def check_eip_denied_tcp(self): if not self.denied_vr_ip: test_util.test_logger('No denied vm for eip testing. Skip EIP deined TCP checking') return True vip = self.test_obj.get_vip() vip_ip = vip.ip eip_obj = self.test_obj.get_eip() eip = eip_obj.get_eip() if not eip_obj.get_target_vm(): #eip is not attached yet. use vip's VR vm l3_uuid = self.test_obj.get_vip().l3NetworkUuid target_vm = test_lib.lib_find_vr_by_l3_uuid(l3_uuid)[0] else: target_vm = eip_obj.get_target_vm().vm all_ports = port_header.all_ports try: test_lib.lib_check_ports_in_a_command(self.denied_vr, self.denied_vr_ip, vip_ip, [], all_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger("Unexpected Result: Catch failure when checking [vip:] %s EIP: %s for denied ip: %s from [vm:] %s. All ports should be denied." % \ (vip.uuid, eip.uuid, self.denied_vr_ip, self.denied_vr.uuid)) return False test_util.test_logger("Expected Result: Network checking pass for [vip:] %s EIP: %s by denied ip: %s from [vm:] %s . " % \ (vip.uuid, eip.uuid, self.denied_vr_ip, self.denied_vr.uuid)) return True
def check_denied_pf(self, pf): pf_rule = pf.get_port_forwarding() test_result = True all_ports = port_header.all_ports #all pf with same vip should have same l3. allowed_ports = [] denied_ports = all_ports if not pf.get_target_vm(): #Pf is not attached, use vip's VR VM. This wont' impact testing result. l3_uuid = self.test_obj.get_vip().l3NetworkUuid target_vm = test_lib.lib_find_vr_by_l3_uuid(l3_uuid)[0] vm_nic_uuid = None else: target_vm = pf.get_target_vm().vm vm_nic_uuid = pf_rule.vmNicUuid allowedCidr = pf_rule.allowedCidr allowed_vr_ip = allowedCidr.split('/')[0] allowed_vr_vm, denied_vr_vm = \ self.get_allowed_denied_vr_vm(allowed_vr_ip, vm_nic_uuid) vipIp = self.test_obj.get_vip().ip try: test_lib.lib_check_ports_in_a_command(allowed_vr_vm, \ allowed_vr_ip, vipIp, allowed_ports, \ denied_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCP [rules] for allowed Cidr: %s from [vm:] %s . " % \ (self.test_obj.get_vip().uuid, allowed_vr_ip, \ allowed_vr_vm.uuid)) test_result = False return test_result
def test(): flavor = case_flavor[os.environ.get('CASE_FLAVOR')] test_util.test_dsc("create vpc vrouter and attach vpc l3 to vpc") for vpc_name in vpc_name_list: vr_list.append(test_stub.create_vpc_vrouter(vpc_name)) for vr, l3_list in izip(vr_list, vpc_l3_list): test_stub.attach_l3_to_vpc_vr(vr, l3_list) test_util.test_dsc("create two vm, vm1 in l3 {}, vm2 in l3 {}".format( flavor['vm1l3'], flavor['vm2l3'])) vm1, vm2 = [ test_stub.create_vm_with_random_offering( vm_name='vpc_vm_{}'.format(name), l3_name=name) for name in (flavor['vm1l3'], flavor['vm2l3']) ] [test_obj_dict.add_vm(vm) for vm in (vm1, vm2)] [vm.check() for vm in (vm1, vm2)] vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr_list[0].inv) vip_list = [] for vm in (vm1, vm2): test_util.test_dsc("Create vip for vm {}".format(vm.get_vm().name)) vip = test_stub.create_vip('vip_{}'.format(vm.get_vm().name), vr_pub_nic.l3NetworkUuid) test_obj_dict.add_vip(vip) vip_list.append(vip) test_util.test_dsc("Create eip for vm {}".format(vm.get_vm().name)) eip = test_stub.create_eip('eip_{}'.format(vm.get_vm().name), vip_uuid=vip.get_vip().uuid) vip.attach_eip(eip) eip.attach(vm.get_vm().vmNics[0].uuid, vm) vip.check() vm.check() for vm in (vm1, vm2): vm.check() vm1_inv, vm2_inv = [vm.get_vm() for vm in (vm1, vm2)] vip1, vip2 = vip_list test_util.test_dsc("test two vm EIP connectivity") test_stub.run_command_in_vm(vm1_inv, 'iptables -F') test_stub.run_command_in_vm(vm2_inv, 'iptables -F') test_lib.lib_check_ping(vm1_inv, vip2.get_vip().ip) test_lib.lib_check_ping(vm2_inv, vip1.get_vip().ip) test_lib.lib_check_ports_in_a_command(vm1_inv, vip1.get_vip().ip, vip2.get_vip().ip, ["22"], [], vm2_inv) test_lib.lib_check_ports_in_a_command(vm2_inv, vip2.get_vip().ip, vip1.get_vip().ip, ["22"], [], vm1_inv) test_lib.lib_error_cleanup(test_obj_dict) test_stub.remove_all_vpc_vrouter()
def check_tcp_between_vms(vm1, vm2, allowed_port_list, denied_port_list): vm1_inv, vm2_inv = [vm.get_vm() for vm in (vm1, vm2)] test_lib.lib_check_ports_in_a_command(vm1_inv, vm1_inv.vmNics[0].ip, vm2_inv.vmNics[0].ip, allowed_port_list, denied_port_list, vm2_inv) test_lib.lib_check_ports_in_a_command(vm2_inv, vm2_inv.vmNics[0].ip, vm1_inv.vmNics[0].ip, allowed_port_list, denied_port_list, vm1_inv)
def test(): flavor = case_flavor[os.environ.get('CASE_FLAVOR')] test_util.test_dsc("create vpc vrouter and attach vpc l3 to vpc") for vpc_name in vpc_name_list: vr_list.append(test_stub.create_vpc_vrouter(vpc_name)) time.sleep(120) #waiting for vrouter boot up for vr, l3_list in izip(vr_list, vpc_l3_list): test_stub.attach_l3_to_vpc_vr(vr, l3_list) test_util.test_dsc("create two vm, vm1 in l3 {}, vm2 in l3 {}".format(flavor['vm1l3'], flavor['vm2l3'])) vm1, vm2 = [test_stub.create_vm_with_random_offering(vm_name='vpc_vm_{}'.format(name), l3_name=name) for name in (flavor['vm1l3'], flavor['vm2l3'])] [test_obj_dict.add_vm(vm) for vm in (vm1,vm2)] [vm.check() for vm in (vm1,vm2)] vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr_list[0].inv) vip_list = [] for vm in (vm1, vm2): test_util.test_dsc("Create vip for vm {}".format(vm.get_vm().name)) vip = test_stub.create_vip('vip_{}'.format(vm.get_vm().name), vr_pub_nic.l3NetworkUuid) test_obj_dict.add_vip(vip) vip_list.append(vip) test_util.test_dsc("Create eip for vm {}".format(vm.get_vm().name)) eip = test_stub.create_eip('eip_{}'.format(vm.get_vm().name), vip_uuid=vip.get_vip().uuid) vip.attach_eip(eip) eip.attach(vm.get_vm().vmNics[0].uuid, vm) time.sleep(10) #waiting for eip attach to vm vip.check() vm.check() for vm in (vm1, vm2): vm.check() vm1_inv, vm2_inv = [vm.get_vm() for vm in (vm1, vm2)] vip1, vip2 = vip_list test_util.test_dsc("test two vm EIP connectivity") test_stub.run_command_in_vm(vm1_inv, 'iptables -F') test_stub.run_command_in_vm(vm2_inv, 'iptables -F') test_lib.lib_check_ping(vm1_inv, vip2.get_vip().ip) test_lib.lib_check_ping(vm2_inv, vip1.get_vip().ip) test_lib.lib_check_ports_in_a_command(vm1_inv, vip1.get_vip().ip, vip2.get_vip().ip, ["22"], [], vm2_inv) test_lib.lib_check_ports_in_a_command(vm2_inv, vip2.get_vip().ip, vip1.get_vip().ip, ["22"], [], vm1_inv)
def check_eip_allowed_tcp(self): if not self.allowed_vr_ip: test_util.test_logger('No allowed vm for eip testing. Skip EIP allowed TCP checking') return True vip = self.test_obj.get_vip() vip_ip = vip.ip eip = self.test_obj.get_eip().get_eip() target_vm = self.test_obj.get_eip().get_target_vm().vm try: test_lib.lib_check_ports_in_a_command(self.allowed_vr, self.allowed_vr_ip, vip_ip, self.allowed_ports, self.denied_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger("Unexpected Result: Catch failure when checking [vip:] %s EIP: %s for allowed ip: %s from [vm:] %s . " % \ (vip.uuid, eip.uuid, self.allowed_vr_ip, self.allowed_vr.uuid)) return False test_util.test_logger("Expected Result: Network checking pass for [vip:] %s EIP: %s by allowed ip: %s from [vm:] %s . " % \ (vip.uuid, eip.uuid, self.allowed_vr_ip, self.allowed_vr.uuid)) return True
def check(self): ''' check will assume target vm only have 1 port forwarding VR. So all vms PF rules are assigned to 1 VM nic. ''' super(zstack_kvm_pf_tcp_checker, self).check() test_result = True target_vm = self.test_obj.get_target_vm().vm pf_rule = self.test_obj.get_port_forwarding() vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid) all_ports = port_header.all_ports #only open ports when VM is running. if self.test_obj.get_target_vm().state == vm_header.RUNNING: test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_nic.l3NetworkUuid) #consolidate rules for TCP/UDP/ICMP with different AllowedCidr rule_port = port_header.get_port_rule(pf_rule.vipPortStart, pf_rule.vipPortEnd) #check SG ingress limitation. Since SG rule will not consider vip as #allowedCidr, if there is ingress limitation, the ingress PF connection #will be blocked. sg_tcp_ingress_flag = _sg_rule_exist(vm_nic, inventory.TCP, pf_rule) allowedCidr = pf_rule.allowedCidr allowed_vr_ip = allowedCidr.split('/')[0] allowed_vr_vm = test_lib.lib_get_vm_by_ip(allowed_vr_ip) vr_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip) l3_uuid = vr_nic.l3NetworkUuid allowed_vr_uuid_list = [allowed_vr_vm.uuid] #target_vm's VRs should be excluded, otherwise the ip package will be routed to this VR directly. pf_vm_vrs = test_lib.lib_find_vr_by_vm(target_vm) for pf_vr in pf_vm_vrs: allowed_vr_uuid_list.append(pf_vr.uuid) denied_vr_vm = _find_denied_vr(target_vm.clusterUuid, l3_uuid, allowed_vr_uuid_list) denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm) vip_uuid = pf_rule.vipUuid cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid) vipIp = res_ops.query_resource(res_ops.VIP, cond)[0].ip if sg_tcp_ingress_flag: test_util.test_logger( 'SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s' % target_vm.uuid) try: test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, [], all_ports, target_vm) except: test_util.test_logger( "Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s, when SG rule exists. " % (pf_rule.uuid, target_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) else: allowed_ports = port_header.get_ports(rule_port) denied_ports = list_ops.list_minus(all_ports, allowed_ports) try: test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger( "Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) else: test_util.test_logger( "Checking pass for Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid)) try: test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, [], all_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger( "Catch failure when checking Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s" % (pf_rule.uuid, target_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) else: test_util.test_logger( "Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (pf_rule.uuid, target_vm.uuid)) test_util.test_logger( 'Check result: [Port Forwarding] finishes TCP testing for [vm:] %s [nic:] %s' % (target_vm.uuid, vm_nic.uuid)) return self.judge(test_result)
def check(self): super(pf_checker, self).check() test_result = True try: test_vip = test_lib.lib_get_vip_by_uuid(self.test_obj.get_vip().uuid) except: test_util.test_logger('Check Result: [vip:] %s is not exist' % self.test_obj.get_vip().uuid) self.test_obj.update() return self.judge(False) if not self.test_obj.get_pf_list(): test_util.test_logger('Check Result: [vip:] %s is not attached to any pf.' % self.test_obj.get_vip().uuid) self.test_obj.update() return self.judge(False) vip = self.test_obj.get_vip() vipIp = vip.ip all_ports = port_header.all_ports pf_running_list = self.test_obj.get_pf_list_for_running_vm() pf_tcp_list, pf_udp_list = self.separate_tcp_udp_list(pf_running_list) pf_tcp_dict = self.gen_tcp_dict_by_allowed_cidr(pf_tcp_list) pf_stopped_list = self.test_obj.get_pf_list_for_stopped_vm() pf_detached_list = self.test_obj.get_detached_pf_list() vip_l3 = self.test_obj.get_vip().l3NetworkUuid if not pf_running_list: # all ports should be denied, since no living vm. for pf in pf_stopped_list: test_result = self.check_denied_pf(pf) if test_result != self.exp_result: return self.judge(test_result) for pf in pf_detached_list: test_result = self.check_denied_pf(pf) if test_result != self.exp_result: return self.judge(test_result) else: #open TCP ports for living vms for pf in pf_tcp_list: target_vm = pf.get_target_vm().vm vm_l3 = test_lib.lib_get_nic_by_uuid(pf.get_port_forwarding().vmNicUuid).l3NetworkUuid test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_l3) #calc allowed ports, per allowed_cidr for allowed_vr_ip, pf_dict_list in pf_tcp_dict.iteritems(): allowed_ports = [] denied_ports = all_ports #find all pf rules on running vm. These rules are supposed to be connectable, unless they are blocked by target vm's sg. allowed_ports, denied_ports = \ self.count_pf_allowed_denied_ports( pf_dict_list, allowed_ports, denied_ports) #although the target_vm might be different, but the denied_vr_vm should be same. target_vm_nic_uuid = pf_dict_list[0].get_port_forwarding().vmNicUuid allowed_vr_vm, denied_vr_vm = \ self.get_allowed_denied_vr_vm(allowed_vr_ip, target_vm_nic_uuid) denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm) try: test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCP [rules] for allowed Cidr: %s from [vm:] %s . " % \ (vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) if test_result != self.exp_result: return self.judge(test_result) test_util.test_logger("Checking pass for [vip:] %s Port Forwardings TCP rules for allowed Cidr: %s from [vm:] %s " % \ (vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid)) #check denied vr access. allowed_ports = [] denied_ports = all_ports #the denied vr might be in other pf rule. if denied_vr_ip in pf_tcp_dict.keys(): allowed_ports, denied_ports = \ self.count_pf_allowed_denied_ports( pf_tcp_dict[denied_vr_ip], allowed_ports, denied_ports) try: test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, allowed_ports, denied_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCPs for not allowed Cidr from [vm:] %s" % (vip.uuid, allowed_vr_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (vip.uuid, allowed_vr_vm.uuid)) if test_result != self.exp_result: return self.judge(test_result) #check pf_udp rule existance. for pf in pf_udp_list: test_result = test_lib.lib_check_vm_pf_rule_exist_in_iptables(pf.get_port_forwarding()) test_util.test_logger('Check result: [Port Forwarding] %s finishes UDP rule existance testing' % pf.get_port_forwarding().uuid) return self.judge(test_result) test_util.test_logger('Check result: [Port Forwarding] finishes [vip:] %s TCP testing.' % vip.uuid) return self.judge(test_result)
def test(): test_util.test_dsc("create vpc vrouter and attach vpc l3 to vpc") for vpc_name in vpc_name_list: vr_list.append(test_stub.create_vpc_vrouter(vpc_name)) for vr, l3_list in izip(vr_list, vpc_l3_list): test_stub.attach_l3_to_vpc_vr(vr, l3_list) vr1, vr2 = vr_list test_util.test_dsc("create two vm, vm1 in l3 {}, vm2 in l3 {}".format(VLAN1_NAME, VXLAN1_NAME)) vm1 = test_stub.create_vm_with_random_offering(vm_name='vpc_vm_{}'.format(VLAN1_NAME), l3_name=VLAN1_NAME) test_obj_dict.add_vm(vm1) vm1.check() vm2 = test_stub.create_vm_with_random_offering(vm_name='vpc_vm_{}'.format(VXLAN1_NAME), l3_name=VXLAN1_NAME) test_obj_dict.add_vm(vm2) vm2.check() cond = res_ops.gen_query_conditions('name', '=', os.environ.get(SECOND_PUB)) second_pub_l3 = res_ops.query_resource(res_ops.L3_NETWORK, cond)[0] test_util.test_dsc("Create vroute route for vpc1") cond = res_ops.gen_query_conditions('name', '=', os.environ.get(VXLAN1_NAME)) vpc2_l3 = res_ops.query_resource(res_ops.L3_NETWORK, cond)[0] vpc2_l3_cdir = vpc2_l3.ipRanges[0].networkCidr vpc2_second_pub_ip = [nic.ip for nic in vr2.inv.vmNics if nic.l3NetworkUuid == second_pub_l3.uuid][0] route_table1 = net_ops.create_vrouter_route_table('vpc1') route_entry1 = net_ops.add_vrouter_route_entry(route_table1.uuid, vpc2_l3_cdir, vpc2_second_pub_ip) net_ops.attach_vrouter_route_table_to_vrouter(route_table1.uuid, vr1.inv.uuid) test_util.test_dsc("Create vroute route for vpc2") cond = res_ops.gen_query_conditions('name', '=', os.environ.get(VLAN1_NAME)) vpc1_l3 = res_ops.query_resource(res_ops.L3_NETWORK, cond)[0] vpc1_l3_cdir = vpc1_l3.ipRanges[0].networkCidr vpc1_second_pub_ip = [nic.ip for nic in vr1.inv.vmNics if nic.l3NetworkUuid == second_pub_l3.uuid][0] route_table2 = net_ops.create_vrouter_route_table('vpc2') route_entry1 = net_ops.add_vrouter_route_entry(route_table2.uuid, vpc1_l3_cdir, vpc1_second_pub_ip) net_ops.attach_vrouter_route_table_to_vrouter(route_table2.uuid, vr2.inv.uuid) vm1_inv, vm2_inv = [vm.get_vm() for vm in (vm1, vm2)] test_lib.lib_check_ping(vm1_inv, vm2_inv.vmNics[0].ip) test_lib.lib_check_ping(vm2_inv, vm1_inv.vmNics[0].ip) test_lib.lib_check_ports_in_a_command(vm1_inv, vm1_inv.vmNics[0].ip, vm2_inv.vmNics[0].ip, ["22"], [], vm2_inv) test_lib.lib_check_ports_in_a_command(vm2_inv, vm2_inv.vmNics[0].ip, vm1_inv.vmNics[0].ip, ["22"], [], vm1_inv) net_ops.detach_vrouter_route_table_from_vrouter(route_table1.uuid, vr1.inv.uuid) net_ops.detach_vrouter_route_table_from_vrouter(route_table2.uuid, vr2.inv.uuid) with test_lib.expected_failure('Check two vm pingable', Exception): test_lib.lib_check_ping(vm1_inv, vm2_inv.vmNics[0].ip) with test_lib.expected_failure('Check two vm pingable', Exception): test_lib.lib_check_ping(vm2_inv, vm1_inv.vmNics[0].ip) test_lib.lib_check_ports_in_a_command(vm1_inv, vm1_inv.vmNics[0].ip, vm2_inv.vmNics[0].ip, [], ["22"], vm2_inv) test_lib.lib_check_ports_in_a_command(vm2_inv, vm2_inv.vmNics[0].ip, vm1_inv.vmNics[0].ip, [], ["22"], vm1_inv) test_lib.lib_error_cleanup(test_obj_dict) test_stub.remove_all_vpc_vrouter()
def test(): test_util.test_dsc('Create test vm with EIP and check.') vm1 = test_stub.create_vlan_vm(os.environ.get('l3VlanNetworkName1')) test_obj_dict.add_vm(vm1) vm2 = test_stub.create_vlan_vm(os.environ.get('l3VlanNetworkName1')) test_obj_dict.add_vm(vm2) l3_name = os.environ.get('l3VlanNetworkName1') vr1_l3_uuid = test_lib.lib_get_l3_by_name(l3_name).uuid vrs = test_lib.lib_find_vr_by_l3_uuid(vr1_l3_uuid) temp_vm1 = None if not vrs: #create temp_vm1 for getting vlan1's vr for test pf_vm portforwarding temp_vm1 = test_stub.create_vlan_vm() test_obj_dict.add_vm(temp_vm1) vr1 = test_lib.lib_find_vr_by_vm(temp_vm1.vm)[0] else: vr1 = vrs[0] if vr1.applianceVmType == "vrouter": test_util.test_skip("vrouter VR does not support single VM multiple EIP") l3_name = os.environ.get('l3NoVlanNetworkName1') vr2_l3_uuid = test_lib.lib_get_l3_by_name(l3_name).uuid vrs = test_lib.lib_find_vr_by_l3_uuid(vr2_l3_uuid) temp_vm2 = None if not vrs: #create temp_vm2 for getting novlan's vr for test pf_vm portforwarding temp_vm2 = test_stub.create_user_vlan_vm() test_obj_dict.add_vm(temp_vm2) vr2 = test_lib.lib_find_vr_by_vm(temp_vm2.vm)[0] else: vr2 = vrs[0] if vr1.applianceVmType == "vrouter": test_util.test_skip("vrouter VR does not support single VM multiple EIP") #we do not need temp_vm1 and temp_vm2, since we just use their VRs. if temp_vm1: temp_vm1.destroy() test_obj_dict.rm_vm(temp_vm1) if temp_vm2: temp_vm2.destroy() test_obj_dict.rm_vm(temp_vm2) vm_nic1 = vm1.vm.vmNics[0] vm_nic1_uuid = vm_nic1.uuid vm_nic2 = vm2.vm.vmNics[0] vm_nic2_uuid = vm_nic2.uuid pri_l3_uuid = vm_nic1.l3NetworkUuid vr = test_lib.lib_find_vr_by_l3_uuid(pri_l3_uuid)[0] vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr) l3_uuid = vr_pub_nic.l3NetworkUuid vip1 = test_stub.create_vip('create_vip 1', l3_uuid) test_obj_dict.add_vip(vip1) eip1 = test_stub.create_eip('create eip 1', vip_uuid=vip1.get_vip().uuid, \ vnic_uuid=vm_nic1_uuid, vm_obj=vm1) vip1.attach_eip(eip1) vip2 = test_stub.create_vip('create_vip 2', l3_uuid) test_obj_dict.add_vip(vip2) eip2 = test_stub.create_eip('create eip 2', vip_uuid=vip2.get_vip().uuid, \ vnic_uuid=vm_nic2_uuid, vm_obj=vm2) vip2.attach_eip(eip2) vm1.check() vip1.check() vm2.check() vip2.check() test_lib.lib_check_ports_in_a_command(vm1.get_vm(), vip1.get_vip().ip, \ vip2.get_vip().ip, test_stub.target_ports, [], vm2.get_vm()) test_lib.lib_check_ports_in_a_command(vm2.get_vm(), vip2.get_vip().ip, \ vip1.get_vip().ip, test_stub.target_ports, [], vm1.get_vm()) vm1.destroy() test_obj_dict.rm_vm(vm1) test_lib.lib_check_ports_in_a_command(vm2.get_vm(), vip2.get_vip().ip, \ vip1.get_vip().ip, [], test_stub.target_ports, vm1.get_vm()) vm2.destroy() test_obj_dict.rm_vm(vm2) vip1.delete() test_obj_dict.rm_vip(vip1) vip2.delete() test_obj_dict.rm_vip(vip2) test_util.test_pass('Test 2 EIPs for 2 VMs Success')
def check(self): ''' check will assume target vm only have 1 port forwarding VR. So all vms PF rules are assigned to 1 VM nic. ''' super(zstack_vcenter_pf_tcp_checker, self).check() test_result = True target_vm = self.test_obj.get_target_vm().vm pf_rule = self.test_obj.get_port_forwarding() vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid) all_ports = port_header.all_ports #only open ports when VM is running. if self.test_obj.get_target_vm().state == vm_header.RUNNING: test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_nic.l3NetworkUuid) #consolidate rules for TCP/UDP/ICMP with different AllowedCidr rule_port = port_header.get_port_rule(pf_rule.vipPortStart, pf_rule.vipPortEnd) #check SG ingress limitation. Since SG rule will not consider vip as #allowedCidr, if there is ingress limitation, the ingress PF connection #will be blocked. sg_tcp_ingress_flag = _sg_rule_exist(vm_nic, inventory.TCP, pf_rule) allowedCidr = pf_rule.allowedCidr allowed_vr_ip = allowedCidr.split('/')[0] allowed_vr_vm = test_lib.lib_get_vm_by_ip(allowed_vr_ip) vr_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip) l3_uuid = vr_nic.l3NetworkUuid allowed_vr_uuid_list = [allowed_vr_vm.uuid] #target_vm's VRs should be excluded, otherwise the ip package will be routed to this VR directly. pf_vm_vrs = test_lib.lib_find_vr_by_vm(target_vm) for pf_vr in pf_vm_vrs: allowed_vr_uuid_list.append(pf_vr.uuid) denied_vr_vm = _find_denied_vr(target_vm.clusterUuid, l3_uuid, allowed_vr_uuid_list) denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm) vip_uuid = pf_rule.vipUuid cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid) vipIp = res_ops.query_resource(res_ops.VIP, cond)[0].ip if sg_tcp_ingress_flag: test_util.test_logger('SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s' % target_vm.uuid) try: test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, [], all_ports, target_vm) except: test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s, when SG rule exists. " % (pf_rule.uuid, target_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) else: allowed_ports = port_header.get_ports(rule_port) denied_ports = list_ops.list_minus(all_ports, allowed_ports) try: test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) else: test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid)) try: test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, [], all_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s" % (pf_rule.uuid, target_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) else: test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (pf_rule.uuid, target_vm.uuid)) test_util.test_logger('Check result: [Port Forwarding] finishes TCP testing for [vm:] %s [nic:] %s' % (target_vm.uuid, vm_nic.uuid)) return self.judge(test_result)
def test(): test_util.test_dsc("create vpc vrouter and attach vpc l3 to vpc") for vpc_name in vpc_name_list: vr_list.append(test_stub.create_vpc_vrouter(vpc_name)) for vr, l3_list in izip(vr_list, vpc_l3_list): test_stub.attach_l3_to_vpc_vr(vr, l3_list) vr1, vr2 = vr_list test_util.test_dsc("create two vm, vm1 in l3 {}, vm2 in l3 {}".format( VLAN1_NAME, VXLAN1_NAME)) vm1 = test_stub.create_vm_with_random_offering( vm_name='vpc_vm_{}'.format(VLAN1_NAME), l3_name=VLAN1_NAME) test_obj_dict.add_vm(vm1) vm1.check() vm2 = test_stub.create_vm_with_random_offering( vm_name='vpc_vm_{}'.format(VXLAN1_NAME), l3_name=VXLAN1_NAME) test_obj_dict.add_vm(vm2) vm2.check() cond = res_ops.gen_query_conditions('name', '=', os.environ.get(SECOND_PUB)) second_pub_l3 = res_ops.query_resource(res_ops.L3_NETWORK, cond)[0] test_util.test_dsc("Create vroute route for vpc1") cond = res_ops.gen_query_conditions('name', '=', os.environ.get(VXLAN1_NAME)) vpc2_l3 = res_ops.query_resource(res_ops.L3_NETWORK, cond)[0] vpc2_l3_cdir = vpc2_l3.ipRanges[0].networkCidr vpc2_second_pub_ip = [ nic.ip for nic in vr2.inv.vmNics if nic.l3NetworkUuid == second_pub_l3.uuid ][0] route_table1 = net_ops.create_vrouter_route_table('vpc1') route_entry1 = net_ops.add_vrouter_route_entry(route_table1.uuid, vpc2_l3_cdir, vpc2_second_pub_ip) net_ops.attach_vrouter_route_table_to_vrouter(route_table1.uuid, vr1.inv.uuid) test_util.test_dsc("Create vroute route for vpc2") cond = res_ops.gen_query_conditions('name', '=', os.environ.get(VLAN1_NAME)) vpc1_l3 = res_ops.query_resource(res_ops.L3_NETWORK, cond)[0] vpc1_l3_cdir = vpc1_l3.ipRanges[0].networkCidr vpc1_second_pub_ip = [ nic.ip for nic in vr1.inv.vmNics if nic.l3NetworkUuid == second_pub_l3.uuid ][0] route_table2 = net_ops.create_vrouter_route_table('vpc2') route_entry1 = net_ops.add_vrouter_route_entry(route_table2.uuid, vpc1_l3_cdir, vpc1_second_pub_ip) net_ops.attach_vrouter_route_table_to_vrouter(route_table2.uuid, vr2.inv.uuid) vm1_inv, vm2_inv = [vm.get_vm() for vm in (vm1, vm2)] test_lib.lib_check_ping(vm1_inv, vm2_inv.vmNics[0].ip) test_lib.lib_check_ping(vm2_inv, vm1_inv.vmNics[0].ip) test_lib.lib_check_ports_in_a_command(vm1_inv, vm1_inv.vmNics[0].ip, vm2_inv.vmNics[0].ip, ["22"], [], vm2_inv) test_lib.lib_check_ports_in_a_command(vm2_inv, vm2_inv.vmNics[0].ip, vm1_inv.vmNics[0].ip, ["22"], [], vm1_inv) net_ops.detach_vrouter_route_table_from_vrouter(route_table1.uuid, vr1.inv.uuid) net_ops.detach_vrouter_route_table_from_vrouter(route_table2.uuid, vr2.inv.uuid) with test_lib.expected_failure('Check two vm pingable', Exception): test_lib.lib_check_ping(vm1_inv, vm2_inv.vmNics[0].ip) with test_lib.expected_failure('Check two vm pingable', Exception): test_lib.lib_check_ping(vm2_inv, vm1_inv.vmNics[0].ip) test_lib.lib_check_ports_in_a_command(vm1_inv, vm1_inv.vmNics[0].ip, vm2_inv.vmNics[0].ip, [], ["22"], vm2_inv) test_lib.lib_check_ports_in_a_command(vm2_inv, vm2_inv.vmNics[0].ip, vm1_inv.vmNics[0].ip, [], ["22"], vm1_inv) test_lib.lib_error_cleanup(test_obj_dict) test_stub.remove_all_vpc_vrouter()