def test_basic_policy(self):
    """Bind one policy to two VNs and verify the RI refs appear and vanish.

    Both networks receive the same policy with sequence (1, 1) before
    they are created.  The test waits until both identities are in the
    VNC DB, expects routing-instance refs in both directions, detaches
    the policy and finally checks that the refs, the policy, the VNs and
    vn2's RI are gone.
    """
    vn1_obj = VirtualNetwork(self.id() + 'vn1')
    vn2_obj = VirtualNetwork(self.id() + 'vn2')
    both = (vn1_obj, vn2_obj)
    policy = self.create_network_policy(vn1_obj, vn2_obj)
    attach = VirtualNetworkPolicyType(SequenceType(1, 1))
    for net in both:
        net.set_network_policy(policy, attach)
    for net in both:
        self._vnc_lib.virtual_network_create(net)
    for net in both:
        self.assertTill(self.vnc_db_has_ident, obj=net)
    ri1 = self.get_ri_name(vn1_obj)
    ri2 = self.get_ri_name(vn2_obj)
    # The policy must produce a connection in both directions.
    self.check_ri_ref_present(ri1, ri2)
    self.check_ri_ref_present(ri2, ri1)
    for net in both:
        net.del_network_policy(policy)
    for net in both:
        self._vnc_lib.virtual_network_update(net)
    self.check_ri_refs_are_deleted(fq_name=ri2)
    self.delete_network_policy(policy)
    for net in both:
        self._vnc_lib.virtual_network_delete(fq_name=net.get_fq_name())
    self.check_vn_is_deleted(uuid=vn1_obj.uuid)
    self.check_ri_is_deleted(fq_name=ri2)
def test_multiple_policy(self):
    """Two opposite policies, with rule actions flipped, drive the RI links.

    np1 (vn1 -> vn2) is bound to vn1 and np2 (vn2 -> vn1) to vn2.  After
    both VNs exist and reference each other's RI, np1's first rule is set
    to 'deny' and the test polls (assertTill on an expression string) the
    fake IF-MAP graph for the connection link between the two RIs; np1
    is then set back to 'pass', np2 to 'deny', and the mirror link is
    polled.  Everything is detached and deleted at the end.
    """
    vn1_obj = VirtualNetwork(self.id() + 'vn1')
    vn2_obj = VirtualNetwork(self.id() + 'vn2')
    both = (vn1_obj, vn2_obj)
    np1 = self.create_network_policy(vn1_obj, vn2_obj)
    np2 = self.create_network_policy(vn2_obj, vn1_obj)
    attach = VirtualNetworkPolicyType(SequenceType(1, 1))
    vn1_obj.set_network_policy(np1, attach)
    vn2_obj.set_network_policy(np2, attach)
    for net in both:
        self._vnc_lib.virtual_network_create(net)
    ri1 = self.get_ri_name(vn1_obj)
    ri2 = self.get_ri_name(vn2_obj)
    self.check_ri_ref_present(ri1, ri2)
    self.check_ri_ref_present(ri2, ri1)

    def set_action(policy, action):
        # Rewrite the first rule's simple action and push the policy.
        policy.network_policy_entries.policy_rule[0].action_list.simple_action = action
        policy.set_network_policy_entries(policy.network_policy_entries)
        self._vnc_lib.network_policy_update(policy)

    def link_expr(linked_ri, ident_ri):
        # Expression string for assertTill, evaluated there against the
        # fake IF-MAP graph of the '8443' client.
        return (
            "('contrail:connection contrail:routing-instance:%s' in "
            "FakeIfmapClient._graph['8443']['contrail:routing-instance:%s']['links'])"
            % (':'.join(linked_ri), ':'.join(ident_ri)))

    set_action(np1, 'deny')
    self.assertTill(link_expr(ri2, ri1))
    set_action(np1, 'pass')
    set_action(np2, 'deny')
    self.assertTill(link_expr(ri1, ri2))

    vn1_obj.del_network_policy(np1)
    vn2_obj.del_network_policy(np2)
    for net in both:
        self._vnc_lib.virtual_network_update(net)
    self.check_ri_refs_are_deleted(fq_name=ri2)
    self.delete_network_policy(np1)
    self.delete_network_policy(np2)
    for net in both:
        self._vnc_lib.virtual_network_delete(fq_name=net.get_fq_name())
    self.check_vn_is_deleted(uuid=vn1_obj.uuid)
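def test_policy_in_policy(self):
    """A rule whose destination is another policy expands to that policy's VNs.

    np1 (vn1 -> vn2) gets its first destination rewritten to point at np2
    by name; np2 (vn2 -> vn1) gets its first source set to "local".  Both
    are attached to vn1/vn2, which must then reference each other's RI.
    vn3 joins np2 and must gain an RI ref to vn1; after it leaves, vn1's
    ACL must no longer hold a rule whose destination is vn3 (polled with
    @retries).  Everything is detached and deleted at the end.

    Fix: np2's modified entries are written back to np2.  The original
    passed np1.network_policy_entries to np2.set_network_policy_entries,
    silently discarding the "local" source it had just set on np2.
    """
    vn1_name = self.id() + "vn1"
    vn2_name = self.id() + "vn2"
    vn3_name = self.id() + "vn3"
    vn1_obj = VirtualNetwork(vn1_name)
    vn2_obj = VirtualNetwork(vn2_name)
    np1 = self.create_network_policy(vn1_obj, vn2_obj)
    np2 = self.create_network_policy(vn2_obj, vn1_obj)

    # np1's first rule targets policy np2 instead of a VN.
    dst = np1.network_policy_entries.policy_rule[0].dst_addresses[0]
    dst.virtual_network = None
    dst.network_policy = np2.get_fq_name_str()
    np1.set_network_policy_entries(np1.network_policy_entries)
    self._vnc_lib.network_policy_update(np1)

    # np2's first rule originates from whichever VN it is attached to.
    np2.network_policy_entries.policy_rule[0].src_addresses[0].virtual_network = "local"
    np2.set_network_policy_entries(np2.network_policy_entries)  # was np1's entries
    self._vnc_lib.network_policy_update(np2)

    attach = VirtualNetworkPolicyType(SequenceType(1, 1))
    vn1_obj.set_network_policy(np1, attach)
    vn2_obj.set_network_policy(np2, attach)
    self._vnc_lib.virtual_network_create(vn1_obj)
    self._vnc_lib.virtual_network_create(vn2_obj)
    ri1 = self.get_ri_name(vn1_obj)
    ri2 = self.get_ri_name(vn2_obj)
    self.check_ri_ref_present(ri1, ri2)
    self.check_ri_ref_present(ri2, ri1)

    # A third VN attached to np2 must be connected to vn1 through it.
    vn3_obj = VirtualNetwork(vn3_name)
    vn3_obj.set_network_policy(np2, attach)
    self._vnc_lib.virtual_network_create(vn3_obj)
    self.check_ri_ref_present(self.get_ri_name(vn3_obj), ri1)
    vn3_obj.del_network_policy(np2)
    self._vnc_lib.virtual_network_update(vn3_obj)

    @retries(5)
    def _match_acl_rule():
        # Retried until vn1's ACL no longer mentions vn3 as a destination.
        acl = self._vnc_lib.access_control_list_read(fq_name=ri1)
        for rule in acl.get_access_control_list_entries().get_acl_rule():
            if rule.match_condition.dst_address.virtual_network == vn3_obj.get_fq_name_str():
                raise Exception("ACL rule still present")
    _match_acl_rule()

    vn1_obj.del_network_policy(np1)
    vn2_obj.del_network_policy(np2)
    self._vnc_lib.virtual_network_update(vn1_obj)
    self._vnc_lib.virtual_network_update(vn2_obj)
    self.delete_network_policy(np1)
    self.delete_network_policy(np2)
    for net in (vn1_obj, vn2_obj, vn3_obj):
        self._vnc_lib.virtual_network_delete(fq_name=net.get_fq_name())
    self.check_vn_is_deleted(uuid=vn1_obj.uuid)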
def test_multiple_policy(self):
    """Two opposite policies, with rule actions flipped, drive the RI links.

    np1 (vn1 -> vn2) is bound to vn1 and np2 (vn2 -> vn1) to vn2.  After
    both VNs exist and reference each other's RI, np1's first rule is set
    to 'deny' and the test waits (assertTill on ifmap_ident_has_link) for
    vn1's RI to carry a connection link to vn2's RI; np1 is then set back
    to 'pass', np2 to 'deny', and the mirror link is awaited.  Everything
    is detached and deleted at the end.
    """
    vn1_obj = VirtualNetwork(self.id() + 'vn1')
    vn2_obj = VirtualNetwork(self.id() + 'vn2')
    both = (vn1_obj, vn2_obj)
    np1 = self.create_network_policy(vn1_obj, vn2_obj)
    np2 = self.create_network_policy(vn2_obj, vn1_obj)
    attach = VirtualNetworkPolicyType(SequenceType(1, 1))
    vn1_obj.set_network_policy(np1, attach)
    vn2_obj.set_network_policy(np2, attach)
    for net in both:
        self._vnc_lib.virtual_network_create(net)
    ri1 = self.get_ri_name(vn1_obj)
    ri2 = self.get_ri_name(vn2_obj)
    self.check_ri_ref_present(ri1, ri2)
    self.check_ri_ref_present(ri2, ri1)

    def set_action(policy, action):
        # Rewrite the first rule's simple action and push the policy.
        policy.network_policy_entries.policy_rule[0].action_list.simple_action = action
        policy.set_network_policy_entries(policy.network_policy_entries)
        self._vnc_lib.network_policy_update(policy)

    def wait_for_link(ident_ri, linked_ri):
        # Block until the RI identity `ident_ri` has a connection link to
        # `linked_ri` in the IF-MAP graph.
        self.assertTill(
            self.ifmap_ident_has_link,
            type_fq_name=('routing-instance', ident_ri),
            link_name='contrail:connection contrail:routing-instance:%s'
                      % ':'.join(linked_ri))

    set_action(np1, 'deny')
    wait_for_link(ri1, ri2)
    set_action(np1, 'pass')
    set_action(np2, 'deny')
    wait_for_link(ri2, ri1)

    vn1_obj.del_network_policy(np1)
    vn2_obj.del_network_policy(np2)
    for net in both:
        self._vnc_lib.virtual_network_update(net)
    self.check_ri_refs_are_deleted(fq_name=ri2)
    self.delete_network_policy(np1)
    self.delete_network_policy(np2)
    for net in both:
        self._vnc_lib.virtual_network_delete(fq_name=net.get_fq_name())
    self.check_vn_is_deleted(uuid=vn1_obj.uuid)
def test_multiple_policy(self):
    """Two opposite policies, with rule actions flipped, drive the RI links.

    Same scenario as the other variants: np1 (vn1 -> vn2) on vn1, np2
    (vn2 -> vn1) on vn2, actions flipped to 'deny'/'pass', and the fake
    IF-MAP graph polled via an assertTill expression string (this variant
    indexes FakeIfmapClient._graph directly by identity, without a client
    key).  Everything is detached and deleted at the end.
    """
    vn1_obj = VirtualNetwork(self.id() + 'vn1')
    vn2_obj = VirtualNetwork(self.id() + 'vn2')
    both = (vn1_obj, vn2_obj)
    np1 = self.create_network_policy(vn1_obj, vn2_obj)
    np2 = self.create_network_policy(vn2_obj, vn1_obj)
    attach = VirtualNetworkPolicyType(SequenceType(1, 1))
    vn1_obj.set_network_policy(np1, attach)
    vn2_obj.set_network_policy(np2, attach)
    for net in both:
        self._vnc_lib.virtual_network_create(net)
    ri1 = self.get_ri_name(vn1_obj)
    ri2 = self.get_ri_name(vn2_obj)
    self.check_ri_ref_present(ri1, ri2)
    self.check_ri_ref_present(ri2, ri1)

    def set_action(policy, action):
        # Rewrite the first rule's simple action and push the policy.
        policy.network_policy_entries.policy_rule[0].action_list.simple_action = action
        policy.set_network_policy_entries(policy.network_policy_entries)
        self._vnc_lib.network_policy_update(policy)

    def link_expr(linked_ri, ident_ri):
        # Expression string for assertTill, evaluated there against the
        # fake IF-MAP graph.
        return (
            "('contrail:connection contrail:routing-instance:%s' in "
            "FakeIfmapClient._graph['contrail:routing-instance:%s']['links'])"
            % (':'.join(linked_ri), ':'.join(ident_ri)))

    set_action(np1, 'deny')
    self.assertTill(link_expr(ri2, ri1))
    set_action(np1, 'pass')
    set_action(np2, 'deny')
    self.assertTill(link_expr(ri1, ri2))

    vn1_obj.del_network_policy(np1)
    vn2_obj.del_network_policy(np2)
    for net in both:
        self._vnc_lib.virtual_network_update(net)
    self.check_ri_refs_are_deleted(fq_name=ri2)
    self.delete_network_policy(np1)
    self.delete_network_policy(np2)
    for net in both:
        self._vnc_lib.virtual_network_delete(fq_name=net.get_fq_name())
    self.check_vn_is_deleted(uuid=vn1_obj.uuid)
def test_multiple_policy(self):
    """Two opposite policies, with rule actions flipped, drive the RI links.

    np1 (vn1 -> vn2) is bound to vn1 and np2 (vn2 -> vn1) to vn2.  After
    both VNs exist and reference each other's RI, np1's first rule is set
    to "deny" and the test waits (assertTill on ifmap_ident_has_link) for
    vn1's RI to carry a connection link to vn2's RI; np1 is then set back
    to "pass", np2 to "deny", and the mirror link is awaited.  Everything
    is detached and deleted at the end.
    """
    vn1_obj = VirtualNetwork(self.id() + "vn1")
    vn2_obj = VirtualNetwork(self.id() + "vn2")
    both = (vn1_obj, vn2_obj)
    np1 = self.create_network_policy(vn1_obj, vn2_obj)
    np2 = self.create_network_policy(vn2_obj, vn1_obj)
    attach = VirtualNetworkPolicyType(SequenceType(1, 1))
    vn1_obj.set_network_policy(np1, attach)
    vn2_obj.set_network_policy(np2, attach)
    for net in both:
        self._vnc_lib.virtual_network_create(net)
    ri1 = self.get_ri_name(vn1_obj)
    ri2 = self.get_ri_name(vn2_obj)
    self.check_ri_ref_present(ri1, ri2)
    self.check_ri_ref_present(ri2, ri1)

    def set_action(policy, action):
        # Rewrite the first rule's simple action and push the policy.
        policy.network_policy_entries.policy_rule[0].action_list.simple_action = action
        policy.set_network_policy_entries(policy.network_policy_entries)
        self._vnc_lib.network_policy_update(policy)

    def wait_for_link(ident_ri, linked_ri):
        # Block until the RI identity `ident_ri` has a connection link to
        # `linked_ri` in the IF-MAP graph.
        self.assertTill(
            self.ifmap_ident_has_link,
            type_fq_name=("routing-instance", ident_ri),
            link_name="contrail:connection contrail:routing-instance:%s"
                      % ":".join(linked_ri),
        )

    set_action(np1, "deny")
    wait_for_link(ri1, ri2)
    set_action(np1, "pass")
    set_action(np2, "deny")
    wait_for_link(ri2, ri1)

    vn1_obj.del_network_policy(np1)
    vn2_obj.del_network_policy(np2)
    for net in both:
        self._vnc_lib.virtual_network_update(net)
    self.check_ri_refs_are_deleted(fq_name=ri2)
    self.delete_network_policy(np1)
    self.delete_network_policy(np2)
    for net in both:
        self._vnc_lib.virtual_network_delete(fq_name=net.get_fq_name())
    self.check_vn_is_deleted(uuid=vn1_obj.uuid)
def test_multiple_policy(self):
    """Two opposite policies; a 'deny' rule removes the RI refs, 'pass' restores them.

    np1 (vn1 -> vn2) is bound to vn1 and np2 (vn2 -> vn1) to vn2.  After
    both VNs reference each other's RI, np1 set to 'deny' must clear the
    refs on vn2's RI, np1 back to 'pass' must restore vn1 -> vn2, and np2
    set to 'deny' must clear vn2's refs again.  Both policies are then
    detached and deleted and both VNs removed.
    """
    vn1_obj = VirtualNetwork(self.id() + 'vn1')
    vn2_obj = VirtualNetwork(self.id() + 'vn2')
    both = (vn1_obj, vn2_obj)
    np1 = self.create_network_policy(vn1_obj, vn2_obj)
    np2 = self.create_network_policy(vn2_obj, vn1_obj)
    attach = VirtualNetworkPolicyType(SequenceType(1, 1))
    vn1_obj.set_network_policy(np1, attach)
    vn2_obj.set_network_policy(np2, attach)
    for net in both:
        self._vnc_lib.virtual_network_create(net)
    ri1 = self.get_ri_name(vn1_obj)
    ri2 = self.get_ri_name(vn2_obj)
    self.check_ri_ref_present(ri1, ri2)
    self.check_ri_ref_present(ri2, ri1)

    def set_action(policy, action):
        # Rewrite the first rule's simple action and push the policy.
        policy.network_policy_entries.policy_rule[0].action_list.simple_action = action
        policy.set_network_policy_entries(policy.network_policy_entries)
        self._vnc_lib.network_policy_update(policy)

    set_action(np1, 'deny')
    self.check_ri_refs_are_deleted(fq_name=ri2)
    set_action(np1, 'pass')
    self.check_ri_ref_present(ri1, ri2)
    set_action(np2, 'deny')
    self.check_ri_refs_are_deleted(fq_name=ri2)

    vn1_obj.del_network_policy(np1)
    vn2_obj.del_network_policy(np2)
    for net in both:
        self._vnc_lib.virtual_network_update(net)
    self.delete_network_policy(np1)
    self.delete_network_policy(np2)
    for net in both:
        self._vnc_lib.virtual_network_delete(fq_name=net.get_fq_name())
    for net in both:
        self.check_vn_is_deleted(uuid=net.uuid)
def test_multiple_policy(self):
    """Two opposite policies; a 'deny' rule removes the RI refs, 'pass' restores them.

    np1 (vn1 -> vn2) is bound to vn1 and np2 (vn2 -> vn1) to vn2.  After
    both VNs reference each other's RI, np1 set to 'deny' must clear the
    refs on vn2's RI, np1 back to 'pass' must restore vn1 -> vn2, and np2
    set to 'deny' must clear vn2's refs again.  Both policies are then
    detached and deleted and both VNs removed.
    """
    vn1_obj = VirtualNetwork(self.id() + 'vn1')
    vn2_obj = VirtualNetwork(self.id() + 'vn2')
    both = (vn1_obj, vn2_obj)
    np1 = self.create_network_policy(vn1_obj, vn2_obj)
    np2 = self.create_network_policy(vn2_obj, vn1_obj)
    attach = VirtualNetworkPolicyType(SequenceType(1, 1))
    vn1_obj.set_network_policy(np1, attach)
    vn2_obj.set_network_policy(np2, attach)
    for net in both:
        self._vnc_lib.virtual_network_create(net)
    ri1 = self.get_ri_name(vn1_obj)
    ri2 = self.get_ri_name(vn2_obj)
    self.check_ri_ref_present(ri1, ri2)
    self.check_ri_ref_present(ri2, ri1)

    def set_action(policy, action):
        # Rewrite the first rule's simple action and push the policy.
        policy.network_policy_entries.policy_rule[0].action_list.simple_action = action
        policy.set_network_policy_entries(policy.network_policy_entries)
        self._vnc_lib.network_policy_update(policy)

    set_action(np1, 'deny')
    self.check_ri_refs_are_deleted(fq_name=ri2)
    set_action(np1, 'pass')
    self.check_ri_ref_present(ri1, ri2)
    set_action(np2, 'deny')
    self.check_ri_refs_are_deleted(fq_name=ri2)

    vn1_obj.del_network_policy(np1)
    vn2_obj.del_network_policy(np2)
    for net in both:
        self._vnc_lib.virtual_network_update(net)
    self.delete_network_policy(np1)
    self.delete_network_policy(np2)
    for net in both:
        self._vnc_lib.virtual_network_delete(fq_name=net.get_fq_name())
    for net in both:
        self.check_vn_is_deleted(uuid=net.uuid)
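def create_network(self, name, proj_obj, subnet, ipam_name):
    """Return the L3 VN *name* under *proj_obj*, creating it and its IPAM if needed.

    The VN is declared with forwarding_mode 'l3' and address_allocation_mode
    'user-defined-subnet-only'.  If reading it by fq_name raises NoIdError
    it is created and re-read.  A 'flat-subnet' IPAM named *ipam_name* for
    *subnet* is then created through _create_network_ipam (its return
    value was unused here and is no longer bound), and a VN update is
    attempted.  An update failure is logged and otherwise ignored (best
    effort); the stored VN is re-read and returned in either case.

    Changes: dropped the unused local and the commented-out FIP-pool code.
    """
    vn = VirtualNetwork(
        name=name, parent_obj=proj_obj,
        virtual_network_properties=VirtualNetworkType(forwarding_mode='l3'),
        address_allocation_mode='user-defined-subnet-only')
    try:
        vn_obj = self._vnc_lib.virtual_network_read(fq_name=vn.get_fq_name())
    except NoIdError:
        # Virtual network does not exist. Create one.
        vn_uuid = self._vnc_lib.virtual_network_create(vn)
        vn_obj = self._vnc_lib.virtual_network_read(id=vn_uuid)
    self._create_network_ipam(ipam_name, 'flat-subnet', subnet, proj_obj, vn_obj)
    try:
        self._vnc_lib.virtual_network_update(vn_obj)
    except Exception as e:
        # Best effort: record the failure and fall through to the re-read.
        self.logger.error("%s - failed to update virtual network %s %s. %s"
                          % (self._name, vn_obj.uuid, str(vn_obj.fq_name), str(e)))
    vn_obj = self._vnc_lib.virtual_network_read(fq_name=vn_obj.get_fq_name())
    return vn_obj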
def create_network(self, name, proj_obj, pod_subnet, service_subnet):
    """Return the cluster L3 VN *name*, creating it with pod and service IPAMs if missing.

    The VN is declared with forwarding_mode 'l3' and address_allocation_mode
    'user-defined-subnet-only' and created only when reading it by fq_name
    raises NoIdError.  A 'flat-subnet' pod IPAM for *pod_subnet* and a
    service IPAM for *service_subnet* are then created via
    _create_network_ipam, the VN update is attempted (failure is logged and
    ignored), the stored VN is re-read, the cluster service FIP pool is
    created on the VncKubernetes singleton, and the VN is returned.
    """
    declared = VirtualNetwork(
        name=name, parent_obj=proj_obj,
        virtual_network_properties=VirtualNetworkType(forwarding_mode='l3'),
        address_allocation_mode='user-defined-subnet-only')

    def _read_or_create():
        try:
            return self._vnc_lib.virtual_network_read(fq_name=declared.get_fq_name())
        except NoIdError:
            # Virtual network does not exist. Create one.
            new_uuid = self._vnc_lib.virtual_network_create(declared)
            return self._vnc_lib.virtual_network_read(id=new_uuid)

    vn_obj = _read_or_create()
    pod_ipam_obj = self._create_network_ipam(
        'pod-ipam', 'flat-subnet', pod_subnet, proj_obj, vn_obj)
    self._create_network_ipam(
        'service-ipam', '', service_subnet, proj_obj, vn_obj)
    try:
        self._vnc_lib.virtual_network_update(vn_obj)
    except Exception as e:
        # Best effort: record the failure and carry on with the re-read.
        self.logger.error("%s - failed to update virtual network %s %s. %s"
                          % (self._name, vn_obj.uuid, str(vn_obj.fq_name), str(e)))
    vn_obj = self._vnc_lib.virtual_network_read(fq_name=vn_obj.get_fq_name())
    vnc_kubernetes.VncKubernetes.get_instance()._create_cluster_service_fip_pool(
        vn_obj, pod_ipam_obj)
    return vn_obj
def test_context_undo_fail_db_update(self):
    """A failed DB update of a VMI must leave its original VN ref untouched.

    A VMI is created on vn_og, then re-pointed at vn_next while
    _api_server._db_conn.dbe_update is mocked to fail with a 500.  The
    update must surface as HttpError and the re-read VMI must still hold
    exactly one VN ref, to vn_og.
    """
    project = Project(name='p-{}'.format(self.id()))
    self.api.project_create(project)
    vn_og = VirtualNetwork(name='og-vn-{}'.format(self.id()), parent_obj=project)
    self.api.virtual_network_create(vn_og)
    vmi_obj = VirtualMachineInterface('vmi-{}'.format(self.id()), parent_obj=project)
    vmi_obj.set_virtual_network(vn_og)
    self.api.virtual_machine_interface_create(vmi_obj)
    vmi_obj = self.api.virtual_machine_interface_read(id=vmi_obj.uuid)

    # Re-point the VMI at a second VN.
    vn_next = VirtualNetwork(name='next-vn-{}'.format(self.id()), parent_obj=project)
    vn_next.uuid = self.api.virtual_network_create(vn_next)
    vmi_obj.set_virtual_network(vn_next)

    def _fail_update(*args, **kwargs):
        # Stand-in for dbe_update: report a server-side failure.
        return False, (500, "Fake error")

    mocks = [(self._api_server._db_conn, 'dbe_update', _fail_update)]
    with ExpectedException(HttpError):
        with test_common.flexmocks(mocks):
            self.api.virtual_machine_interface_update(vmi_obj)

    vmi_obj = self.api.virtual_machine_interface_read(id=vmi_obj.uuid)
    vn_ref_fq_names = [ref['to'] for ref in vmi_obj.get_virtual_network_refs()]
    self.assertEqual(len(vn_ref_fq_names), 1)
    self.assertEqual(vn_ref_fq_names[0], vn_og.get_fq_name())
def _create_virtual_network(self, vn_name, proj_obj, ipam_obj,
                            ipam_update, provider=None, subnets=None,
                            type='flat-subnet-only'):
    """Return the VN *vn_name* under *proj_obj*, creating it if it does not exist.

    If the VN can be read by fq_name it is returned as-is; nothing below
    the early return runs for an existing VN, so `ipam_update` and the
    "Handle Network update" branch only matter for the create path (that
    `else` branch is currently unreachable).  For a new VN: the IPAM is
    linked (with *subnets* when *type* is 'user-defined-subnet-only', else
    with an empty VnSubnetsType), forwarding_mode is set to 'l3', the
    *provider* VN is referenced or fabric SNAT is set from
    self.ip_fabric_snat, the VN is created, re-read, cached via
    VirtualNetworkKM.locate and returned.

    NOTE: the parameter named `type` shadows the builtin; it is part of the
    call signature and kept for callers.
    NOTE(review): the source's indentation was lost; the nesting of the
    `elif fabric_snat` chain under `if self.ip_fabric_forwarding` below is
    the most plausible reading — confirm against the original file.
    """
    vn_exists = False
    vn = VirtualNetwork(name=vn_name, parent_obj=proj_obj,
                        address_allocation_mode=type)
    try:
        vn_obj = self._vnc_lib.virtual_network_read(
            fq_name=vn.get_fq_name())
        vn_exists = True
    except NoIdError:
        # VN does not exist. Create one.
        vn_obj = vn
    if vn_exists:
        # Existing VN: returned without touching IPAM links or properties.
        return vn_obj
    # Attach IPAM to virtual network.
    #
    # For flat-subnets, the subnets are specified on the IPAM and
    # not on the virtual-network to IPAM link. So pass an empty
    # list of VnSubnetsType.
    # For user-defined-subnets, use the provided subnets
    if ipam_update or \
            not self._is_ipam_exists(vn_obj, ipam_obj.get_fq_name()):
        if subnets and type == 'user-defined-subnet-only':
            vn_obj.add_network_ipam(ipam_obj, subnets)
        else:
            vn_obj.add_network_ipam(ipam_obj, VnSubnetsType([]))
    vn_obj.set_virtual_network_properties(
        VirtualNetworkType(forwarding_mode='l3'))
    # Plain bool view of the configured SNAT flag.
    fabric_snat = False
    if self.ip_fabric_snat:
        fabric_snat = True
    if not vn_exists:  # always true here because of the early return above
        if self.ip_fabric_forwarding:
            if provider:
                # enable ip_fabric_forwarding
                vn_obj.add_virtual_network(provider)
        elif fabric_snat:
            # enable fabric_snat
            vn_obj.set_fabric_snat(True)
        else:
            # disable fabric_snat
            vn_obj.set_fabric_snat(False)
        # Create VN.
        self._vnc_lib.virtual_network_create(vn_obj)
    else:
        # TODO: Handle Network update
        # Unreachable: existing VNs already returned above.
        pass
    vn_obj = self._vnc_lib.virtual_network_read(
        fq_name=vn_obj.get_fq_name())
    VirtualNetworkKM.locate(vn_obj.uuid)
    return vn_obj
def _create_isolated_ns_virtual_network(self, ns_name, vn_name, proj_obj):
    """Create (or reuse) the isolated VN for namespace *ns_name*; return its uuid.

    The VN is declared with forwarding_mode 'l3' and address_allocation_mode
    'flat-subnet-only', annotated with the namespace and isolated='True',
    and created; on RefsExistError the stored VN's uuid is taken instead.
    The cluster pod IPAM is linked with an empty VnSubnetsType and the VN is
    updated.  If the ip-fabric VN can be read, a policy is created and
    attached between it and this VN (NoIdError is ignored).  The VN is
    cached in VirtualNetworkKM and recorded on the namespace entry.

    NOTE(review): on RefsExistError only the uuid of the stored object is
    kept; the IPAM link and update are applied to the locally built `vn`.
    Confirm the update resolves it by fq_name as intended.
    """
    vn = VirtualNetwork(
        name=vn_name, parent_obj=proj_obj,
        virtual_network_properties=VirtualNetworkType(forwarding_mode='l3'),
        address_allocation_mode='flat-subnet-only')
    # Add annotations on this isolated virtual-network.
    VirtualNetworkKM.add_annotations(self, vn, namespace=ns_name,
                                     name=ns_name, isolated='True')
    try:
        vn_uuid = self._vnc_lib.virtual_network_create(vn)
    except RefsExistError:
        existing = self._vnc_lib.virtual_network_read(fq_name=vn.get_fq_name())
        vn_uuid = existing.uuid

    # Instance-Ip for pods on this VN should be allocated from the cluster
    # pod ipam, so attach that ipam object to this virtual network.
    pod_ipam = self._vnc_lib.network_ipam_read(
        fq_name=vnc_kube_config.pod_ipam_fq_name())
    vn.add_network_ipam(pod_ipam, VnSubnetsType([]))
    self._vnc_lib.virtual_network_update(vn)

    try:
        fabric_vn = self._vnc_lib.virtual_network_read(
            fq_name=self._ip_fabric_fq_name)
        self._create_attach_policy(proj_obj, fabric_vn, vn)
    except NoIdError:
        pass  # no ip-fabric VN to attach to

    VirtualNetworkKM.locate(vn_uuid)
    self._set_namespace_virtual_network(ns_name, vn.get_fq_name())
    return vn_uuid
def _create_isolated_ns_virtual_network(self, ns_name, vn_name, proj_obj,
                                        ipam_obj=None, provider=None):
    """Create (or reuse) the isolated VN for namespace *ns_name*; return the VN object.

    The VN is declared with forwarding_mode 'l3' and address_allocation_mode
    'flat-subnet-only', annotated with the namespace and isolated='True',
    and created; on RefsExistError the stored object is read and used from
    then on.  *ipam_obj* is linked with an empty VnSubnetsType.  When a
    *provider* is given, the per-namespace ip-fabric-forwarding setting
    (falling back to self._args.ip_fabric_forwarding when it is neither
    True nor False) decides whether the provider is referenced or every
    existing VN ref is dropped.  The VN is updated, cached in
    VirtualNetworkKM and returned.
    """
    vn = VirtualNetwork(
        name=vn_name, parent_obj=proj_obj,
        virtual_network_properties=VirtualNetworkType(forwarding_mode='l3'),
        address_allocation_mode='flat-subnet-only')
    # Add annotations on this isolated virtual-network.
    VirtualNetworkKM.add_annotations(self, vn, namespace=ns_name,
                                     name=ns_name, isolated='True')
    try:
        vn_uuid = self._vnc_lib.virtual_network_create(vn)
    except RefsExistError:
        # Continue with the stored object so its refs are visible below.
        vn = self._vnc_lib.virtual_network_read(fq_name=vn.get_fq_name())
        vn_uuid = vn.uuid

    # Instance-Ip for pods on this VN should be allocated from the cluster
    # pod ipam, so attach that ipam object to this virtual network.
    vn.add_network_ipam(ipam_obj, VnSubnetsType([]))

    if provider:
        # Per-namespace setting wins; anything other than True/False
        # falls back to the global argument.
        ns_setting = self._get_ip_fabric_forwarding(ns_name)
        if ns_setting == True:
            add_provider = True
        elif ns_setting == False:
            add_provider = False
        else:
            add_provider = self._args.ip_fabric_forwarding
        if add_provider:
            vn.add_virtual_network(provider)
        else:
            for ref in vn.get_virtual_network_refs() or []:
                vn.del_virtual_network(
                    self._vnc_lib.virtual_network_read(id=ref['uuid']))

    self._vnc_lib.virtual_network_update(vn)
    VirtualNetworkKM.locate(vn_uuid)
    return vn
def test_basic_policy(self):
    """Bind one policy to two VNs and verify the RI refs appear and vanish.

    Both networks receive the same policy with sequence (1, 1) before they
    are created.  For each VN the test sleeps two seconds and then asserts
    its IF-MAP identity is in the fake '8443' client graph.  It expects
    routing-instance refs in both directions, detaches the policy and
    finally checks that the refs, the policy, the VNs and vn2's RI are gone.
    """
    vn1_obj = VirtualNetwork(self.id() + 'vn1')
    vn2_obj = VirtualNetwork(self.id() + 'vn2')
    both = (vn1_obj, vn2_obj)
    policy = self.create_network_policy(vn1_obj, vn2_obj)
    attach = VirtualNetworkPolicyType(SequenceType(1, 1))
    for net in both:
        net.set_network_policy(policy, attach)
    for net in both:
        self._vnc_lib.virtual_network_create(net)
    for net in both:
        ident_name = self.get_obj_imid(net)
        # Fixed delay before inspecting the fake IF-MAP graph.
        gevent.sleep(2)
        self.assertThat(FakeIfmapClient._graph['8443'], Contains(ident_name))
    ri1 = self.get_ri_name(vn1_obj)
    ri2 = self.get_ri_name(vn2_obj)
    self.check_ri_ref_present(ri1, ri2)
    self.check_ri_ref_present(ri2, ri1)
    for net in both:
        net.del_network_policy(policy)
    for net in both:
        self._vnc_lib.virtual_network_update(net)
    self.check_ri_refs_are_deleted(fq_name=ri2)
    self.delete_network_policy(policy)
    for net in both:
        self._vnc_lib.virtual_network_delete(fq_name=net.get_fq_name())
    self.check_vn_is_deleted(uuid=vn1_obj.uuid)
    self.check_ri_is_deleted(fq_name=ri2)
def _create_isolated_ns_virtual_network(self, ns_name, vn_name, proj_obj):
    """Create (or reuse) the isolated VN for namespace *ns_name*; return its uuid.

    The VN is declared with forwarding_mode 'l3' and address_allocation_mode
    'flat-subnet-only', annotated with the namespace and isolated='True',
    and created; on RefsExistError the stored VN's uuid is taken instead.
    The cluster pod IPAM is linked with an empty VnSubnetsType, the VN is
    updated, cached in VirtualNetworkKM and recorded on the namespace entry.

    NOTE(review): on RefsExistError only the uuid of the stored object is
    kept; the IPAM link and update are applied to the locally built `vn`.
    Confirm the update resolves it by fq_name as intended.
    """
    vn = VirtualNetwork(
        name=vn_name, parent_obj=proj_obj,
        virtual_network_properties=VirtualNetworkType(forwarding_mode='l3'),
        address_allocation_mode='flat-subnet-only')
    # Add annotations on this isolated virtual-network.
    VirtualNetworkKM.add_annotations(self, vn, namespace=ns_name,
                                     name=ns_name, isolated='True')
    try:
        vn_uuid = self._vnc_lib.virtual_network_create(vn)
    except RefsExistError:
        existing = self._vnc_lib.virtual_network_read(fq_name=vn.get_fq_name())
        vn_uuid = existing.uuid

    # Instance-Ip for pods on this VN should be allocated from the cluster
    # pod ipam, so attach that ipam object to this virtual network.
    pod_ipam = self._vnc_lib.network_ipam_read(
        fq_name=vnc_kube_config.pod_ipam_fq_name())
    vn.add_network_ipam(pod_ipam, VnSubnetsType([]))
    self._vnc_lib.virtual_network_update(vn)

    VirtualNetworkKM.locate(vn_uuid)
    self._set_namespace_virtual_network(ns_name, vn.get_fq_name())
    return vn_uuid
def test_basic_policy(self):
    """Bind one policy to two VNs and verify the RI refs appear and vanish.

    Both networks receive the same policy with sequence (1, 1) before they
    are created.  For each VN the test sleeps two seconds and then asserts
    its IF-MAP identity is in the fake client graph.  It expects
    routing-instance refs in both directions, detaches the policy and
    finally checks that the refs, the policy, the VNs and vn2's RI are gone.
    """
    vn1_obj = VirtualNetwork(self.id() + 'vn1')
    vn2_obj = VirtualNetwork(self.id() + 'vn2')
    both = (vn1_obj, vn2_obj)
    policy = self.create_network_policy(vn1_obj, vn2_obj)
    attach = VirtualNetworkPolicyType(SequenceType(1, 1))
    for net in both:
        net.set_network_policy(policy, attach)
    for net in both:
        self._vnc_lib.virtual_network_create(net)
    for net in both:
        ident_name = self.get_obj_imid(net)
        # Fixed delay before inspecting the fake IF-MAP graph.
        gevent.sleep(2)
        self.assertThat(FakeIfmapClient._graph, Contains(ident_name))
    ri1 = self.get_ri_name(vn1_obj)
    ri2 = self.get_ri_name(vn2_obj)
    self.check_ri_ref_present(ri1, ri2)
    self.check_ri_ref_present(ri2, ri1)
    for net in both:
        net.del_network_policy(policy)
    for net in both:
        self._vnc_lib.virtual_network_update(net)
    self.check_ri_refs_are_deleted(fq_name=ri2)
    self.delete_network_policy(policy)
    for net in both:
        self._vnc_lib.virtual_network_delete(fq_name=net.get_fq_name())
    self.check_vn_is_deleted(uuid=vn1_obj.uuid)
    self.check_ri_is_deleted(fq_name=ri2)
def create_network(self, name, proj_obj):
    """Return the flat-subnet L3 VN *name* under *proj_obj*, creating it if absent.

    The VN is declared with forwarding_mode 'l3' and address_allocation_mode
    'flat-subnet-only'.  It is read by fq_name; on NoIdError it is created
    and read back by the returned uuid.
    """
    declared = VirtualNetwork(
        name=name, parent_obj=proj_obj,
        virtual_network_properties=VirtualNetworkType(forwarding_mode='l3'),
        address_allocation_mode='flat-subnet-only')
    try:
        return self._vnc_lib.virtual_network_read(fq_name=declared.get_fq_name())
    except NoIdError:
        # Virtual network does not exist. Create one.
        new_uuid = self._vnc_lib.virtual_network_create(declared)
        return self._vnc_lib.virtual_network_read(id=new_uuid)
def _create_isolated_ns_virtual_network(self, ns_name, vn_name, vn_type,
                                        proj_obj, ipam_obj=None, provider=None,
                                        enforce_policy=False):
    """Create or update the isolated VN for namespace *ns_name*; return the stored VN.

    Fabric SNAT is considered only for vn_type 'pod-network' and only when
    the namespace has it enabled.  A new VN (NoIdError on read) is annotated
    with the namespace and isolated='True', linked to *ipam_obj* with an
    empty VnSubnetsType, given either a ref to *provider*, fabric SNAT on,
    or fabric SNAT off, then created and cached in VirtualNetworkKM.  An
    existing VN keeps its refs: SNAT is enabled only if it is wanted and
    the VN does not already reference *provider*, otherwise disabled, and
    the VN is updated.  The VN is re-read by uuid, tagged with the cluster
    APS labels when *enforce_policy* is set, and returned.
    """
    declared = VirtualNetwork(
        name=vn_name, parent_obj=proj_obj,
        virtual_network_properties=VirtualNetworkType(forwarding_mode='l3'),
        address_allocation_mode='flat-subnet-only')
    try:
        vn_obj = self._vnc_lib.virtual_network_read(fq_name=declared.get_fq_name())
        vn_exists = True
    except NoIdError:
        # VN does not exist. Create one.
        vn_obj = declared
        vn_exists = False

    fabric_snat = (vn_type == 'pod-network'
                   and bool(self._is_ip_fabric_snat_enabled(ns_name)))

    if vn_exists:
        # Does the stored VN already reference the provider (ip-fabric) VN?
        ip_fabric_enabled = False
        if provider:
            for ref in vn_obj.get_virtual_network_refs() or []:
                if ref['to'] == provider.fq_name:
                    ip_fabric_enabled = True
                    break
        # SNAT only makes sense when fabric forwarding is not already on.
        vn_obj.set_fabric_snat(bool(not ip_fabric_enabled and fabric_snat))
        self._vnc_lib.virtual_network_update(vn_obj)
        vn_uuid = vn_obj.get_uuid()
    else:
        # Add annotations on this isolated virtual-network.
        VirtualNetworkKM.add_annotations(self, declared, namespace=ns_name,
                                         name=ns_name, isolated='True')
        # Instance-Ip for pods on this VN should be allocated from the
        # cluster pod ipam, so attach that ipam object to this VN.
        vn_obj.add_network_ipam(ipam_obj, VnSubnetsType([]))
        if provider:
            # enable ip_fabric_forwarding
            vn_obj.add_virtual_network(provider)
        else:
            vn_obj.set_fabric_snat(bool(fabric_snat))
        vn_uuid = self._vnc_lib.virtual_network_create(vn_obj)
        VirtualNetworkKM.locate(vn_uuid)

    vn_obj = self._vnc_lib.virtual_network_read(id=vn_uuid)
    # If required, enforce security policy at virtual network level.
    if enforce_policy:
        self._vnc_lib.set_tags(
            vn_obj,
            self._labels.get_labels_dict(VncSecurityPolicy.cluster_aps_uuid))
    return vn_obj
def test_provider_network(self):
    """
    Provider-network (ip-fabric) linking and implicit-deny behaviour.
    Verify:
    1. Check creating a non-provider VN with non-provider VNs
       connected to it is not allowed
    2. Check a non provider-VN can not be created with
       is_provider_network property set to True
    3. Check is_provider_network property of a provider-VN
       is True by default
    4. Check is_provider_network property of a provider-VN
       can be set as True
    5. Check is_provider_network property of provider-VN
       can not be set as False
    6. Check is_provider_network property of non provider-VN
       can not be set as True
    7. Check is_provider_network property of non provider-VN
       can be set as False
    8. Check setting other parameters of a non provider-VN
       is not affected
    9. Check db_resync sets is_provider_network property of
       provider-VN as True (simulating upgrade case)
    10. Check non provider VNs can be added to provider VN
    11. Check the provider-VN can be added to a VN
    12. Check non provider-VN can not be added to a VN
    13. Check many VNs can be linked to the provider-VN
    14. Check (provider-vn -> any-VN),DENY acl rule is added
        to the provider-VN
    15. Check (VN -> provider-VN),DENY acl rule is added to the VN
    16. Adding a (VN -> provider-VN),PASS acl rule at VN removes
        (VN -> provider-VN),DENY acl rule
    Assumption: ip-fabric VN is the provider-VN
    """
    # create four VNs; vn4 is kept uncreated for the negative checks below
    vn1_name = self.id() + '_vn1'
    vn2_name = self.id() + '_vn2'
    vn3_name = self.id() + '_vn3'
    vn4_name = self.id() + '_vn4'
    vn1_obj1 = VirtualNetwork(vn1_name)
    vn2_obj1 = VirtualNetwork(vn2_name)
    vn3_obj1 = VirtualNetwork(vn3_name)
    vn4_obj1 = VirtualNetwork(vn4_name)
    self._vnc_lib.virtual_network_create(vn1_obj1)
    self._vnc_lib.virtual_network_create(vn2_obj1)
    self._vnc_lib.virtual_network_create(vn3_obj1)

    # try creating non provider_vn with linked
    # non provider_vn (linked before creating)
    vn4_obj1.add_virtual_network(vn3_obj1)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_create, vn4_obj1)
    vn4_obj1.add_virtual_network(vn2_obj1)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_create, vn4_obj1)

    # remove vn3_obj1 and vn2_obj1
    # as linking them is not allowed
    vn4_obj1.del_virtual_network(vn3_obj1)
    vn4_obj1.del_virtual_network(vn2_obj1)

    # set is_provider_network on a non provider-vn
    # and try creating it
    vn4_obj1.set_is_provider_network(True)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_create, vn4_obj1)

    # set it as False and retry creating it
    vn4_obj1.set_is_provider_network(False)
    self._vnc_lib.virtual_network_create(vn4_obj1)

    # Check updating other parameters of a non provider VN
    # when no provider VN is connected
    vn4_obj1.set_mac_aging_time(400)
    self._vnc_lib.virtual_network_update(vn4_obj1)

    # retrieve provider network, assuming ip-fabric for now
    provider_fq_name = ['default-domain', 'default-project', 'ip-fabric']
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_fq_name)
    self.assertEqual(provider_vn.get_is_provider_network(), True)

    # check is_provider_network of provider_vn
    # can be set to True (ie only as its default)
    provider_vn.set_is_provider_network(True)
    self._vnc_lib.virtual_network_update(provider_vn)

    # check is_provider_network of provider_vn
    # can not be set to False
    provider_vn.set_is_provider_network(False)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_update, provider_vn)

    # check is_provider_network of non provider_vn
    # can be set to False
    vn4_obj1.set_is_provider_network(False)
    self._vnc_lib.virtual_network_update(vn4_obj1)

    # check is_provider_network of non provider_vn
    # can not be set to True
    vn4_obj1.set_is_provider_network(True)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_update, vn4_obj1)

    # check db_resync sets is_provider_network property
    # as True in provider-vn
    self._api_server._db_conn.db_resync()
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_fq_name)
    self.assertEqual(provider_vn.get_is_provider_network(), True)

    # check adding vn3 and vn2 to provider vn
    provider_vn.add_virtual_network(vn2_obj1)
    provider_vn.add_virtual_network(vn3_obj1)
    self._vnc_lib.virtual_network_update(provider_vn)
    # NOTE(review): fixed sleep, presumably to let the schema transformer
    # process the link; polling the refs with retries would be less flaky.
    gevent.sleep(5)
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_vn.get_fq_name())
    self.assertEqual(len(provider_vn.virtual_network_refs), 2)
    linked_uuids = [ref['uuid'] for ref in provider_vn.virtual_network_refs]
    self.assertIn(vn3_obj1.uuid, linked_uuids)
    self.assertIn(vn2_obj1.uuid, linked_uuids)
    # Drop and rebuild the transformer's VN cache, then re-read everything
    # to confirm the links survive a reinit.
    VirtualNetworkST._dict = {}
    VirtualNetworkST.reinit()
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_vn.get_fq_name())
    vn3_obj1 = self._vnc_lib.virtual_network_read(
        fq_name=vn3_obj1.get_fq_name())
    vn2_obj1 = self._vnc_lib.virtual_network_read(
        fq_name=vn2_obj1.get_fq_name())
    self.assertEqual(len(provider_vn.virtual_network_refs), 2)
    linked_uuids = [ref['uuid'] for ref in provider_vn.virtual_network_refs]
    self.assertIn(vn3_obj1.uuid, linked_uuids)
    self.assertIn(vn2_obj1.uuid, linked_uuids)
    # Isolation relies on implicit deny rules on both sides of the link:
    # provider -> any in the provider RI, VN -> provider in each linked VN.
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(provider_vn),
        src_vn=':'.join(provider_fq_name),
        dst_vn='any')
    self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn2_obj1),
                                      src_vn=vn2_obj1.get_fq_name_str(),
                                      dst_vn=':'.join(provider_fq_name))
    self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn3_obj1),
                                      src_vn=vn3_obj1.get_fq_name_str(),
                                      dst_vn=':'.join(provider_fq_name))

    # check adding provider vn to vn1 works
    vn1_obj1.add_virtual_network(provider_vn)
    self._vnc_lib.virtual_network_update(vn1_obj1)
    gevent.sleep(2)
    vn1_obj2 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj1.get_fq_name())
    self.assertEqual(vn1_obj2.virtual_network_refs[0]['to'],
                     provider_fq_name)
    self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn1_obj2),
                                      src_vn=vn1_obj2.get_fq_name_str(),
                                      dst_vn=':'.join(provider_fq_name))

    # Check updating other parameters of a non provider VN
    # when a provider VN is connected
    vn1_obj2.set_mac_aging_time(400)
    self._vnc_lib.virtual_network_update(vn1_obj2)

    # create a policy to allow icmp between vn1 <> vn2
    # and update vn1
    vn1_to_vn2_rule = {
        "protocol": "icmp",
        "direction": "<>",
        "src": {"type": "vn", "value": vn1_obj2},
        "dst": [{"type": "vn", "value": vn2_obj1}],
        "action": "pass"
    }
    np = self.create_network_policy_with_multiple_rules([vn1_to_vn2_rule])
    seq = SequenceType(1, 1)
    vnp = VirtualNetworkPolicyType(seq)
    vn1_obj2.set_network_policy(np, vnp)
    self._vnc_lib.virtual_network_update(vn1_obj2)
    vn1_obj3 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj2.get_fq_name())

    # check linking a non provider network is not allowed
    vn1_obj3.add_virtual_network(vn2_obj1)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_update, vn1_obj3)
    # the rejected update must leave the stored ref list untouched
    vn1_obj4 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj3.get_fq_name())
    self.assertEqual(vn1_obj4.virtual_network_refs[0]['to'],
                     provider_fq_name)
    self.assertNotEqual(vn1_obj4.virtual_network_refs[0]['to'],
                        vn2_obj1.get_fq_name())

    # check the provider-network keeps its deny rule to any VN
    # even after an explicit pass policy is attached to it
    provider_to_vn1_rule = {
        "protocol": "icmp",
        "direction": ">",
        "src": {"type": "vn", "value": provider_vn},
        "dst": [{"type": "vn", "value": vn1_obj4}],
        "action": "pass"
    }
    np = self.create_network_policy_with_multiple_rules(
        [provider_to_vn1_rule])
    seq = SequenceType(1, 1)
    vnp = VirtualNetworkPolicyType(seq)
    provider_vn.set_network_policy(np, vnp)
    self._vnc_lib.virtual_network_update(provider_vn)
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(provider_vn),
        src_vn=':'.join(provider_fq_name),
        dst_vn='any')

    # check the network connected to provider-network
    # got a deny rule to provider-network
    self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn1_obj4),
                                      src_vn=':'.join(
                                          vn1_obj4.get_fq_name()),
                                      dst_vn=':'.join(provider_fq_name))

    # add an explicit policy to allow traffic to provider network
    # and the implicit deny is removed
    vn1_to_provider_rule = {
        "protocol": "any",
        "direction": ">",
        "src": {"type": "vn", "value": vn1_obj4},
        "dst": [{"type": "vn", "value": provider_vn}],
        "action": "pass"
    }
    np = self.create_network_policy_with_multiple_rules(
        [vn1_to_provider_rule])
    seq = SequenceType(1, 1)
    vnp = VirtualNetworkPolicyType(seq)
    vn1_obj4.set_network_policy(np, vnp)
    self._vnc_lib.virtual_network_update(vn1_obj4)
    vn1_obj5 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj4.get_fq_name())
    self.check_acl_no_implicit_deny_rule(
        fq_name=self.get_ri_name(vn1_obj5),
        src_vn=':'.join(vn1_obj5.get_fq_name()),
        dst_vn=':'.join(provider_fq_name))
    self.check_acl_allow_rule(fq_name=self.get_ri_name(vn1_obj5),
                              src_vn=':'.join(vn1_obj5.get_fq_name()),
                              dst_vn=':'.join(provider_fq_name))

    # adding an explicit policy to allow traffic to the provider network
    # does not change the deny rule in the provider network
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(provider_vn),
        src_vn=':'.join(provider_fq_name),
        dst_vn='any')
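def test_policy_in_policy(self):
    """Policies that reference other policies resolve to the right RIs.

    np1's single rule is rewritten so its destination is the policy np2
    (``virtual_network`` cleared, ``network_policy`` set to np2's
    fq_name string) and np2's rule source becomes ``'local'``. With np1
    on vn1 and np2 on vn2 the RIs of vn1 and vn2 must reference each
    other; attaching np2 to a third VN must add a ref from vn3's RI to
    vn1's, and detaching it again must remove vn3 from vn1's ACL.

    Fix: np2 is now updated with its own edited entries. The previous
    code pushed ``np1.network_policy_entries`` into np2, discarding the
    ``'local'`` source it had just set.
    """
    vn1_name = self.id() + 'vn1'
    vn2_name = self.id() + 'vn2'
    vn3_name = self.id() + 'vn3'
    vn1_obj = VirtualNetwork(vn1_name)
    vn2_obj = VirtualNetwork(vn2_name)

    np1 = self.create_network_policy(vn1_obj, vn2_obj)
    np2 = self.create_network_policy(vn2_obj, vn1_obj)

    # np1: vn1 -> (whatever np2 selects), expressed as a policy reference
    np1.network_policy_entries.policy_rule[0].dst_addresses[
        0].virtual_network = None
    np1.network_policy_entries.policy_rule[0].dst_addresses[
        0].network_policy = np2.get_fq_name_str()
    np1.set_network_policy_entries(np1.network_policy_entries)
    self._vnc_lib.network_policy_update(np1)

    # np2: local (the VN it is attached to) -> vn1
    np2.network_policy_entries.policy_rule[0].src_addresses[
        0].virtual_network = 'local'
    # Apply np2's own (edited) entries, not np1's.
    np2.set_network_policy_entries(np2.network_policy_entries)
    self._vnc_lib.network_policy_update(np2)

    seq = SequenceType(1, 1)
    vnp = VirtualNetworkPolicyType(seq)
    vn1_obj.set_network_policy(np1, vnp)
    vn2_obj.set_network_policy(np2, vnp)
    self._vnc_lib.virtual_network_create(vn1_obj)
    self._vnc_lib.virtual_network_create(vn2_obj)

    self.check_ri_ref_present(self.get_ri_name(vn1_obj),
                              self.get_ri_name(vn2_obj))
    self.check_ri_ref_present(self.get_ri_name(vn2_obj),
                              self.get_ri_name(vn1_obj))

    # A third VN carrying np2 must also get connected to vn1.
    vn3_obj = VirtualNetwork(vn3_name)
    vn3_obj.set_network_policy(np2, vnp)
    self._vnc_lib.virtual_network_create(vn3_obj)

    self.check_ri_ref_present(self.get_ri_name(vn3_obj),
                              self.get_ri_name(vn1_obj))

    vn3_obj.del_network_policy(np2)
    self._vnc_lib.virtual_network_update(vn3_obj)

    @retries(5)
    def _match_acl_rule():
        # Retried until vn1's ACL no longer carries a rule towards vn3.
        acl = self._vnc_lib.access_control_list_read(
            fq_name=self.get_ri_name(vn1_obj))
        for rule in acl.get_access_control_list_entries().get_acl_rule():
            if (rule.match_condition.dst_address.virtual_network ==
                    vn3_obj.get_fq_name_str()):
                raise Exception("ACL rule still present")

    _match_acl_rule()

    vn1_obj.del_network_policy(np1)
    vn2_obj.del_network_policy(np2)
    self._vnc_lib.virtual_network_update(vn1_obj)
    self._vnc_lib.virtual_network_update(vn2_obj)
    self.delete_network_policy(np1)
    self.delete_network_policy(np2)
    self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name())
    self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name())
    self._vnc_lib.virtual_network_delete(fq_name=vn3_obj.get_fq_name())
    self.check_vn_is_deleted(uuid=vn1_obj.uuid)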
def test_provider_network(self):
    '''
    Provider-network (ip-fabric) linking and implicit-deny behaviour.
    Verify:
    1. Check creating a non-provider VN with non-provider VNs
       connected to it is not allowed
    2. Check a non provider-VN can not be created with
       is_provider_network property set to True
    3. Check is_provider_network property of a provider-VN
       is True by default
    4. Check is_provider_network property of a provider-VN
       can be set as True
    5. Check is_provider_network property of provider-VN
       can not be set as False
    6. Check is_provider_network property of non provider-VN
       can not be set as True
    7. Check is_provider_network property of non provider-VN
       can be set as False
    8. Check setting other parameters of a non provider-VN
       is not affected
    9. Check db_resync sets is_provider_network property of
       provider-VN as True (simulating upgrade case)
    10. Check non provider VNs can be added to provider VN
    11. Check the provider-VN can be added to a VN
    12. Check non provider-VN can not be added to a VN
    13. Check many VNs can be linked to the provider-VN
    14. Check (provider-vn -> any-VN),DENY acl rule is added
        to the provider-VN
    15. Check (VN -> provider-VN),DENY acl rule is added to the VN
    16. Adding a (VN -> provider-VN),PASS acl rule at VN removes
        (VN -> provider-VN),DENY acl rule
    Assumption: ip-fabric VN is the provider-VN
    '''
    # create four VNs; vn4 is kept uncreated for the negative checks below
    vn1_name = self.id() + '_vn1'
    vn2_name = self.id() + '_vn2'
    vn3_name = self.id() + '_vn3'
    vn4_name = self.id() + '_vn4'
    vn1_obj1 = VirtualNetwork(vn1_name)
    vn2_obj1 = VirtualNetwork(vn2_name)
    vn3_obj1 = VirtualNetwork(vn3_name)
    vn4_obj1 = VirtualNetwork(vn4_name)
    self._vnc_lib.virtual_network_create(vn1_obj1)
    self._vnc_lib.virtual_network_create(vn2_obj1)
    self._vnc_lib.virtual_network_create(vn3_obj1)

    # try creating non provider_vn with linked
    # non provider_vn (linked before creating)
    vn4_obj1.add_virtual_network(vn3_obj1)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_create, vn4_obj1)
    vn4_obj1.add_virtual_network(vn2_obj1)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_create, vn4_obj1)

    # remove vn3_obj1 and vn2_obj1
    # as linking them is not allowed
    vn4_obj1.del_virtual_network(vn3_obj1)
    vn4_obj1.del_virtual_network(vn2_obj1)

    # set is_provider_network on a non provider-vn
    # and try creating it
    vn4_obj1.set_is_provider_network(True)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_create, vn4_obj1)

    # set it as False and retry creating it
    vn4_obj1.set_is_provider_network(False)
    self._vnc_lib.virtual_network_create(vn4_obj1)

    # Check updating other parameters of a non provider VN
    # when no provider VN is connected
    vn4_obj1.set_mac_aging_time(400)
    self._vnc_lib.virtual_network_update(vn4_obj1)

    # retrieve provider network, assuming ip-fabric for now
    provider_fq_name = ['default-domain', 'default-project', 'ip-fabric']
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_fq_name)
    self.assertEqual(provider_vn.get_is_provider_network(), True)

    # check is_provider_network of provider_vn
    # can be set to True (ie only as its default)
    provider_vn.set_is_provider_network(True)
    self._vnc_lib.virtual_network_update(provider_vn)

    # check is_provider_network of provider_vn
    # can not be set to False
    provider_vn.set_is_provider_network(False)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_update, provider_vn)

    # check is_provider_network of non provider_vn
    # can be set to False
    vn4_obj1.set_is_provider_network(False)
    self._vnc_lib.virtual_network_update(vn4_obj1)

    # check is_provider_network of non provider_vn
    # can not be set to True
    vn4_obj1.set_is_provider_network(True)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_update, vn4_obj1)

    # check db_resync sets is_provider_network property
    # as True in provider-vn
    self._api_server._db_conn.db_resync()
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_fq_name)
    self.assertEqual(provider_vn.get_is_provider_network(), True)

    # check adding vn3 and vn2 to provider vn
    provider_vn.add_virtual_network(vn2_obj1)
    provider_vn.add_virtual_network(vn3_obj1)
    self._vnc_lib.virtual_network_update(provider_vn)
    # NOTE(review): fixed sleep, presumably to let the schema transformer
    # process the link; polling the refs with retries would be less flaky.
    gevent.sleep(5)
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_vn.get_fq_name())
    self.assertEqual(len(provider_vn.virtual_network_refs), 2)
    linked_uuids = [ref['uuid'] for ref in provider_vn.virtual_network_refs]
    self.assertIn(vn3_obj1.uuid, linked_uuids)
    self.assertIn(vn2_obj1.uuid, linked_uuids)
    # Drop and rebuild the transformer's VN cache, then re-read everything
    # to confirm the links survive a reinit.
    config_db.VirtualNetworkST._dict = {}
    config_db.VirtualNetworkST.reinit()
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_vn.get_fq_name())
    vn3_obj1 = self._vnc_lib.virtual_network_read(
        fq_name=vn3_obj1.get_fq_name())
    vn2_obj1 = self._vnc_lib.virtual_network_read(
        fq_name=vn2_obj1.get_fq_name())
    self.assertEqual(len(provider_vn.virtual_network_refs), 2)
    linked_uuids = [ref['uuid'] for ref in provider_vn.virtual_network_refs]
    self.assertIn(vn3_obj1.uuid, linked_uuids)
    self.assertIn(vn2_obj1.uuid, linked_uuids)
    # Isolation relies on implicit deny rules on both sides of the link:
    # provider -> any in the provider RI, VN -> provider in each linked VN.
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(provider_vn),
        src_vn=':'.join(provider_fq_name),
        dst_vn='any')
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(vn2_obj1),
        src_vn=vn2_obj1.get_fq_name_str(),
        dst_vn=':'.join(provider_fq_name))
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(vn3_obj1),
        src_vn=vn3_obj1.get_fq_name_str(),
        dst_vn=':'.join(provider_fq_name))

    # check adding provider vn to vn1 works
    vn1_obj1.add_virtual_network(provider_vn)
    self._vnc_lib.virtual_network_update(vn1_obj1)
    gevent.sleep(2)
    vn1_obj2 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj1.get_fq_name())
    self.assertEqual(vn1_obj2.virtual_network_refs[0]['to'],
                     provider_fq_name)
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(vn1_obj2),
        src_vn=vn1_obj2.get_fq_name_str(),
        dst_vn=':'.join(provider_fq_name))

    # Check updating other parameters of a non provider VN
    # when a provider VN is connected
    vn1_obj2.set_mac_aging_time(400)
    self._vnc_lib.virtual_network_update(vn1_obj2)

    # create a policy to allow icmp between vn1 <> vn2
    # and update vn1
    vn1_to_vn2_rule = {"protocol": "icmp",
                       "direction": "<>",
                       "src": {"type": "vn", "value": vn1_obj2},
                       "dst": [{"type": "vn", "value": vn2_obj1}],
                       "action": "pass"}
    np = self.create_network_policy_with_multiple_rules([vn1_to_vn2_rule])
    seq = SequenceType(1, 1)
    vnp = VirtualNetworkPolicyType(seq)
    vn1_obj2.set_network_policy(np, vnp)
    self._vnc_lib.virtual_network_update(vn1_obj2)
    vn1_obj3 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj2.get_fq_name())

    # check linking a non provider network is not allowed
    vn1_obj3.add_virtual_network(vn2_obj1)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_update, vn1_obj3)
    # the rejected update must leave the stored ref list untouched
    vn1_obj4 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj3.get_fq_name())
    self.assertEqual(vn1_obj4.virtual_network_refs[0]['to'],
                     provider_fq_name)
    self.assertNotEqual(vn1_obj4.virtual_network_refs[0]['to'],
                        vn2_obj1.get_fq_name())

    # check the provider-network keeps its deny rule to any VN
    # even after an explicit pass policy is attached to it
    provider_to_vn1_rule = {"protocol": "icmp",
                            "direction": ">",
                            "src": {"type": "vn", "value": provider_vn},
                            "dst": [{"type": "vn", "value": vn1_obj4}],
                            "action": "pass"}
    np = self.create_network_policy_with_multiple_rules(
        [provider_to_vn1_rule])
    seq = SequenceType(1, 1)
    vnp = VirtualNetworkPolicyType(seq)
    provider_vn.set_network_policy(np, vnp)
    self._vnc_lib.virtual_network_update(provider_vn)
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(provider_vn),
        src_vn=':'.join(provider_fq_name),
        dst_vn='any')

    # check the network connected to provider-network
    # got a deny rule to provider-network
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(vn1_obj4),
        src_vn=':'.join(vn1_obj4.get_fq_name()),
        dst_vn=':'.join(provider_fq_name))

    # add an explicit policy to allow traffic to provider network
    # and the implicit deny is removed
    vn1_to_provider_rule = {"protocol": "any",
                            "direction": ">",
                            "src": {"type": "vn", "value": vn1_obj4},
                            "dst": [{"type": "vn", "value": provider_vn}],
                            "action": "pass"}
    np = self.create_network_policy_with_multiple_rules(
        [vn1_to_provider_rule])
    seq = SequenceType(1, 1)
    vnp = VirtualNetworkPolicyType(seq)
    vn1_obj4.set_network_policy(np, vnp)
    self._vnc_lib.virtual_network_update(vn1_obj4)
    vn1_obj5 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj4.get_fq_name())
    self.check_acl_no_implicit_deny_rule(
        fq_name=self.get_ri_name(vn1_obj5),
        src_vn=':'.join(vn1_obj5.get_fq_name()),
        dst_vn=':'.join(provider_fq_name))
    self.check_acl_allow_rule(
        fq_name=self.get_ri_name(vn1_obj5),
        src_vn=':'.join(vn1_obj5.get_fq_name()),
        dst_vn=':'.join(provider_fq_name))

    # adding an explicit policy to allow traffic to the provider network
    # does not change the deny rule in the provider network
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(provider_vn),
        src_vn=':'.join(provider_fq_name),
        dst_vn='any')
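def test_public_snat_routes(self):
    """Check the SNAT routes a logical router installs for a public VN.

    A private VN (through a VMI) and a router-external public VN are
    attached to a logical router. The service instance that appears for
    it must expose a 0.0.0.0/0 static route whose route targets include
    the router's configured RT and the router's own RT; changing the
    configured RT list must update the route, and detaching the public
    VN must remove the service instance.

    Fix: ``_wait_to_delete_si`` now raises outside its ``try``. The
    previous bare ``raise`` sat inside the block and was swallowed by the
    bare ``except``, so the helper returned immediately and never waited.
    """
    # create private vn
    vn_private_name = self.id() + 'vn1'
    vn_private = self.create_virtual_network(vn_private_name, "1.0.0.0/24")

    # create virtual machine interface
    vmi_name = self.id() + 'vmi1'
    vmi = VirtualMachineInterface(
        vmi_name, parent_type='project',
        fq_name=['default-domain', 'default-project', vmi_name])
    vmi.add_virtual_network(vn_private)
    self._vnc_lib.virtual_machine_interface_create(vmi)

    # create public vn
    # NOTE(review): 'vn-public' and 'ipam' are not prefixed with self.id()
    # like the other objects; tests sharing an API server would collide.
    vn_public_name = 'vn-public'
    vn_public = VirtualNetwork(vn_public_name)
    vn_public.set_router_external(True)
    ipam_obj = NetworkIpam('ipam')
    self._vnc_lib.network_ipam_create(ipam_obj)
    vn_public.add_network_ipam(
        ipam_obj,
        VnSubnetsType([IpamSubnetType(SubnetType("192.168.7.0", 24))]))
    self._vnc_lib.virtual_network_create(vn_public)

    # create logical router, set route targets,
    # add private network and extend lr to public network
    lr_name = self.id() + 'lr1'
    lr = LogicalRouter(lr_name)
    rtgt_list = RouteTargetList(route_target=['target:1:1'])
    lr.set_configured_route_target_list(rtgt_list)
    lr.add_virtual_machine_interface(vmi)
    lr.add_virtual_network(vn_public)
    self._vnc_lib.logical_router_create(lr)

    @retries(5)
    def _match_route_table(expected_rtgts, ri_name):
        # Retried until the RI carries a default route that lists every
        # expected route target (the next hop is the value this test
        # expects for the SNAT instance).
        lri = self._vnc_lib.routing_instance_read(fq_name_str=ri_name)
        sr = lri.get_static_route_entries()
        if sr is None:
            raise Exception("sr is None")
        route = sr.route[0]
        self.assertEqual(route.prefix, "0.0.0.0/0")
        self.assertEqual(route.next_hop, "100.64.0.4")
        for rtgt in expected_rtgts:
            self.assertIn(rtgt, route.route_target)

    @retries(5)
    def _wait_to_get_si():
        # Presumably retried on IndexError until a service instance exists.
        si_list = self._vnc_lib.service_instances_list()
        si = si_list.get("service-instances")[0]
        return self._vnc_lib.service_instance_read(id=si.get("uuid"))

    @retries(5)
    def _wait_to_delete_si():
        # Succeeds only once no service instance can be listed and read.
        si_list = self._vnc_lib.service_instances_list()
        try:
            si = si_list.get("service-instances")[0]
            self._vnc_lib.service_instance_read(id=si.get("uuid"))
        except (IndexError, TypeError, NoIdError):
            # Nothing listed, or it vanished between the list and the read.
            return
        # Raised outside the try so the retry decorator actually sees it.
        raise Exception("service instance still present")

    @retries(5)
    def _wait_to_delete_ip(vn_fq_name):
        # Succeeds only once no instance-ip still refers to the VN.
        vn = self._vnc_lib.virtual_network_read(fq_name=vn_fq_name)
        if vn.get_instance_ip_back_refs():
            raise Exception("instance-ip back-refs still present")
    # end

    si = _wait_to_get_si()
    # The test reads the VN of the SI's second interface; the RI fq_name
    # string is that VN's fq_name followed by the VN's own name.
    si_props = si.get_service_instance_properties().get_interface_list()[1]
    ri_name = (si_props.virtual_network + ":" +
               si_props.virtual_network.split(':')[-1])
    lr_rtgt = self._vnc_lib.logical_router_read(
        id=lr.uuid).route_target_refs[0]['to'][0]
    _match_route_table(['target:1:1', lr_rtgt], ri_name)

    # Changing the configured RT list must be reflected in the route.
    rtgt_list = RouteTargetList(route_target=['target:2:2'])
    lr.set_configured_route_target_list(rtgt_list)
    self._vnc_lib.logical_router_update(lr)
    _match_route_table(['target:2:2', lr_rtgt], ri_name)

    # Detaching the public VN must tear the service instance down.
    lr.del_virtual_network(vn_public)
    self._vnc_lib.logical_router_update(lr)
    _wait_to_delete_si()

    # cleanup
    self._vnc_lib.logical_router_delete(fq_name=lr.get_fq_name())
    self._vnc_lib.virtual_machine_interface_delete(fq_name=vmi.get_fq_name())
    _wait_to_delete_ip(vn_private.get_fq_name())
    self._vnc_lib.virtual_network_delete(fq_name=vn_private.get_fq_name())
    _wait_to_delete_ip(vn_public.get_fq_name())
    self._vnc_lib.virtual_network_delete(fq_name=vn_public.get_fq_name())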
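def _create_isolated_ns_virtual_network(self, ns_name, vn_name, vn_type,
                                        proj_obj, ipam_obj=None,
                                        provider=None, enforce_policy=False):
    """Create or update the isolated virtual network of a namespace.

    The VN is looked up by fq_name under ``proj_obj``. When it does not
    exist it is built with the namespace annotations and the cluster pod
    ipam, then created with either a link to ``provider`` or a
    fabric-SNAT setting. When it already exists only the fabric-SNAT
    flag is reconciled: an existing provider link is detected, never
    added, on that path.

    Args:
        ns_name: Namespace owning the VN; used for the ``namespace`` and
            ``name`` annotations and for the fabric-SNAT lookup.
        vn_name: Name of the VN inside ``proj_obj``.
        vn_type: Only ``'pod-network'`` takes part in the fabric-SNAT
            decision; any other value leaves fabric SNAT disabled.
        proj_obj: Parent project of the VN.
        ipam_obj: Cluster pod ipam, attached on create with an empty
            subnet list (allocation mode is ``flat-subnet-only``).
            NOTE(review): defaults to None but is attached
            unconditionally on the create path -- confirm callers
            always pass it.
        provider: Provider (ip-fabric) VN; a link to it takes precedence
            over fabric SNAT.
        enforce_policy: When true, tag the VN with the labels derived
            from ``VncSecurityPolicy.cluster_aps_uuid`` (presumably the
            cluster application-policy-set) so policy is enforced at
            VN level.

    Returns:
        The VN object: the locally built one on the create path, the
        freshly re-read one on the update path.

    Raises:
        Only ``NoIdError`` from the initial read is handled here; any
        other vnc API error propagates.
    """
    vn_exists = False
    vn = VirtualNetwork(name=vn_name, parent_obj=proj_obj,
                        virtual_network_properties=VirtualNetworkType(
                            forwarding_mode='l3'),
                        address_allocation_mode='flat-subnet-only')
    try:
        vn_obj = self._vnc_lib.virtual_network_read(fq_name=vn.get_fq_name())
        vn_exists = True
    except NoIdError:
        # VN does not exist. Create one.
        vn_obj = vn
        # Mark this VN as the isolated network of the namespace.
        VirtualNetworkKM.add_annotations(self, vn, namespace=ns_name,
                                         name=ns_name, isolated='True')
        # Instance-Ip for pods on this VN should be allocated from the
        # cluster pod ipam. Attach the cluster pod-ipam object to this
        # virtual network.
        vn_obj.add_network_ipam(ipam_obj, VnSubnetsType([]))

    # Fabric SNAT is only a candidate for pod networks whose namespace
    # opted in; a provider link still wins over it below.
    fabric_snat = False
    if vn_type == 'pod-network':
        if self._is_ip_fabric_snat_enabled(ns_name):
            fabric_snat = True

    if not vn_exists:
        if provider:
            # enable ip_fabric_forwarding
            vn_obj.add_virtual_network(provider)
        elif fabric_snat:
            # enable fabric_snat
            vn_obj.set_fabric_snat(True)
        else:
            # disable fabric_snat
            vn_obj.set_fabric_snat(False)
        vn_uuid = self._vnc_lib.virtual_network_create(vn_obj)
        # Cache the virtual network.
        VirtualNetworkKM.locate(vn_uuid)
    else:
        # Detect an existing link to the provider VN (it is not added
        # here when missing). `any` replaces a loop whose index variable
        # shadowed the `vn` object above.
        ip_fabric_enabled = False
        if provider:
            vn_refs = vn_obj.get_virtual_network_refs()
            ip_fabric_fq_name = provider.fq_name
            ip_fabric_enabled = any(
                ref['to'] == ip_fabric_fq_name for ref in vn_refs or [])
        if not ip_fabric_enabled and fabric_snat:
            # enable fabric_snat
            vn_obj.set_fabric_snat(True)
        else:
            # disable fabric_snat (also when ip-fabric forwarding is on)
            vn_obj.set_fabric_snat(False)
        # Update VN.
        self._vnc_lib.virtual_network_update(vn_obj)
        vn_uuid = vn_obj.get_uuid()
        vn_obj = self._vnc_lib.virtual_network_read(id=vn_uuid)

    # If required, enforce security policy at virtual network level.
    # NOTE(review): on the create path vn_obj is the locally built object,
    # not a re-read one -- presumably set_tags only needs its identity;
    # verify if tagging ever fails for freshly created VNs.
    if enforce_policy:
        self._vnc_lib.set_tags(
            vn_obj,
            self._labels.get_labels_dict(
                VncSecurityPolicy.cluster_aps_uuid))
    return vn_obj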
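def test_public_snat_routes(self):
    """Check the SNAT routes a logical router installs for a public VN.

    A private VN (through a VMI) and a router-external public VN are
    attached to a logical router. The service instance that appears for
    it must expose a 0.0.0.0/0 static route whose route targets include
    the router's configured RT and the router's own RT; changing the
    configured RT list must update the route, and detaching the public
    VN must remove the service instance.

    Fix: ``_wait_to_delete_si`` now raises outside its ``try``. The
    previous bare ``raise`` sat inside the block and was swallowed by
    ``except Exception``, so the helper returned at once and never waited.
    """
    # create private vn
    vn_private_name = self.id() + 'vn1'
    vn_private = self.create_virtual_network(vn_private_name, "1.0.0.0/24")

    # create virtual machine interface
    vmi_name = self.id() + 'vmi1'
    vmi = VirtualMachineInterface(
        vmi_name, parent_type='project',
        fq_name=['default-domain', 'default-project', vmi_name])
    vmi.add_virtual_network(vn_private)
    self._vnc_lib.virtual_machine_interface_create(vmi)

    # create public vn
    # NOTE(review): 'vn-public' and 'ipam' are not prefixed with self.id()
    # like the other objects; tests sharing an API server would collide.
    vn_public_name = 'vn-public'
    vn_public = VirtualNetwork(vn_public_name)
    vn_public.set_router_external(True)
    ipam_obj = NetworkIpam('ipam')
    self._vnc_lib.network_ipam_create(ipam_obj)
    vn_public.add_network_ipam(
        ipam_obj,
        VnSubnetsType([IpamSubnetType(SubnetType("192.168.7.0", 24))]))
    self._vnc_lib.virtual_network_create(vn_public)

    # create logical router, set route targets,
    # add private network and extend lr to public network
    lr_name = self.id() + 'lr1'
    lr = LogicalRouter(lr_name)
    rtgt_list = RouteTargetList(route_target=['target:1:1'])
    lr.set_configured_route_target_list(rtgt_list)
    lr.add_virtual_machine_interface(vmi)
    lr.add_virtual_network(vn_public)
    self._vnc_lib.logical_router_create(lr)

    @retries(5)
    def _match_route_table(expected_rtgts, ri_name):
        # Retried until the RI carries a default route that lists every
        # expected route target (the next hop is the value this test
        # expects for the SNAT instance).
        lri = self._vnc_lib.routing_instance_read(fq_name_str=ri_name)
        sr = lri.get_static_route_entries()
        if sr is None:
            raise Exception("sr is None")
        route = sr.route[0]
        self.assertEqual(route.prefix, "0.0.0.0/0")
        self.assertEqual(route.next_hop, "100.64.0.4")
        for rtgt in expected_rtgts:
            self.assertIn(rtgt, route.route_target)

    @retries(5)
    def _wait_to_get_si():
        # Presumably retried on IndexError until a service instance exists.
        si_list = self._vnc_lib.service_instances_list()
        si = si_list.get("service-instances")[0]
        return self._vnc_lib.service_instance_read(id=si.get("uuid"))

    @retries(5)
    def _wait_to_delete_si():
        # Succeeds only once no service instance can be listed and read.
        si_list = self._vnc_lib.service_instances_list()
        try:
            si = si_list.get("service-instances")[0]
            self._vnc_lib.service_instance_read(id=si.get("uuid"))
        except (IndexError, TypeError, NoIdError):
            # Nothing listed, or it vanished between the list and the read.
            return
        # Raised outside the try so the retry decorator actually sees it.
        raise Exception("service instance still present")

    @retries(5)
    def _wait_to_delete_ip(vn_fq_name):
        # Succeeds only once no instance-ip still refers to the VN.
        vn = self._vnc_lib.virtual_network_read(fq_name=vn_fq_name)
        if vn.get_instance_ip_back_refs():
            raise Exception("instance-ip back-refs still present")
    # end

    si = _wait_to_get_si()
    # The test reads the VN of the SI's second interface; the RI fq_name
    # string is that VN's fq_name followed by the VN's own name.
    si_props = si.get_service_instance_properties().get_interface_list()[1]
    ri_name = (si_props.virtual_network + ":" +
               si_props.virtual_network.split(':')[-1])
    lr_rtgt = self._vnc_lib.logical_router_read(
        id=lr.uuid).route_target_refs[0]['to'][0]
    _match_route_table(['target:1:1', lr_rtgt], ri_name)

    # Changing the configured RT list must be reflected in the route.
    rtgt_list = RouteTargetList(route_target=['target:2:2'])
    lr.set_configured_route_target_list(rtgt_list)
    self._vnc_lib.logical_router_update(lr)
    _match_route_table(['target:2:2', lr_rtgt], ri_name)

    # Detaching the public VN must tear the service instance down.
    lr.del_virtual_network(vn_public)
    self._vnc_lib.logical_router_update(lr)
    _wait_to_delete_si()

    # cleanup
    self._vnc_lib.logical_router_delete(fq_name=lr.get_fq_name())
    self._vnc_lib.virtual_machine_interface_delete(
        fq_name=vmi.get_fq_name())
    _wait_to_delete_ip(vn_private.get_fq_name())
    self._vnc_lib.virtual_network_delete(fq_name=vn_private.get_fq_name())
    _wait_to_delete_ip(vn_public.get_fq_name())
    self._vnc_lib.virtual_network_delete(fq_name=vn_public.get_fq_name())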