def check(self): super(zstack_kvm_lbl_checker, self).check() self.vm_nic_uuids = self.lbl.get_vm_nics_uuid() self.algorithm = self.lbl.get_algorithm() self.vm_list = [] self.vm_ip_test_dict = {} for vm_nic_uuid in self.vm_nic_uuids: vm = test_lib.lib_get_vm_by_nic(vm_nic_uuid) if vm.state == 'Running': nic_ip = test_lib.lib_get_nic_by_uuid(vm_nic_uuid).ip self.vm_ip_test_dict[nic_ip] = 0 self.vm_list.append(vm) if not self.vm_list: test_util.test_logger('There is not living vm for load balancer test') return self.judge(False) cond = res_ops.gen_query_conditions('listeners.uuid', '=', self.lbl_uuid) vip_uuid = res_ops.query_resource(res_ops.LOAD_BALANCER, cond)[0].vipUuid cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid) self.vip_ip = res_ops.query_resource(res_ops.VIP, cond)[0].ip if not len(self.vm_list) > 1: self.do_so_check() return if self.algorithm == lb_header.LB_ALGORITHM_RR: self.do_rr_check() elif self.algorithm == lb_header.LB_ALGORITHM_LC: #self.do_lc_check() #If not consider long connection, leastconn is same as round robin. self.do_rr_check() elif self.algorithm == lb_header.LB_ALGORITHM_SO: self.do_so_check()
def check(self): super(zstack_kvm_sg_tcp_ingress_checker, self).check() all_ports = port_header.all_ports test_result = True test_util.test_dsc('Check TCP ingress rules') nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid) l3_uuid = nic.l3NetworkUuid if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid): test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, there isn't stable IP address for testint." % l3_uuid) return self.judge(self.exp_result) stub_vm = self.test_obj.get_stub_vm(l3_uuid) if not stub_vm: test_util.test_warn('Did not find test stub vm for [nic:] %s. Skip TCP ingress port checking for this nic.' % self.nic_uuid) return self.judge(self.exp_result) stub_vm = stub_vm.vm stub_vm_ip = test_lib.lib_get_vm_nic_by_l3(stub_vm, l3_uuid).ip target_addr = '%s/32' % stub_vm_ip rules = self.test_obj.get_nic_tcp_ingress_rule_by_addr(self.nic_uuid, target_addr) allowed_ports = [] for rule in rules: rule_allowed_ports = port_header.get_ports(port_header.get_port_rule(rule.startPort)) test_util.test_logger('[SG:] %s [ingress rule]: %s allow to access [nic:] %s [ports]: %s from [vm:] %s' % (rule.securityGroupUuid, rule.uuid, self.nic_uuid, rule_allowed_ports, stub_vm.uuid)) for port in rule_allowed_ports: if not port in allowed_ports: allowed_ports.append(port) if not allowed_ports: #If no allowed port, it means all denied. denied_ports = list(all_ports) else: denied_ports = list_ops.list_minus(all_ports, allowed_ports) test_vm = test_lib.lib_get_vm_by_nic(nic.uuid) if test_vm.state == inventory.RUNNING: try: test_lib.lib_open_vm_listen_ports(test_vm, all_ports, l3_uuid) test_lib.lib_check_vm_ports_in_a_command(stub_vm, test_vm, allowed_ports, denied_ports) except: traceback.print_exc(file=sys.stdout) test_util.test_logger('Check result: [Security Group] meets failure when checking TCP ingress rule for [vm:] %s [nic:] %s. ' % (test_vm.uuid, self.nic_uuid)) test_result = False else: test_util.test_warn('Test [vm:] %s is not running. Skip SG TCP ingress connection checker for this vm.' % test_vm.uuid) test_util.test_logger('Check result: [Security Group] finishes TCP ingress testing for [nic:] %s' % self.nic_uuid) print_iptables(test_vm) return self.judge(test_result)
def check(self): super(zstack_vcenter_sg_tcp_ingress_checker, self).check() all_ports = port_header.all_ports test_result = True test_util.test_dsc('Check TCP ingress rules') nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid) l3_uuid = nic.l3NetworkUuid if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid): test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, there isn't stable IP address for testint." % l3_uuid) return self.judge(self.exp_result) stub_vm = self.test_obj.get_stub_vm(l3_uuid) if not stub_vm: test_util.test_warn('Did not find test stub vm for [nic:] %s. Skip TCP ingress port checking for this nic.' % self.nic_uuid) return self.judge(self.exp_result) stub_vm = stub_vm.vm stub_vm_ip = test_lib.lib_get_vm_nic_by_l3(stub_vm, l3_uuid).ip target_addr = '%s/32' % stub_vm_ip rules = self.test_obj.get_nic_tcp_ingress_rule_by_addr(self.nic_uuid, target_addr) allowed_ports = [] for rule in rules: rule_allowed_ports = port_header.get_ports(port_header.get_port_rule(rule.startPort)) test_util.test_logger('[SG:] %s [ingress rule]: %s allow to access [nic:] %s [ports]: %s from [vm:] %s' % (rule.securityGroupUuid, rule.uuid, self.nic_uuid, rule_allowed_ports, stub_vm.uuid)) for port in rule_allowed_ports: if not port in allowed_ports: allowed_ports.append(port) if not allowed_ports: #If no allowed port, it means all denied. denied_ports = list(all_ports) else: denied_ports = list_ops.list_minus(all_ports, allowed_ports) test_vm = test_lib.lib_get_vm_by_nic(nic.uuid) if test_vm.state == inventory.RUNNING: try: test_lib.lib_open_vm_listen_ports(test_vm, all_ports, l3_uuid) test_lib.lib_check_vm_ports_in_a_command(stub_vm, test_vm, allowed_ports, denied_ports) except: traceback.print_exc(file=sys.stdout) test_util.test_logger('Check result: [Security Group] meets failure when checking TCP ingress rule for [vm:] %s [nic:] %s. ' % (test_vm.uuid, self.nic_uuid)) test_result = False else: test_util.test_warn('Test [vm:] %s is not running. Skip SG TCP ingress connection checker for this vm.' % test_vm.uuid) test_util.test_logger('Check result: [Security Group] finishes TCP ingress testing for [nic:] %s' % self.nic_uuid) print_iptables(test_vm) return self.judge(test_result)
def calc_pf_sg_allowed_denied_ports(self, pf_rule): vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid) target_vm = test_lib.lib_get_vm_by_nic(vm_nic.uuid) all_ports = port_header.all_ports #consolidate rules for TCP/UDP/ICMP with different AllowedCidr rule_port = port_header.get_port_rule(pf_rule.vipPortStart, pf_rule.vipPortEnd) #If there is ingress controlled by SG rule and the PF rule is not in the # allowed SG rule's range, the ingress PF connection will be blocked. sg_tcp_ingress_flag = _sg_rule_exist_for_pf(vm_nic, pf_rule) if sg_tcp_ingress_flag: test_util.test_logger('SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s' % target_vm.uuid) return [], all_ports else: allowed_ports = port_header.get_ports(rule_port) denied_ports = list_ops.list_minus(all_ports, allowed_ports) return allowed_ports, denied_ports
def attach(self, test_sg, nic_vm_list): ''' nic_vm_list = [(nic_uuid, test_vm), (nic_uuid2, test_vm2)] record the test_vm's nic_uuid for attaching to SG. test_vm is ZstackTestVm() SG test case should call this API to attach nic to SG. ''' nic_list = [] for nic_vm in nic_vm_list: nic_uuid = nic_vm[0] test_vm = nic_vm[1] nic_list.append(nic_uuid) nic = test_lib.lib_get_nic_by_uuid(nic_uuid) self._add_nic_sg_dict(nic_uuid, test_sg) self._add_sg_nic_dict(test_sg, nic) self._map_nic_vm(nic_uuid, test_vm) test_sg.attach(nic_list)
def get_all_available_vr_ip(self): vip = self.test_obj.get_vip() l3_uuid = vip.l3NetworkUuid vrs = test_lib.lib_find_vr_by_l3_uuid(l3_uuid) eip_vm_vr_uuids = [] if self.vm_nic_uuid: #target_vm's VRs should be excluded, otherwise the ip package will be routed to this VR directly. vm_nic = test_lib.lib_get_nic_by_uuid(self.vm_nic_uuid) vr_l3_uuid = vm_nic.l3NetworkUuid vr = test_lib.lib_find_vr_by_l3_uuid(vr_l3_uuid)[0] eip_vm_vr_uuids.append(vr.uuid) for vr in vrs: vnic = test_lib.lib_get_vm_nic_by_l3(vr, l3_uuid) if vr.uuid in eip_vm_vr_uuids: continue ip = vnic.ip self.available_vr_dict[ip] = vr
def check(self): super(zstack_vcenter_lbl_checker, self).check() self.vm_nic_uuids = self.lbl.get_vm_nics_uuid() self.algorithm = self.lbl.get_algorithm() self.vm_list = [] self.vm_ip_test_dict = {} if self.lbl.get_creation_option().get_instance_port( ) != 22 and self.lbl.get_creation_option().get_instance_port() != 80: test_util.test_logger( 'LBL target port is not 22 and 80, skip test.') return self.judge(self.exp_result) for vm_nic_uuid in self.vm_nic_uuids: vm = test_lib.lib_get_vm_by_nic(vm_nic_uuid) if vm.state == 'Running': nic_ip = test_lib.lib_get_nic_by_uuid(vm_nic_uuid).ip self.vm_ip_test_dict[nic_ip] = 0 self.vm_list.append(vm) if not self.vm_list: test_util.test_logger( 'There is not living vm for load balancer test') return self.judge(False) cond = res_ops.gen_query_conditions('listeners.uuid', '=', self.lbl_uuid) vip_uuid = res_ops.query_resource(res_ops.LOAD_BALANCER, cond)[0].vipUuid cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid) self.vip_ip = res_ops.query_resource(res_ops.VIP, cond)[0].ip if not len(self.vm_list) > 1: self.do_so_check() return if self.algorithm == lb_header.LB_ALGORITHM_RR: self.do_rr_check() elif self.algorithm == lb_header.LB_ALGORITHM_LC: #self.do_lc_check() #If not consider long connection, leastconn is same as round robin. self.do_rr_check() elif self.algorithm == lb_header.LB_ALGORITHM_SO: self.do_so_check()
def vm_check(self, test_result): vm = self.test_obj.vm test_util.test_logger("Begin to check VM DHCP in VM: %s" % vm.uuid) nic = test_lib.lib_get_nic_by_uuid(self.test_obj.get_creation_option().get_vm_nic_uuid()) test_lib.lib_find_vr_by_vm(vm) guest_ip = nic.ip host = test_lib.lib_get_vm_host(vm) vm_command = '/sbin/ifconfig' vm_cmd_result = test_lib.lib_ssh_vm_cmd_by_agent_with_retry(host.managementIp, self.test_obj.vip.ip, test_lib.lib_get_vm_username(vm), test_lib.lib_get_vm_password(vm), vm_command) if not vm_cmd_result: test_util.test_logger('Checker result: FAIL to execute test ssh command in test [vm:] %s throught [host:] %s.' % (vm.uuid, host.name)) return self.judge(False) if guest_ip in vm_cmd_result: test_util.test_logger('Checker result: guest [ip:] %s is SET in guest [vm:] %s.' % (guest_ip, vm.uuid)) else: test_util.test_logger('Checker result: guest [ip:] %s is NOT found in guest [vm:] %s. \n It might be because the ifconfig is not reflect the ip address yet. \n The current ifconfig result is: %s' % (guest_ip, vm.uuid, vm_cmd_result)) return self.judge(False) return self.judge(True)
def check(self): super(zstack_kvm_sg_icmp_ingress_checker, self).check() test_result = True nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid) l3_uuid = nic.l3NetworkUuid test_util.test_dsc('Check ICMP ingress rules') if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid): test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, there isn't stable IP address for testint." % l3_uuid) return self.judge(self.exp_result) stub_vm = self.test_obj.get_stub_vm(l3_uuid) if not stub_vm: #test_util.test_warn('Did not find test stub vm for [target address:] %s. Skip testing some TCP rules' % target_addr) test_util.test_warn('Did not find test stub vm for [l3:] %s. Skip testing some TCP rules' % l3_uuid) return self.judge(self.exp_result) stub_vm = stub_vm.vm stub_vm_ip = test_lib.lib_get_vm_nic_by_l3(stub_vm, l3_uuid).ip target_addr = '%s/32' % stub_vm_ip test_vm = test_lib.lib_get_vm_by_nic(nic.uuid) if test_vm.state == inventory.RUNNING: rules = self.test_obj.get_nic_icmp_ingress_rule_by_addr(self.nic_uuid, target_addr) target_ip = test_lib.lib_get_vm_ip_by_l3(test_vm, l3_uuid) if rules: if test_lib.lib_check_ping(stub_vm, target_ip, no_exception=True): test_util.test_logger('Check result: [Security Group] pass ICMP ingress rule checking to ping [vm:] %s from [vm:] %s' % (test_vm.uuid, stub_vm.uuid)) else: test_util.test_logger('Check result: [Security Group] meets failure to ping [vm:] %s from [vm:] %s when checking ICMP ingress rule. ' % (test_vm.uuid, stub_vm.uuid)) test_result = False else: if not test_lib.lib_check_ping(stub_vm, target_ip, no_exception=True): test_util.test_logger('Check result: [Security Group] pass ICMP ingress rule checking to ping [vm:] %s from [vm:] %s. Expected failure.' % (test_vm.uuid, stub_vm.uuid)) else: test_util.test_logger('Check result: [Security Group] meet failure when checking ICMP ingress rule to ping [vm:] %s from [vm:] %s. Unexpected ping successfully.' % (test_vm.uuid, stub_vm.uuid)) else: test_util.test_warn('Test [vm:] %s is not running. Skip SG ICMP ingress checker for this vm.' % test_vm.uuid) test_util.test_logger('Check result: [Security Group] pass ICMP ingress testing for [vm:] %s [nic:] %s' % (test_vm.uuid, self.nic_uuid)) print_iptables(test_vm) return self.judge(test_result)
def check(self): super(zstack_vcenter_sg_icmp_ingress_checker, self).check() test_result = True nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid) l3_uuid = nic.l3NetworkUuid test_util.test_dsc('Check ICMP ingress rules') if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid): test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, there isn't stable IP address for testint." % l3_uuid) return self.judge(self.exp_result) stub_vm = self.test_obj.get_stub_vm(l3_uuid) if not stub_vm: test_util.test_warn('Did not find test stub vm for [target address:] %s. Skip testing some TCP rules' % target_addr) return self.judge(self.exp_result) stub_vm = stub_vm.vm stub_vm_ip = test_lib.lib_get_vm_nic_by_l3(stub_vm, l3_uuid).ip target_addr = '%s/32' % stub_vm_ip test_vm = test_lib.lib_get_vm_by_nic(nic.uuid) if test_vm.state == inventory.RUNNING: rules = self.test_obj.get_nic_icmp_ingress_rule_by_addr(self.nic_uuid, target_addr) target_ip = test_lib.lib_get_vm_ip_by_l3(test_vm, l3_uuid) if rules: if test_lib.lib_check_ping(stub_vm, target_ip, no_exception=True): test_util.test_logger('Check result: [Security Group] pass ICMP ingress rule checking to ping [vm:] %s from [vm:] %s' % (test_vm.uuid, stub_vm.uuid)) else: test_util.test_logger('Check result: [Security Group] meets failure to ping [vm:] %s from [vm:] %s when checking ICMP ingress rule. ' % (test_vm.uuid, stub_vm.uuid)) test_result = False else: if not test_lib.lib_check_ping(stub_vm, target_ip, no_exception=True): test_util.test_logger('Check result: [Security Group] pass ICMP ingress rule checking to ping [vm:] %s from [vm:] %s. Expected failure.' % (test_vm.uuid, stub_vm.uuid)) else: test_util.test_logger('Check result: [Security Group] meet failure when checking ICMP ingress rule to ping [vm:] %s from [vm:] %s. Unexpected ping successfully.' % (test_vm.uuid, stub_vm.uuid)) else: test_util.test_warn('Test [vm:] %s is not running. Skip SG ICMP ingress checker for this vm.' % test_vm.uuid) test_util.test_logger('Check result: [Security Group] pass ICMP ingress testing for [vm:] %s [nic:] %s' % (test_vm.uuid, self.nic_uuid)) print_iptables(test_vm) return self.judge(test_result)
def get_allowed_denied_vr_vm(self, allowed_vr_ip, vm_nic_uuid): ''' Get source VR vm for PF port testing. @return: allowed_vr, denied_vr ''' #get allowed vr vm allowed_vr_vm = test_lib.lib_get_vm_by_ip(allowed_vr_ip) vr_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip) l3_uuid = vr_nic.l3NetworkUuid allowed_vr_uuid_list = [allowed_vr_vm.uuid] #target_vm's VRs should be excluded, otherwise the ip package will be routed to this VR directly. if vm_nic_uuid: vm_nic = test_lib.lib_get_nic_by_uuid(vm_nic_uuid) vr_l3_uuid = vm_nic.l3NetworkUuid pf_vr = test_lib.lib_find_vr_by_l3_uuid(vr_l3_uuid)[0] allowed_vr_uuid_list.append(pf_vr.uuid) denied_vr_vm = _find_denied_vr(allowed_vr_vm.clusterUuid, l3_uuid, allowed_vr_uuid_list) return allowed_vr_vm, denied_vr_vm
def check(self): ''' check will assume target vm only have 1 port forwarding VR. So all vms PF rules are assigned to 1 VM nic. ''' super(zstack_vcenter_pf_tcp_checker, self).check() test_result = True target_vm = self.test_obj.get_target_vm().vm pf_rule = self.test_obj.get_port_forwarding() vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid) all_ports = port_header.all_ports #only open ports when VM is running. if self.test_obj.get_target_vm().state == vm_header.RUNNING: test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_nic.l3NetworkUuid) #consolidate rules for TCP/UDP/ICMP with different AllowedCidr rule_port = port_header.get_port_rule(pf_rule.vipPortStart, pf_rule.vipPortEnd) #check SG ingress limitation. Since SG rule will not consider vip as #allowedCidr, if there is ingress limitation, the ingress PF connection #will be blocked. sg_tcp_ingress_flag = _sg_rule_exist(vm_nic, inventory.TCP, pf_rule) allowedCidr = pf_rule.allowedCidr allowed_vr_ip = allowedCidr.split('/')[0] allowed_vr_vm = test_lib.lib_get_vm_by_ip(allowed_vr_ip) vr_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip) l3_uuid = vr_nic.l3NetworkUuid allowed_vr_uuid_list = [allowed_vr_vm.uuid] #target_vm's VRs should be excluded, otherwise the ip package will be routed to this VR directly. pf_vm_vrs = test_lib.lib_find_vr_by_vm(target_vm) for pf_vr in pf_vm_vrs: allowed_vr_uuid_list.append(pf_vr.uuid) denied_vr_vm = _find_denied_vr(target_vm.clusterUuid, l3_uuid, allowed_vr_uuid_list) denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm) vip_uuid = pf_rule.vipUuid cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid) vipIp = res_ops.query_resource(res_ops.VIP, cond)[0].ip if sg_tcp_ingress_flag: test_util.test_logger('SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s' % target_vm.uuid) try: test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, [], all_ports, target_vm) except: test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s, when SG rule exists. " % (pf_rule.uuid, target_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) else: allowed_ports = port_header.get_ports(rule_port) denied_ports = list_ops.list_minus(all_ports, allowed_ports) try: test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) else: test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid)) try: test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, [], all_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s" % (pf_rule.uuid, target_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) else: test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (pf_rule.uuid, target_vm.uuid)) test_util.test_logger('Check result: [Port Forwarding] finishes TCP testing for [vm:] %s [nic:] %s' % (target_vm.uuid, vm_nic.uuid)) return self.judge(test_result)
def check(self): ''' check will assume target vm only have 1 port forwarding VR. So all vms PF rules are assigned to 1 VM nic. ''' super(zstack_kvm_pf_tcp_checker, self).check() test_result = True target_vm = self.test_obj.get_target_vm().vm pf_rule = self.test_obj.get_port_forwarding() vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid) all_ports = port_header.all_ports #only open ports when VM is running. if self.test_obj.get_target_vm().state == vm_header.RUNNING: test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_nic.l3NetworkUuid) #consolidate rules for TCP/UDP/ICMP with different AllowedCidr rule_port = port_header.get_port_rule(pf_rule.vipPortStart, pf_rule.vipPortEnd) #check SG ingress limitation. Since SG rule will not consider vip as #allowedCidr, if there is ingress limitation, the ingress PF connection #will be blocked. sg_tcp_ingress_flag = _sg_rule_exist(vm_nic, inventory.TCP, pf_rule) allowedCidr = pf_rule.allowedCidr allowed_vr_ip = allowedCidr.split('/')[0] allowed_vr_vm = test_lib.lib_get_vm_by_ip(allowed_vr_ip) vr_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip) l3_uuid = vr_nic.l3NetworkUuid allowed_vr_uuid_list = [allowed_vr_vm.uuid] #target_vm's VRs should be excluded, otherwise the ip package will be routed to this VR directly. pf_vm_vrs = test_lib.lib_find_vr_by_vm(target_vm) for pf_vr in pf_vm_vrs: allowed_vr_uuid_list.append(pf_vr.uuid) denied_vr_vm = _find_denied_vr(target_vm.clusterUuid, l3_uuid, allowed_vr_uuid_list) denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm) vip_uuid = pf_rule.vipUuid cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid) vipIp = res_ops.query_resource(res_ops.VIP, cond)[0].ip if sg_tcp_ingress_flag: test_util.test_logger( 'SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s' % target_vm.uuid) try: test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, [], all_ports, target_vm) except: test_util.test_logger( "Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s, when SG rule exists. " % (pf_rule.uuid, target_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) else: allowed_ports = port_header.get_ports(rule_port) denied_ports = list_ops.list_minus(all_ports, allowed_ports) try: test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger( "Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) else: test_util.test_logger( "Checking pass for Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid)) try: test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, [], all_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger( "Catch failure when checking Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s" % (pf_rule.uuid, target_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) else: test_util.test_logger( "Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (pf_rule.uuid, target_vm.uuid)) test_util.test_logger( 'Check result: [Port Forwarding] finishes TCP testing for [vm:] %s [nic:] %s' % (target_vm.uuid, vm_nic.uuid)) return self.judge(test_result)
def check(self): test_util.test_dsc('Check TCP access between SG VMs.') super(zstack_vcenter_sg_tcp_internal_vms_checker, self).check() nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid) l3_uuid = nic.l3NetworkUuid if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid): test_util.test_logger("Skip SG test for [l3:] %s, since it doesn't provide DHCP service" % l3_uuid) return self.judge(self.exp_result) test_result = True all_ports = port_header.all_ports tcp_egress_rules = self.test_obj.get_nic_tcp_egress_rules(self.nic_uuid) src_all_allowed_egress_ports = get_all_ports(tcp_egress_rules) if not src_all_allowed_egress_ports: src_all_allowed_egress_ports = list(all_ports) #src_all_allowed_ingress_ports = get_all_ports(self.test_obj.get_nic_tcp_ingress_rules(self.nic_uuid)) #if not src_all_allowed_ingress_ports: # src_all_allowed_ingress_ports = list(all_ports) nic_sg_list = self.test_obj.get_sg_list_by_nic(self.nic_uuid) src_vm = test_lib.lib_get_vm_by_nic(self.nic_uuid) #save all shared sg for self.nic_uuid, the key was the other nic_uuid, who shared sg with self.nic_uuid nic_shared_sg_dict = {} #find all other nic shared with same sg. for sg in nic_sg_list: same_l3_nic_list = list(sg.get_attached_nics_by_l3(l3_uuid)) if len(same_l3_nic_list) == 1: test_util.test_logger("Skip [SG:] %s, since there is not 2nd VM is attached in this SG." % sg.security_group.uuid) continue if self.nic_uuid in same_l3_nic_list: same_l3_nic_list.remove(self.nic_uuid) for nic_uuid in same_l3_nic_list: if not nic_shared_sg_dict.has_key(nic_uuid): nic_shared_sg_dict[nic_uuid] = [sg] elif not sg in nic_shared_sg_dict[nic_uuid]: nic_shared_sg_dict[nic_uuid].append(sg) #for each shared sg nic to test. for nic_uuid in nic_shared_sg_dict.keys(): dst_vm = test_lib.lib_get_vm_by_nic(nic_uuid) if dst_vm.state != inventory.RUNNING: test_util.test_logger("Skip [vm:] %s, since it is not running." % dst_vm.uuid) continue allowed_ingress_ports = [] allowed_egress_ports = [] #find out all shared SG ingress ports and egress ports for sg in nic_shared_sg_dict[nic_uuid]: sg_allowed_ingress_ports = \ get_all_ports(sg.get_tcp_ingress_all_rule()) for port in sg_allowed_ingress_ports: if not port in allowed_ingress_ports: allowed_ingress_ports.append(port) sg_allowed_egress_ports = \ get_all_ports(sg.get_tcp_egress_all_rule()) if not sg_allowed_egress_ports: sg_allowed_egress_ports = list(all_ports) for port in sg_allowed_egress_ports: if not port in allowed_egress_ports: allowed_egress_ports.append(port) #find out all not shared SG ingress and egress ports for target src_vm_allowedCidr = '%s/32' % test_lib.lib_get_nic_by_uuid(self.nic_uuid).ip dst_vm_allowedCidr = '%s/32' % test_lib.lib_get_nic_by_uuid(nic_uuid).ip #query all other left SG rules, which might not shard between src_vm #and dst_vm, but setting specifically for these two vms. for in_port in get_all_ports(self.test_obj.get_nic_tcp_ingress_rule_by_addr(nic_uuid, src_vm_allowedCidr)): if not in_port in allowed_ingress_ports: allowed_ingress_ports.append(in_port) for out_port in get_all_ports(self.test_obj.get_nic_tcp_egress_rule_by_addr(self.nic_uuid, dst_vm_allowedCidr)): if not out_port in allowed_egress_ports: allowed_egress_ports.append(out_port) dst_all_allowed_ingress_ports = get_all_ports(self.test_obj.get_nic_tcp_ingress_rules(nic_uuid)) if not dst_all_allowed_ingress_ports: test_util.test_logger('Destinated VM nic: %s does not allow any ingress rule, since it does not set any ingress rule' % nic_uuid) continue #if (not allowed_ingress_ports) \ # and (not dst_all_allowed_ingress_ports) \ # and (not self.test_obj.get_nic_udp_ingress_rules(nic_uuid)) \ # and (not self.test_obj.get_nic_icmp_ingress_rules(nic_uuid)): # # allowed_ingress_ports = list(all_ports) #if not find suitable port, means all egress opened. if (not src_all_allowed_egress_ports) \ and (not self.test_obj.get_nic_udp_egress_rules(nic_uuid)) \ and (not self.test_obj.get_nic_icmp_egress_rules(nic_uuid)): allowed_egress_ports = list(all_ports) shared_ports = get_shared_ports(allowed_egress_ports, \ allowed_ingress_ports) not_shared_ports = list_ops.list_minus(all_ports, shared_ports) test_lib.lib_open_vm_listen_ports(dst_vm, all_ports, l3_uuid) try: test_lib.lib_check_vm_ports(src_vm, dst_vm, shared_ports, \ not_shared_ports) except: traceback.print_exc(file=sys.stdout) test_util.test_logger('Check result: [Security Group] meets failure when checking TCP Egress rule between [src_vm:] %s and [dst_vm:] %s. ' % (src_vm.uuid, dst_vm.uuid)) test_result = False break test_util.test_logger('Check result: [Security Group] finishes TCP connection testing from [vm:] %s to other VMs in same SG.' % src_vm.uuid) print_iptables(src_vm) return self.judge(test_result)
def check(self): super(pf_checker, self).check() test_result = True try: test_vip = test_lib.lib_get_vip_by_uuid(self.test_obj.get_vip().uuid) except: test_util.test_logger('Check Result: [vip:] %s is not exist' % self.test_obj.get_vip().uuid) self.test_obj.update() return self.judge(False) if not self.test_obj.get_pf_list(): test_util.test_logger('Check Result: [vip:] %s is not attached to any pf.' % self.test_obj.get_vip().uuid) self.test_obj.update() return self.judge(False) vip = self.test_obj.get_vip() vipIp = vip.ip all_ports = port_header.all_ports pf_running_list = self.test_obj.get_pf_list_for_running_vm() pf_tcp_list, pf_udp_list = self.separate_tcp_udp_list(pf_running_list) pf_tcp_dict = self.gen_tcp_dict_by_allowed_cidr(pf_tcp_list) pf_stopped_list = self.test_obj.get_pf_list_for_stopped_vm() pf_detached_list = self.test_obj.get_detached_pf_list() vip_l3 = self.test_obj.get_vip().l3NetworkUuid if not pf_running_list: # all ports should be denied, since no living vm. for pf in pf_stopped_list: test_result = self.check_denied_pf(pf) if test_result != self.exp_result: return self.judge(test_result) for pf in pf_detached_list: test_result = self.check_denied_pf(pf) if test_result != self.exp_result: return self.judge(test_result) else: #open TCP ports for living vms for pf in pf_tcp_list: target_vm = pf.get_target_vm().vm vm_l3 = test_lib.lib_get_nic_by_uuid(pf.get_port_forwarding().vmNicUuid).l3NetworkUuid test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_l3) #calc allowed ports, per allowed_cidr for allowed_vr_ip, pf_dict_list in pf_tcp_dict.iteritems(): allowed_ports = [] denied_ports = all_ports #find all pf rules on running vm. These rules are supposed to be connectable, unless they are blocked by target vm's sg. allowed_ports, denied_ports = \ self.count_pf_allowed_denied_ports( pf_dict_list, allowed_ports, denied_ports) #although the target_vm might be different, but the denied_vr_vm should be same. target_vm_nic_uuid = pf_dict_list[0].get_port_forwarding().vmNicUuid allowed_vr_vm, denied_vr_vm = \ self.get_allowed_denied_vr_vm(allowed_vr_ip, target_vm_nic_uuid) denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm) try: test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCP [rules] for allowed Cidr: %s from [vm:] %s . " % \ (vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) if test_result != self.exp_result: return self.judge(test_result) test_util.test_logger("Checking pass for [vip:] %s Port Forwardings TCP rules for allowed Cidr: %s from [vm:] %s " % \ (vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid)) #check denied vr access. allowed_ports = [] denied_ports = all_ports #the denied vr might be in other pf rule. if denied_vr_ip in pf_tcp_dict.keys(): allowed_ports, denied_ports = \ self.count_pf_allowed_denied_ports( pf_tcp_dict[denied_vr_ip], allowed_ports, denied_ports) try: test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, allowed_ports, denied_ports, target_vm) except: traceback.print_exc(file=sys.stdout) test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCPs for not allowed Cidr from [vm:] %s" % (vip.uuid, allowed_vr_vm.uuid)) test_result = False if test_result != self.exp_result: return self.judge(test_result) test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (vip.uuid, allowed_vr_vm.uuid)) if test_result != self.exp_result: return self.judge(test_result) #check pf_udp rule existance. for pf in pf_udp_list: test_result = test_lib.lib_check_vm_pf_rule_exist_in_iptables(pf.get_port_forwarding()) test_util.test_logger('Check result: [Port Forwarding] %s finishes UDP rule existance testing' % pf.get_port_forwarding().uuid) return self.judge(test_result) test_util.test_logger('Check result: [Port Forwarding] finishes [vip:] %s TCP testing.' % vip.uuid) return self.judge(test_result)
def check(self): super(eip_checker, self).check() try: test_vip = test_lib.lib_get_vip_by_uuid(self.test_obj.get_vip().uuid) except: test_util.test_logger('Check Result: [vip:] %s does not exist' % self.test_obj.get_vip().uuid) return self.judge(False) vip = self.test_obj.get_vip() vipIp = vip.ip eip_obj = self.test_obj.get_eip() eip = eip_obj.get_eip() try: test_eip = test_lib.lib_get_eip_by_uuid(eip.uuid) except: test_util.test_logger('Check Result: [eip:] %s does not exist' % eip.uuid) return self.judge(False) if eip_obj.state == eip_header.ATTACHED: self.vm_nic_uuid = eip.vmNicUuid self.get_all_available_vr_ip() all_ports = port_header.all_ports if not self.vm_nic_uuid: #eip is not attached self.set_random_denied_vr() return self.judge(self.check_eip_denied_tcp()) else: vm_nic = test_lib.lib_get_nic_by_uuid(self.vm_nic_uuid) #only open ports when VM is running. if eip_obj.get_target_vm().state == vm_header.RUNNING: target_vm = eip_obj.get_target_vm().vm test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_nic.l3NetworkUuid) else: self.set_random_denied_vr() return self.judge(self.check_eip_denied_tcp()) #make sure no any SG rule can impact eip testing. sg_invs = test_lib.lib_get_sg_invs_by_nic_uuid(self.vm_nic_uuid) test_result = self.exp_result if not sg_invs: #If no SG TCP rules for vm_nic, means all ports are connectable self.set_random_allowed_vr() self.denied_vr = None self.denied_vr_ip = None self.allowed_ports = all_ports self.denied_ports = [] test_result = self.check_eip_allowed_tcp() if test_result != self.exp_result: return self.judge(test_result) #if no icmp rule, means ping should be successful test_result = self.check_eip_icmp(True) if test_result != self.exp_result: return self.judge(test_result) else: self.calc_sg_tcp_ports(sg_invs) test_result = self.check_eip_allowed_tcp() if test_result != self.exp_result: return self.judge(test_result) test_result = self.check_eip_denied_tcp() if test_result != self.exp_result: return self.judge(test_result) test_util.test_logger('Checker Result for EIP checker: %s' % test_result) return self.judge(test_result)
def check(self): super(zstack_vcenter_sg_icmp_internal_vms_checker, self).check() #only check ingress icmp. if not self.test_obj.get_nic_icmp_ingress_rules(self.nic_uuid): test_util.test_logger("Skip SG internal ICMP test, since there isn't icmp ingress rules for nic: %s" % self.nic_uuid) return self.judge(self.exp_result) test_result = True test_util.test_dsc('Check ICMP rules between attached VMs') nic_sg_list = self.test_obj.get_sg_list_by_nic(self.nic_uuid) nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid) dst_vm = test_lib.lib_get_vm_by_nic(self.nic_uuid) l3_uuid = nic.l3NetworkUuid if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid): test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, test vm's IP address is not stable." % l3_uuid) return self.judge(self.exp_result) target_ip = nic.ip allowed_src_nic_list = [] temp_allowed_src_nic_list = [] denied_nic_list = [] for sg in nic_sg_list: same_l3_nic_list = list(sg.get_attached_nics_by_l3(l3_uuid)) if len(same_l3_nic_list) < 2 : test_util.test_logger("Skip [l3:] %s ICMP internal VMs checking, since there is less 2 SG VMs in this l3." % l3_uuid) continue #if source vm's udp and tcp engress rules exist, while icmp ingress # rule does not exist, the src vm egress icmp should be denied. #minus current nic. nic_list_temp = list_ops.list_minus(list(same_l3_nic_list), [nic.uuid]) for nic_uuid in nic_list_temp: source_nic_egress_icmp_rules = \ self.test_obj.get_nic_icmp_egress_rules(nic_uuid) if not source_nic_egress_icmp_rules: if self.test_obj.get_nic_tcp_egress_rules(nic_uuid) or \ self.test_obj.get_nic_udp_egress_rules(nic_uuid): if not nic_uuid in denied_nic_list: denied_nic_list.append(nic_uuid) else: if not nic_uuid in temp_allowed_src_nic_list: temp_allowed_src_nic_list.append(nic_uuid) else: for rule in source_nic_egress_icmp_rules: if target_ip in rule.allowedCidr: if not nic_uuid in allowed_src_nic_list: allowed_src_nic_list.append(nic_uuid) break else: if not nic_uuid in denied_nic_list: denied_nic_list.append(nic_uuid) for nic_uuid in list(denied_nic_list): if nic_uuid in allowed_src_nic_list: denied_nic_list.remove(nic_uuid) for nic_uuid in temp_allowed_src_nic_list: if not nic_uuid in denied_nic_list and \ not nic_uuid in allowed_src_nic_list: allowed_src_nic_list.append(nic_uuid) allowed_vm_list = get_all_running_vms_by_nics(allowed_src_nic_list) denied_vm_list = get_all_running_vms_by_nics(denied_nic_list) for src_vm in allowed_vm_list: if test_lib.lib_check_ping(src_vm, target_ip, no_exception=True): test_util.test_logger('Check result: [Security Group] pass ICMP rule checking to ping [vm:] %s from [vm:] %s' % (src_vm.uuid, dst_vm.uuid)) else: test_util.test_logger('Check result: [Security Group] is FAIL to ping [vm:] %s from [vm:] %s when checking ICMP rule. ' % (src_vm.uuid, dst_vm.uuid)) test_result = False for src_vm in denied_vm_list: if test_lib.lib_check_ping(src_vm, target_ip, no_exception=True): test_util.test_logger('Unexpected Result: [Security Group] ICMP ping [vm:] %s from [vm:] %s successfully' % (src_vm.uuid, dst_vm.uuid)) test_result = False else: test_util.test_logger('Expected Result: [Security Group] FAIL to ping [vm:] %s from [vm:] %s when checking ICMP rule. ' % (src_vm.uuid, dst_vm.uuid)) test_util.test_logger('Check result: [Security Group] finishes ICMP connection testing from other attached VMs to target [vm:] %s in same SG.' % dst_vm.uuid) print_iptables(dst_vm) return self.judge(test_result)
def check(self): super(zstack_kvm_sg_icmp_internal_vms_checker, self).check() #only check ingress icmp. if not self.test_obj.get_nic_icmp_ingress_rules(self.nic_uuid): test_util.test_logger("Skip SG internal ICMP test, since there isn't icmp ingress rules for nic: %s" % self.nic_uuid) return self.judge(self.exp_result) test_result = True test_util.test_dsc('Check ICMP rules between attached VMs') nic_sg_list = self.test_obj.get_sg_list_by_nic(self.nic_uuid) nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid) dst_vm = test_lib.lib_get_vm_by_nic(self.nic_uuid) l3_uuid = nic.l3NetworkUuid if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid): test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, test vm's IP address is not stable." % l3_uuid) return self.judge(self.exp_result) target_ip = nic.ip allowed_src_nic_list = [] temp_allowed_src_nic_list = [] denied_nic_list = [] for sg in nic_sg_list: same_l3_nic_list = list(sg.get_attached_nics_by_l3(l3_uuid)) if len(same_l3_nic_list) < 2 : test_util.test_logger("Skip [l3:] %s ICMP internal VMs checking, since there is less 2 SG VMs in this l3." % l3_uuid) continue #if source vm's udp and tcp engress rules exist, while icmp ingress # rule does not exist, the src vm egress icmp should be denied. #minus current nic. nic_list_temp = list_ops.list_minus(list(same_l3_nic_list), [nic.uuid]) for nic_uuid in nic_list_temp: source_nic_egress_icmp_rules = \ self.test_obj.get_nic_icmp_egress_rules(nic_uuid) if not source_nic_egress_icmp_rules: if self.test_obj.get_nic_tcp_egress_rules(nic_uuid) or \ self.test_obj.get_nic_udp_egress_rules(nic_uuid): if not nic_uuid in denied_nic_list: denied_nic_list.append(nic_uuid) else: if not nic_uuid in temp_allowed_src_nic_list: temp_allowed_src_nic_list.append(nic_uuid) else: for rule in source_nic_egress_icmp_rules: if target_ip in rule.allowedCidr: if not nic_uuid in allowed_src_nic_list: allowed_src_nic_list.append(nic_uuid) break else: if not nic_uuid in denied_nic_list: denied_nic_list.append(nic_uuid) for nic_uuid in list(denied_nic_list): if nic_uuid in allowed_src_nic_list: denied_nic_list.remove(nic_uuid) for nic_uuid in temp_allowed_src_nic_list: if not nic_uuid in denied_nic_list and \ not nic_uuid in allowed_src_nic_list: allowed_src_nic_list.append(nic_uuid) allowed_vm_list = get_all_running_vms_by_nics(allowed_src_nic_list) denied_vm_list = get_all_running_vms_by_nics(denied_nic_list) for src_vm in allowed_vm_list: if test_lib.lib_check_ping(src_vm, target_ip, no_exception=True): test_util.test_logger('Check result: [Security Group] pass ICMP rule checking to ping [vm:] %s from [vm:] %s' % (src_vm.uuid, dst_vm.uuid)) else: test_util.test_logger('Check result: [Security Group] is FAIL to ping [vm:] %s from [vm:] %s when checking ICMP rule. ' % (src_vm.uuid, dst_vm.uuid)) test_result = False for src_vm in denied_vm_list: if test_lib.lib_check_ping(src_vm, target_ip, no_exception=True): test_util.test_logger('Unexpected Result: [Security Group] ICMP ping [vm:] %s from [vm:] %s successfully' % (src_vm.uuid, dst_vm.uuid)) test_result = False else: test_util.test_logger('Expected Result: [Security Group] FAIL to ping [vm:] %s from [vm:] %s when checking ICMP rule. ' % (src_vm.uuid, dst_vm.uuid)) test_util.test_logger('Check result: [Security Group] finishes ICMP connection testing from other attached VMs to target [vm:] %s in same SG.' % dst_vm.uuid) print_iptables(dst_vm) return self.judge(test_result)
def check(self): test_util.test_dsc('Check TCP access between SG VMs.') super(zstack_kvm_sg_tcp_internal_vms_checker, self).check() nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid) l3_uuid = nic.l3NetworkUuid if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid): test_util.test_logger("Skip SG test for [l3:] %s, since it doesn't provide DHCP service" % l3_uuid) return self.judge(self.exp_result) test_result = True all_ports = port_header.all_ports tcp_egress_rules = self.test_obj.get_nic_tcp_egress_rules(self.nic_uuid) src_all_allowed_egress_ports = get_all_ports(tcp_egress_rules) if not src_all_allowed_egress_ports: src_all_allowed_egress_ports = list(all_ports) #src_all_allowed_ingress_ports = get_all_ports(self.test_obj.get_nic_tcp_ingress_rules(self.nic_uuid)) #if not src_all_allowed_ingress_ports: # src_all_allowed_ingress_ports = list(all_ports) nic_sg_list = self.test_obj.get_sg_list_by_nic(self.nic_uuid) src_vm = test_lib.lib_get_vm_by_nic(self.nic_uuid) #save all shared sg for self.nic_uuid, the key was the other nic_uuid, who shared sg with self.nic_uuid nic_shared_sg_dict = {} #find all other nic shared with same sg. for sg in nic_sg_list: same_l3_nic_list = list(sg.get_attached_nics_by_l3(l3_uuid)) if len(same_l3_nic_list) == 1: test_util.test_logger("Skip [SG:] %s, since there is not 2nd VM is attached in this SG." % sg.security_group.uuid) continue if self.nic_uuid in same_l3_nic_list: same_l3_nic_list.remove(self.nic_uuid) for nic_uuid in same_l3_nic_list: if not nic_shared_sg_dict.has_key(nic_uuid): nic_shared_sg_dict[nic_uuid] = [sg] elif not sg in nic_shared_sg_dict[nic_uuid]: nic_shared_sg_dict[nic_uuid].append(sg) #for each shared sg nic to test. for nic_uuid in nic_shared_sg_dict.keys(): dst_vm = test_lib.lib_get_vm_by_nic(nic_uuid) if dst_vm.state != inventory.RUNNING: test_util.test_logger("Skip [vm:] %s, since it is not running." % dst_vm.uuid) continue allowed_ingress_ports = [] allowed_egress_ports = [] #find out all shared SG ingress ports and egress ports for sg in nic_shared_sg_dict[nic_uuid]: sg_allowed_ingress_ports = \ get_all_ports(sg.get_tcp_ingress_all_rule()) for port in sg_allowed_ingress_ports: if not port in allowed_ingress_ports: allowed_ingress_ports.append(port) sg_allowed_egress_ports = \ get_all_ports(sg.get_tcp_egress_all_rule()) if not sg_allowed_egress_ports: sg_allowed_egress_ports = list(all_ports) for port in sg_allowed_egress_ports: if not port in allowed_egress_ports: allowed_egress_ports.append(port) #find out all not shared SG ingress and egress ports for target src_vm_allowedCidr = '%s/32' % test_lib.lib_get_nic_by_uuid(self.nic_uuid).ip dst_vm_allowedCidr = '%s/32' % test_lib.lib_get_nic_by_uuid(nic_uuid).ip #query all other left SG rules, which might not shard between src_vm #and dst_vm, but setting specifically for these two vms. for in_port in get_all_ports(self.test_obj.get_nic_tcp_ingress_rule_by_addr(nic_uuid, src_vm_allowedCidr)): if not in_port in allowed_ingress_ports: allowed_ingress_ports.append(in_port) for out_port in get_all_ports(self.test_obj.get_nic_tcp_egress_rule_by_addr(self.nic_uuid, dst_vm_allowedCidr)): if not out_port in allowed_egress_ports: allowed_egress_ports.append(out_port) dst_all_allowed_ingress_ports = get_all_ports(self.test_obj.get_nic_tcp_ingress_rules(nic_uuid)) if not dst_all_allowed_ingress_ports: test_util.test_logger('Destinated VM nic: %s does not allow any ingress rule, since it does not set any ingress rule' % nic_uuid) continue #if (not allowed_ingress_ports) \ # and (not dst_all_allowed_ingress_ports) \ # and (not self.test_obj.get_nic_udp_ingress_rules(nic_uuid)) \ # and (not self.test_obj.get_nic_icmp_ingress_rules(nic_uuid)): # # allowed_ingress_ports = list(all_ports) #if not find suitable port, means all egress opened. if (not src_all_allowed_egress_ports) \ and (not self.test_obj.get_nic_udp_egress_rules(nic_uuid)) \ and (not self.test_obj.get_nic_icmp_egress_rules(nic_uuid)): allowed_egress_ports = list(all_ports) if internal_sg_allow_all(self.nic_uuid, nic_uuid, 'Ingress'): allowed_ingress_ports = all_ports if internal_sg_allow_all(self.nic_uuid, nic_uuid, 'Egress'): allowed_egress_ports = all_ports shared_ports = get_shared_ports(allowed_egress_ports, \ allowed_ingress_ports) not_shared_ports = list_ops.list_minus(all_ports, shared_ports) test_lib.lib_open_vm_listen_ports(dst_vm, all_ports, l3_uuid) try: test_lib.lib_check_vm_ports(src_vm, dst_vm, shared_ports, \ not_shared_ports) except: traceback.print_exc(file=sys.stdout) test_util.test_logger('Check result: [Security Group] meets failure when checking TCP Egress rule between [src_vm:] %s and [dst_vm:] %s. ' % (src_vm.uuid, dst_vm.uuid)) test_result = False break test_util.test_logger('Check result: [Security Group] finishes TCP connection testing from [vm:] %s to other VMs in same SG.' % src_vm.uuid) print_iptables(src_vm) return self.judge(test_result)