def deallocate_ips_by_vif(self, context, tenant_id, net_id, vif_ref): """Deallocate all fixed IPs associated with the specified virtual interface. """ admin_context = context.elevated() fixed_ips = db.fixed_ips_by_virtual_interface(admin_context, vif_ref['id']) # NOTE(s0mik): Sets fixed-ip to deallocated, but leaves the entry # associated with the instance-id. This prevents us from handing it # out again immediately, as allocating it to a new instance before # a DHCP lease has timed-out is bad. Instead, the fixed-ip will # be disassociated with the instance-id by a call to one of two # methods inherited from FlatManager: # - if DHCP is in use, a lease expiring in dnsmasq triggers # a call to release_fixed_ip in the network manager. # - otherwise, _disassociate_stale_fixed_ips is called periodically # to disassociate all fixed ips that are unallocated # but still associated with an instance-id. for fixed_ip in fixed_ips: db.fixed_ip_update(admin_context, fixed_ip['address'], {'allocated': False, 'virtual_interface_id': None}) if len(fixed_ips) == 0: LOG.error(_('No fixed IPs to deallocate for vif %s') % vif_ref['id'])
def test_instance_dns(self): fixedip = '192.168.0.101' self.mox.StubOutWithMock(db, 'network_get') self.mox.StubOutWithMock(db, 'network_update') self.mox.StubOutWithMock(db, 'fixed_ip_associate_pool') self.mox.StubOutWithMock(db, 'instance_get') self.mox.StubOutWithMock( db, 'virtual_interface_get_by_instance_and_network') self.mox.StubOutWithMock(db, 'fixed_ip_update') db.fixed_ip_update(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()) db.virtual_interface_get_by_instance_and_network( mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn({'id': 0}) db.instance_get(mox.IgnoreArg(), mox.IgnoreArg()).AndReturn( {'security_groups': [{ 'id': 0 }]}) db.instance_get(self.context, 1).AndReturn({'display_name': HOST}) db.fixed_ip_associate_pool(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn(fixedip) db.network_get(mox.IgnoreArg(), mox.IgnoreArg()).AndReturn(networks[0]) db.network_update(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()) self.mox.ReplayAll() self.network.add_fixed_ip_to_instance(self.context, 1, HOST, networks[0]['id']) addresses = self.network.instance_dns_manager.get_entries_by_name(HOST) self.assertEqual(len(addresses), 1) self.assertEqual(addresses[0], fixedip)
def test_add_fixed_ip_instance_without_vpn_requested_networks(self): self.mox.StubOutWithMock(db, 'network_get') self.mox.StubOutWithMock(db, 'network_update') self.mox.StubOutWithMock(db, 'fixed_ip_associate_pool') self.mox.StubOutWithMock(db, 'instance_get') self.mox.StubOutWithMock( db, 'virtual_interface_get_by_instance_and_network') self.mox.StubOutWithMock(db, 'fixed_ip_update') db.fixed_ip_update(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()) db.virtual_interface_get_by_instance_and_network( mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn({'id': 0}) db.instance_get(mox.IgnoreArg(), mox.IgnoreArg()).AndReturn( {'security_groups': [{ 'id': 0 }]}) db.instance_get(self.context, 1).AndReturn({'display_name': HOST}) db.fixed_ip_associate_pool(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn('192.168.0.101') db.network_get(mox.IgnoreArg(), mox.IgnoreArg()).AndReturn(networks[0]) db.network_update(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()) self.mox.ReplayAll() self.network.add_fixed_ip_to_instance(self.context, 1, HOST, networks[0]['id'])
def test_instance_dns(self): fixedip = '192.168.0.101' self.mox.StubOutWithMock(db, 'network_get') self.mox.StubOutWithMock(db, 'network_update') self.mox.StubOutWithMock(db, 'fixed_ip_associate_pool') self.mox.StubOutWithMock(db, 'instance_get') self.mox.StubOutWithMock(db, 'virtual_interface_get_by_instance_and_network') self.mox.StubOutWithMock(db, 'fixed_ip_update') db.fixed_ip_update(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()) db.virtual_interface_get_by_instance_and_network(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn({'id': 0}) db.instance_get(mox.IgnoreArg(), mox.IgnoreArg()).AndReturn({'security_groups': [{'id': 0}]}) db.instance_get(self.context, 1).AndReturn({'display_name': HOST}) db.fixed_ip_associate_pool(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn(fixedip) db.network_get(mox.IgnoreArg(), mox.IgnoreArg()).AndReturn(networks[0]) db.network_update(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()) self.mox.ReplayAll() self.network.add_fixed_ip_to_instance(self.context, 1, HOST, networks[0]['id']) addresses = self.network.instance_dns_manager.get_entries_by_name(HOST) self.assertEqual(len(addresses), 1) self.assertEqual(addresses[0], fixedip)
def save(self, context): updates = self.obj_get_changes() if 'address' in updates: raise exception.ObjectActionError(action='save', reason='address is not mutable') db.fixed_ip_update(context, str(self.address), updates) self.obj_reset_changes()
def test_add_fixed_ip_instance_without_vpn_requested_networks(self): self.mox.StubOutWithMock(db, 'network_get') self.mox.StubOutWithMock(db, 'fixed_ip_associate_pool') self.mox.StubOutWithMock(db, 'instance_get') self.mox.StubOutWithMock(db, 'virtual_interface_get_by_instance_and_network') self.mox.StubOutWithMock(db, 'fixed_ip_update') db.fixed_ip_update(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()) db.virtual_interface_get_by_instance_and_network(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn({'id': 0}) db.instance_get(mox.IgnoreArg(), mox.IgnoreArg()).AndReturn({'security_groups': [{'id': 0}]}) db.fixed_ip_associate_pool(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn('192.168.0.101') db.network_get(mox.IgnoreArg(), mox.IgnoreArg()).AndReturn(networks[0]) self.mox.ReplayAll() self.network.add_fixed_ip_to_instance(self.context, 1, HOST, networks[0]['id'])
def deallocate_ips_by_vif(self, context, tenant_id, net_id, vif_ref): """Deallocate all fixed IPs associated with the specified virtual interface. """ admin_context = context.elevated() fixed_ips = db.fixed_ips_by_virtual_interface(admin_context, vif_ref['id']) # NOTE(s0mik): Sets fixed-ip to deallocated, but leaves the entry # associated with the instance-id. This prevents us from handing it # out again immediately, as allocating it to a new instance before # a DHCP lease has timed-out is bad. Instead, the fixed-ip will # be disassociated with the instance-id by a call to one of two # methods inherited from FlatManager: # - if DHCP is in use, a lease expiring in dnsmasq triggers # a call to release_fixed_ip in the network manager. # - otherwise, _disassociate_stale_fixed_ips is called periodically # to disassociate all fixed ips that are unallocated # but still associated with an instance-id. for fixed_ip in fixed_ips: db.fixed_ip_update(admin_context, fixed_ip['address'], { 'allocated': False, 'virtual_interface_id': None }) if len(fixed_ips) == 0: LOG.error( _('No fixed IPs to deallocate for vif %s') % vif_ref['id'])
def test_unreserve(self): db.fixed_ip_update(context.get_admin_context(), '10.0.0.100', {'reserved': True}) self.commands.unreserve('10.0.0.100') address = db.fixed_ip_get_by_address(context.get_admin_context(), '10.0.0.100') self.assertEqual(address['reserved'], False)
def delete(self, context): """ PF9 function :param context: :return: """ db.fixed_ip_update(context, str(self.address), dict(deleted=True)) self.deleted = True self.obj_reset_changes(['deleted'])
def allocate_fixed_ip(self, context, tenant_id, quantum_net_id, vif_rec): """Allocates a single fixed IPv4 address for a virtual interface.""" admin_context = context.elevated() network = db.network_get_by_uuid(admin_context, quantum_net_id) if network['cidr']: address = db.fixed_ip_associate_pool(admin_context, network['id'], vif_rec['instance_id']) values = {'allocated': True, 'virtual_interface_id': vif_rec['id']} db.fixed_ip_update(admin_context, address, values)
def _set_reserved(self, context, address, reserved): try: fixed_ip = db.fixed_ip_get_by_address(context, address) db.fixed_ip_update(context, fixed_ip["address"], {"reserved": reserved}) except exception.FixedIpNotFoundForAddress: msg = _("Fixed IP %s not found") % address raise webob.exc.HTTPNotFound(explanation=msg) return webob.exc.HTTPAccepted()
def allocate_fixed_ips(self, context, tenant_id, quantum_net_id, network_tenant_id, vif_rec): """Allocates a single fixed IPv4 address for a virtual interface.""" admin_context = context.elevated() network = db.network_get_by_uuid(admin_context, quantum_net_id) address = None if network["cidr"]: address = db.fixed_ip_associate_pool(admin_context, network["id"], vif_rec["instance_id"]) values = {"allocated": True, "virtual_interface_id": vif_rec["id"]} db.fixed_ip_update(admin_context, address, values) return [address]
def _set_reserved(self, context, address, reserved): try: fixed_ip = db.fixed_ip_get_by_address(context, address) db.fixed_ip_update(context, fixed_ip['address'], {'reserved': reserved}) except (exception.FixedIpNotFoundForAddress, exception.FixedIpInvalid): msg = _("Fixed IP %s not found") % address raise webob.exc.HTTPNotFound(explanation=msg) return webob.exc.HTTPAccepted()
def deallocate_ips_by_vif(self, context, tenant_id, net_id, vif_ref): """Deallocate all fixed IPs associated with the specified virtual interface. """ admin_context = context.elevated() fixed_ips = db.fixed_ips_by_virtual_interface(admin_context, vif_ref["id"]) for fixed_ip in fixed_ips: db.fixed_ip_update(admin_context, fixed_ip["address"], {"allocated": False, "virtual_interface_id": None}) if len(fixed_ips) == 0: LOG.error(_("No fixed IPs to deallocate for vif %s" % vif_ref["id"]))
def _set_reserved(self, address, reserved): ctxt = context.get_admin_context() try: fixed_ip = db.fixed_ip_get_by_address(ctxt, address) if fixed_ip is None: raise exception.NotFound("Could not find address") db.fixed_ip_update(ctxt, fixed_ip["address"], {"reserved": reserved}) except exception.NotFound as ex: print _("error: %s") % ex return 2
def _set_reserved(self, address, reserved): ctxt = context.get_admin_context() try: fixed_ip = db.fixed_ip_get_by_address(ctxt, address) if fixed_ip is None: raise exception.NotFound('Could not find address') db.fixed_ip_update(ctxt, fixed_ip['address'], {'reserved': reserved}) except exception.NotFound as ex: print _("error: %s") % ex return(2)
def _set_reserved(self, address, reserved): ctxt = context.get_admin_context() try: fixed_ip = db.fixed_ip_get_by_address(ctxt, address) if fixed_ip is None: raise exception.NotFound('Could not find address') db.fixed_ip_update(ctxt, fixed_ip['address'], {'reserved': reserved}) except exception.NotFound as ex: print(_("error: %s") % ex) return(2)
def deallocate_ips_by_vif(self, context, tenant_id, net_id, vif_ref): """Deallocate all fixed IPs associated with the specified virtual interface. """ admin_context = context.elevated() fixed_ips = db.fixed_ips_by_virtual_interface(admin_context, vif_ref['id']) for fixed_ip in fixed_ips: db.fixed_ip_update(admin_context, fixed_ip['address'], {'allocated': False, 'virtual_interface_id': None}) if len(fixed_ips) == 0: LOG.error(_('No fixed IPs to deallocate for vif %s'), vif_ref['id'])
def test_network_delete_safe(self): ctxt = context.get_admin_context() values = {"host": "localhost", "project_id": "project1"} network = db.network_create_safe(ctxt, values) db_network = db.network_get(ctxt, network.id) values = {"network_id": network["id"], "address": "fake1"} address1 = db.fixed_ip_create(ctxt, values) values = {"network_id": network["id"], "address": "fake2", "allocated": True} address2 = db.fixed_ip_create(ctxt, values) self.assertRaises(exception.NetworkInUse, db.network_delete_safe, ctxt, network["id"]) db.fixed_ip_update(ctxt, address2, {"allocated": False}) network = db.network_delete_safe(ctxt, network["id"]) ctxt = ctxt.elevated(read_deleted="yes") fixed_ip = db.fixed_ip_get_by_address(ctxt, address1) self.assertTrue(fixed_ip["deleted"])
def deallocate_ips_by_vif(self, context, tenant_id, net_id, vif_ref): """Deallocate all fixed IPs associated with the specified virtual interface. """ try: admin_context = context.elevated() fixed_ips = db.fixed_ip_get_by_virtual_interface(admin_context, vif_ref['id']) for fixed_ip in fixed_ips: db.fixed_ip_update(admin_context, fixed_ip['address'], {'allocated': False, 'virtual_interface_id': None}) except exception.FixedIpNotFoundForInstance: LOG.error(_('No fixed IPs to deallocate for vif %s' % vif_ref['id']))
def test_vpn_allocate_fixed_ip(self): self.mox.StubOutWithMock(db, "fixed_ip_associate") self.mox.StubOutWithMock(db, "fixed_ip_update") self.mox.StubOutWithMock(db, "virtual_interface_get_by_instance_and_network") db.fixed_ip_associate(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg(), reserved=True).AndReturn("192.168.0.1") db.fixed_ip_update(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()) db.virtual_interface_get_by_instance_and_network(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn( {"id": 0} ) self.mox.ReplayAll() network = dict(networks[0]) network["vpn_private_address"] = "192.168.0.2" self.network.allocate_fixed_ip(None, 0, network, vpn=True)
def deallocate_ips_by_vif(self, context, tenant_id, net_id, vif_ref): """Deallocate all fixed IPs associated with the specified virtual interface. """ admin_context = context.elevated() fixed_ips = db.fixed_ips_by_virtual_interface(admin_context, vif_ref['id']) for fixed_ip in fixed_ips: db.fixed_ip_update(admin_context, fixed_ip['address'], { 'allocated': False, 'virtual_interface_id': None }) if len(fixed_ips) == 0: LOG.error( _('No fixed IPs to deallocate for vif %s' % vif_ref['id']))
def deallocate_ips_by_vif(self, context, tenant_id, net_id, vif_ref): """Deallocate all fixed IPs associated with the specified virtual interface. """ try: admin_context = context.elevated() fixed_ips = db.fixed_ip_get_by_virtual_interface( admin_context, vif_ref['id']) for fixed_ip in fixed_ips: db.fixed_ip_update(admin_context, fixed_ip['address'], { 'allocated': False, 'virtual_interface_id': None }) except exception.FixedIpNotFoundForInstance: LOG.error( _('No fixed IPs to deallocate for vif %s' % vif_ref['id']))
def deallocate_ips_by_vif(self, context, tenant_id, net_id, vif_ref): """Deallocate all fixed IPs associated with the specified virtual interface. """ admin_context = context.elevated() fixed_ips = db.fixed_ips_by_virtual_interface(admin_context, vif_ref['id']) # NOTE(s0mik): Sets fixed-ip to deallocated, but leaves the entry # associated with the instance-id. This prevents us from handing it # out again immediately, as allocating it to a new instance before # a DHCP lease has timed-out is bad. Instead, the fixed-ip will # be disassociated with the instance-id by a call to one of two # methods inherited from FlatManager: # - if DHCP is in use, a lease expiring in dnsmasq triggers # a call to release_fixed_ip in the network manager, or it will # be timed out periodically if the lease fails. # - otherwise, we release the ip immediately read_deleted_context = admin_context.elevated(read_deleted='yes') for fixed_ip in fixed_ips: fixed_id = fixed_ip['id'] floating_ips = self.net_manager.db.floating_ip_get_by_fixed_ip_id( admin_context, fixed_id) # disassociate floating ips related to fixed_ip for floating_ip in floating_ips: address = floating_ip['address'] manager.FloatingIP.disassociate_floating_ip( self.net_manager, read_deleted_context, address, affect_auto_assigned=True) # deallocate if auto_assigned if floating_ip['auto_assigned']: manager.FloatingIP.deallocate_floating_ip( read_deleted_context, address, affect_auto_assigned=True) db.fixed_ip_update(admin_context, fixed_ip['address'], { 'allocated': False, 'virtual_interface_id': None }) if not self.net_manager.DHCP: db.fixed_ip_disassociate(admin_context, fixed_ip['address']) if len(fixed_ips) == 0: LOG.error(_('No fixed IPs to deallocate for vif %s'), vif_ref['id'])
def deallocate_ips_by_vif(self, context, tenant_id, net_id, vif_ref): """Deallocate all fixed IPs associated with the specified virtual interface. """ admin_context = context.elevated() fixed_ips = db.fixed_ips_by_virtual_interface(admin_context, vif_ref['id']) # NOTE(s0mik): Sets fixed-ip to deallocated, but leaves the entry # associated with the instance-id. This prevents us from handing it # out again immediately, as allocating it to a new instance before # a DHCP lease has timed-out is bad. Instead, the fixed-ip will # be disassociated with the instance-id by a call to one of two # methods inherited from FlatManager: # - if DHCP is in use, a lease expiring in dnsmasq triggers # a call to release_fixed_ip in the network manager, or it will # be timed out periodically if the lease fails. # - otherwise, we release the ip immediately read_deleted_context = admin_context.elevated(read_deleted='yes') for fixed_ip in fixed_ips: fixed_id = fixed_ip['id'] floating_ips = self.net_manager.db.floating_ip_get_by_fixed_ip_id( admin_context, fixed_id) # disassociate floating ips related to fixed_ip for floating_ip in floating_ips: address = floating_ip['address'] manager.FloatingIP.disassociate_floating_ip( self.net_manager, read_deleted_context, address, affect_auto_assigned=True) # deallocate if auto_assigned if floating_ip['auto_assigned']: manager.FloatingIP.deallocate_floating_ip( read_deleted_context, address, affect_auto_assigned=True) db.fixed_ip_update(admin_context, fixed_ip['address'], {'allocated': False, 'virtual_interface_id': None}) if not self.net_manager.DHCP: db.fixed_ip_disassociate(admin_context, fixed_ip['address']) if len(fixed_ips) == 0: LOG.error(_('No fixed IPs to deallocate for vif %s'), vif_ref['id'])
def test_add_fixed_ip_instance_without_vpn_requested_networks(self): self.mox.StubOutWithMock(db, "network_get") self.mox.StubOutWithMock(db, "fixed_ip_associate_pool") self.mox.StubOutWithMock(db, "instance_get") self.mox.StubOutWithMock(db, "virtual_interface_get_by_instance_and_network") self.mox.StubOutWithMock(db, "fixed_ip_update") db.fixed_ip_update(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()) db.virtual_interface_get_by_instance_and_network(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn( {"id": 0} ) db.instance_get(mox.IgnoreArg(), mox.IgnoreArg()).AndReturn({"security_groups": [{"id": 0}]}) db.fixed_ip_associate_pool(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn("192.168.0.101") db.network_get(mox.IgnoreArg(), mox.IgnoreArg()).AndReturn(networks[0]) self.mox.ReplayAll() self.network.add_fixed_ip_to_instance(self.context, 1, HOST, networks[0]["id"])
def test_allocate_fixed_ip(self): self.mox.StubOutWithMock(db, 'fixed_ip_associate_pool') self.mox.StubOutWithMock(db, 'fixed_ip_update') self.mox.StubOutWithMock( db, 'virtual_interface_get_by_instance_and_network') db.fixed_ip_associate_pool(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn('192.168.0.1') db.fixed_ip_update(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()) db.virtual_interface_get_by_instance_and_network( mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn({'id': 0}) self.mox.ReplayAll() network = dict(networks[0]) network['vpn_private_address'] = '192.168.0.2' self.network.allocate_fixed_ip(None, 0, network)
def test_allocate_fixed_ip(self): self.mox.StubOutWithMock(db, "fixed_ip_associate_pool") self.mox.StubOutWithMock(db, "fixed_ip_update") self.mox.StubOutWithMock(db, "virtual_interface_get_by_instance_and_network") self.mox.StubOutWithMock(db, "instance_get") db.instance_get(mox.IgnoreArg(), mox.IgnoreArg()).AndReturn({"security_groups": [{"id": 0}]}) db.fixed_ip_associate_pool(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn("192.168.0.1") db.fixed_ip_update(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()) db.virtual_interface_get_by_instance_and_network(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn( {"id": 0} ) self.mox.ReplayAll() network = dict(networks[0]) network["vpn_private_address"] = "192.168.0.2" self.network.allocate_fixed_ip(self.context, 0, network)
def test_network_delete_safe(self): ctxt = context.get_admin_context() values = {'host': 'localhost', 'project_id': 'project1'} network = db.network_create_safe(ctxt, values) db_network = db.network_get(ctxt, network.id) values = {'network_id': network['id'], 'address': 'fake1'} address1 = db.fixed_ip_create(ctxt, values) values = {'network_id': network['id'], 'address': 'fake2', 'allocated': True} address2 = db.fixed_ip_create(ctxt, values) self.assertRaises(exception.NetworkInUse, db.network_delete_safe, ctxt, network['id']) db.fixed_ip_update(ctxt, address2, {'allocated': False}) network = db.network_delete_safe(ctxt, network['id']) ctxt = ctxt.elevated(read_deleted='yes') fixed_ip = db.fixed_ip_get_by_address(ctxt, address1) self.assertTrue(fixed_ip['deleted'])
def test_allocate_fixed_ip(self): self.mox.StubOutWithMock(db, 'fixed_ip_associate_pool') self.mox.StubOutWithMock(db, 'fixed_ip_update') self.mox.StubOutWithMock(db, 'virtual_interface_get_by_instance_and_network') db.fixed_ip_associate_pool(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn('192.168.0.1') db.fixed_ip_update(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()) db.virtual_interface_get_by_instance_and_network(mox.IgnoreArg(), mox.IgnoreArg(), mox.IgnoreArg()).AndReturn({'id': 0}) self.mox.ReplayAll() network = dict(networks[0]) network['vpn_private_address'] = '192.168.0.2' self.network.allocate_fixed_ip(None, 0, network)
def test_network_delete_safe(self): ctxt = context.get_admin_context() values = {'host': 'localhost', 'project_id': 'project1'} network = db.network_create_safe(ctxt, values) db_network = db.network_get(ctxt, network.id) values = {'network_id': network['id'], 'address': 'fake1'} address1 = db.fixed_ip_create(ctxt, values) values = { 'network_id': network['id'], 'address': 'fake2', 'allocated': True } address2 = db.fixed_ip_create(ctxt, values) self.assertRaises(exception.NetworkInUse, db.network_delete_safe, ctxt, network['id']) db.fixed_ip_update(ctxt, address2, {'allocated': False}) network = db.network_delete_safe(ctxt, network['id']) ctxt = ctxt.elevated(read_deleted='yes') fixed_ip = db.fixed_ip_get_by_address(ctxt, address1) self.assertTrue(fixed_ip['deleted'])
def _check_xml_and_container(self, instance): user_context = context.RequestContext(project=self.project, user=self.user) instance_ref = db.instance_create(user_context, instance) host = self.network.get_network_host(user_context.elevated()) network_ref = db.project_get_network(context.get_admin_context(), self.project.id) fixed_ip = {'address': self.test_ip, 'network_id': network_ref['id']} ctxt = context.get_admin_context() fixed_ip_ref = db.fixed_ip_create(ctxt, fixed_ip) db.fixed_ip_update(ctxt, self.test_ip, {'allocated': True, 'instance_id': instance_ref['id']}) self.flags(libvirt_type='lxc') conn = libvirt_conn.LibvirtConnection(True) uri = conn.get_uri() self.assertEquals(uri, 'lxc:///') xml = conn.to_xml(instance_ref) tree = xml_to_tree(xml) check = [ (lambda t: t.find('.').get('type'), 'lxc'), (lambda t: t.find('./os/type').text, 'exe'), (lambda t: t.find('./devices/filesystem/target').get('dir'), '/')] for i, (check, expected_result) in enumerate(check): self.assertEqual(check(tree), expected_result, '%s failed common check %d' % (xml, i)) target = tree.find('./devices/filesystem/source').get('dir') self.assertTrue(len(target) > 0)
def _check_xml_and_container(self, instance): user_context = context.RequestContext(project=self.project, user=self.user) instance_ref = db.instance_create(user_context, instance) host = self.network.get_network_host(user_context.elevated()) network_ref = db.project_get_network(context.get_admin_context(), self.project.id) fixed_ip = {'address': self.test_ip, 'network_id': network_ref['id']} ctxt = context.get_admin_context() fixed_ip_ref = db.fixed_ip_create(ctxt, fixed_ip) db.fixed_ip_update(ctxt, self.test_ip, { 'allocated': True, 'instance_id': instance_ref['id'] }) self.flags(libvirt_type='lxc') conn = libvirt_conn.LibvirtConnection(True) uri = conn.get_uri() self.assertEquals(uri, 'lxc:///') xml = conn.to_xml(instance_ref) tree = xml_to_tree(xml) check = [(lambda t: t.find('.').get('type'), 'lxc'), (lambda t: t.find('./os/type').text, 'exe'), (lambda t: t.find('./devices/filesystem/target').get('dir'), '/')] for i, (check, expected_result) in enumerate(check): self.assertEqual(check(tree), expected_result, '%s failed common check %d' % (xml, i)) target = tree.find('./devices/filesystem/source').get('dir') self.assertTrue(len(target) > 0)
def test_creates_base_rule_first(self): # These come pre-defined by libvirt self.defined_filters = [ 'no-mac-spoofing', 'no-ip-spoofing', 'no-arp-spoofing', 'allow-dhcp-server' ] self.recursive_depends = {} for f in self.defined_filters: self.recursive_depends[f] = [] def _filterDefineXMLMock(xml): dom = xml_to_dom(xml) name = dom.firstChild.getAttribute('name') self.recursive_depends[name] = [] for f in dom.getElementsByTagName('filterref'): ref = f.getAttribute('filter') self.assertTrue( ref in self.defined_filters, ('%s referenced filter that does ' + 'not yet exist: %s') % (name, ref)) dependencies = [ref] + self.recursive_depends[ref] self.recursive_depends[name] += dependencies self.defined_filters.append(name) return True self.fake_libvirt_connection.nwfilterDefineXML = _filterDefineXMLMock instance_ref = db.instance_create(self.context, { 'user_id': 'fake', 'project_id': 'fake' }) inst_id = instance_ref['id'] ip = '10.11.12.13' network_ref = db.project_get_network(self.context, 'fake') fixed_ip = {'address': ip, 'network_id': network_ref['id']} admin_ctxt = context.get_admin_context() db.fixed_ip_create(admin_ctxt, fixed_ip) db.fixed_ip_update(admin_ctxt, ip, { 'allocated': True, 'instance_id': instance_ref['id'] }) def _ensure_all_called(): instance_filter = 'nova-instance-%s' % instance_ref['name'] secgroup_filter = 'nova-secgroup-%s' % self.security_group['id'] for required in [ secgroup_filter, 'allow-dhcp-server', 'no-arp-spoofing', 'no-ip-spoofing', 'no-mac-spoofing' ]: self.assertTrue( required in self.recursive_depends[instance_filter], "Instance's filter does not include %s" % required) self.security_group = self.setup_and_return_security_group() db.instance_add_security_group(self.context, inst_id, self.security_group.id) instance = db.instance_get(self.context, inst_id) self.fw.setup_basic_filtering(instance) self.fw.prepare_instance_filter(instance) self.fw.apply_instance_filter(instance) _ensure_all_called() self.teardown_security_group() db.instance_destroy(admin_ctxt, instance_ref['id'])
def test_creates_base_rule_first(self): # These come pre-defined by libvirt self.defined_filters = ["no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing", "allow-dhcp-server"] self.recursive_depends = {} for f in self.defined_filters: self.recursive_depends[f] = [] def _filterDefineXMLMock(xml): dom = xml_to_dom(xml) name = dom.firstChild.getAttribute("name") self.recursive_depends[name] = [] for f in dom.getElementsByTagName("filterref"): ref = f.getAttribute("filter") self.assertTrue( ref in self.defined_filters, ("%s referenced filter that does " + "not yet exist: %s") % (name, ref) ) dependencies = [ref] + self.recursive_depends[ref] self.recursive_depends[name] += dependencies self.defined_filters.append(name) return True self.fake_libvirt_connection.nwfilterDefineXML = _filterDefineXMLMock instance_ref = db.instance_create(self.context, {"user_id": "fake", "project_id": "fake"}) inst_id = instance_ref["id"] ip = "10.11.12.13" network_ref = db.project_get_network(self.context, "fake") fixed_ip = {"address": ip, "network_id": network_ref["id"]} admin_ctxt = context.get_admin_context() db.fixed_ip_create(admin_ctxt, fixed_ip) db.fixed_ip_update(admin_ctxt, ip, {"allocated": True, "instance_id": instance_ref["id"]}) def _ensure_all_called(): instance_filter = "nova-instance-%s" % instance_ref["name"] secgroup_filter = "nova-secgroup-%s" % self.security_group["id"] for required in [ secgroup_filter, "allow-dhcp-server", "no-arp-spoofing", "no-ip-spoofing", "no-mac-spoofing", ]: self.assertTrue( required in self.recursive_depends[instance_filter], "Instance's filter does not include %s" % required, ) self.security_group = self.setup_and_return_security_group() db.instance_add_security_group(self.context, inst_id, self.security_group.id) instance = db.instance_get(self.context, inst_id) self.fw.setup_basic_filtering(instance) self.fw.prepare_instance_filter(instance) self.fw.apply_instance_filter(instance) _ensure_all_called() self.teardown_security_group() db.instance_destroy(admin_ctxt, instance_ref["id"])
def _check_xml_and_uri(self, instance, expect_ramdisk, expect_kernel, rescue=False): user_context = context.RequestContext(project=self.project, user=self.user) instance_ref = db.instance_create(user_context, instance) host = self.network.get_network_host(user_context.elevated()) network_ref = db.project_get_network(context.get_admin_context(), self.project.id) fixed_ip = {"address": self.test_ip, "network_id": network_ref["id"]} ctxt = context.get_admin_context() fixed_ip_ref = db.fixed_ip_create(ctxt, fixed_ip) db.fixed_ip_update(ctxt, self.test_ip, {"allocated": True, "instance_id": instance_ref["id"]}) type_uri_map = { "qemu": ( "qemu:///system", [ (lambda t: t.find(".").get("type"), "qemu"), (lambda t: t.find("./os/type").text, "hvm"), (lambda t: t.find("./devices/emulator"), None), ], ), "kvm": ( "qemu:///system", [ (lambda t: t.find(".").get("type"), "kvm"), (lambda t: t.find("./os/type").text, "hvm"), (lambda t: t.find("./devices/emulator"), None), ], ), "uml": ( "uml:///system", [(lambda t: t.find(".").get("type"), "uml"), (lambda t: t.find("./os/type").text, "uml")], ), "xen": ( "xen:///", [(lambda t: t.find(".").get("type"), "xen"), (lambda t: t.find("./os/type").text, "linux")], ), } for hypervisor_type in ["qemu", "kvm", "xen"]: check_list = type_uri_map[hypervisor_type][1] if rescue: check = (lambda t: t.find("./os/kernel").text.split("/")[1], "kernel.rescue") check_list.append(check) check = (lambda t: t.find("./os/initrd").text.split("/")[1], "ramdisk.rescue") check_list.append(check) else: if expect_kernel: check = (lambda t: t.find("./os/kernel").text.split("/")[1], "kernel") else: check = (lambda t: t.find("./os/kernel"), None) check_list.append(check) if expect_ramdisk: check = (lambda t: t.find("./os/initrd").text.split("/")[1], "ramdisk") else: check = (lambda t: t.find("./os/initrd"), None) check_list.append(check) common_checks = [ (lambda t: t.find(".").tag, "domain"), (lambda t: t.find("./devices/interface/filterref/parameter").get("name"), "IP"), (lambda t: t.find("./devices/interface/filterref/parameter").get("value"), "10.11.12.13"), (lambda t: t.findall("./devices/interface/filterref/parameter")[1].get("name"), "DHCPSERVER"), (lambda t: t.findall("./devices/interface/filterref/parameter")[1].get("value"), "10.0.0.1"), (lambda t: t.find("./devices/serial/source").get("path").split("/")[1], "console.log"), (lambda t: t.find("./memory").text, "2097152"), ] if rescue: common_checks += [ (lambda t: t.findall("./devices/disk/source")[0].get("file").split("/")[1], "disk.rescue"), (lambda t: t.findall("./devices/disk/source")[1].get("file").split("/")[1], "disk"), ] else: common_checks += [(lambda t: t.findall("./devices/disk/source")[0].get("file").split("/")[1], "disk")] common_checks += [(lambda t: t.findall("./devices/disk/source")[1].get("file").split("/")[1], "disk.local")] for (libvirt_type, (expected_uri, checks)) in type_uri_map.iteritems(): FLAGS.libvirt_type = libvirt_type conn = libvirt_conn.LibvirtConnection(True) uri = conn.get_uri() self.assertEquals(uri, expected_uri) xml = conn.to_xml(instance_ref, rescue) tree = xml_to_tree(xml) for i, (check, expected_result) in enumerate(checks): self.assertEqual(check(tree), expected_result, "%s failed check %d" % (xml, i)) for i, (check, expected_result) in enumerate(common_checks): self.assertEqual(check(tree), expected_result, "%s failed common check %d" % (xml, i)) # This test is supposed to make sure we don't override a specifically # set uri # # Deliberately not just assigning this string to FLAGS.libvirt_uri and # checking against that later on. This way we make sure the # implementation doesn't fiddle around with the FLAGS. testuri = "something completely different" FLAGS.libvirt_uri = testuri for (libvirt_type, (expected_uri, checks)) in type_uri_map.iteritems(): FLAGS.libvirt_type = libvirt_type conn = libvirt_conn.LibvirtConnection(True) uri = conn.get_uri() self.assertEquals(uri, testuri) db.instance_destroy(user_context, instance_ref["id"])
def _check_xml_and_uri(self, instance, expect_ramdisk, expect_kernel, rescue=False): user_context = context.RequestContext(project=self.project, user=self.user) instance_ref = db.instance_create(user_context, instance) host = self.network.get_network_host(user_context.elevated()) network_ref = db.project_get_network(context.get_admin_context(), self.project.id) fixed_ip = {'address': self.test_ip, 'network_id': network_ref['id']} ctxt = context.get_admin_context() fixed_ip_ref = db.fixed_ip_create(ctxt, fixed_ip) db.fixed_ip_update(ctxt, self.test_ip, { 'allocated': True, 'instance_id': instance_ref['id'] }) type_uri_map = { 'qemu': ('qemu:///system', [(lambda t: t.find('.').get('type'), 'qemu'), (lambda t: t.find('./os/type').text, 'hvm'), (lambda t: t.find('./devices/emulator'), None)]), 'kvm': ('qemu:///system', [(lambda t: t.find('.').get('type'), 'kvm'), (lambda t: t.find('./os/type').text, 'hvm'), (lambda t: t.find('./devices/emulator'), None)]), 'uml': ('uml:///system', [(lambda t: t.find('.').get('type'), 'uml'), (lambda t: t.find('./os/type').text, 'uml')]), 'xen': ('xen:///', [(lambda t: t.find('.').get('type'), 'xen'), (lambda t: t.find('./os/type').text, 'linux')]), } for hypervisor_type in ['qemu', 'kvm', 'xen']: check_list = type_uri_map[hypervisor_type][1] if rescue: check = (lambda t: t.find('./os/kernel').text.split('/')[1], 'kernel.rescue') check_list.append(check) check = (lambda t: t.find('./os/initrd').text.split('/')[1], 'ramdisk.rescue') check_list.append(check) else: if expect_kernel: check = ( lambda t: t.find('./os/kernel').text.split('/')[1], 'kernel') else: check = (lambda t: t.find('./os/kernel'), None) check_list.append(check) if expect_ramdisk: check = ( lambda t: t.find('./os/initrd').text.split('/')[1], 'ramdisk') else: check = (lambda t: t.find('./os/initrd'), None) check_list.append(check) common_checks = [ (lambda t: t.find('.').tag, 'domain'), (lambda t: t.find('./devices/interface/filterref/parameter').get( 'name'), 'IP'), (lambda t: t.find('./devices/interface/filterref/parameter').get( 'value'), '10.11.12.13'), (lambda t: t.findall('./devices/interface/filterref/parameter')[1]. get('name'), 'DHCPSERVER'), (lambda t: t.findall('./devices/interface/filterref/parameter')[1]. get('value'), '10.0.0.1'), (lambda t: t.find('./devices/serial/source').get('path').split( '/')[1], 'console.log'), (lambda t: t.find('./memory').text, '2097152') ] if rescue: common_checks += [(lambda t: t.findall('./devices/disk/source')[0]. get('file').split('/')[1], 'disk.rescue'), (lambda t: t.findall('./devices/disk/source')[1]. get('file').split('/')[1], 'disk')] else: common_checks += [(lambda t: t.findall('./devices/disk/source')[0]. get('file').split('/')[1], 'disk')] common_checks += [(lambda t: t.findall('./devices/disk/source')[1]. get('file').split('/')[1], 'disk.local')] for (libvirt_type, (expected_uri, checks)) in type_uri_map.iteritems(): FLAGS.libvirt_type = libvirt_type conn = libvirt_conn.LibvirtConnection(True) uri = conn.get_uri() self.assertEquals(uri, expected_uri) xml = conn.to_xml(instance_ref, rescue) tree = xml_to_tree(xml) for i, (check, expected_result) in enumerate(checks): self.assertEqual(check(tree), expected_result, '%s failed check %d' % (xml, i)) for i, (check, expected_result) in enumerate(common_checks): self.assertEqual(check(tree), expected_result, '%s failed common check %d' % (xml, i)) # This test is supposed to make sure we don't # override a specifically set uri # # Deliberately not just assigning this string to FLAGS.libvirt_uri and # checking against that later on. This way we make sure the # implementation doesn't fiddle around with the FLAGS. testuri = 'something completely different' FLAGS.libvirt_uri = testuri for (libvirt_type, (expected_uri, checks)) in type_uri_map.iteritems(): FLAGS.libvirt_type = libvirt_type conn = libvirt_conn.LibvirtConnection(True) uri = conn.get_uri() self.assertEquals(uri, testuri) db.instance_destroy(user_context, instance_ref['id'])
def test_static_filters(self): instance_ref = db.instance_create( self.context, { 'user_id': 'fake', 'project_id': 'fake', 'mac_address': '56:12:12:12:12:12' }) ip = '10.11.12.13' network_ref = db.project_get_network(self.context, 'fake') fixed_ip = {'address': ip, 'network_id': network_ref['id']} admin_ctxt = context.get_admin_context() db.fixed_ip_create(admin_ctxt, fixed_ip) db.fixed_ip_update(admin_ctxt, ip, { 'allocated': True, 'instance_id': instance_ref['id'] }) secgroup = db.security_group_create( admin_ctxt, { 'user_id': 'fake', 'project_id': 'fake', 'name': 'testgroup', 'description': 'test group' }) db.security_group_rule_create( admin_ctxt, { 'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': -1, 'to_port': -1, 'cidr': '192.168.11.0/24' }) db.security_group_rule_create( admin_ctxt, { 'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': 8, 'to_port': -1, 'cidr': '192.168.11.0/24' }) db.security_group_rule_create( admin_ctxt, { 'parent_group_id': secgroup['id'], 'protocol': 'tcp', 'from_port': 80, 'to_port': 81, 'cidr': '192.168.10.0/24' }) db.instance_add_security_group(admin_ctxt, instance_ref['id'], secgroup['id']) instance_ref = db.instance_get(admin_ctxt, instance_ref['id']) # self.fw.add_instance(instance_ref) def fake_iptables_execute(*cmd, **kwargs): process_input = kwargs.get('process_input', None) if cmd == ('sudo', 'ip6tables-save', '-t', 'filter'): return '\n'.join(self.in6_filter_rules), None if cmd == ('sudo', 'iptables-save', '-t', 'filter'): return '\n'.join(self.in_filter_rules), None if cmd == ('sudo', 'iptables-save', '-t', 'nat'): return '\n'.join(self.in_nat_rules), None if cmd == ('sudo', 'iptables-restore'): lines = process_input.split('\n') if '*filter' in lines: self.out_rules = lines return '', '' if cmd == ('sudo', 'ip6tables-restore'): lines = process_input.split('\n') if '*filter' in lines: self.out6_rules = lines return '', '' print cmd, kwargs from nova.network import linux_net linux_net.iptables_manager.execute = fake_iptables_execute self.fw.prepare_instance_filter(instance_ref) self.fw.apply_instance_filter(instance_ref) in_rules = filter(lambda l: not l.startswith('#'), self.in_filter_rules) for rule in in_rules: if not 'nova' in rule: self.assertTrue(rule in self.out_rules, 'Rule went missing: %s' % rule) instance_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-d 10.11.12.13 -j' in rule: instance_chain = rule.split(' ')[-1] break self.assertTrue(instance_chain, "The instance chain wasn't added") security_group_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-A %s -j' % instance_chain in rule: security_group_chain = rule.split(' ')[-1] break self.assertTrue(security_group_chain, "The security group chain wasn't added") regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -j ACCEPT') self.assertTrue( len(filter(regex.match, self.out_rules)) > 0, "ICMP acceptance rule wasn't added") regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -m icmp ' '--icmp-type 8 -j ACCEPT') self.assertTrue( len(filter(regex.match, self.out_rules)) > 0, "ICMP Echo Request acceptance rule wasn't added") regex = re.compile('-A .* -p tcp -s 192.168.10.0/24 -m multiport ' '--dports 80:81 -j ACCEPT') self.assertTrue( len(filter(regex.match, self.out_rules)) > 0, "TCP port 80/81 acceptance rule wasn't added") db.instance_destroy(admin_ctxt, instance_ref['id'])
def test_creates_base_rule_first(self): # These come pre-defined by libvirt self.defined_filters = ['no-mac-spoofing', 'no-ip-spoofing', 'no-arp-spoofing', 'allow-dhcp-server'] self.recursive_depends = {} for f in self.defined_filters: self.recursive_depends[f] = [] def _filterDefineXMLMock(xml): dom = xml_to_dom(xml) name = dom.firstChild.getAttribute('name') self.recursive_depends[name] = [] for f in dom.getElementsByTagName('filterref'): ref = f.getAttribute('filter') self.assertTrue(ref in self.defined_filters, ('%s referenced filter that does ' + 'not yet exist: %s') % (name, ref)) dependencies = [ref] + self.recursive_depends[ref] self.recursive_depends[name] += dependencies self.defined_filters.append(name) return True self.fake_libvirt_connection.nwfilterDefineXML = _filterDefineXMLMock instance_ref = self._create_instance() inst_id = instance_ref['id'] ip = '10.11.12.13' network_ref = db.project_get_network(self.context, 'fake') fixed_ip = {'address': ip, 'network_id': network_ref['id']} admin_ctxt = context.get_admin_context() db.fixed_ip_create(admin_ctxt, fixed_ip) db.fixed_ip_update(admin_ctxt, ip, {'allocated': True, 'instance_id': inst_id}) def _ensure_all_called(): instance_filter = 'nova-instance-%s-%s' % (instance_ref['name'], '00A0C914C829') secgroup_filter = 'nova-secgroup-%s' % self.security_group['id'] for required in [secgroup_filter, 'allow-dhcp-server', 'no-arp-spoofing', 'no-ip-spoofing', 'no-mac-spoofing']: self.assertTrue(required in self.recursive_depends[instance_filter], "Instance's filter does not include %s" % required) self.security_group = self.setup_and_return_security_group() db.instance_add_security_group(self.context, inst_id, self.security_group.id) instance = db.instance_get(self.context, inst_id) self.fw.setup_basic_filtering(instance) self.fw.prepare_instance_filter(instance) self.fw.apply_instance_filter(instance) _ensure_all_called() self.teardown_security_group() db.instance_destroy(admin_ctxt, instance_ref['id'])
def test_static_filters(self): instance_ref = self._create_instance_ref() ip = '10.11.12.13' network_ref = db.project_get_network(self.context, 'fake') fixed_ip = {'address': ip, 'network_id': network_ref['id']} admin_ctxt = context.get_admin_context() db.fixed_ip_create(admin_ctxt, fixed_ip) db.fixed_ip_update(admin_ctxt, ip, {'allocated': True, 'instance_id': instance_ref['id']}) secgroup = db.security_group_create(admin_ctxt, {'user_id': 'fake', 'project_id': 'fake', 'name': 'testgroup', 'description': 'test group'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': -1, 'to_port': -1, 'cidr': '192.168.11.0/24'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': 8, 'to_port': -1, 'cidr': '192.168.11.0/24'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'tcp', 'from_port': 80, 'to_port': 81, 'cidr': '192.168.10.0/24'}) db.instance_add_security_group(admin_ctxt, instance_ref['id'], secgroup['id']) instance_ref = db.instance_get(admin_ctxt, instance_ref['id']) # self.fw.add_instance(instance_ref) def fake_iptables_execute(*cmd, **kwargs): process_input = kwargs.get('process_input', None) if cmd == ('sudo', 'ip6tables-save', '-t', 'filter'): return '\n'.join(self.in6_filter_rules), None if cmd == ('sudo', 'iptables-save', '-t', 'filter'): return '\n'.join(self.in_filter_rules), None if cmd == ('sudo', 'iptables-save', '-t', 'nat'): return '\n'.join(self.in_nat_rules), None if cmd == ('sudo', 'iptables-restore'): lines = process_input.split('\n') if '*filter' in lines: self.out_rules = lines return '', '' if cmd == ('sudo', 'ip6tables-restore'): lines = process_input.split('\n') if '*filter' in lines: self.out6_rules = lines return '', '' print cmd, kwargs from nova.network import linux_net linux_net.iptables_manager.execute = fake_iptables_execute self.fw.prepare_instance_filter(instance_ref) self.fw.apply_instance_filter(instance_ref) in_rules = filter(lambda l: not l.startswith('#'), self.in_filter_rules) for rule in in_rules: if not 'nova' in rule: self.assertTrue(rule in self.out_rules, 'Rule went missing: %s' % rule) instance_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-d 10.11.12.13 -j' in rule: instance_chain = rule.split(' ')[-1] break self.assertTrue(instance_chain, "The instance chain wasn't added") security_group_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-A %s -j' % instance_chain in rule: security_group_chain = rule.split(' ')[-1] break self.assertTrue(security_group_chain, "The security group chain wasn't added") regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -j ACCEPT') self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "ICMP acceptance rule wasn't added") regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -m icmp ' '--icmp-type 8 -j ACCEPT') self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "ICMP Echo Request acceptance rule wasn't added") regex = re.compile('-A .* -p tcp -s 192.168.10.0/24 -m multiport ' '--dports 80:81 -j ACCEPT') self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "TCP port 80/81 acceptance rule wasn't added") db.instance_destroy(admin_ctxt, instance_ref['id'])
def _check_xml_and_uri(self, instance, expect_ramdisk, expect_kernel, rescue=False): user_context = context.RequestContext(project=self.project, user=self.user) instance_ref = db.instance_create(user_context, instance) host = self.network.get_network_host(user_context.elevated()) network_ref = db.project_get_network(context.get_admin_context(), self.project.id) fixed_ip = {'address': self.test_ip, 'network_id': network_ref['id']} ctxt = context.get_admin_context() fixed_ip_ref = db.fixed_ip_create(ctxt, fixed_ip) db.fixed_ip_update(ctxt, self.test_ip, {'allocated': True, 'instance_id': instance_ref['id']}) type_uri_map = {'qemu': ('qemu:///system', [(lambda t: t.find('.').get('type'), 'qemu'), (lambda t: t.find('./os/type').text, 'hvm'), (lambda t: t.find('./devices/emulator'), None)]), 'kvm': ('qemu:///system', [(lambda t: t.find('.').get('type'), 'kvm'), (lambda t: t.find('./os/type').text, 'hvm'), (lambda t: t.find('./devices/emulator'), None)]), 'uml': ('uml:///system', [(lambda t: t.find('.').get('type'), 'uml'), (lambda t: t.find('./os/type').text, 'uml')]), 'xen': ('xen:///', [(lambda t: t.find('.').get('type'), 'xen'), (lambda t: t.find('./os/type').text, 'linux')]), } for hypervisor_type in ['qemu', 'kvm', 'xen']: check_list = type_uri_map[hypervisor_type][1] if rescue: check = (lambda t: t.find('./os/kernel').text.split('/')[1], 'kernel.rescue') check_list.append(check) check = (lambda t: t.find('./os/initrd').text.split('/')[1], 'ramdisk.rescue') check_list.append(check) else: if expect_kernel: check = (lambda t: t.find('./os/kernel').text.split( '/')[1], 'kernel') else: check = (lambda t: t.find('./os/kernel'), None) check_list.append(check) if expect_ramdisk: check = (lambda t: t.find('./os/initrd').text.split( '/')[1], 'ramdisk') else: check = (lambda t: t.find('./os/initrd'), None) check_list.append(check) parameter = './devices/interface/filterref/parameter' common_checks = [ (lambda t: t.find('.').tag, 'domain'), (lambda t: t.find(parameter).get('name'), 'IP'), (lambda t: t.find(parameter).get('value'), '10.11.12.13'), (lambda t: t.findall(parameter)[1].get('name'), 'DHCPSERVER'), (lambda t: t.findall(parameter)[1].get('value'), '10.0.0.1'), (lambda t: t.find('./devices/serial/source').get( 'path').split('/')[1], 'console.log'), (lambda t: t.find('./memory').text, '2097152')] if rescue: common_checks += [ (lambda t: t.findall('./devices/disk/source')[0].get( 'file').split('/')[1], 'disk.rescue'), (lambda t: t.findall('./devices/disk/source')[1].get( 'file').split('/')[1], 'disk')] else: common_checks += [(lambda t: t.findall( './devices/disk/source')[0].get('file').split('/')[1], 'disk')] common_checks += [(lambda t: t.findall( './devices/disk/source')[1].get('file').split('/')[1], 'disk.local')] for (libvirt_type, (expected_uri, checks)) in type_uri_map.iteritems(): FLAGS.libvirt_type = libvirt_type conn = libvirt_conn.LibvirtConnection(True) uri = conn.get_uri() self.assertEquals(uri, expected_uri) xml = conn.to_xml(instance_ref, rescue) tree = xml_to_tree(xml) for i, (check, expected_result) in enumerate(checks): self.assertEqual(check(tree), expected_result, '%s failed check %d' % (xml, i)) for i, (check, expected_result) in enumerate(common_checks): self.assertEqual(check(tree), expected_result, '%s failed common check %d' % (xml, i)) # This test is supposed to make sure we don't # override a specifically set uri # # Deliberately not just assigning this string to FLAGS.libvirt_uri and # checking against that later on. This way we make sure the # implementation doesn't fiddle around with the FLAGS. testuri = 'something completely different' FLAGS.libvirt_uri = testuri for (libvirt_type, (expected_uri, checks)) in type_uri_map.iteritems(): FLAGS.libvirt_type = libvirt_type conn = libvirt_conn.LibvirtConnection(True) uri = conn.get_uri() self.assertEquals(uri, testuri) db.instance_destroy(user_context, instance_ref['id'])
def test_static_filters(self): instance_ref = db.instance_create( self.context, {"user_id": "fake", "project_id": "fake", "mac_address": "56:12:12:12:12:12"} ) ip = "10.11.12.13" network_ref = db.project_get_network(self.context, "fake") fixed_ip = {"address": ip, "network_id": network_ref["id"]} admin_ctxt = context.get_admin_context() db.fixed_ip_create(admin_ctxt, fixed_ip) db.fixed_ip_update(admin_ctxt, ip, {"allocated": True, "instance_id": instance_ref["id"]}) secgroup = db.security_group_create( admin_ctxt, {"user_id": "fake", "project_id": "fake", "name": "testgroup", "description": "test group"} ) db.security_group_rule_create( admin_ctxt, { "parent_group_id": secgroup["id"], "protocol": "icmp", "from_port": -1, "to_port": -1, "cidr": "192.168.11.0/24", }, ) db.security_group_rule_create( admin_ctxt, { "parent_group_id": secgroup["id"], "protocol": "icmp", "from_port": 8, "to_port": -1, "cidr": "192.168.11.0/24", }, ) db.security_group_rule_create( admin_ctxt, { "parent_group_id": secgroup["id"], "protocol": "tcp", "from_port": 80, "to_port": 81, "cidr": "192.168.10.0/24", }, ) db.instance_add_security_group(admin_ctxt, instance_ref["id"], secgroup["id"]) instance_ref = db.instance_get(admin_ctxt, instance_ref["id"]) # self.fw.add_instance(instance_ref) def fake_iptables_execute(cmd, process_input=None): if cmd == "sudo ip6tables-save -t filter": return "\n".join(self.in6_rules), None if cmd == "sudo iptables-save -t filter": return "\n".join(self.in_rules), None if cmd == "sudo iptables-restore": self.out_rules = process_input.split("\n") return "", "" if cmd == "sudo ip6tables-restore": self.out6_rules = process_input.split("\n") return "", "" self.fw.execute = fake_iptables_execute self.fw.prepare_instance_filter(instance_ref) self.fw.apply_instance_filter(instance_ref) in_rules = filter(lambda l: not l.startswith("#"), self.in_rules) for rule in in_rules: if not "nova" in rule: self.assertTrue(rule in self.out_rules, "Rule went missing: %s" % rule) instance_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if "-d 10.11.12.13 -j" in rule: instance_chain = rule.split(" ")[-1] break self.assertTrue(instance_chain, "The instance chain wasn't added") security_group_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if "-A %s -j" % instance_chain in rule: security_group_chain = rule.split(" ")[-1] break self.assertTrue(security_group_chain, "The security group chain wasn't added") self.assertTrue( "-A %s -p icmp -s 192.168.11.0/24 -j ACCEPT" % security_group_chain in self.out_rules, "ICMP acceptance rule wasn't added", ) self.assertTrue( "-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type " "8 -j ACCEPT" % security_group_chain in self.out_rules, "ICMP Echo Request acceptance rule wasn't added", ) self.assertTrue( "-A %s -p tcp -s 192.168.10.0/24 -m multiport " "--dports 80:81 -j ACCEPT" % security_group_chain in self.out_rules, "TCP port 80/81 acceptance rule wasn't added", ) db.instance_destroy(admin_ctxt, instance_ref["id"])
def test_static_filters(self): instance_ref = db.instance_create(self.context, {'user_id': 'fake', 'project_id': 'fake', 'mac_address': '56:12:12:12:12:12'}) ip = '10.11.12.13' network_ref = db.project_get_network(self.context, 'fake') fixed_ip = {'address': ip, 'network_id': network_ref['id']} admin_ctxt = context.get_admin_context() db.fixed_ip_create(admin_ctxt, fixed_ip) db.fixed_ip_update(admin_ctxt, ip, {'allocated': True, 'instance_id': instance_ref['id']}) secgroup = db.security_group_create(admin_ctxt, {'user_id': 'fake', 'project_id': 'fake', 'name': 'testgroup', 'description': 'test group'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': -1, 'to_port': -1, 'cidr': '192.168.11.0/24'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': 8, 'to_port': -1, 'cidr': '192.168.11.0/24'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'tcp', 'from_port': 80, 'to_port': 81, 'cidr': '192.168.10.0/24'}) db.instance_add_security_group(admin_ctxt, instance_ref['id'], secgroup['id']) instance_ref = db.instance_get(admin_ctxt, instance_ref['id']) # self.fw.add_instance(instance_ref) def fake_iptables_execute(cmd, process_input=None): if cmd == 'sudo ip6tables-save -t filter': return '\n'.join(self.in6_rules), None if cmd == 'sudo iptables-save -t filter': return '\n'.join(self.in_rules), None if cmd == 'sudo iptables-restore': self.out_rules = process_input.split('\n') return '', '' if cmd == 'sudo ip6tables-restore': self.out6_rules = process_input.split('\n') return '', '' self.fw.execute = fake_iptables_execute self.fw.prepare_instance_filter(instance_ref) self.fw.apply_instance_filter(instance_ref) in_rules = filter(lambda l: not l.startswith('#'), self.in_rules) for rule in in_rules: if not 'nova' in rule: self.assertTrue(rule in self.out_rules, 'Rule went missing: %s' % rule) instance_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-d 10.11.12.13 -j' in rule: instance_chain = rule.split(' ')[-1] break self.assertTrue(instance_chain, "The instance chain wasn't added") security_group_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-A %s -j' % instance_chain in rule: security_group_chain = rule.split(' ')[-1] break self.assertTrue(security_group_chain, "The security group chain wasn't added") self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -j ACCEPT' % \ security_group_chain in self.out_rules, "ICMP acceptance rule wasn't added") self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type ' '8 -j ACCEPT' % security_group_chain in self.out_rules, "ICMP Echo Request acceptance rule wasn't added") self.assertTrue('-A %s -p tcp -s 192.168.10.0/24 -m multiport ' '--dports 80:81 -j ACCEPT' % security_group_chain \ in self.out_rules, "TCP port 80/81 acceptance rule wasn't added")