def test_slo_intra_node(self):
"""
Description: Verify security logging for inter-VN intra-Node traffic
Steps:
1. create 2 VNs and connect them using policy
2. launch 1 VM in each VN on same compute node
3. set session export rate to 0
4. start icmp/tcp/udp traffic and verify the session logs in agent log
as well as in syslog
Pass criteria:
step 4 should pass
"""
self._create_resources(test_type='intra-node', session_export_rate=0)
policy_obj = self.policy_fixture.policy_obj
project_name = self.project.project_name
sg_fq_name = '%s:%s:default' % (self.connections.domain_name,
project_name)
sg_id = get_secgrp_id_from_name(self.connections, sg_fq_name)
sg_obj = self.vnc_h._vnc.security_group_read(id=sg_id)
parent_obj = self.vnc_h.project_read(
fq_name=[self.connections.domain_name, project_name])
slo_rate = 1
slo_fixture = self.create_slo(parent_obj, rate=slo_rate, sg_obj=sg_obj,
vn_policy_obj=policy_obj)
for vn in self.vn_fixtures:
self.add_slo_to_vn(slo_fixture, vn)
#For intra node traffic there is no tunnel so underlay_proto would be zero
underlay_proto = 0
proto_list = [1, 17, 6]
self.enable_logging_on_compute(self.client_fixture.vm_node_ip,
log_type=AGENT_LOG, session_type='slo')
#Clear local ips after agent restart
self.client_fixture.clear_local_ips()
self.server_fixture.clear_local_ips()
#Verify Session logs in agent logs for SLO
for proto in proto_list:
self.start_traffic_validate_slo(self.client_fixture,
self.server_fixture, self.policy_fixture, proto=proto,
underlay_proto=underlay_proto, slo_rate=slo_rate)
self.logger.info("SLO: Expected Session logs found in agent log for "
"protocol %s" % (self.proto))
#
#SLO logged session verification in syslog
self.enable_logging_on_compute(self.client_fixture.vm_node_ip,
log_type=SYS_LOG, session_type='slo')
#Clear local ips after agent restart
self.client_fixture.clear_local_ips()
self.server_fixture.clear_local_ips()
#Verify Session logs in syslog
for proto in proto_list:
self.start_traffic_validate_slo_in_syslog(self.client_fixture,
self.server_fixture, self.policy_fixture, proto=proto,
underlay_proto=underlay_proto)
self.logger.info("Expected Session logs found in syslog for "
"protocol %s" % (self.proto))
def create_sg_test_resources(self):
"""Config common resources."""
self.logger.info("Configuring setup for security group tests.")
vn_s = {"vn1": "20.1.1.0/24", "vn2": ["10.1.1.0/24"]}
self.multi_vn_fixture = self.useFixture(
MultipleVNFixture(
connections=self.connections,
inputs=self.inputs,
subnet_count=2,
vn_name_net=vn_s,
project_name=self.inputs.project_name,
)
)
vns = self.multi_vn_fixture.get_all_fixture_obj()
(self.vn1_name, self.vn1_fix) = self.multi_vn_fixture._vn_fixtures[0]
(self.vn2_name, self.vn2_fix) = self.multi_vn_fixture._vn_fixtures[1]
self.logger.info("Configure security groups required for test.")
self.config_sec_groups()
self.multi_vm_fixture = self.useFixture(
MultipleVMFixture(
project_name=self.inputs.project_name,
connections=self.connections,
vm_count_per_vn=3,
vn_objs=vns,
image_name="ubuntu-traffic",
flavor="contrail_flavor_small",
)
)
vms = self.multi_vm_fixture.get_all_fixture()
(self.vm1_name, self.vm1_fix) = vms[0]
(self.vm2_name, self.vm2_fix) = vms[1]
(self.vm3_name, self.vm3_fix) = vms[2]
(self.vm4_name, self.vm4_fix) = vms[3]
(self.vm5_name, self.vm5_fix) = vms[4]
(self.vm6_name, self.vm6_fix) = vms[5]
self.logger.info("Adding the sec groups to the VM's")
self.vm1_fix.add_security_group(secgrp=self.sg1_name)
self.vm1_fix.add_security_group(secgrp=self.sg2_name)
self.vm2_fix.add_security_group(secgrp=self.sg2_name)
self.vm4_fix.add_security_group(secgrp=self.sg1_name)
self.vm4_fix.add_security_group(secgrp=self.sg2_name)
self.vm5_fix.add_security_group(secgrp=self.sg1_name)
self.logger.info("Remove the default sec group form the VM's")
default_secgrp_id = get_secgrp_id_from_name(
self.connections, ":".join([self.inputs.domain_name, self.inputs.project_name, "default"])
)
self.vm1_fix.remove_security_group(secgrp=default_secgrp_id)
self.vm2_fix.remove_security_group(secgrp=default_secgrp_id)
self.vm4_fix.remove_security_group(secgrp=default_secgrp_id)
self.vm5_fix.remove_security_group(secgrp=default_secgrp_id)
self.logger.info("Verifying setup of security group tests.")
self.verify_sg_test_resources()
self.logger.info("Finished configuring setup for security group tests.")
def add_sg_to_vms(self, vm_fix_list, sg_id=None):
default_sg_id = get_secgrp_id_from_name(
self.connections, ':'.join(
[self.inputs.domain_name, self.inputs.project_name,
'default']))
sg_id = sg_id or default_sg_id
for vm in vm_fix_list:
vm.add_security_group(secgrp=sg_id)
def add_sg_to_vms(self, vm_fix_list, sg_id=None):
default_sg_id = get_secgrp_id_from_name(
self.connections,
':'.join([self.inputs.domain_name,
self.inputs.project_name,
'default']))
sg_id = sg_id or default_sg_id
for vm in vm_fix_list:
vm.add_security_group(secgrp=sg_id)
def create_sg_test_resources(self):
"""Config common resources."""
self.logger.info("Configuring setup for security group tests.")
vn_s = {'vn1': '20.1.1.0/24', 'vn2': ['10.1.1.0/24']}
self.multi_vn_fixture = self.useFixture(
MultipleVNFixture(connections=self.connections,
inputs=self.inputs,
subnet_count=2,
vn_name_net=vn_s,
project_name=self.inputs.project_name))
vns = self.multi_vn_fixture.get_all_fixture_obj()
(self.vn1_name, self.vn1_fix) = self.multi_vn_fixture._vn_fixtures[0]
(self.vn2_name, self.vn2_fix) = self.multi_vn_fixture._vn_fixtures[1]
self.logger.info("Configure security groups required for test.")
self.config_sec_groups()
self.multi_vm_fixture = self.useFixture(
MultipleVMFixture(project_name=self.inputs.project_name,
connections=self.connections,
vm_count_per_vn=3,
vn_objs=vns,
image_name='ubuntu-traffic',
flavor='contrail_flavor_small'))
vms = self.multi_vm_fixture.get_all_fixture()
(self.vm1_name, self.vm1_fix) = vms[0]
(self.vm2_name, self.vm2_fix) = vms[1]
(self.vm3_name, self.vm3_fix) = vms[2]
(self.vm4_name, self.vm4_fix) = vms[3]
(self.vm5_name, self.vm5_fix) = vms[4]
(self.vm6_name, self.vm6_fix) = vms[5]
self.logger.info("Adding the sec groups to the VM's")
self.vm1_fix.add_security_group(secgrp=self.sg1_name)
self.vm1_fix.add_security_group(secgrp=self.sg2_name)
self.vm2_fix.add_security_group(secgrp=self.sg2_name)
self.vm4_fix.add_security_group(secgrp=self.sg1_name)
self.vm4_fix.add_security_group(secgrp=self.sg2_name)
self.vm5_fix.add_security_group(secgrp=self.sg1_name)
self.logger.info("Remove the default sec group form the VM's")
default_secgrp_id = get_secgrp_id_from_name(
self.connections, ':'.join(
[self.inputs.domain_name, self.inputs.project_name,
'default']))
self.vm1_fix.remove_security_group(secgrp=default_secgrp_id)
self.vm2_fix.remove_security_group(secgrp=default_secgrp_id)
self.vm4_fix.remove_security_group(secgrp=default_secgrp_id)
self.vm5_fix.remove_security_group(secgrp=default_secgrp_id)
self.logger.info("Verifying setup of security group tests.")
self.verify_sg_test_resources()
self.logger.info(
"Finished configuring setup for security group tests.")
def test_slo_on_vmi(self):
"""
Description: Verify SLO on vmi
Steps:
1. create 2 VNs and connect them using network and firewall policy
2. launch 1 VM in each VN on diff compute node
3. set session export rate to 0 and attach SLO to dest vmi only
4. start udp traffic and verify the session logs in agent log on dest node
and no logs in src node
Pass criteria:
step 4 should pass
"""
self._create_resources(test_type='inter-node', session_export_rate=0)
policy_obj = self.policy_fixture.policy_obj
project_name = self.project.project_name
sg_fq_name = '%s:%s:default' % (self.connections.domain_name,
project_name)
sg_id = get_secgrp_id_from_name(self.connections, sg_fq_name)
sg_obj = self.vnc_h._vnc.security_group_read(id=sg_id)
parent_obj = self.vnc_h.project_read(
fq_name=[self.connections.domain_name, project_name])
slo_rate = 1
slo_fixture = self.create_slo(parent_obj, rate=slo_rate, sg_obj=sg_obj,
vn_policy_obj=policy_obj)
server_vmi_id = self.server_fixture.get_vmi_ids().values()[0]
self.add_slo_to_vmi(slo_fixture, server_vmi_id)
#create firewall rule and policy
slo_rate_obj = SloRateType(rate=slo_rate)
slo_dict = {'slo_obj': slo_fixture.obj, 'rate_obj':slo_rate_obj}
fw_objs_dict = self.config_tag_firewall_policy(self.vn_fixtures, slo=slo_dict)
underlay_proto = UNDERLAY_PROTO[
self.connections.read_vrouter_config_encap()[0]]
proto_list = [17]
self.enable_logging_on_compute(self.client_fixture.vm_node_ip,
log_type=AGENT_LOG, session_type='slo')
self.enable_logging_on_compute(self.server_fixture.vm_node_ip,
log_type=AGENT_LOG, session_type='slo')
#Clear local ips after agent restart
self.client_fixture.clear_local_ips()
self.server_fixture.clear_local_ips()
#Verify Session logs in agent logs for SLO
for proto in proto_list:
self.start_traffic_validate_slo_fw(self.client_fixture,
self.server_fixture, self.policy_fixture, proto=proto,
underlay_proto=underlay_proto, slo_rate=slo_rate, sg_uuid=sg_id,
fw_objs_dict=fw_objs_dict, exp_clnt_session_count=0)
self.logger.info("SLO: Expected Session logs found in agent log for "
"protocol %s" % (self.proto))
def _test_slo_with_fw(self, exp_srv_session_count=None,
exp_clnt_session_count=None, create_resources=True, slo_fixture=None,
fw_objs_dict=None):
if create_resources:
self._create_resources(test_type='inter-node', session_export_rate=0)
policy_obj = self.policy_fixture.policy_obj
project_name = self.project.project_name
sg_fq_name = '%s:%s:default' % (self.connections.domain_name,
project_name)
sg_id = get_secgrp_id_from_name(self.connections, sg_fq_name)
sg_obj = self.vnc_h._vnc.security_group_read(id=sg_id)
parent_obj = self.vnc_h.project_read(
fq_name=[self.connections.domain_name, project_name])
slo_rate = 1
if slo_fixture is None:
slo_fixture = self.create_slo(parent_obj, rate=slo_rate)
for vn in self.vn_fixtures:
self.add_slo_to_vn(slo_fixture, vn)
if fw_objs_dict is None:
#create firewall rule and policy
slo_rate_obj = SloRateType(rate=slo_rate)
slo_dict = {'slo_obj': slo_fixture.obj, 'rate_obj':slo_rate_obj}
fw_objs_dict = self.config_tag_firewall_policy(self.vn_fixtures, slo=slo_dict)
underlay_proto = UNDERLAY_PROTO[
self.connections.read_vrouter_config_encap()[0]]
proto_list = [17]
self.enable_logging_on_compute(self.client_fixture.vm_node_ip,
log_type=AGENT_LOG, session_type='slo')
self.enable_logging_on_compute(self.server_fixture.vm_node_ip,
log_type=AGENT_LOG, session_type='slo')
#Clear local ips after agent restart
self.client_fixture.clear_local_ips()
self.server_fixture.clear_local_ips()
#Verify Session logs in agent logs for SLO
for proto in proto_list:
self.start_traffic_validate_slo_fw(self.client_fixture,
self.server_fixture, self.policy_fixture, proto=proto,
underlay_proto=underlay_proto, slo_rate=slo_rate, sg_uuid=sg_id,
fw_objs_dict=fw_objs_dict,
exp_srv_session_count=exp_srv_session_count,
exp_clnt_session_count=exp_clnt_session_count)
self.logger.info("SLO: Expected Session logs found in agent log for "
"protocol %s" % (self.proto))
return {'sg_obj':sg_obj, 'slo_fix':slo_fixture, 'fw_objs':fw_objs_dict}
def test_disable_policy_sg_inter_vn(self):
"""
Description: Verify disabling policy for inter VN,inter/intra node traffic with SG
Steps:
1. launch 2 VNs and launch 3 VMs in it.
2. disable policy only on destination VMs and add/remove SG and start traffic
Pass criteria:
1. traffic should go through and flow should not be created
"""
compute_hosts = self.orch.get_hosts()
if len(compute_hosts) < 2:
raise self.skipTest("Skipping test case,\
this test needs atleast 2 compute nodes")
vn_fixtures = self.create_vns(count=2, rt_number='10000')
self.verify_vns(vn_fixtures)
vn1_fixture = vn_fixtures[0]
vn2_fixture = vn_fixtures[1]
#Launch 1 VM in first VN and 2 VMs in another VN
image = 'ubuntu-traffic'
src_vm_fixture = self.create_vms(vn_fixture=vn1_fixture,
count=1,
node_name=compute_hosts[0],
image_name=image)[0]
dst_vm_fixture1 = self.create_vms(vn_fixture=vn2_fixture,
count=1,
node_name=compute_hosts[0],
image_name=image)[0]
dst_vm_fixture2 = self.create_vms(vn_fixture=vn2_fixture,
count=1,
node_name=compute_hosts[1],
image_name=image)[0]
self.verify_vms([src_vm_fixture, dst_vm_fixture1, dst_vm_fixture2])
self.disable_policy_for_vms([dst_vm_fixture1, dst_vm_fixture2])
default_sg_id = get_secgrp_id_from_name(
self.connections, ':'.join([
self.connections.domain_name, self.inputs.project_name,
'default'
]))
rule = [{
'direction':
'<>',
'protocol':
'udp',
'dst_addresses': [{
'subnet': {
'ip_prefix': '10.1.1.0',
'ip_prefix_len': 24
}
}],
'dst_ports': [{
'start_port': 0,
'end_port': -1
}],
'src_ports': [{
'start_port': 0,
'end_port': -1
}],
'src_addresses': [{
'security_group': 'local'
}],
}]
sg_fixture = self.create_sg(entries=rule)
self.verify_sg(sg_fixture)
proto = 'udp'
#For Inter node traffic test, use src_vm_fixture and dst_vm_fixture2
#For Intra node, use src_vm_fixture and dst_vm_fixture1
for vm in [dst_vm_fixture1, dst_vm_fixture2]:
if (vm == dst_vm_fixture1):
#Intra Node
ff_exp = 1
rf_exp = 1
else:
#Inter Node
ff_exp = 0
rf_exp = 0
#1. receiver VMI SG with allow rule, use default SG
self.send_traffic_verify_flow_dst_compute(src_vm_fixture,
vm,
proto,
ff_exp=ff_exp,
rf_exp=rf_exp)
#2. receiver VMI SG with only egress rule
self.remove_sg_from_vms([vm], sg_id=default_sg_id)
self.add_sg_to_vms([vm], sg_id=sg_fixture.secgrp_id)
self.send_traffic_verify_flow_dst_compute(src_vm_fixture,
vm,
proto,
ff_exp=ff_exp,
rf_exp=rf_exp)
#3. receiver VMI SG without any rule
sg_fixture.delete_all_rules()
self.send_traffic_verify_flow_dst_compute(src_vm_fixture,
vm,
proto,
ff_exp=ff_exp,
rf_exp=rf_exp)
#4. receiver VMI without SG
self.remove_sg_from_vms([vm], sg_id=sg_fixture.secgrp_id)
self.send_traffic_verify_flow_dst_compute(src_vm_fixture,
vm,
proto,
ff_exp=ff_exp,
rf_exp=rf_exp)
def create_sg_test_resources(self):
"""Config common resources."""
self.logger.info("Configuring setup for security group tests.")
self.vn1_subnets = get_random_cidrs(self.inputs.get_af())
self.vn2_subnets = get_random_cidrs(self.inputs.get_af())
self.vn1_prefix = self.vn1_subnets[0].split('/')[0]
self.vn1_prefix_len = int(self.vn1_subnets[0].split('/')[1])
self.vn2_prefix = self.vn2_subnets[0].split('/')[0]
self.vn2_prefix_len = int(self.vn2_subnets[0].split('/')[1])
vn_s = {'vn1': self.vn1_subnets[0], 'vn2': self.vn2_subnets}
self.multi_vn_fixture = self.useFixture(
MultipleVNFixture(connections=self.connections,
inputs=self.inputs,
subnet_count=2,
vn_name_net=vn_s,
project_name=self.inputs.project_name))
vns = self.multi_vn_fixture.get_all_fixture_obj()
(self.vn1_name, self.vn1_fix) = self.multi_vn_fixture._vn_fixtures[0]
(self.vn2_name, self.vn2_fix) = self.multi_vn_fixture._vn_fixtures[1]
self.logger.info("Configure security groups required for test.")
self.config_sec_groups()
self.logger.debug("Verify the configured VN's.")
assert self.multi_vn_fixture.verify_on_setup()
self.multi_vm_fixture = self.useFixture(
MultipleVMFixture(project_name=self.inputs.project_name,
connections=self.connections,
vm_count_per_vn=3,
vn_objs=vns,
image_name='ubuntu-traffic',
flavor='contrail_flavor_small'))
vms = self.multi_vm_fixture.get_all_fixture()
(self.vm1_name, self.vm1_fix) = vms[0]
(self.vm2_name, self.vm2_fix) = vms[1]
(self.vm3_name, self.vm3_fix) = vms[2]
(self.vm4_name, self.vm4_fix) = vms[3]
(self.vm5_name, self.vm5_fix) = vms[4]
(self.vm6_name, self.vm6_fix) = vms[5]
self.logger.info("Adding the sec groups to the VM's")
self.vm1_fix.add_security_group(secgrp=self.sg1_name)
self.vm1_fix.add_security_group(secgrp=self.sg2_name)
self.vm2_fix.add_security_group(secgrp=self.sg2_name)
self.vm4_fix.add_security_group(secgrp=self.sg1_name)
self.vm4_fix.add_security_group(secgrp=self.sg2_name)
self.vm5_fix.add_security_group(secgrp=self.sg1_name)
self.logger.info("Remove the default sec group form the VM's")
default_secgrp_id = get_secgrp_id_from_name(
self.connections, ':'.join([
self.connections.domain_name, self.inputs.project_name,
'default'
]))
self.vm1_fix.remove_security_group(secgrp=default_secgrp_id)
self.vm2_fix.remove_security_group(secgrp=default_secgrp_id)
self.vm4_fix.remove_security_group(secgrp=default_secgrp_id)
self.vm5_fix.remove_security_group(secgrp=default_secgrp_id)
self.logger.info("Verifying setup of security group tests.")
self.verify_sg_test_resources()
self.set_tcp_port_use_optimizations([
self.vm1_fix, self.vm2_fix, self.vm3_fix, self.vm4_fix,
self.vm5_fix, self.vm6_fix
])
self.logger.info(
"Finished configuring setup for security group tests.")
def test_slo_rate(self):
"""
Description: Verify security logging rate for inter/intra node traffic
Steps:
1. create 2 VNs and connect them using policy
2. launch 1 VM in each VN on diff compute node
3. set session export rate to 0 and SLO rate to 5
4. send 10 ping packets and verify the no. of session logs in agent log
Pass criteria:
No. of session logs should be 1 for session creation and 1 for teardown
"""
self._create_resources(test_type='intra-node', session_export_rate=0)
policy_obj = self.policy_fixture.policy_obj
project_name = self.project.project_name
sg_fq_name = '%s:%s:default' % (self.connections.domain_name,
project_name)
sg_id = get_secgrp_id_from_name(self.connections, sg_fq_name)
sg_obj = self.vnc_h._vnc.security_group_read(id=sg_id)
parent_obj = self.vnc_h.project_read(
fq_name=[self.connections.domain_name, project_name])
slo_rate = 5
slo_fixture = self.create_slo(parent_obj,
rate=slo_rate,
vn_policy_obj=policy_obj)
for vn in self.vn_fixtures:
self.add_slo_to_vn(slo_fixture, vn)
underlay_proto = 0
proto = 1
self.enable_logging_on_compute(self.client_fixture.vm_node_ip,
log_type=AGENT_LOG)
#Clear local ips after agent restart
self.client_fixture.clear_local_ips()
self.server_fixture.clear_local_ips()
#Verify Session logs in agent logs for SLO
self.start_traffic_validate_slo(self.client_fixture,
self.server_fixture,
self.policy_fixture,
proto=proto,
underlay_proto=underlay_proto,
slo_rate=slo_rate,
exp_session_count=2)
self.logger.info("SLO: Expected Session logs found in agent log for "
"protocol %s" % (self.proto))
##
#Verify SLO rate for inter node icmp traffic
compute_hosts = self.orch.get_hosts()
if not (len(compute_hosts) < 2):
client_node_ip = self.client_fixture.vm_node_ip
server2_node_name = compute_hosts[1] if self.inputs.compute_info[
compute_hosts[1]] != client_node_ip else compute_hosts[0]
server2_fixture = self.create_vms(vn_fixture=self.vn2_fixture,
count=1,
node_name=server2_node_name,
image_name='ubuntu-traffic')[0]
self.verify_vms([server2_fixture])
self.enable_logging_on_compute(server2_fixture.vm_node_ip,
log_type=AGENT_LOG)
#Clear local ips after agent restart
server2_fixture.clear_local_ips()
underlay_proto = UNDERLAY_PROTO[
self.connections.read_vrouter_config_encap()[0]]
#Verify Session logs in agent logs for SLO
self.start_traffic_validate_slo(self.client_fixture,
server2_fixture,
self.policy_fixture,
proto=proto,
underlay_proto=underlay_proto,
slo_rate=slo_rate,
sg_uuid=sg_id,
exp_session_count=2)
self.logger.info(
"SLO: Expected Session logs found in agent log for "
"protocol %s" % (self.proto))
def test_disable_policy_sg_inter_vn(self):
"""
Description: Verify disabling policy for inter VN,inter/intra node traffic with SG
Steps:
1. launch 2 VNs and launch 3 VMs in it.
2. disable policy only on destination VMs and add/remove SG and start traffic
Pass criteria:
1. traffic should go through and flow should not be created
"""
compute_hosts = self.orch.get_hosts()
if len(compute_hosts) < 2:
raise self.skipTest("Skipping test case,\
this test needs atleast 2 compute nodes")
vn_fixtures = self.create_vns(count=2, rt_number='10000')
self.verify_vns(vn_fixtures)
vn1_fixture = vn_fixtures[0]
vn2_fixture = vn_fixtures[1]
#Launch 1 VM in first VN and 2 VMs in another VN
image = 'ubuntu-traffic'
src_vm_fixture = self.create_vms(vn_fixture= vn1_fixture,count=1,
node_name=compute_hosts[0], image_name=image)[0]
dst_vm_fixture1 = self.create_vms(vn_fixture= vn2_fixture,count=1,
node_name=compute_hosts[0], image_name=image)[0]
dst_vm_fixture2 = self.create_vms(vn_fixture= vn2_fixture,count=1,
node_name=compute_hosts[1], image_name=image)[0]
self.verify_vms([src_vm_fixture, dst_vm_fixture1, dst_vm_fixture2])
self.disable_policy_for_vms([dst_vm_fixture1, dst_vm_fixture2])
default_sg_id = get_secgrp_id_from_name(
self.connections,
':'.join([self.inputs.domain_name,
self.inputs.project_name,
'default']))
rule = [{'direction': '<>',
'protocol': 'udp',
'dst_addresses': [{'subnet': {'ip_prefix': '10.1.1.0', 'ip_prefix_len': 24}}],
'dst_ports': [{'start_port': 0, 'end_port': -1}],
'src_ports': [{'start_port': 0, 'end_port': -1}],
'src_addresses': [{'security_group': 'local'}],
}]
sg_fixture = self.create_sg(entries=rule)
self.verify_sg(sg_fixture)
proto = 'udp'
#For Inter node traffic test, use src_vm_fixture and dst_vm_fixture2
#For Intra node, use src_vm_fixture and dst_vm_fixture1
for vm in [dst_vm_fixture1, dst_vm_fixture2]:
if (vm == dst_vm_fixture1):
#Intra Node
ff_exp = 1
rf_exp = 1
else:
#Inter Node
ff_exp = 0
rf_exp = 0
#1. receiver VMI SG with allow rule, use default SG
self.send_traffic_verify_flow_dst_compute(src_vm_fixture,
vm, proto, ff_exp=ff_exp, rf_exp=rf_exp)
#2. receiver VMI SG with only egress rule
self.remove_sg_from_vms([vm], sg_id=default_sg_id)
self.add_sg_to_vms([vm], sg_id=sg_fixture.secgrp_id)
self.send_traffic_verify_flow_dst_compute(src_vm_fixture,
vm, proto, ff_exp=ff_exp, rf_exp=rf_exp)
#3. receiver VMI SG without any rule
sg_fixture.delete_all_rules()
self.send_traffic_verify_flow_dst_compute(src_vm_fixture,
vm, proto, ff_exp=ff_exp, rf_exp=rf_exp)
#4. receiver VMI without SG
self.remove_sg_from_vms([vm], sg_id=sg_fixture.secgrp_id)
self.send_traffic_verify_flow_dst_compute(src_vm_fixture,
vm, proto, ff_exp=ff_exp, rf_exp=rf_exp)
def create_sg_test_resources(self):
"""Config common resources."""
self.logger.info("Configuring setup for security group tests.")
self.vn1_subnets = get_random_cidrs(self.inputs.get_af())
self.vn2_subnets = get_random_cidrs(self.inputs.get_af())
self.vn1_prefix = self.vn1_subnets[0].split('/')[0]
self.vn1_prefix_len = int(self.vn1_subnets[0].split('/')[1])
self.vn2_prefix = self.vn2_subnets[0].split('/')[0]
self.vn2_prefix_len = int(self.vn2_subnets[0].split('/')[1])
vn_s = {'vn1': self.vn1_subnets[0], 'vn2': self.vn2_subnets}
self.multi_vn_fixture = self.useFixture(MultipleVNFixture(
connections=self.connections, inputs=self.inputs, subnet_count=2,
vn_name_net=vn_s, project_name=self.inputs.project_name))
vns = self.multi_vn_fixture.get_all_fixture_obj()
(self.vn1_name, self.vn1_fix) = self.multi_vn_fixture._vn_fixtures[0]
(self.vn2_name, self.vn2_fix) = self.multi_vn_fixture._vn_fixtures[1]
self.logger.info("Configure security groups required for test.")
self.config_sec_groups()
self.logger.debug("Verify the configured VN's.")
assert self.multi_vn_fixture.verify_on_setup()
self.multi_vm_fixture = self.useFixture(MultipleVMFixture(
project_name=self.inputs.project_name, connections=self.connections,
vm_count_per_vn=3, vn_objs=vns, image_name='ubuntu-traffic',
flavor='contrail_flavor_small'))
vms = self.multi_vm_fixture.get_all_fixture()
(self.vm1_name, self.vm1_fix) = vms[0]
(self.vm2_name, self.vm2_fix) = vms[1]
(self.vm3_name, self.vm3_fix) = vms[2]
(self.vm4_name, self.vm4_fix) = vms[3]
(self.vm5_name, self.vm5_fix) = vms[4]
(self.vm6_name, self.vm6_fix) = vms[5]
self.logger.info("Adding the sec groups to the VM's")
self.vm1_fix.add_security_group(secgrp=self.sg1_name)
self.vm1_fix.add_security_group(secgrp=self.sg2_name)
self.vm2_fix.add_security_group(secgrp=self.sg2_name)
self.vm4_fix.add_security_group(secgrp=self.sg1_name)
self.vm4_fix.add_security_group(secgrp=self.sg2_name)
self.vm5_fix.add_security_group(secgrp=self.sg1_name)
self.logger.info("Remove the default sec group form the VM's")
default_secgrp_id = get_secgrp_id_from_name(
self.connections,
':'.join([self.connections.domain_name,
self.inputs.project_name,
'default']))
self.vm1_fix.remove_security_group(secgrp=default_secgrp_id)
self.vm2_fix.remove_security_group(secgrp=default_secgrp_id)
self.vm4_fix.remove_security_group(secgrp=default_secgrp_id)
self.vm5_fix.remove_security_group(secgrp=default_secgrp_id)
self.logger.info("Verifying setup of security group tests.")
self.verify_sg_test_resources()
self.set_tcp_port_use_optimizations([self.vm1_fix, self.vm2_fix,
self.vm3_fix, self.vm4_fix, self.vm5_fix, self.vm6_fix])
self.logger.info(
"Finished configuring setup for security group tests.")
def test_slo_rate(self):
"""
Description: Verify security logging rate for inter/intra node traffic
Steps:
1. create 2 VNs and connect them using policy
2. launch 1 VM in each VN on diff compute node
3. set session export rate to 0 and SLO rate to 5
4. send 10 ping packets and verify the no. of session logs in agent log
Pass criteria:
No. of session logs should be 1 for session creation and 1 for teardown
"""
self._create_resources(test_type='intra-node', session_export_rate=0)
policy_obj = self.policy_fixture.policy_obj
project_name = self.project.project_name
sg_fq_name = '%s:%s:default' % (self.connections.domain_name,
project_name)
sg_id = get_secgrp_id_from_name(self.connections, sg_fq_name)
sg_obj = self.vnc_h._vnc.security_group_read(id=sg_id)
parent_obj = self.vnc_h.project_read(
fq_name=[self.connections.domain_name, project_name])
slo_rate = 5
slo_fixture = self.create_slo(parent_obj, rate=slo_rate,
vn_policy_obj=policy_obj)
for vn in self.vn_fixtures:
self.add_slo_to_vn(slo_fixture, vn)
underlay_proto = 0
proto = 1
self.enable_logging_on_compute(self.client_fixture.vm_node_ip,
log_type=AGENT_LOG, session_type='slo')
#Clear local ips after agent restart
self.client_fixture.clear_local_ips()
self.server_fixture.clear_local_ips()
#Verify Session logs in agent logs for SLO
self.start_traffic_validate_slo(self.client_fixture,
self.server_fixture, self.policy_fixture, proto=proto,
underlay_proto=underlay_proto, slo_rate=slo_rate,
exp_session_count=2)
self.logger.info("SLO: Expected Session logs found in agent log for "
"protocol %s" % (self.proto))
##
#Verify SLO rate for inter node icmp traffic
compute_hosts = self.orch.get_hosts()
if not (len(compute_hosts) < 2):
client_node_ip = self.client_fixture.vm_node_ip
server2_node_name = compute_hosts[1] if self.inputs.compute_info[
compute_hosts[1]] != client_node_ip else compute_hosts[0]
server2_fixture = self.create_vms(vn_fixture=self.vn2_fixture,
count=1, node_name=server2_node_name, image_name='ubuntu-traffic')[0]
self.verify_vms([server2_fixture])
self.enable_logging_on_compute(server2_fixture.vm_node_ip,
log_type=AGENT_LOG, session_type='slo')
#Clear local ips after agent restart
server2_fixture.clear_local_ips()
underlay_proto = UNDERLAY_PROTO[
self.connections.read_vrouter_config_encap()[0]]
#Verify Session logs in agent logs for SLO
self.start_traffic_validate_slo(self.client_fixture,
server2_fixture, self.policy_fixture, proto=proto,
underlay_proto=underlay_proto, slo_rate=slo_rate, sg_uuid=sg_id,
exp_session_count=2)
self.logger.info("SLO: Expected Session logs found in agent log for "
"protocol %s" % (self.proto))
