3 {}, vm2 in l3 {}".format(flavor['vm1l3'], flavor['vm2l3']))
vm1, vm2 = [test_stub.create_vm_with_random_offering(vm_name='vpc_vm_{}'.format(name), l3_name=name) for name in (flavor['vm1l3'], flavor['vm2l3'])]
[test_obj_dict.add_vm(vm) for vm in (vm1,vm2)]
[vm.check() for vm in (vm1,vm2)]
vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr_list[0].inv)
vip_list = []
for vm in (vm1, vm2):
test_util.test_dsc("Create vip for vm {}".format(vm.get_vm().name))
vip = test_stub.create_vip('vip_{}'.format(vm.get_vm().name), vr_pub_nic.l3NetworkUuid)
test_obj_dict.add_vip(vip)
vip_list.append(vip)
test_util.test_dsc("Create eip for vm {}".format(vm.get_vm().name))
eip = test_stub.create_eip('eip_{}'.format(vm.get_vm().name), vip_uuid=vip.get_vip().uuid)
vip.attach_eip(eip)
eip.attach(vm.get_vm().vmNics[0].uuid, vm)
time.sleep(10) #waiting for eip attach to vm
vip.check()
vm.check()
for vm in (vm1, vm2):
vm.check()
vm1_inv, vm2_inv = [vm.get_vm() for vm in (vm1, vm2)]
vip1, vip2 = vip_list
test_util.test_dsc("test two vm EIP connectivity")
test_stub.run_command_in_vm(vm1_inv, 'iptables -F')
test_stub.run_command_in_vm(vm2_inv, 'iptables -F')
test_lib.lib_check_ping(vm1_inv, vip2.get_vip().ip)
test_lib.lib_check_ping(vm2_inv, vip1.get_vip().ip)
test_lib.lib_check_ports_in_a_command(vm1_inv, vip1.get_vip().ip,
vip2.get_vip().ip, ["22"], [], vm2_inv)
test_lib.lib_check_ports_in_a_command(vm2_inv, vip2.get_vip().ip,
vip1.get_vip().ip, ["22"], [], vm1_inv)
def check_eip_allowed_tcp(self):
if not self.allowed_vr_ip:
test_util.test_logger('No allowed vm for eip testing. Skip EIP allowed TCP checking')
return True
vip = self.test_obj.get_vip()
vip_ip = vip.ip
eip = self.test_obj.get_eip().get_eip()
target_vm = self.test_obj.get_eip().get_target_vm().vm
try:
test_lib.lib_check_ports_in_a_command(self.allowed_vr, self.allowed_vr_ip, vip_ip, self.allowed_ports, self.denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Unexpected Result: Catch failure when checking [vip:] %s EIP: %s for allowed ip: %s from [vm:] %s . " % \
(vip.uuid, eip.uuid, self.allowed_vr_ip, self.allowed_vr.uuid))
return False
test_util.test_logger("Expected Result: Network checking pass for [vip:] %s EIP: %s by allowed ip: %s from [vm:] %s . " % \
(vip.uuid, eip.uuid, self.allowed_vr_ip, self.allowed_vr.uuid))
return True
def check_eip_allowed_tcp(self):
if not self.allowed_vr_ip:
test_util.test_logger('No allowed vm for eip testing. Skip EIP allowed TCP checking')
return True
vip = self.test_obj.get_vip()
vip_ip = vip.ip
eip = self.test_obj.get_eip().get_eip()
target_vm = self.test_obj.get_eip().get_target_vm().vm
try:
test_lib.lib_check_ports_in_a_command(self.allowed_vr, self.allowed_vr_ip, vip_ip, self.allowed_ports, self.denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Unexpected Result: Catch failure when checking [vip:] %s EIP: %s for allowed ip: %s from [vm:] %s . " % \
(vip.uuid, eip.uuid, self.allowed_vr_ip, self.allowed_vr.uuid))
return False
test_util.test_logger("Expected Result: Network checking pass for [vip:] %s EIP: %s by allowed ip: %s from [vm:] %s . " % \
(vip.uuid, eip.uuid, self.allowed_vr_ip, self.allowed_vr.uuid))
return True
def check(self):
'''
check will assume target vm only have 1 port forwarding VR.
So all vms PF rules are assigned to 1 VM nic.
'''
super(zstack_kvm_pf_tcp_checker, self).check()
test_result = True
target_vm = self.test_obj.get_target_vm().vm
pf_rule = self.test_obj.get_port_forwarding()
vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid)
all_ports = port_header.all_ports
#only open ports when VM is running.
if self.test_obj.get_target_vm().state == vm_header.RUNNING:
test_lib.lib_open_vm_listen_ports(target_vm, all_ports,
vm_nic.l3NetworkUuid)
#consolidate rules for TCP/UDP/ICMP with different AllowedCidr
rule_port = port_header.get_port_rule(pf_rule.vipPortStart,
pf_rule.vipPortEnd)
#check SG ingress limitation. Since SG rule will not consider vip as
#allowedCidr, if there is ingress limitation, the ingress PF connection
#will be blocked.
sg_tcp_ingress_flag = _sg_rule_exist(vm_nic, inventory.TCP, pf_rule)
allowedCidr = pf_rule.allowedCidr
allowed_vr_ip = allowedCidr.split('/')[0]
allowed_vr_vm = test_lib.lib_get_vm_by_ip(allowed_vr_ip)
vr_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip)
l3_uuid = vr_nic.l3NetworkUuid
allowed_vr_uuid_list = [allowed_vr_vm.uuid]
#target_vm's VRs should be excluded, otherwise the ip package will be routed to this VR directly.
pf_vm_vrs = test_lib.lib_find_vr_by_vm(target_vm)
for pf_vr in pf_vm_vrs:
allowed_vr_uuid_list.append(pf_vr.uuid)
denied_vr_vm = _find_denied_vr(target_vm.clusterUuid, l3_uuid,
allowed_vr_uuid_list)
denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)
vip_uuid = pf_rule.vipUuid
cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid)
vipIp = res_ops.query_resource(res_ops.VIP, cond)[0].ip
if sg_tcp_ingress_flag:
test_util.test_logger(
'SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s'
% target_vm.uuid)
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm,
allowed_vr_ip, vipIp, [],
all_ports, target_vm)
except:
test_util.test_logger(
"Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s, when SG rule exists. "
% (pf_rule.uuid, target_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
else:
allowed_ports = port_header.get_ports(rule_port)
denied_ports = list_ops.list_minus(all_ports, allowed_ports)
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm,
allowed_vr_ip, vipIp,
allowed_ports,
denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger(
"Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s "
% (pf_rule.uuid, target_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
else:
test_util.test_logger(
"Checking pass for Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s "
% (pf_rule.uuid, target_vm.uuid))
try:
test_lib.lib_check_ports_in_a_command(denied_vr_vm,
denied_vr_ip, vipIp, [],
all_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger(
"Catch failure when checking Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s"
% (pf_rule.uuid, target_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
else:
test_util.test_logger(
"Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. "
% (pf_rule.uuid, target_vm.uuid))
test_util.test_logger(
'Check result: [Port Forwarding] finishes TCP testing for [vm:] %s [nic:] %s'
% (target_vm.uuid, vm_nic.uuid))
return self.judge(test_result)
def check(self):
super(pf_checker, self).check()
test_result = True
try:
test_vip = test_lib.lib_get_vip_by_uuid(self.test_obj.get_vip().uuid)
except:
test_util.test_logger('Check Result: [vip:] %s is not exist' % self.test_obj.get_vip().uuid)
self.test_obj.update()
return self.judge(False)
if not self.test_obj.get_pf_list():
test_util.test_logger('Check Result: [vip:] %s is not attached to any pf.' % self.test_obj.get_vip().uuid)
self.test_obj.update()
return self.judge(False)
vip = self.test_obj.get_vip()
vipIp = vip.ip
all_ports = port_header.all_ports
pf_running_list = self.test_obj.get_pf_list_for_running_vm()
pf_tcp_list, pf_udp_list = self.separate_tcp_udp_list(pf_running_list)
pf_tcp_dict = self.gen_tcp_dict_by_allowed_cidr(pf_tcp_list)
pf_stopped_list = self.test_obj.get_pf_list_for_stopped_vm()
pf_detached_list = self.test_obj.get_detached_pf_list()
vip_l3 = self.test_obj.get_vip().l3NetworkUuid
if not pf_running_list:
# all ports should be denied, since no living vm.
for pf in pf_stopped_list:
test_result = self.check_denied_pf(pf)
if test_result != self.exp_result:
return self.judge(test_result)
for pf in pf_detached_list:
test_result = self.check_denied_pf(pf)
if test_result != self.exp_result:
return self.judge(test_result)
else:
#open TCP ports for living vms
for pf in pf_tcp_list:
target_vm = pf.get_target_vm().vm
vm_l3 = test_lib.lib_get_nic_by_uuid(pf.get_port_forwarding().vmNicUuid).l3NetworkUuid
test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_l3)
#calc allowed ports, per allowed_cidr
for allowed_vr_ip, pf_dict_list in pf_tcp_dict.iteritems():
allowed_ports = []
denied_ports = all_ports
#find all pf rules on running vm. These rules are supposed to be connectable, unless they are blocked by target vm's sg.
allowed_ports, denied_ports = \
self.count_pf_allowed_denied_ports(
pf_dict_list,
allowed_ports,
denied_ports)
#although the target_vm might be different, but the denied_vr_vm should be same.
target_vm_nic_uuid = pf_dict_list[0].get_port_forwarding().vmNicUuid
allowed_vr_vm, denied_vr_vm = \
self.get_allowed_denied_vr_vm(allowed_vr_ip, target_vm_nic_uuid)
denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCP [rules] for allowed Cidr: %s from [vm:] %s . " % \
(vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
if test_result != self.exp_result:
return self.judge(test_result)
test_util.test_logger("Checking pass for [vip:] %s Port Forwardings TCP rules for allowed Cidr: %s from [vm:] %s " % \
(vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid))
#check denied vr access.
allowed_ports = []
denied_ports = all_ports
#the denied vr might be in other pf rule.
if denied_vr_ip in pf_tcp_dict.keys():
allowed_ports, denied_ports = \
self.count_pf_allowed_denied_ports(
pf_tcp_dict[denied_vr_ip],
allowed_ports,
denied_ports)
try:
test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCPs for not allowed Cidr from [vm:] %s" % (vip.uuid, allowed_vr_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (vip.uuid, allowed_vr_vm.uuid))
if test_result != self.exp_result:
return self.judge(test_result)
#check pf_udp rule existance.
for pf in pf_udp_list:
test_result = test_lib.lib_check_vm_pf_rule_exist_in_iptables(pf.get_port_forwarding())
test_util.test_logger('Check result: [Port Forwarding] %s finishes UDP rule existance testing' % pf.get_port_forwarding().uuid)
return self.judge(test_result)
test_util.test_logger('Check result: [Port Forwarding] finishes [vip:] %s TCP testing.' % vip.uuid)
return self.judge(test_result)
def test():
test_util.test_dsc("create vpc vrouter and attach vpc l3 to vpc")
for vpc_name in vpc_name_list:
vr_list.append(test_stub.create_vpc_vrouter(vpc_name))
for vr, l3_list in izip(vr_list, vpc_l3_list):
test_stub.attach_l3_to_vpc_vr(vr, l3_list)
vr1, vr2 = vr_list
test_util.test_dsc("create two vm, vm1 in l3 {}, vm2 in l3 {}".format(VLAN1_NAME, VXLAN1_NAME))
vm1 = test_stub.create_vm_with_random_offering(vm_name='vpc_vm_{}'.format(VLAN1_NAME), l3_name=VLAN1_NAME)
test_obj_dict.add_vm(vm1)
vm1.check()
vm2 = test_stub.create_vm_with_random_offering(vm_name='vpc_vm_{}'.format(VXLAN1_NAME), l3_name=VXLAN1_NAME)
test_obj_dict.add_vm(vm2)
vm2.check()
cond = res_ops.gen_query_conditions('name', '=', os.environ.get(SECOND_PUB))
second_pub_l3 = res_ops.query_resource(res_ops.L3_NETWORK, cond)[0]
test_util.test_dsc("Create vroute route for vpc1")
cond = res_ops.gen_query_conditions('name', '=', os.environ.get(VXLAN1_NAME))
vpc2_l3 = res_ops.query_resource(res_ops.L3_NETWORK, cond)[0]
vpc2_l3_cdir = vpc2_l3.ipRanges[0].networkCidr
vpc2_second_pub_ip = [nic.ip for nic in vr2.inv.vmNics if nic.l3NetworkUuid == second_pub_l3.uuid][0]
route_table1 = net_ops.create_vrouter_route_table('vpc1')
route_entry1 = net_ops.add_vrouter_route_entry(route_table1.uuid, vpc2_l3_cdir, vpc2_second_pub_ip)
net_ops.attach_vrouter_route_table_to_vrouter(route_table1.uuid, vr1.inv.uuid)
test_util.test_dsc("Create vroute route for vpc2")
cond = res_ops.gen_query_conditions('name', '=', os.environ.get(VLAN1_NAME))
vpc1_l3 = res_ops.query_resource(res_ops.L3_NETWORK, cond)[0]
vpc1_l3_cdir = vpc1_l3.ipRanges[0].networkCidr
vpc1_second_pub_ip = [nic.ip for nic in vr1.inv.vmNics if nic.l3NetworkUuid == second_pub_l3.uuid][0]
route_table2 = net_ops.create_vrouter_route_table('vpc2')
route_entry1 = net_ops.add_vrouter_route_entry(route_table2.uuid, vpc1_l3_cdir, vpc1_second_pub_ip)
net_ops.attach_vrouter_route_table_to_vrouter(route_table2.uuid, vr2.inv.uuid)
vm1_inv, vm2_inv = [vm.get_vm() for vm in (vm1, vm2)]
test_lib.lib_check_ping(vm1_inv, vm2_inv.vmNics[0].ip)
test_lib.lib_check_ping(vm2_inv, vm1_inv.vmNics[0].ip)
test_lib.lib_check_ports_in_a_command(vm1_inv, vm1_inv.vmNics[0].ip,
vm2_inv.vmNics[0].ip, ["22"], [], vm2_inv)
test_lib.lib_check_ports_in_a_command(vm2_inv, vm2_inv.vmNics[0].ip,
vm1_inv.vmNics[0].ip, ["22"], [], vm1_inv)
net_ops.detach_vrouter_route_table_from_vrouter(route_table1.uuid, vr1.inv.uuid)
net_ops.detach_vrouter_route_table_from_vrouter(route_table2.uuid, vr2.inv.uuid)
with test_lib.expected_failure('Check two vm pingable', Exception):
test_lib.lib_check_ping(vm1_inv, vm2_inv.vmNics[0].ip)
with test_lib.expected_failure('Check two vm pingable', Exception):
test_lib.lib_check_ping(vm2_inv, vm1_inv.vmNics[0].ip)
test_lib.lib_check_ports_in_a_command(vm1_inv, vm1_inv.vmNics[0].ip,
vm2_inv.vmNics[0].ip, [], ["22"], vm2_inv)
test_lib.lib_check_ports_in_a_command(vm2_inv, vm2_inv.vmNics[0].ip,
vm1_inv.vmNics[0].ip, [], ["22"], vm1_inv)
test_lib.lib_error_cleanup(test_obj_dict)
test_stub.remove_all_vpc_vrouter()
def test():
test_util.test_dsc('Create test vm with EIP and check.')
vm1 = test_stub.create_vlan_vm(os.environ.get('l3VlanNetworkName1'))
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_vlan_vm(os.environ.get('l3VlanNetworkName1'))
test_obj_dict.add_vm(vm2)
l3_name = os.environ.get('l3VlanNetworkName1')
vr1_l3_uuid = test_lib.lib_get_l3_by_name(l3_name).uuid
vrs = test_lib.lib_find_vr_by_l3_uuid(vr1_l3_uuid)
temp_vm1 = None
if not vrs:
#create temp_vm1 for getting vlan1's vr for test pf_vm portforwarding
temp_vm1 = test_stub.create_vlan_vm()
test_obj_dict.add_vm(temp_vm1)
vr1 = test_lib.lib_find_vr_by_vm(temp_vm1.vm)[0]
else:
vr1 = vrs[0]
if vr1.applianceVmType == "vrouter":
test_util.test_skip("vrouter VR does not support single VM multiple EIP")
l3_name = os.environ.get('l3NoVlanNetworkName1')
vr2_l3_uuid = test_lib.lib_get_l3_by_name(l3_name).uuid
vrs = test_lib.lib_find_vr_by_l3_uuid(vr2_l3_uuid)
temp_vm2 = None
if not vrs:
#create temp_vm2 for getting novlan's vr for test pf_vm portforwarding
temp_vm2 = test_stub.create_user_vlan_vm()
test_obj_dict.add_vm(temp_vm2)
vr2 = test_lib.lib_find_vr_by_vm(temp_vm2.vm)[0]
else:
vr2 = vrs[0]
if vr1.applianceVmType == "vrouter":
test_util.test_skip("vrouter VR does not support single VM multiple EIP")
#we do not need temp_vm1 and temp_vm2, since we just use their VRs.
if temp_vm1:
temp_vm1.destroy()
test_obj_dict.rm_vm(temp_vm1)
if temp_vm2:
temp_vm2.destroy()
test_obj_dict.rm_vm(temp_vm2)
vm_nic1 = vm1.vm.vmNics[0]
vm_nic1_uuid = vm_nic1.uuid
vm_nic2 = vm2.vm.vmNics[0]
vm_nic2_uuid = vm_nic2.uuid
pri_l3_uuid = vm_nic1.l3NetworkUuid
vr = test_lib.lib_find_vr_by_l3_uuid(pri_l3_uuid)[0]
vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr)
l3_uuid = vr_pub_nic.l3NetworkUuid
vip1 = test_stub.create_vip('create_vip 1', l3_uuid)
test_obj_dict.add_vip(vip1)
eip1 = test_stub.create_eip('create eip 1', vip_uuid=vip1.get_vip().uuid, \
vnic_uuid=vm_nic1_uuid, vm_obj=vm1)
vip1.attach_eip(eip1)
vip2 = test_stub.create_vip('create_vip 2', l3_uuid)
test_obj_dict.add_vip(vip2)
eip2 = test_stub.create_eip('create eip 2', vip_uuid=vip2.get_vip().uuid, \
vnic_uuid=vm_nic2_uuid, vm_obj=vm2)
vip2.attach_eip(eip2)
vm1.check()
vip1.check()
vm2.check()
vip2.check()
test_lib.lib_check_ports_in_a_command(vm1.get_vm(), vip1.get_vip().ip, \
vip2.get_vip().ip, test_stub.target_ports, [], vm2.get_vm())
test_lib.lib_check_ports_in_a_command(vm2.get_vm(), vip2.get_vip().ip, \
vip1.get_vip().ip, test_stub.target_ports, [], vm1.get_vm())
vm1.destroy()
test_obj_dict.rm_vm(vm1)
test_lib.lib_check_ports_in_a_command(vm2.get_vm(), vip2.get_vip().ip, \
vip1.get_vip().ip, [], test_stub.target_ports, vm1.get_vm())
vm2.destroy()
test_obj_dict.rm_vm(vm2)
vip1.delete()
test_obj_dict.rm_vip(vip1)
vip2.delete()
test_obj_dict.rm_vip(vip2)
test_util.test_pass('Test 2 EIPs for 2 VMs Success')
def check(self):
'''
check will assume target vm only have 1 port forwarding VR.
So all vms PF rules are assigned to 1 VM nic.
'''
super(zstack_vcenter_pf_tcp_checker, self).check()
test_result = True
target_vm = self.test_obj.get_target_vm().vm
pf_rule = self.test_obj.get_port_forwarding()
vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid)
all_ports = port_header.all_ports
#only open ports when VM is running.
if self.test_obj.get_target_vm().state == vm_header.RUNNING:
test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_nic.l3NetworkUuid)
#consolidate rules for TCP/UDP/ICMP with different AllowedCidr
rule_port = port_header.get_port_rule(pf_rule.vipPortStart, pf_rule.vipPortEnd)
#check SG ingress limitation. Since SG rule will not consider vip as
#allowedCidr, if there is ingress limitation, the ingress PF connection
#will be blocked.
sg_tcp_ingress_flag = _sg_rule_exist(vm_nic, inventory.TCP, pf_rule)
allowedCidr = pf_rule.allowedCidr
allowed_vr_ip = allowedCidr.split('/')[0]
allowed_vr_vm = test_lib.lib_get_vm_by_ip(allowed_vr_ip)
vr_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip)
l3_uuid = vr_nic.l3NetworkUuid
allowed_vr_uuid_list = [allowed_vr_vm.uuid]
#target_vm's VRs should be excluded, otherwise the ip package will be routed to this VR directly.
pf_vm_vrs = test_lib.lib_find_vr_by_vm(target_vm)
for pf_vr in pf_vm_vrs:
allowed_vr_uuid_list.append(pf_vr.uuid)
denied_vr_vm = _find_denied_vr(target_vm.clusterUuid, l3_uuid, allowed_vr_uuid_list)
denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)
vip_uuid = pf_rule.vipUuid
cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid)
vipIp = res_ops.query_resource(res_ops.VIP, cond)[0].ip
if sg_tcp_ingress_flag:
test_util.test_logger('SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s' % target_vm.uuid)
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, [], all_ports, target_vm)
except:
test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s, when SG rule exists. " % (pf_rule.uuid, target_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
else:
allowed_ports = port_header.get_ports(rule_port)
denied_ports = list_ops.list_minus(all_ports, allowed_ports)
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
else:
test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid))
try:
test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, [], all_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s" % (pf_rule.uuid, target_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
else:
test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (pf_rule.uuid, target_vm.uuid))
test_util.test_logger('Check result: [Port Forwarding] finishes TCP testing for [vm:] %s [nic:] %s' % (target_vm.uuid, vm_nic.uuid))
return self.judge(test_result)
def check(self):
super(pf_checker, self).check()
test_result = True
try:
test_vip = test_lib.lib_get_vip_by_uuid(self.test_obj.get_vip().uuid)
except:
test_util.test_logger('Check Result: [vip:] %s is not exist' % self.test_obj.get_vip().uuid)
self.test_obj.update()
return self.judge(False)
if not self.test_obj.get_pf_list():
test_util.test_logger('Check Result: [vip:] %s is not attached to any pf.' % self.test_obj.get_vip().uuid)
self.test_obj.update()
return self.judge(False)
vip = self.test_obj.get_vip()
vipIp = vip.ip
all_ports = port_header.all_ports
pf_running_list = self.test_obj.get_pf_list_for_running_vm()
pf_tcp_list, pf_udp_list = self.separate_tcp_udp_list(pf_running_list)
pf_tcp_dict = self.gen_tcp_dict_by_allowed_cidr(pf_tcp_list)
pf_stopped_list = self.test_obj.get_pf_list_for_stopped_vm()
pf_detached_list = self.test_obj.get_detached_pf_list()
vip_l3 = self.test_obj.get_vip().l3NetworkUuid
if not pf_running_list:
# all ports should be denied, since no living vm.
for pf in pf_stopped_list:
test_result = self.check_denied_pf(pf)
if test_result != self.exp_result:
return self.judge(test_result)
for pf in pf_detached_list:
test_result = self.check_denied_pf(pf)
if test_result != self.exp_result:
return self.judge(test_result)
else:
#open TCP ports for living vms
for pf in pf_tcp_list:
target_vm = pf.get_target_vm().vm
vm_l3 = test_lib.lib_get_nic_by_uuid(pf.get_port_forwarding().vmNicUuid).l3NetworkUuid
test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_l3)
#calc allowed ports, per allowed_cidr
for allowed_vr_ip, pf_dict_list in pf_tcp_dict.iteritems():
allowed_ports = []
denied_ports = all_ports
#find all pf rules on running vm. These rules are supposed to be connectable, unless they are blocked by target vm's sg.
allowed_ports, denied_ports = \
self.count_pf_allowed_denied_ports(
pf_dict_list,
allowed_ports,
denied_ports)
#although the target_vm might be different, but the denied_vr_vm should be same.
target_vm_nic_uuid = pf_dict_list[0].get_port_forwarding().vmNicUuid
allowed_vr_vm, denied_vr_vm = \
self.get_allowed_denied_vr_vm(allowed_vr_ip, target_vm_nic_uuid)
denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCP [rules] for allowed Cidr: %s from [vm:] %s . " % \
(vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
if test_result != self.exp_result:
return self.judge(test_result)
test_util.test_logger("Checking pass for [vip:] %s Port Forwardings TCP rules for allowed Cidr: %s from [vm:] %s " % \
(vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid))
#check denied vr access.
allowed_ports = []
denied_ports = all_ports
#the denied vr might be in other pf rule.
if denied_vr_ip in pf_tcp_dict.keys():
allowed_ports, denied_ports = \
self.count_pf_allowed_denied_ports(
pf_tcp_dict[denied_vr_ip],
allowed_ports,
denied_ports)
try:
test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCPs for not allowed Cidr from [vm:] %s" % (vip.uuid, allowed_vr_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (vip.uuid, allowed_vr_vm.uuid))
if test_result != self.exp_result:
return self.judge(test_result)
#check pf_udp rule existance.
for pf in pf_udp_list:
test_result = test_lib.lib_check_vm_pf_rule_exist_in_iptables(pf.get_port_forwarding())
test_util.test_logger('Check result: [Port Forwarding] %s finishes UDP rule existance testing' % pf.get_port_forwarding().uuid)
return self.judge(test_result)
test_util.test_logger('Check result: [Port Forwarding] finishes [vip:] %s TCP testing.' % vip.uuid)
return self.judge(test_result)
def test():
test_util.test_dsc("create vpc vrouter and attach vpc l3 to vpc")
for vpc_name in vpc_name_list:
vr_list.append(test_stub.create_vpc_vrouter(vpc_name))
for vr, l3_list in izip(vr_list, vpc_l3_list):
test_stub.attach_l3_to_vpc_vr(vr, l3_list)
vr1, vr2 = vr_list
test_util.test_dsc("create two vm, vm1 in l3 {}, vm2 in l3 {}".format(
VLAN1_NAME, VXLAN1_NAME))
vm1 = test_stub.create_vm_with_random_offering(
vm_name='vpc_vm_{}'.format(VLAN1_NAME), l3_name=VLAN1_NAME)
test_obj_dict.add_vm(vm1)
vm1.check()
vm2 = test_stub.create_vm_with_random_offering(
vm_name='vpc_vm_{}'.format(VXLAN1_NAME), l3_name=VXLAN1_NAME)
test_obj_dict.add_vm(vm2)
vm2.check()
cond = res_ops.gen_query_conditions('name', '=',
os.environ.get(SECOND_PUB))
second_pub_l3 = res_ops.query_resource(res_ops.L3_NETWORK, cond)[0]
test_util.test_dsc("Create vroute route for vpc1")
cond = res_ops.gen_query_conditions('name', '=',
os.environ.get(VXLAN1_NAME))
vpc2_l3 = res_ops.query_resource(res_ops.L3_NETWORK, cond)[0]
vpc2_l3_cdir = vpc2_l3.ipRanges[0].networkCidr
vpc2_second_pub_ip = [
nic.ip for nic in vr2.inv.vmNics
if nic.l3NetworkUuid == second_pub_l3.uuid
][0]
route_table1 = net_ops.create_vrouter_route_table('vpc1')
route_entry1 = net_ops.add_vrouter_route_entry(route_table1.uuid,
vpc2_l3_cdir,
vpc2_second_pub_ip)
net_ops.attach_vrouter_route_table_to_vrouter(route_table1.uuid,
vr1.inv.uuid)
test_util.test_dsc("Create vroute route for vpc2")
cond = res_ops.gen_query_conditions('name', '=',
os.environ.get(VLAN1_NAME))
vpc1_l3 = res_ops.query_resource(res_ops.L3_NETWORK, cond)[0]
vpc1_l3_cdir = vpc1_l3.ipRanges[0].networkCidr
vpc1_second_pub_ip = [
nic.ip for nic in vr1.inv.vmNics
if nic.l3NetworkUuid == second_pub_l3.uuid
][0]
route_table2 = net_ops.create_vrouter_route_table('vpc2')
route_entry1 = net_ops.add_vrouter_route_entry(route_table2.uuid,
vpc1_l3_cdir,
vpc1_second_pub_ip)
net_ops.attach_vrouter_route_table_to_vrouter(route_table2.uuid,
vr2.inv.uuid)
vm1_inv, vm2_inv = [vm.get_vm() for vm in (vm1, vm2)]
test_lib.lib_check_ping(vm1_inv, vm2_inv.vmNics[0].ip)
test_lib.lib_check_ping(vm2_inv, vm1_inv.vmNics[0].ip)
test_lib.lib_check_ports_in_a_command(vm1_inv, vm1_inv.vmNics[0].ip,
vm2_inv.vmNics[0].ip, ["22"], [],
vm2_inv)
test_lib.lib_check_ports_in_a_command(vm2_inv, vm2_inv.vmNics[0].ip,
vm1_inv.vmNics[0].ip, ["22"], [],
vm1_inv)
net_ops.detach_vrouter_route_table_from_vrouter(route_table1.uuid,
vr1.inv.uuid)
net_ops.detach_vrouter_route_table_from_vrouter(route_table2.uuid,
vr2.inv.uuid)
with test_lib.expected_failure('Check two vm pingable', Exception):
test_lib.lib_check_ping(vm1_inv, vm2_inv.vmNics[0].ip)
with test_lib.expected_failure('Check two vm pingable', Exception):
test_lib.lib_check_ping(vm2_inv, vm1_inv.vmNics[0].ip)
test_lib.lib_check_ports_in_a_command(vm1_inv, vm1_inv.vmNics[0].ip,
vm2_inv.vmNics[0].ip, [], ["22"],
vm2_inv)
test_lib.lib_check_ports_in_a_command(vm2_inv, vm2_inv.vmNics[0].ip,
vm1_inv.vmNics[0].ip, [], ["22"],
vm1_inv)
test_lib.lib_error_cleanup(test_obj_dict)
test_stub.remove_all_vpc_vrouter()
