def create_EgressFirewallRule(self, network, rule):
    """Create one egress firewall rule on ``network`` from a rule dict.

    ``rule`` must provide ``protocol``, ``cidrlist``, ``startport`` and
    ``endport``; a missing key raises ``KeyError`` before the API call.
    Nothing is validated here: whatever CIDR list the caller passes
    (e.g. ``0.0.0.0/0``) becomes the effective egress policy for every
    guest on the network.  Returns the object built by
    ``EgressFireWallRule.create``.
    """
    self.debug("Adding an Egress Firewall rule to allow/deny outgoing traffic from Guest VMs - %s" % rule)
    # Collect the request fields first so a malformed dict fails locally
    # rather than half-way through assembling the API call.
    rule_kwargs = {
        "networkid": network.id,
        "protocol": rule["protocol"],
        "cidrlist": rule["cidrlist"],
        "startport": rule["startport"],
        "endport": rule["endport"],
    }
    return EgressFireWallRule.create(self.api_client, **rule_kwargs)
def deploy_isolatednetwork_egresses(self, isolatednetwork_data, network):
    """Create every egress rule listed under ``egressrules`` on ``network``.

    Each entry's ``data`` dict is handed straight to
    ``EgressFireWallRule.create`` without validation, so the CIDRs and
    port ranges in the config are the effective egress policy of the
    network.  Every created rule is logged field by field at debug level.
    """
    self.logger.debug('>>> ISOLATED NETWORK EGRESS RULE => Creating...')
    rule_specs = isolatednetwork_data['egressrules']
    for spec in rule_specs:
        created = EgressFireWallRule.create(self.api_client, network=network, data=spec['data'])
        rule_fields = (
            created.id,
            created.startport,
            created.endport,
            created.cidrlist,
            created.protocol,
            created.state,
            created.networkid,
        )
        self.logger.debug(
            '>>> ISOLATED NETWORK EGRESS RULE => ID: %s => Start Port: %s '
            '=> End Port: %s => CIDR: %s => Protocol: %s => State: %s '
            '=> Network: %s',
            *rule_fields)
def deploy_isolatednetwork_egresses(self, isolatednetwork_data, network):
    """Apply the configured egress rules to ``network``.

    Walks ``isolatednetwork_data['egressrules']`` and creates one
    ``EgressFireWallRule`` per entry from its ``data`` dict.  The dict is
    passed through unchanged, so any over-broad CIDR in the config lands
    on the network as-is.  Each rule is logged after creation.
    """
    self.logger.debug('>>> ISOLATED NETWORK EGRESS RULE => Creating...')
    log_format = (
        '>>> ISOLATED NETWORK EGRESS RULE => ID: %s => Start Port: %s '
        '=> End Port: %s => CIDR: %s => Protocol: %s => State: %s '
        '=> Network: %s'
    )
    for entry in isolatednetwork_data['egressrules']:
        egress_rule = EgressFireWallRule.create(
            self.api_client,
            network=network,
            data=entry['data'],
        )
        self.logger.debug(
            log_format,
            egress_rule.id,
            egress_rule.startport,
            egress_rule.endport,
            egress_rule.cidrlist,
            egress_rule.protocol,
            egress_rule.state,
            egress_rule.networkid,
        )
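def test_01_RVR_Network_FW_PF_SSH_default_routes_egress_true(self):
    """Redundant-router network whose offering defaults egress to ALLOW.

    Flow: create the network and a VM, check that two routers (master and
    backup) exist, open SSH on the public IP, and confirm the VM can reach
    the outside over ICMP and HTTP.  Then add a single egress rule for
    443 and confirm plain HTTP is now blocked -- the test expects that once
    any explicit egress rule exists only the listed traffic passes.

    Fix vs. the original: ``public_ips`` is validated as a list *before*
    ``public_ips[0]`` is read, so an empty/None API response fails the
    assertion instead of raising ``TypeError``/``IndexError``.
    Needs outbound reachability (8.8.8.8 and the HTTP target) from the zone.
    """
    self.logger.debug(
        "Starting test_01_RVR_Network_FW_PF_SSH_default_routes_egress_true..."
    )
    network_offering_egress_true = get_default_redundant_isolated_network_offering_with_egress(
        self.apiclient)
    self.logger.debug("Creating network with network offering: %s" % network_offering_egress_true.id)
    network = Network.create(
        self.apiclient,
        self.services["network"],
        accountid=self.account.name,
        domainid=self.account.domainid,
        networkofferingid=network_offering_egress_true.id,
        zoneid=self.zone.id)
    self.logger.debug("Created network with ID: %s" % network.id)
    networks = Network.list(self.apiclient, id=network.id, listall=True)
    self.assertEqual(
        isinstance(networks, list),
        True,
        "List networks should return a valid response for created network")
    self.logger.debug("Deploying VM in account: %s" % self.account.name)
    virtual_machine = VirtualMachine.create(
        self.apiclient,
        self.services["virtual_machine"],
        templateid=self.template.id,
        accountid=self.account.name,
        domainid=self.account.domainid,
        serviceofferingid=self.service_offering.id,
        networkids=[str(network.id)])
    self.logger.debug("Deployed VM in network: %s" % network.id)
    # Inserted at the front so the VM ends up ahead of its network
    # (presumably cleanup runs in list order -- VM first, then network).
    self.cleanup.insert(0, network)
    self.cleanup.insert(0, virtual_machine)
    vms = VirtualMachine.list(self.apiclient, id=virtual_machine.id, listall=True)
    self.assertEqual(isinstance(vms, list), True, "List Vms should return a valid list")
    vm = vms[0]
    self.assertEqual(vm.state, "Running", "VM should be in running state after deployment")
    self.logger.debug("Listing routers for network: %s" % network.name)
    routers = Router.list(self.apiclient, networkid=network.id, listall=True)
    self.assertEqual(
        isinstance(routers, list),
        True,
        "list router should return Master and backup routers")
    self.assertEqual(
        len(routers),
        2,
        "Length of the list router should be 2 (Backup & master)")
    public_ips = list_public_ip(self.apiclient, account=self.account.name,
                                domainid=self.account.domainid, zoneid=self.zone.id)
    # Validate the response shape before indexing into it.
    self.assertEqual(
        isinstance(public_ips, list),
        True,
        "Check for list public IPs response return valid data")
    public_ip = public_ips[0]
    # Ingress: SSH on the public IP is opened to any source (0.0.0.0/0).
    # Acceptable in a throwaway test zone; never copy this into a real
    # deployment.
    self.logger.debug("Creating Firewall rule for VM ID: %s" % virtual_machine.id)
    FireWallRule.create(
        self.apiclient,
        ipaddressid=public_ip.id,
        protocol=self.services["natrule_ssh"]["protocol"],
        cidrlist=['0.0.0.0/0'],
        startport=self.services["natrule_ssh"]["publicport"],
        endport=self.services["natrule_ssh"]["publicport"])
    self.logger.debug("Creating NAT rule for VM ID: %s" % virtual_machine.id)
    nat_rule = NATRule.create(self.apiclient, virtual_machine, self.services["natrule_ssh"], public_ip.id)
    # Default egress is ALLOW: both ICMP and HTTP are expected to get out.
    expected = 1
    ssh_command = "ping -c 3 8.8.8.8"
    check_string = "3 packets received"
    result = self.check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
    self.assertEqual(
        result,
        expected,
        "Ping to outside world from VM should be successful!")
    expected = 1
    ssh_command = self.HTTP_COMMAND
    check_string = self.HTTP_CHECK_STRING
    result = self.check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
    self.assertEqual(result, expected, self.HTTP_ASSERT_SUCCESS_MESSAGE)
    # Adding an explicit egress rule (443 only) is expected to replace the
    # implicit allow-all; HTTP, which is not listed, must now be dropped.
    EgressFireWallRule.create(
        self.apiclient,
        networkid=network.id,
        protocol=self.services["egress_443"]["protocol"],
        startport=self.services["egress_443"]["startport"],
        endport=self.services["egress_443"]["endport"],
        cidrlist=self.services["egress_443"]["cidrlist"])
    expected = 0
    result = self.check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
    self.assertEqual(result, expected, self.HTTP_ASSERT_FAILURE_MESSAGE)
    return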
def test_01_isolate_network_FW_PF_default_routes_egress_true(self):
    """Isolated network whose offering defaults egress to ALLOW.

    Creates the network and a VM, checks the (single) virtual router is
    running, opens SSH on the public IP with an ingress rule plus a port
    forward, and verifies the VM can reach the outside over ICMP and
    HTTP.  An egress rule for 443 is then added and the test expects the
    same HTTP command to fail -- i.e. an explicit rule ends the implicit
    allow-all.  Needs outbound reachability from the zone.
    """
    self.logger.debug(
        "Starting test_01_isolate_network_FW_PF_default_routes_egress_true..."
    )
    api = self.apiclient
    acct = self.account
    offering = get_default_isolated_network_offering_with_egress(api)
    self.logger.debug("Creating Network with Network Offering ID %s" % offering.id)
    network = Network.create(
        api,
        self.services["network"],
        accountid=acct.name,
        domainid=acct.domainid,
        networkofferingid=offering.id,
        zoneid=self.zone.id)
    self.logger.debug("Deploying Virtual Machine on Network %s" % network.id)
    guest = VirtualMachine.create(
        api,
        self.services["virtual_machine"],
        templateid=self.template.id,
        accountid=acct.name,
        domainid=self.domain.id,
        serviceofferingid=self.service_offering.id,
        networkids=[str(network.id)])
    self.logger.debug("Deployed VM in network: %s" % network.id)
    # Front-insert both so the VM precedes its network in the cleanup list.
    self.cleanup.insert(0, network)
    self.cleanup.insert(0, guest)
    self.logger.debug(
        "Starting test_isolate_network_FW_PF_default_routes...")
    routers = list_routers(api, account=acct.name, domainid=acct.domainid)
    self.assertEqual(isinstance(routers, list), True, "Check for list routers response return valid data")
    self.assertNotEqual(len(routers), 0, "Check list router response")
    self.assertEqual(routers[0].state, 'Running', "Check list router response for router state")
    public_ips = list_public_ip(api, account=acct.name, domainid=acct.domainid, zoneid=self.zone.id)
    self.assertEqual(
        isinstance(public_ips, list),
        True,
        "Check for list public IPs response return valid data")
    public_ip = public_ips[0]
    # Ingress SSH is opened to every source (0.0.0.0/0) -- test-zone only.
    ssh_svc = self.services["natrule_ssh"]
    self.logger.debug("Creating Firewall rule for VM ID: %s" % guest.id)
    FireWallRule.create(
        api,
        ipaddressid=public_ip.id,
        protocol=ssh_svc["protocol"],
        cidrlist=['0.0.0.0/0'],
        startport=ssh_svc["publicport"],
        endport=ssh_svc["publicport"])
    self.logger.debug("Creating NAT rule for VM ID: %s" % guest.id)
    # Port-forward the public SSH port to the guest.
    nat_rule = NATRule.create(api, guest, ssh_svc, public_ip.id)
    nat_rules = list_nat_rules(api, id=nat_rule.id)
    self.assertEqual(
        isinstance(nat_rules, list),
        True,
        "Check for list NAT rules response return valid data")
    self.assertEqual(nat_rules[0].state, 'Active', "Check list port forwarding rules")
    # With egress defaulting to ALLOW, ICMP out must work.
    result = self.check_router_command(guest, nat_rule.ipaddress, "ping -c 3 8.8.8.8", "3 packets received", self)
    self.assertEqual(
        result,
        1,
        "Ping to outside world from VM should be successful!")
    # ... and so must HTTP.
    http_cmd = self.HTTP_COMMAND
    http_check = self.HTTP_CHECK_STRING
    result = self.check_router_command(guest, nat_rule.ipaddress, http_cmd, http_check, self)
    self.assertEqual(result, 1, self.HTTP_ASSERT_SUCCESS_MESSAGE)
    # One explicit egress rule (443) is expected to switch the network
    # away from allow-all; the HTTP probe should now fail.
    egress_svc = self.services["egress_443"]
    EgressFireWallRule.create(
        api,
        networkid=network.id,
        protocol=egress_svc["protocol"],
        startport=egress_svc["startport"],
        endport=egress_svc["endport"],
        cidrlist=egress_svc["cidrlist"])
    result = self.check_router_command(guest, nat_rule.ipaddress, http_cmd, http_check, self)
    self.assertEqual(result, 0, self.HTTP_ASSERT_FAILURE_MESSAGE)
    return
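def setUpClass(cls):
    """Build a password-enabled template and a VM from it (class fixture).

    In order: create account, offering and a VM; open egress (advanced
    zones) so the guest can fetch the ``cloud-set-guest-password`` script;
    install that script as an init service over SSH; stop the VM; turn
    its ROOT volume into a public template; destroy the VM and deploy
    ``cls.vm`` from the new template.

    Changes vs. the original: the stop-timeout error no longer
    dereferences ``vm``, which is unbound if ``list_virtual_machines``
    never returned a list (the ``UnboundLocalError`` masked the real
    failure), and an empty list response is tolerated instead of raising
    ``IndexError`` inside the poll loop.
    """
    cls.testClient = super(TestVMPasswordEnabled, cls).getClsTestClient()
    cls.api_client = cls.testClient.getApiClient()
    cls.services = Services().services
    # Get Zone, Domain and templates
    domain = get_domain(cls.api_client)
    zone = get_zone(cls.api_client, cls.testClient.getZoneForTests())
    cls.services['mode'] = zone.networktype
    template = get_template(
        cls.api_client,
        zone.id,
        cls.services["ostype"]
    )
    # Set Zones and disk offerings
    cls.services["small"]["zoneid"] = zone.id
    cls.services["small"]["template"] = template.id
    # Create VMs, NAT Rules etc
    cls.account = Account.create(
        cls.api_client,
        cls.services["account"],
        domainid=domain.id
    )
    cls.small_offering = ServiceOffering.create(
        cls.api_client,
        cls.services["service_offerings"]["small"]
    )
    cls.virtual_machine = VirtualMachine.create(
        cls.api_client,
        cls.services["small"],
        accountid=cls.account.name,
        domainid=cls.account.domainid,
        serviceofferingid=cls.small_offering.id,
        mode=cls.services["mode"]
    )
    networkid = cls.virtual_machine.nic[0].networkid
    cls.hypervisor = cls.testClient.getHypervisorInfo()
    # create egress rule to allow wget of my cloud-set-guest-password
    # script
    if zone.networktype.lower() == 'advanced':
        EgressFireWallRule.create(
            cls.api_client,
            networkid=networkid,
            protocol=cls.services["egress"]["protocol"],
            startport=cls.services["egress"]["startport"],
            endport=cls.services["egress"]["endport"],
            cidrlist=cls.services["egress"]["cidrlist"])
    # The guest password comes from the static test config, not from the
    # password service; it is only used for this bootstrap SSH session.
    cls.virtual_machine.password = cls.services["small"]["password"]
    ssh = cls.virtual_machine.get_ssh_client()
    # below steps are required to get the new password from VR
    # (reset password)
    # http://cloudstack.org/dl/cloud-set-guest-password
    # Copy this file to /etc/init.d
    # chmod +x /etc/init.d/cloud-set-guest-password
    # chkconfig --add cloud-set-guest-password
    #
    # SECURITY NOTE(review): the script is fetched over plain HTTP from a
    # personal directory on people.apache.org and installed as a root
    # init script with no checksum or signature check.  Anything on the
    # path can substitute it, and the result is baked into a *public*
    # template below.  Tolerable only in an isolated lab zone; pin an
    # https:// URL and verify a sha256 before reusing this fixture
    # anywhere shared.
    cmds = [
        "cd /etc/init.d;wget http://people.apache.org/~tsp/cloud-set-guest-password",
        "chmod +x /etc/init.d/cloud-set-guest-password",
        "chkconfig --add cloud-set-guest-password",
    ]
    for c in cmds:
        ssh.execute(c)
    # Adding delay of 120 sec to avoid data loss due to timing issue
    time.sleep(120)
    # Stop virtual machine
    cls.virtual_machine.stop(cls.api_client)
    # Poll listVM to ensure VM is stopped properly
    timeout = cls.services["timeout"]
    while True:
        time.sleep(cls.services["sleep"])
        # Ensure that VM is in stopped state
        list_vm_response = list_virtual_machines(
            cls.api_client,
            id=cls.virtual_machine.id
        )
        # Guard the empty-list case as well as the non-list case.
        if isinstance(list_vm_response, list) and list_vm_response:
            vm = list_vm_response[0]
            if vm.state == 'Stopped':
                break
        if timeout == 0:
            # Report by the id we already know; ``vm`` may never have
            # been bound if no poll returned a usable list.
            raise Exception(
                "Failed to stop VM (ID: %s) " % cls.virtual_machine.id)
        timeout = timeout - 1
    list_volume = list_volumes(
        cls.api_client,
        virtualmachineid=cls.virtual_machine.id,
        type='ROOT',
        listall=True
    )
    if isinstance(list_volume, list):
        cls.volume = list_volume[0]
    else:
        raise Exception(
            "Exception: Unable to find root volume for VM: %s" %
            cls.virtual_machine.id)
    cls.services["template"]["ostype"] = cls.services["ostype"]
    # ispublic=True exposes the template beyond this account -- fine for a
    # throwaway test zone, not for a shared environment.
    cls.services["template"]["ispublic"] = True
    # Create templates for Edit, Delete & update permissions testcases
    cls.pw_enabled_template = Template.create(
        cls.api_client,
        cls.services["template"],
        cls.volume.id,
    )
    # Delete the VM - No longer needed
    cls.virtual_machine.delete(cls.api_client, expunge=True)
    cls.services["small"]["template"] = cls.pw_enabled_template.id
    cls.vm = VirtualMachine.create(
        cls.api_client,
        cls.services["small"],
        accountid=cls.account.name,
        domainid=cls.account.domainid,
        serviceofferingid=cls.small_offering.id,
        mode=cls.services["mode"]
    )
    cls._cleanup = [
        cls.small_offering,
        cls.pw_enabled_template,
        cls.account
    ]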
def test_02_isolate_network_FW_PF_default_routes_egress_false(self):
    """Isolated network whose offering defaults egress to DENY.

    Builds a new network offering (egress default false), a network and a
    VM on it; checks the virtual router is running; opens SSH on the
    public IP.  With no egress rules, ICMP and HTTP to the outside are
    expected to fail.  After adding an egress rule for port 80 the HTTP
    probe is expected to succeed.
    NOTE(review): only port 80 is opened, yet ``wget www.google.com`` must
    resolve the name first -- presumably the router answers DNS on the
    guest side; if it does not, this test needs an ``egress_53`` rule like
    the RVR variant.  Needs outbound reachability from the zone.
    """
    api = self.apiclient
    acct = self.account
    self.logger.debug("Starting test_02_isolate_network_FW_PF_default_routes_egress_false...")
    self.logger.debug("Creating Network Offering with default egress FALSE")
    deny_offering = NetworkOffering.create(api, self.services["network_offering_egress_false"], conservemode=True)
    deny_offering.update(api, state='Enabled')
    self.logger.debug("Creating Network with Network Offering ID %s" % deny_offering.id)
    network = Network.create(api, self.services["network"], accountid=acct.name, domainid=acct.domainid, networkofferingid=deny_offering.id, zoneid=self.zone.id)
    self.logger.debug("Deploying Virtual Machine on Network %s" % network.id)
    guest = VirtualMachine.create(api, self.services["virtual_machine"], templateid=self.template.id, accountid=acct.name, domainid=self.domain.id, serviceofferingid=self.service_offering.id, networkids=[str(network.id)])
    self.logger.debug("Deployed VM in network: %s" % network.id)
    # Front-insert in creation order so teardown sees VM, network, offering.
    for resource in (deny_offering, network, guest):
        self.cleanup.insert(0, resource)
    self.logger.debug("Starting test_isolate_network_FW_PF_default_routes...")
    routers = list_routers(api, account=acct.name, domainid=acct.domainid)
    self.assertEqual(isinstance(routers, list), True, "Check for list routers response return valid data")
    self.assertNotEqual(len(routers), 0, "Check list router response")
    self.assertEqual(routers[0].state, 'Running', "Check list router response for router state")
    public_ips = list_publicIP(api, account=acct.name, domainid=acct.domainid, zoneid=self.zone.id)
    self.assertEqual(isinstance(public_ips, list), True, "Check for list public IPs response return valid data")
    public_ip = public_ips[0]
    # Ingress SSH is opened to every source (0.0.0.0/0) -- test-zone only.
    nat_svc = self.services["natrule"]
    self.logger.debug("Creating Firewall rule for VM ID: %s" % guest.id)
    FireWallRule.create(api, ipaddressid=public_ip.id, protocol=nat_svc["protocol"], cidrlist=['0.0.0.0/0'], startport=nat_svc["publicport"], endport=nat_svc["publicport"])
    self.logger.debug("Creating NAT rule for VM ID: %s" % guest.id)
    # Create NAT rule
    nat_rule = NATRule.create(api, guest, nat_svc, public_ip.id)
    nat_rules = list_nat_rules(api, id=nat_rule.id)
    self.assertEqual(isinstance(nat_rules, list), True, "Check for list NAT rules response return valid data")
    self.assertEqual(nat_rules[0].state, 'Active', "Check list port forwarding rules")
    # Egress defaults to DENY: neither ICMP nor HTTP may get out.
    result = check_router_command(guest, nat_rule.ipaddress, "ping -c 3 8.8.8.8", " 0% packet loss", self)
    self.assertEqual(result, 0, "Ping to outside world from VM should NOT be successful")
    http_ok = "HTTP request sent, awaiting response... 200 OK"
    result = check_router_command(guest, nat_rule.ipaddress, "wget -t 1 -T 1 www.google.com", http_ok, self)
    self.assertEqual(result, 0, "Attempt to retrieve google.com index page should NOT be successful")
    # Allow port 80 out; the HTTP probe (with a longer timeout) should now pass.
    egress_svc = self.services["egress_80"]
    EgressFireWallRule.create(api, networkid=network.id, protocol=egress_svc["protocol"], startport=egress_svc["startport"], endport=egress_svc["endport"], cidrlist=egress_svc["cidrlist"])
    result = check_router_command(guest, nat_rule.ipaddress, "wget -t 1 -T 5 www.google.com", http_ok, self)
    self.assertEqual(result, 1, "Attempt to retrieve google.com index page should be successful once rule is added!")
    return
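def test_02_RVR_Network_FW_PF_SSH_default_routes_egress_false(self):
    """Redundant-router network whose offering defaults egress to DENY.

    Builds a persistent RVR offering with egress default false, a network
    and a VM; checks two routers exist; opens SSH on the public IP.  With
    no egress rules, ICMP and HTTP to the outside are expected to fail.
    After adding egress rules for 80 and 53 (DNS is needed to resolve the
    probe target) the HTTP probe is expected to succeed.

    Changes vs. the original: the offering's ``update`` call used
    ``self.api_client`` while every other call in this method uses
    ``self.apiclient`` -- presumably a typo that would raise
    ``AttributeError`` unless the class defines both -- so it now uses
    ``self.apiclient``; the unused ``nw_response`` local is replaced by an
    explicit non-empty check.  Needs outbound reachability from the zone.
    """
    self.logger.debug("Starting test_02_RVR_Network_FW_PF_SSH_default_routes_egress_false...")
    self.logger.debug("Creating Network Offering with default egress FALSE")
    network_offering_egress_false = NetworkOffering.create(
        self.apiclient,
        self.services["nw_off_persistent_RVR_egress_false"],
        conservemode=True
    )
    # Same client as the rest of the method (was ``self.api_client``).
    network_offering_egress_false.update(self.apiclient, state='Enabled')
    self.logger.debug("Creating network with network offering: %s" % network_offering_egress_false.id)
    network = Network.create(
        self.apiclient,
        self.services["network"],
        accountid=self.account.name,
        domainid=self.account.domainid,
        networkofferingid=network_offering_egress_false.id,
        zoneid=self.zone.id
    )
    self.logger.debug("Created network with ID: %s" % network.id)
    networks = Network.list(
        self.apiclient,
        id=network.id,
        listall=True
    )
    self.assertEqual(
        isinstance(networks, list),
        True,
        "List networks should return a valid response for created network"
    )
    # The original indexed networks[0] into an unused local; keep the
    # implied "non-empty" check as an assertion with a message.
    self.assertNotEqual(
        len(networks),
        0,
        "List networks should contain the created network"
    )
    self.logger.debug("Deploying VM in account: %s" % self.account.name)
    virtual_machine = VirtualMachine.create(
        self.apiclient,
        self.services["virtual_machine"],
        templateid=self.template.id,
        accountid=self.account.name,
        domainid=self.account.domainid,
        serviceofferingid=self.service_offering.id,
        networkids=[str(network.id)]
    )
    self.logger.debug("Deployed VM in network: %s" % network.id)
    # Front-insert so teardown order is VM, network, offering.
    self.cleanup.insert(0, network_offering_egress_false)
    self.cleanup.insert(0, network)
    self.cleanup.insert(0, virtual_machine)
    vms = VirtualMachine.list(
        self.apiclient,
        id=virtual_machine.id,
        listall=True
    )
    self.assertEqual(
        isinstance(vms, list),
        True,
        "List Vms should return a valid list"
    )
    vm = vms[0]
    self.assertEqual(
        vm.state,
        "Running",
        "VM should be in running state after deployment"
    )
    self.logger.debug("Listing routers for network: %s" % network.name)
    routers = Router.list(
        self.apiclient,
        networkid=network.id,
        listall=True
    )
    self.assertEqual(
        isinstance(routers, list),
        True,
        "list router should return Master and backup routers"
    )
    self.assertEqual(
        len(routers),
        2,
        "Length of the list router should be 2 (Backup & master)"
    )
    public_ips = list_publicIP(
        self.apiclient,
        account=self.account.name,
        domainid=self.account.domainid,
        zoneid=self.zone.id
    )
    self.assertEqual(
        isinstance(public_ips, list),
        True,
        "Check for list public IPs response return valid data"
    )
    public_ip = public_ips[0]
    # Ingress SSH is opened to every source (0.0.0.0/0) -- test-zone only.
    self.logger.debug("Creating Firewall rule for VM ID: %s" % virtual_machine.id)
    FireWallRule.create(
        self.apiclient,
        ipaddressid=public_ip.id,
        protocol=self.services["natrule"]["protocol"],
        cidrlist=['0.0.0.0/0'],
        startport=self.services["natrule"]["publicport"],
        endport=self.services["natrule"]["publicport"]
    )
    self.logger.debug("Creating NAT rule for VM ID: %s" % virtual_machine.id)
    nat_rule = NATRule.create(
        self.apiclient,
        virtual_machine,
        self.services["natrule"],
        public_ip.id
    )
    # Egress defaults to DENY: neither ICMP nor HTTP may get out.
    expected = 0
    ssh_command = "ping -c 3 8.8.8.8"
    check_string = " 0% packet loss"
    result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
    self.assertEqual(
        result,
        expected,
        "Ping to outside world from VM should NOT be successful"
    )
    expected = 0
    ssh_command = "wget -t 1 -T 1 www.google.com"
    check_string = "HTTP request sent, awaiting response... 200 OK"
    result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
    self.assertEqual(
        result,
        expected,
        "Attempt to retrieve google.com index page should NOT be successful"
    )
    # Open 80 for the fetch and 53 so the guest can resolve the hostname.
    EgressFireWallRule.create(
        self.apiclient,
        networkid=network.id,
        protocol=self.services["egress_80"]["protocol"],
        startport=self.services["egress_80"]["startport"],
        endport=self.services["egress_80"]["endport"],
        cidrlist=self.services["egress_80"]["cidrlist"]
    )
    EgressFireWallRule.create(
        self.apiclient,
        networkid=network.id,
        protocol=self.services["egress_53"]["protocol"],
        startport=self.services["egress_53"]["startport"],
        endport=self.services["egress_53"]["endport"],
        cidrlist=self.services["egress_53"]["cidrlist"]
    )
    expected = 1
    ssh_command = "wget -t 1 -T 5 www.google.com"
    check_string = "HTTP request sent, awaiting response... 200 OK"
    result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
    self.assertEqual(
        result,
        expected,
        "Attempt to retrieve google.com index page should be successful once rule is added!"
    )
    return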
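def setUpClass(cls):
    """Build a password-enabled template and a VM from it (class fixture).

    In order: create account, offering and a VM; skip on LXC (no template
    creation); open egress (advanced zones) so the guest can fetch the
    ``cloud-set-guest-password`` script; install it as an init service
    over SSH; stop the VM; turn its ROOT volume into a public template;
    destroy the VM and deploy ``cls.vm`` from the new template.

    Changes vs. the original: the stop-timeout error no longer
    dereferences ``vm``, which is unbound if ``list_virtual_machines``
    never returned a list (the ``UnboundLocalError`` masked the real
    failure), and an empty list response is tolerated instead of raising
    ``IndexError`` inside the poll loop.
    """
    cls.testClient = super(TestVMPasswordEnabled, cls).getClsTestClient()
    cls.api_client = cls.testClient.getApiClient()
    cls.services = Services().services
    # Get Zone, Domain and templates
    domain = get_domain(cls.api_client)
    zone = get_zone(cls.api_client, cls.testClient.getZoneForTests())
    cls.services['mode'] = zone.networktype
    template = get_template(cls.api_client, zone.id, cls.services["ostype"])
    # Set Zones and disk offerings
    cls.services["small"]["zoneid"] = zone.id
    cls.services["small"]["template"] = template.id
    # Create VMs, NAT Rules etc
    cls.account = Account.create(cls.api_client, cls.services["account"], domainid=domain.id)
    cls.small_offering = ServiceOffering.create(
        cls.api_client,
        cls.services["service_offerings"]["small"])
    cls.virtual_machine = VirtualMachine.create(
        cls.api_client,
        cls.services["small"],
        accountid=cls.account.name,
        domainid=cls.account.domainid,
        serviceofferingid=cls.small_offering.id,
        mode=cls.services["mode"])
    networkid = cls.virtual_machine.nic[0].networkid
    cls.hypervisor = cls.testClient.getHypervisorInfo()
    # Note: the account and VM above are already created when this skip
    # fires; tearDownClass is presumably what removes them.
    if cls.hypervisor.lower() in ['lxc']:
        raise unittest.SkipTest(
            "template creation is not supported on %s" %
            cls.hypervisor)
    # create egress rule to allow wget of my cloud-set-guest-password
    # script
    if zone.networktype.lower() == 'advanced':
        EgressFireWallRule.create(
            cls.api_client,
            networkid=networkid,
            protocol=cls.services["egress"]["protocol"],
            startport=cls.services["egress"]["startport"],
            endport=cls.services["egress"]["endport"],
            cidrlist=cls.services["egress"]["cidrlist"])
    # The guest password comes from the static test config, not from the
    # password service; it is only used for this bootstrap SSH session.
    cls.virtual_machine.password = cls.services["small"]["password"]
    ssh = cls.virtual_machine.get_ssh_client()
    # below steps are required to get the new password from VR
    # (reset password)
    # http://cloudstack.org/dl/cloud-set-guest-password
    # Copy this file to /etc/init.d
    # chmod +x /etc/init.d/cloud-set-guest-password
    # chkconfig --add cloud-set-guest-password
    #
    # SECURITY NOTE(review): the script is fetched over plain HTTP from a
    # personal directory on people.apache.org and installed as a root
    # init script with no checksum or signature check.  Anything on the
    # path can substitute it, and the result is baked into a *public*
    # template below.  Tolerable only in an isolated lab zone; pin an
    # https:// URL and verify a sha256 before reusing this fixture
    # anywhere shared.
    cmds = [
        "cd /etc/init.d;wget http://people.apache.org/~tsp/cloud-set-guest-password",
        "chmod +x /etc/init.d/cloud-set-guest-password",
        "chkconfig --add cloud-set-guest-password",
    ]
    for c in cmds:
        ssh.execute(c)
    # Adding delay of 120 sec to avoid data loss due to timing issue
    time.sleep(120)
    # Stop virtual machine
    cls.virtual_machine.stop(cls.api_client)
    # Poll listVM to ensure VM is stopped properly
    timeout = cls.services["timeout"]
    while True:
        time.sleep(cls.services["sleep"])
        # Ensure that VM is in stopped state
        list_vm_response = list_virtual_machines(cls.api_client, id=cls.virtual_machine.id)
        # Guard the empty-list case as well as the non-list case.
        if isinstance(list_vm_response, list) and list_vm_response:
            vm = list_vm_response[0]
            if vm.state == 'Stopped':
                break
        if timeout == 0:
            # Report by the id we already know; ``vm`` may never have
            # been bound if no poll returned a usable list.
            raise Exception("Failed to stop VM (ID: %s) " % cls.virtual_machine.id)
        timeout = timeout - 1
    list_volume = list_volumes(cls.api_client, virtualmachineid=cls.virtual_machine.id, type='ROOT', listall=True)
    if isinstance(list_volume, list):
        cls.volume = list_volume[0]
    else:
        raise Exception(
            "Exception: Unable to find root volume for VM: %s" %
            cls.virtual_machine.id)
    cls.services["template"]["ostype"] = cls.services["ostype"]
    # ispublic=True exposes the template beyond this account -- fine for a
    # throwaway test zone, not for a shared environment.
    cls.services["template"]["ispublic"] = True
    # Create templates for Edit, Delete & update permissions testcases
    cls.pw_enabled_template = Template.create(
        cls.api_client,
        cls.services["template"],
        cls.volume.id,
    )
    # Delete the VM - No longer needed
    cls.virtual_machine.delete(cls.api_client, expunge=True)
    cls.services["small"]["template"] = cls.pw_enabled_template.id
    cls.vm = VirtualMachine.create(cls.api_client, cls.services["small"], accountid=cls.account.name, domainid=cls.account.domainid, serviceofferingid=cls.small_offering.id, mode=cls.services["mode"])
    cls._cleanup = [
        cls.small_offering,
        cls.pw_enabled_template,
        cls.account
    ]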