    def test_basic_policy(self):
        """Attach one policy to two VNs and verify the RI cross-references.

        Both networks receive the same policy at sequence (1, 1); their
        routing instances must then reference each other, and detaching
        the policy must remove those references again before the objects
        are deleted.
        """
        networks = [VirtualNetwork(self.id() + suffix) for suffix in ('vn1', 'vn2')]
        first_vn, second_vn = networks

        policy = self.create_network_policy(first_vn, second_vn)
        attachment = VirtualNetworkPolicyType(SequenceType(1, 1))
        for vn in networks:
            vn.set_network_policy(policy, attachment)
        for vn in networks:
            self._vnc_lib.virtual_network_create(vn)

        # Wait until both identities are visible in the VNC DB.
        for vn in networks:
            self.assertTill(self.vnc_db_has_ident, obj=vn)

        first_ri = self.get_ri_name(first_vn)
        second_ri = self.get_ri_name(second_vn)
        self.check_ri_ref_present(first_ri, second_ri)
        self.check_ri_ref_present(second_ri, first_ri)

        # Detach the policy from both sides and push the updates.
        for vn in networks:
            vn.del_network_policy(policy)
        for vn in networks:
            self._vnc_lib.virtual_network_update(vn)

        self.check_ri_refs_are_deleted(fq_name=second_ri)

        # Tear down in policy -> network order.
        self.delete_network_policy(policy)
        for vn in networks:
            self._vnc_lib.virtual_network_delete(fq_name=vn.get_fq_name())

        self.check_vn_is_deleted(uuid=first_vn.uuid)
        self.check_ri_is_deleted(fq_name=second_ri)
    def test_basic_policy(self):
        """Verify that a shared policy links two VNs' routing instances.

        The same policy is attached to both networks; after creation each
        routing instance must reference the other, and after the policy is
        detached the reference must disappear.
        """
        vn_a = VirtualNetwork(self.id() + 'vn1')
        vn_b = VirtualNetwork(self.id() + 'vn2')
        policy = self.create_network_policy(vn_a, vn_b)

        policy_attachment = VirtualNetworkPolicyType(SequenceType(1, 1))
        vn_a.set_network_policy(policy, policy_attachment)
        vn_b.set_network_policy(policy, policy_attachment)
        self._vnc_lib.virtual_network_create(vn_a)
        self._vnc_lib.virtual_network_create(vn_b)

        # Block until the VNC DB has both identities.
        self.assertTill(self.vnc_db_has_ident, obj=vn_a)
        self.assertTill(self.vnc_db_has_ident, obj=vn_b)

        ri_a, ri_b = self.get_ri_name(vn_a), self.get_ri_name(vn_b)
        self.check_ri_ref_present(ri_a, ri_b)
        self.check_ri_ref_present(ri_b, ri_a)

        # Detach the policy from both sides and push the update.
        vn_a.del_network_policy(policy)
        vn_b.del_network_policy(policy)
        self._vnc_lib.virtual_network_update(vn_a)
        self._vnc_lib.virtual_network_update(vn_b)
        self.check_ri_refs_are_deleted(fq_name=ri_b)

        # Tear down.
        self.delete_network_policy(policy)
        self._vnc_lib.virtual_network_delete(fq_name=vn_a.get_fq_name())
        self._vnc_lib.virtual_network_delete(fq_name=vn_b.get_fq_name())
        self.check_vn_is_deleted(uuid=vn_a.uuid)
        self.check_ri_is_deleted(fq_name=ri_b)
    def test_multiple_policy(self):
        """Toggle actions on two opposite-direction policies.

        vn1 carries a policy towards vn2 and vn2 one towards vn1. After
        setting either policy's first rule to 'deny' the connection link
        between the two routing instances must be present in the fake
        IF-MAP graph; the check is done once per direction.
        """
        vn1 = VirtualNetwork(self.id() + 'vn1')
        vn2 = VirtualNetwork(self.id() + 'vn2')
        forward = self.create_network_policy(vn1, vn2)
        backward = self.create_network_policy(vn2, vn1)

        attachment = VirtualNetworkPolicyType(SequenceType(1, 1))
        for vn, policy in ((vn1, forward), (vn2, backward)):
            vn.set_network_policy(policy, attachment)
        for vn in (vn1, vn2):
            self._vnc_lib.virtual_network_create(vn)

        ri1 = self.get_ri_name(vn1)
        ri2 = self.get_ri_name(vn2)
        self.check_ri_ref_present(ri1, ri2)
        self.check_ri_ref_present(ri2, ri1)

        def set_first_rule_action(policy, action):
            # Rewrite the first rule's action and push the policy update.
            policy.network_policy_entries.policy_rule[0].action_list.simple_action = action
            policy.set_network_policy_entries(policy.network_policy_entries)
            self._vnc_lib.network_policy_update(policy)

        def link_expr(target_ri, source_ri):
            # assertTill receives a source-string expression here (presumably
            # evaluated by the harness); it only ever embeds locally generated
            # test names, and the literal is kept exactly as the harness expects.
            return (
                "('contrail:connection contrail:routing-instance:%s' in FakeIfmapClient._graph['8443']['contrail:routing-instance:%s']['links'])"
                % (':'.join(target_ri), ':'.join(source_ri)))

        set_first_rule_action(forward, 'deny')
        self.assertTill(link_expr(ri2, ri1))

        set_first_rule_action(forward, 'pass')
        set_first_rule_action(backward, 'deny')
        self.assertTill(link_expr(ri1, ri2))

        vn1.del_network_policy(forward)
        vn2.del_network_policy(backward)
        for vn in (vn1, vn2):
            self._vnc_lib.virtual_network_update(vn)

        self.check_ri_refs_are_deleted(fq_name=ri2)

        self.delete_network_policy(forward)
        self.delete_network_policy(backward)
        for vn in (vn1, vn2):
            self._vnc_lib.virtual_network_delete(fq_name=vn.get_fq_name())

        self.check_vn_is_deleted(uuid=vn1.uuid)
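    def test_policy_in_policy(self):
        """Verify a policy whose destination is another policy.

        np1's first rule points at np2 (a policy, not a network) and np2's
        first rule uses the 'local' source. vn1/vn2 carry np1/np2 and must
        reference each other's routing instance; a third VN attached to np2
        must gain a reference to vn1's RI and, once np2 is detached from it
        again, must no longer appear as destination in vn1's ACL.
        """
        vn1_obj = VirtualNetwork(self.id() + "vn1")
        vn2_obj = VirtualNetwork(self.id() + "vn2")
        vn3_name = self.id() + "vn3"

        np1 = self.create_network_policy(vn1_obj, vn2_obj)
        np2 = self.create_network_policy(vn2_obj, vn1_obj)

        # np1's destination is the policy np2 rather than a virtual network.
        np1_dst = np1.network_policy_entries.policy_rule[0].dst_addresses[0]
        np1_dst.virtual_network = None
        np1_dst.network_policy = np2.get_fq_name_str()
        np1.set_network_policy_entries(np1.network_policy_entries)
        self._vnc_lib.network_policy_update(np1)

        np2.network_policy_entries.policy_rule[0].src_addresses[0].virtual_network = "local"
        # Push np2's own entries. The previous version passed np1's entries
        # here, which discarded the 'local' source set just above and made
        # np2 carry np1's rule; that looks like a copy/paste slip.
        np2.set_network_policy_entries(np2.network_policy_entries)
        self._vnc_lib.network_policy_update(np2)

        vnp = VirtualNetworkPolicyType(SequenceType(1, 1))
        vn1_obj.set_network_policy(np1, vnp)
        vn2_obj.set_network_policy(np2, vnp)
        self._vnc_lib.virtual_network_create(vn1_obj)
        self._vnc_lib.virtual_network_create(vn2_obj)

        self.check_ri_ref_present(self.get_ri_name(vn1_obj), self.get_ri_name(vn2_obj))
        self.check_ri_ref_present(self.get_ri_name(vn2_obj), self.get_ri_name(vn1_obj))

        # A third network on np2 must be connected to vn1 as well.
        vn3_obj = VirtualNetwork(vn3_name)
        vn3_obj.set_network_policy(np2, vnp)
        self._vnc_lib.virtual_network_create(vn3_obj)

        self.check_ri_ref_present(self.get_ri_name(vn3_obj), self.get_ri_name(vn1_obj))

        vn3_obj.del_network_policy(np2)
        self._vnc_lib.virtual_network_update(vn3_obj)

        @retries(5)
        def _match_acl_rule():
            # Retried until no ACL rule on vn1's RI still targets vn3;
            # raising is how a retry is requested.
            acl = self._vnc_lib.access_control_list_read(fq_name=self.get_ri_name(vn1_obj))
            for rule in acl.get_access_control_list_entries().get_acl_rule():
                if rule.match_condition.dst_address.virtual_network == vn3_obj.get_fq_name_str():
                    raise Exception("ACL rule still present")

        _match_acl_rule()

        # Tear down: detach policies, delete policies, then networks.
        vn1_obj.del_network_policy(np1)
        vn2_obj.del_network_policy(np2)
        self._vnc_lib.virtual_network_update(vn1_obj)
        self._vnc_lib.virtual_network_update(vn2_obj)
        self.delete_network_policy(np1)
        self.delete_network_policy(np2)
        self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name())
        self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name())
        self._vnc_lib.virtual_network_delete(fq_name=vn3_obj.get_fq_name())

        self.check_vn_is_deleted(uuid=vn1_obj.uuid)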
    def test_multiple_policy(self):
        """Flip rule actions on two opposite-direction policies.

        With np1 (vn1 -> vn2) set to 'deny', vn1's routing instance must
        show a connection link to vn2's; with np1 back to 'pass' and np2
        (vn2 -> vn1) set to 'deny', vn2's RI must link to vn1's.
        """
        vn1_obj = VirtualNetwork(self.id() + 'vn1')
        vn2_obj = VirtualNetwork(self.id() + 'vn2')
        np1 = self.create_network_policy(vn1_obj, vn2_obj)
        np2 = self.create_network_policy(vn2_obj, vn1_obj)

        vnp = VirtualNetworkPolicyType(SequenceType(1, 1))
        vn1_obj.set_network_policy(np1, vnp)
        vn2_obj.set_network_policy(np2, vnp)
        self._vnc_lib.virtual_network_create(vn1_obj)
        self._vnc_lib.virtual_network_create(vn2_obj)

        ri1 = self.get_ri_name(vn1_obj)
        ri2 = self.get_ri_name(vn2_obj)
        self.check_ri_ref_present(ri1, ri2)
        self.check_ri_ref_present(ri2, ri1)

        def set_action(policy, action):
            # Change the first rule's action and push the update.
            rule = policy.network_policy_entries.policy_rule[0]
            rule.action_list.simple_action = action
            policy.set_network_policy_entries(policy.network_policy_entries)
            self._vnc_lib.network_policy_update(policy)

        def assert_connection(src_ri, dst_ri):
            # Wait for the IF-MAP connection link src_ri -> dst_ri.
            self.assertTill(
                self.ifmap_ident_has_link,
                type_fq_name=('routing-instance', src_ri),
                link_name='contrail:connection contrail:routing-instance:%s' %
                ':'.join(dst_ri))

        set_action(np1, 'deny')
        assert_connection(ri1, ri2)
        set_action(np1, 'pass')
        set_action(np2, 'deny')
        assert_connection(ri2, ri1)

        vn1_obj.del_network_policy(np1)
        vn2_obj.del_network_policy(np2)
        self._vnc_lib.virtual_network_update(vn1_obj)
        self._vnc_lib.virtual_network_update(vn2_obj)

        self.check_ri_refs_are_deleted(fq_name=ri2)

        self.delete_network_policy(np1)
        self.delete_network_policy(np2)
        self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name())
        self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name())

        self.check_vn_is_deleted(uuid=vn1_obj.uuid)
    def test_multiple_policy(self):
        """Flip the first rule of each policy and watch the IF-MAP graph.

        Two policies are attached in opposite directions. After np1 is set
        to 'deny' the vn2 -> vn1 connection link must be present in
        FakeIfmapClient's graph; after np1 is reset to 'pass' and np2 set
        to 'deny' the vn1 -> vn2 link must be present.
        """
        vn1_obj = VirtualNetwork(self.id() + 'vn1')
        vn2_obj = VirtualNetwork(self.id() + 'vn2')
        np1 = self.create_network_policy(vn1_obj, vn2_obj)
        np2 = self.create_network_policy(vn2_obj, vn1_obj)

        vnp = VirtualNetworkPolicyType(SequenceType(1, 1))
        for vn, policy in ((vn1_obj, np1), (vn2_obj, np2)):
            vn.set_network_policy(policy, vnp)
        for vn in (vn1_obj, vn2_obj):
            self._vnc_lib.virtual_network_create(vn)

        ri1 = self.get_ri_name(vn1_obj)
        ri2 = self.get_ri_name(vn2_obj)
        self.check_ri_ref_present(ri1, ri2)
        self.check_ri_ref_present(ri2, ri1)

        # Source-string expression handed to assertTill (presumably evaluated
        # by the harness); it only embeds locally generated test names.
        link_template = "('contrail:connection contrail:routing-instance:%s' in FakeIfmapClient._graph['contrail:routing-instance:%s']['links'])"
        ri1_str = ':'.join(ri1)
        ri2_str = ':'.join(ri2)

        def push_action(policy, action):
            # Rewrite the first rule's action and update the policy.
            policy.network_policy_entries.policy_rule[0].action_list.simple_action = action
            policy.set_network_policy_entries(policy.network_policy_entries)
            self._vnc_lib.network_policy_update(policy)

        push_action(np1, 'deny')
        self.assertTill(link_template % (ri2_str, ri1_str))

        push_action(np1, 'pass')
        push_action(np2, 'deny')
        self.assertTill(link_template % (ri1_str, ri2_str))

        vn1_obj.del_network_policy(np1)
        vn2_obj.del_network_policy(np2)
        for vn in (vn1_obj, vn2_obj):
            self._vnc_lib.virtual_network_update(vn)

        self.check_ri_refs_are_deleted(fq_name=ri2)

        for policy in (np1, np2):
            self.delete_network_policy(policy)
        for vn in (vn1_obj, vn2_obj):
            self._vnc_lib.virtual_network_delete(fq_name=vn.get_fq_name())

        self.check_vn_is_deleted(uuid=vn1_obj.uuid)
    def test_multiple_policy(self):
        """Check IF-MAP connection links while toggling two policies.

        np1 (vn1 -> vn2) set to "deny" must leave vn1's RI linked to vn2's;
        np1 back to "pass" plus np2 (vn2 -> vn1) set to "deny" must leave
        vn2's RI linked to vn1's.
        """
        vn_pair = [VirtualNetwork(self.id() + suffix) for suffix in ("vn1", "vn2")]
        vn1_obj, vn2_obj = vn_pair
        np1 = self.create_network_policy(vn1_obj, vn2_obj)
        np2 = self.create_network_policy(vn2_obj, vn1_obj)

        vnp = VirtualNetworkPolicyType(SequenceType(1, 1))
        vn1_obj.set_network_policy(np1, vnp)
        vn2_obj.set_network_policy(np2, vnp)
        for vn in vn_pair:
            self._vnc_lib.virtual_network_create(vn)

        ri1 = self.get_ri_name(vn1_obj)
        ri2 = self.get_ri_name(vn2_obj)
        self.check_ri_ref_present(ri1, ri2)
        self.check_ri_ref_present(ri2, ri1)

        def push_action(policy, action):
            # Set the first rule's action and push the policy update.
            policy.network_policy_entries.policy_rule[0].action_list.simple_action = action
            policy.set_network_policy_entries(policy.network_policy_entries)
            self._vnc_lib.network_policy_update(policy)

        def wait_for_link(src_ri, dst_ri):
            # Poll until src_ri carries a connection link to dst_ri.
            self.assertTill(
                self.ifmap_ident_has_link,
                type_fq_name=("routing-instance", src_ri),
                link_name="contrail:connection contrail:routing-instance:%s" % ":".join(dst_ri),
            )

        push_action(np1, "deny")
        wait_for_link(ri1, ri2)
        push_action(np1, "pass")
        push_action(np2, "deny")
        wait_for_link(ri2, ri1)

        vn1_obj.del_network_policy(np1)
        vn2_obj.del_network_policy(np2)
        for vn in vn_pair:
            self._vnc_lib.virtual_network_update(vn)

        self.check_ri_refs_are_deleted(fq_name=ri2)

        self.delete_network_policy(np1)
        self.delete_network_policy(np2)
        for vn in vn_pair:
            self._vnc_lib.virtual_network_delete(fq_name=vn.get_fq_name())

        self.check_vn_is_deleted(uuid=vn1_obj.uuid)
    def test_multiple_policy(self):
        """Deny/pass on either policy must add or drop the RI references.

        Denying np1's first rule must remove the references to vn2's RI;
        passing it again must restore vn1 -> vn2; denying np2's first rule
        must remove the references to vn2's RI again.
        """
        vn1_obj = VirtualNetwork(self.id() + 'vn1')
        vn2_obj = VirtualNetwork(self.id() + 'vn2')
        np1 = self.create_network_policy(vn1_obj, vn2_obj)
        np2 = self.create_network_policy(vn2_obj, vn1_obj)

        vnp = VirtualNetworkPolicyType(SequenceType(1, 1))
        vn1_obj.set_network_policy(np1, vnp)
        vn2_obj.set_network_policy(np2, vnp)
        self._vnc_lib.virtual_network_create(vn1_obj)
        self._vnc_lib.virtual_network_create(vn2_obj)

        ri1 = self.get_ri_name(vn1_obj)
        ri2 = self.get_ri_name(vn2_obj)
        self.check_ri_ref_present(ri1, ri2)
        self.check_ri_ref_present(ri2, ri1)

        def update_first_rule(policy, action):
            # Rewrite the first rule's action and push the policy.
            rule = policy.network_policy_entries.policy_rule[0]
            rule.action_list.simple_action = action
            policy.set_network_policy_entries(policy.network_policy_entries)
            self._vnc_lib.network_policy_update(policy)

        update_first_rule(np1, 'deny')
        self.check_ri_refs_are_deleted(fq_name=ri2)

        update_first_rule(np1, 'pass')
        self.check_ri_ref_present(ri1, ri2)

        update_first_rule(np2, 'deny')
        self.check_ri_refs_are_deleted(fq_name=ri2)

        for vn, policy in ((vn1_obj, np1), (vn2_obj, np2)):
            vn.del_network_policy(policy)
        for vn in (vn1_obj, vn2_obj):
            self._vnc_lib.virtual_network_update(vn)

        for policy in (np1, np2):
            self.delete_network_policy(policy)
        for vn in (vn1_obj, vn2_obj):
            self._vnc_lib.virtual_network_delete(fq_name=vn.get_fq_name())

        for vn in (vn1_obj, vn2_obj):
            self.check_vn_is_deleted(uuid=vn.uuid)
    def test_multiple_policy(self):
        """Verify RI references follow the deny/pass action of two policies.

        Each step pushes a new action on a policy's first rule and then
        checks whether vn2's RI is still referenced.
        """
        vn1_obj = VirtualNetwork(self.id() + 'vn1')
        vn2_obj = VirtualNetwork(self.id() + 'vn2')
        np1 = self.create_network_policy(vn1_obj, vn2_obj)
        np2 = self.create_network_policy(vn2_obj, vn1_obj)

        vnp = VirtualNetworkPolicyType(SequenceType(1, 1))
        vn1_obj.set_network_policy(np1, vnp)
        vn2_obj.set_network_policy(np2, vnp)
        self._vnc_lib.virtual_network_create(vn1_obj)
        self._vnc_lib.virtual_network_create(vn2_obj)

        ri1 = self.get_ri_name(vn1_obj)
        ri2 = self.get_ri_name(vn2_obj)
        self.check_ri_ref_present(ri1, ri2)
        self.check_ri_ref_present(ri2, ri1)

        def apply_action(policy, action):
            policy.network_policy_entries.policy_rule[0].action_list.simple_action = action
            policy.set_network_policy_entries(policy.network_policy_entries)
            self._vnc_lib.network_policy_update(policy)

        # (policy, action, expectation) in the order the scenario plays out.
        apply_action(np1, 'deny')
        self.check_ri_refs_are_deleted(fq_name=ri2)
        apply_action(np1, 'pass')
        self.check_ri_ref_present(ri1, ri2)
        apply_action(np2, 'deny')
        self.check_ri_refs_are_deleted(fq_name=ri2)

        vn1_obj.del_network_policy(np1)
        vn2_obj.del_network_policy(np2)
        self._vnc_lib.virtual_network_update(vn1_obj)
        self._vnc_lib.virtual_network_update(vn2_obj)

        self.delete_network_policy(np1)
        self.delete_network_policy(np2)
        self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name())
        self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name())

        self.check_vn_is_deleted(uuid=vn1_obj.uuid)
        self.check_vn_is_deleted(uuid=vn2_obj.uuid)
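    def create_network(self, name, proj_obj, subnet, ipam_name):
        """Return the VN *name* under *proj_obj*, creating it if absent.

        The network is an L3, user-defined-subnet VN. An IPAM named
        *ipam_name* is created through ``_create_network_ipam`` with a
        flat subnet *subnet* (presumably attaching it to the VN). The VN
        update that follows is best-effort: failure is logged, not raised,
        so the returned object is always re-read from the API to reflect
        the server-side state.

        Args:
            name: Virtual-network name.
            proj_obj: Parent Project object.
            subnet: Subnet handed to ``_create_network_ipam``.
            ipam_name: Name of the IPAM to create.

        Returns:
            The VirtualNetwork as read back from the VNC API.
        """
        vn = VirtualNetwork(
            name=name, parent_obj=proj_obj,
            virtual_network_properties=VirtualNetworkType(forwarding_mode='l3'),
            address_allocation_mode='user-defined-subnet-only')

        try:
            vn_obj = self._vnc_lib.virtual_network_read(
                fq_name=vn.get_fq_name())
        except NoIdError:
            # Virtual network does not exist. Create one.
            vn_uuid = self._vnc_lib.virtual_network_create(vn)
            vn_obj = self._vnc_lib.virtual_network_read(id=vn_uuid)

        # The returned IPAM object is not used here; the call is kept for
        # its side effects (previously bound to an unused local).
        self._create_network_ipam(ipam_name, 'flat-subnet',
                                  subnet, proj_obj, vn_obj)
        try:
            self._vnc_lib.virtual_network_update(vn_obj)
        except Exception as e:
            # Deliberately best-effort: callers still get the server-side
            # object below. self.logger may be a project wrapper, so the
            # message is pre-formatted rather than passed as lazy args.
            self.logger.error("%s - failed to update virtual network %s %s. %s"
                              % (self._name, vn_obj.uuid, str(vn_obj.fq_name),
                                 str(e)))

        return self._vnc_lib.virtual_network_read(
            fq_name=vn_obj.get_fq_name())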
    def create_network(self, name, proj_obj, pod_subnet, service_subnet):
        """Return the cluster VN *name* under *proj_obj*, creating it if absent.

        The VN is L3 with user-defined subnets. Two IPAMs are set up via
        ``_create_network_ipam``: 'pod-ipam' (flat-subnet, *pod_subnet*)
        and 'service-ipam' (*service_subnet*). The VN update that follows
        is best-effort and only logged on failure. Finally the cluster
        service floating-IP pool is created on the VN through the
        VncKubernetes singleton.

        Returns:
            The VirtualNetwork as re-read from the VNC API.
        """
        template = VirtualNetwork(
            name=name, parent_obj=proj_obj,
            virtual_network_properties=VirtualNetworkType(forwarding_mode='l3'),
            address_allocation_mode='user-defined-subnet-only')

        try:
            vn_obj = self._vnc_lib.virtual_network_read(
                fq_name=template.get_fq_name())
        except NoIdError:
            # Not there yet: create from the template and read it back.
            new_uuid = self._vnc_lib.virtual_network_create(template)
            vn_obj = self._vnc_lib.virtual_network_read(id=new_uuid)

        pod_ipam_obj = self._create_network_ipam(
            'pod-ipam', 'flat-subnet', pod_subnet, proj_obj, vn_obj)
        self._create_network_ipam(
            'service-ipam', '', service_subnet, proj_obj, vn_obj)

        try:
            self._vnc_lib.virtual_network_update(vn_obj)
        except Exception as e:
            # Best-effort update; the failure is logged and the server-side
            # object is still returned.
            failure = "%s - failed to update virtual network %s %s. %s" % (
                self._name, vn_obj.uuid, str(vn_obj.fq_name), str(e))
            self.logger.error(failure)

        vn_obj = self._vnc_lib.virtual_network_read(
            fq_name=vn_obj.get_fq_name())
        kube_mgr = vnc_kubernetes.VncKubernetes.get_instance()
        kube_mgr._create_cluster_service_fip_pool(vn_obj, pod_ipam_obj)

        return vn_obj
    def test_context_undo_fail_db_update(self):
        """A failed DB update must leave the VMI's VN reference untouched.

        dbe_update is stubbed to report failure, which the API server turns
        into an HttpError; re-reading the VMI afterwards must still show the
        original VN as its only virtual-network ref (no partial write).
        """
        suffix = self.id()
        project = Project(name='p-{}'.format(suffix))
        self.api.project_create(project)

        original_vn = VirtualNetwork(name='og-vn-{}'.format(suffix),
                                     parent_obj=project)
        self.api.virtual_network_create(original_vn)

        vmi = VirtualMachineInterface('vmi-{}'.format(suffix),
                                      parent_obj=project)
        vmi.set_virtual_network(original_vn)
        self.api.virtual_machine_interface_create(vmi)
        vmi = self.api.virtual_machine_interface_read(id=vmi.uuid)

        # Point the VMI at a different VN; this update is going to fail.
        next_vn = VirtualNetwork(name='next-vn-{}'.format(suffix),
                                 parent_obj=project)
        next_vn.uuid = self.api.virtual_network_create(next_vn)
        vmi.set_virtual_network(next_vn)

        def failing_dbe_update(*args, **kwargs):
            return False, (500, "Fake error")

        mocks = [(self._api_server._db_conn, 'dbe_update', failing_dbe_update)]
        with ExpectedException(HttpError):
            with test_common.flexmocks(mocks):
                self.api.virtual_machine_interface_update(vmi)

        vmi = self.api.virtual_machine_interface_read(id=vmi.uuid)
        referenced = [ref['to'] for ref in vmi.get_virtual_network_refs()]

        self.assertEqual(len(referenced), 1)
        self.assertEqual(referenced[0], original_vn.get_fq_name())
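    def _create_virtual_network(self, vn_name, proj_obj, ipam_obj, \
                ipam_update, provider=None, subnets=None, \
                type='flat-subnet-only'):
        """Return the VN *vn_name* in *proj_obj*, creating it when missing.

        An existing network is returned exactly as read from the API and is
        not modified (updating an existing network is still unhandled). A
        new network gets *ipam_obj* attached, L3 forwarding, and either a
        reference to *provider* (ip-fabric forwarding) or the fabric-SNAT
        flag, and is cached via ``VirtualNetworkKM.locate`` after creation.

        Args:
            vn_name: Name of the virtual network.
            proj_obj: Parent Project object.
            ipam_obj: NetworkIpam to attach to a newly created network.
            ipam_update: Forces the IPAM attachment even when
                ``_is_ipam_exists`` reports it present.
            provider: Provider VN referenced when ip-fabric forwarding is on.
            subnets: VnSubnetsType used only for 'user-defined-subnet-only'.
            type: Address allocation mode. The name shadows the builtin but
                is part of the caller-visible signature, so it is kept.

        Returns:
            The VirtualNetwork as read back from the VNC API.
        """
        vn = VirtualNetwork(name=vn_name,
                            parent_obj=proj_obj,
                            address_allocation_mode=type)
        try:
            # Existing networks are returned untouched.
            return self._vnc_lib.virtual_network_read(
                fq_name=vn.get_fq_name())
        except NoIdError:
            # VN does not exist. Create one below.
            pass
        vn_obj = vn

        # Attach IPAM to virtual network.
        #
        # For flat-subnets, the subnets are specified on the IPAM and
        # not on the virtual-network to IPAM link. So pass an empty
        # list of VnSubnetsType.
        # For user-defined-subnets, use the provided subnets
        if ipam_update or \
           not self._is_ipam_exists(vn_obj, ipam_obj.get_fq_name()):
            if subnets and type == 'user-defined-subnet-only':
                vn_obj.add_network_ipam(ipam_obj, subnets)
            else:
                vn_obj.add_network_ipam(ipam_obj, VnSubnetsType([]))

        vn_obj.set_virtual_network_properties(
            VirtualNetworkType(forwarding_mode='l3'))

        # Only one fabric mode is applied: ip-fabric forwarding (a ref to
        # the provider VN) takes precedence over fabric SNAT. When
        # ip_fabric_forwarding is set but no provider is given, neither the
        # ref nor the SNAT flag is set - unchanged from the original flow.
        # The former `if not vn_exists ... else` here was dead code because
        # of the early return above.
        if self.ip_fabric_forwarding:
            if provider:
                # enable ip_fabric_forwarding
                vn_obj.add_virtual_network(provider)
        else:
            vn_obj.set_fabric_snat(bool(self.ip_fabric_snat))

        # Create VN.
        self._vnc_lib.virtual_network_create(vn_obj)

        vn_obj = self._vnc_lib.virtual_network_read(
            fq_name=vn_obj.get_fq_name())
        VirtualNetworkKM.locate(vn_obj.uuid)

        return vn_obj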
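    def _create_isolated_ns_virtual_network(self, ns_name, vn_name, proj_obj):
        """
        Create a virtual network for this namespace.

        The VN is an L3, flat-subnet network annotated with the namespace
        name and isolated='True'. If it already exists (RefsExistError on
        create) the server-side object is read back and used for every
        subsequent operation, so the update carries its uuid and existing
        state instead of the locally built object's. The cluster pod IPAM
        is attached, a policy towards the ip-fabric VN is created when that
        VN exists, and the network is cached and recorded in the namespace
        entry.

        Returns:
            The UUID of the (new or existing) virtual network.
        """
        vn = VirtualNetwork(name=vn_name,
                            parent_obj=proj_obj,
                            virtual_network_properties=VirtualNetworkType(
                                forwarding_mode='l3'),
                            address_allocation_mode='flat-subnet-only')

        # Add annotations on this isolated virtual-network.
        VirtualNetworkKM.add_annotations(self,
                                         vn,
                                         namespace=ns_name,
                                         name=ns_name,
                                         isolated='True')

        try:
            vn_uuid = self._vnc_lib.virtual_network_create(vn)
        except RefsExistError:
            # Already present: continue with the object as it exists on the
            # server. Previously the fresh local `vn` was updated instead,
            # which did not carry the existing object's uuid and refs.
            vn = self._vnc_lib.virtual_network_read(
                fq_name=vn.get_fq_name())
            vn_uuid = vn.uuid

        # Instance-Ip for pods on this VN, should be allocated from
        # cluster pod ipam. Attach the cluster pod-ipam object
        # to this virtual network.
        ipam_fq_name = vnc_kube_config.pod_ipam_fq_name()
        ipam_obj = self._vnc_lib.network_ipam_read(fq_name=ipam_fq_name)
        vn.add_network_ipam(ipam_obj, VnSubnetsType([]))

        # Update VN.
        self._vnc_lib.virtual_network_update(vn)
        try:
            ip_fabric_vn_obj = self._vnc_lib. \
                virtual_network_read(fq_name=self._ip_fabric_fq_name)
            self._create_attach_policy(proj_obj, ip_fabric_vn_obj, vn)
        except NoIdError:
            # No ip-fabric VN configured: nothing to attach.
            pass

        # Cache the virtual network.
        VirtualNetworkKM.locate(vn_uuid)

        # Cache network info in namespace entry.
        self._set_namespace_virtual_network(ns_name, vn.get_fq_name())

        return vn_uuid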
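    def _create_virtual_network(self, vn_name, proj_obj, ipam_obj, \
                ipam_update, provider=None, subnets=None, \
                type='flat-subnet-only'):
        """Return the VN *vn_name* in *proj_obj*, creating it when missing.

        An existing network is returned exactly as read from the API and is
        not modified (updating an existing network is still unhandled). A
        new network gets *ipam_obj* attached, L3 forwarding, and either a
        reference to *provider* (ip-fabric forwarding) or the fabric-SNAT
        flag, and is cached via ``VirtualNetworkKM.locate`` after creation.

        Args:
            vn_name: Name of the virtual network.
            proj_obj: Parent Project object.
            ipam_obj: NetworkIpam to attach to a newly created network.
            ipam_update: Forces the IPAM attachment even when
                ``_is_ipam_exists`` reports it present.
            provider: Provider VN referenced when ip-fabric forwarding is on.
            subnets: VnSubnetsType used only for 'user-defined-subnet-only'.
            type: Address allocation mode. The name shadows the builtin but
                is part of the caller-visible signature, so it is kept.

        Returns:
            The VirtualNetwork as read back from the VNC API.
        """
        vn = VirtualNetwork(name=vn_name, parent_obj=proj_obj,
                            address_allocation_mode=type)
        try:
            # Existing networks are returned untouched.
            return self._vnc_lib.virtual_network_read(
                fq_name=vn.get_fq_name())
        except NoIdError:
            # VN does not exist. Create one below.
            pass
        vn_obj = vn

        # Attach IPAM to virtual network.
        #
        # For flat-subnets, the subnets are specified on the IPAM and
        # not on the virtual-network to IPAM link. So pass an empty
        # list of VnSubnetsType.
        # For user-defined-subnets, use the provided subnets
        if ipam_update or \
           not self._is_ipam_exists(vn_obj, ipam_obj.get_fq_name()):
            if subnets and type == 'user-defined-subnet-only':
                vn_obj.add_network_ipam(ipam_obj, subnets)
            else:
                vn_obj.add_network_ipam(ipam_obj, VnSubnetsType([]))

        vn_obj.set_virtual_network_properties(
            VirtualNetworkType(forwarding_mode='l3'))

        # Only one fabric mode is applied: ip-fabric forwarding (a ref to
        # the provider VN) takes precedence over fabric SNAT. When
        # ip_fabric_forwarding is set but no provider is given, neither the
        # ref nor the SNAT flag is set - unchanged from the original flow.
        # The former `if not vn_exists ... else` here was dead code because
        # of the early return above.
        if self.ip_fabric_forwarding:
            if provider:
                # enable ip_fabric_forwarding
                vn_obj.add_virtual_network(provider)
        else:
            vn_obj.set_fabric_snat(bool(self.ip_fabric_snat))

        # Create VN.
        self._vnc_lib.virtual_network_create(vn_obj)

        vn_obj = self._vnc_lib.virtual_network_read(
            fq_name=vn_obj.get_fq_name())
        VirtualNetworkKM.locate(vn_obj.uuid)

        return vn_obj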
    def _create_isolated_ns_virtual_network(self, ns_name, vn_name,
                    proj_obj, ipam_obj=None, provider=None):
        """
        Create a virtual network for this namespace.

        The VN is an L3, flat-subnet network annotated with the namespace
        name and isolated='True'. If it already exists the server-side
        object is read back and used from then on. *ipam_obj* is attached
        with an empty subnet list; note it defaults to None but is passed
        to add_network_ipam unconditionally (TODO confirm callers always
        supply it). When *provider* is given, the namespace's ip-fabric
        forwarding setting (falling back to the global argument) decides
        whether a ref to the provider is added or every existing VN ref is
        removed. The VN is then updated and cached.

        Returns:
            The VirtualNetwork object that was created or updated.
        """
        vn = VirtualNetwork(
            name=vn_name, parent_obj=proj_obj,
            virtual_network_properties=VirtualNetworkType(forwarding_mode='l3'),
            address_allocation_mode='flat-subnet-only')

        # Annotate the VN with its namespace and mark it as isolated.
        VirtualNetworkKM.add_annotations(self, vn, namespace=ns_name,
                                         name=ns_name, isolated='True')

        try:
            vn_uuid = self._vnc_lib.virtual_network_create(vn)
        except RefsExistError:
            # Already present: work on the server-side object instead.
            vn = self._vnc_lib.virtual_network_read(fq_name=vn.get_fq_name())
            vn_uuid = vn.uuid

        # Pod instance-IPs on this VN come from the cluster pod IPAM; the
        # subnets live on the IPAM, so the link carries none.
        vn.add_network_ipam(ipam_obj, VnSubnetsType([]))

        if provider:
            ns_setting = self._get_ip_fabric_forwarding(ns_name)
            if ns_setting == True or ns_setting == False:
                # Explicit per-namespace setting wins.
                add_provider = bool(ns_setting)
            else:
                add_provider = self._args.ip_fabric_forwarding

            if add_provider:
                # enable ip-fabric-forwarding
                vn.add_virtual_network(provider)
            else:
                for ref in vn.get_virtual_network_refs() or []:
                    ref_obj = self._vnc_lib.virtual_network_read(id=ref['uuid'])
                    vn.del_virtual_network(ref_obj)

        # Push the changes and cache the VN.
        self._vnc_lib.virtual_network_update(vn)
        VirtualNetworkKM.locate(vn_uuid)

        return vn
    def test_basic_policy(self):
        """
        Attach one policy to two VNs and check that routing-instance refs
        appear in both directions, then detach and delete everything and
        check the refs and the VNs are gone.
        """
        # Two fresh VNs named after this test so parallel runs do not collide.
        networks = [VirtualNetwork(self.id() + suffix)
                    for suffix in ('vn1', 'vn2')]
        vn1_obj, vn2_obj = networks

        # One policy between the two VNs, attached to both with the same
        # sequence number.
        np = self.create_network_policy(vn1_obj, vn2_obj)
        vnp = VirtualNetworkPolicyType(SequenceType(1, 1))
        for vn in networks:
            vn.set_network_policy(np, vnp)
        for vn in networks:
            self._vnc_lib.virtual_network_create(vn)

        # Give the fake IF-MAP client time to publish each identifier before
        # looking it up in its graph -- a fixed delay, not a sync point.
        for vn in networks:
            ident_name = self.get_obj_imid(vn)
            gevent.sleep(2)
            self.assertThat(FakeIfmapClient._graph['8443'],
                            Contains(ident_name))

        ri1 = self.get_ri_name(vn1_obj)
        ri2 = self.get_ri_name(vn2_obj)
        # The policy must yield RI refs in both directions.
        self.check_ri_ref_present(ri1, ri2)
        self.check_ri_ref_present(ri2, ri1)

        # Detach the policy from both VNs; the refs must disappear.
        for vn in networks:
            vn.del_network_policy(np)
        for vn in networks:
            self._vnc_lib.virtual_network_update(vn)

        self.check_ri_refs_are_deleted(fq_name=ri2)

        # Tear down in dependency order: policy first, then the VNs.
        self.delete_network_policy(np)
        for vn in networks:
            self._vnc_lib.virtual_network_delete(fq_name=vn.get_fq_name())

        self.check_vn_is_deleted(uuid=vn1_obj.uuid)
        self.check_ri_is_deleted(fq_name=ri2)
    def _create_isolated_ns_virtual_network(self, ns_name, vn_name, proj_obj):
        """
        Create the isolated virtual network of a namespace and return its UUID.

        Args:
            ns_name: namespace the VN belongs to; used for the annotations
                and to record the VN fq_name on the namespace entry.
            vn_name: name of the VirtualNetwork object.
            proj_obj: parent project of the VN.

        Returns:
            UUID of the created VN, or of the already-existing VN with the
            same fq_name.
        """
        vn = VirtualNetwork(
            name=vn_name, parent_obj=proj_obj,
            virtual_network_properties=VirtualNetworkType(forwarding_mode='l3'),
            address_allocation_mode='flat-subnet-only')

        # Annotations identify this VN as the isolated network of ns_name.
        VirtualNetworkKM.add_annotations(self, vn, namespace=ns_name,
                                         name=ns_name, isolated='True')

        try:
            vn_uuid = self._vnc_lib.virtual_network_create(vn)
        except RefsExistError:
            # Already present: only its UUID is taken over.
            # NOTE(review): the update below is still sent with the locally
            # built `vn`, not the read-back object -- confirm that is intended.
            vn_uuid = self._vnc_lib.virtual_network_read(
                fq_name=vn.get_fq_name()).uuid

        # Pods on this VN get instance-IPs from the cluster pod IPAM, so it
        # is attached with no explicit subnets (flat-subnet-only mode).
        pod_ipam = self._vnc_lib.network_ipam_read(
            fq_name=vnc_kube_config.pod_ipam_fq_name())
        vn.add_network_ipam(pod_ipam, VnSubnetsType([]))

        self._vnc_lib.virtual_network_update(vn)

        # Populate the local VN cache and remember the VN on the namespace.
        VirtualNetworkKM.locate(vn_uuid)
        self._set_namespace_virtual_network(ns_name, vn.get_fq_name())

        return vn_uuid
    def test_basic_policy(self):
        """
        A policy attached to two VNs must create routing-instance refs in
        both directions; removing the policy and the VNs must clean them up.
        """
        first = VirtualNetwork(self.id() + 'vn1')
        second = VirtualNetwork(self.id() + 'vn2')

        policy = self.create_network_policy(first, second)
        attachment = VirtualNetworkPolicyType(SequenceType(1, 1))
        first.set_network_policy(policy, attachment)
        second.set_network_policy(policy, attachment)
        self._vnc_lib.virtual_network_create(first)
        self._vnc_lib.virtual_network_create(second)

        # Give the fake IF-MAP client time to publish each identifier before
        # looking it up in its graph (fixed delay, not a synchronisation).
        for vn in (first, second):
            ident = self.get_obj_imid(vn)
            gevent.sleep(2)
            self.assertThat(FakeIfmapClient._graph, Contains(ident))

        first_ri = self.get_ri_name(first)
        second_ri = self.get_ri_name(second)
        # Refs are expected in both directions.
        self.check_ri_ref_present(first_ri, second_ri)
        self.check_ri_ref_present(second_ri, first_ri)

        # Detach the policy; the refs on the second RI must go away.
        first.del_network_policy(policy)
        second.del_network_policy(policy)
        self._vnc_lib.virtual_network_update(first)
        self._vnc_lib.virtual_network_update(second)

        self.check_ri_refs_are_deleted(fq_name=second_ri)

        # Tear down in dependency order: the policy, then both VNs.
        self.delete_network_policy(policy)
        self._vnc_lib.virtual_network_delete(fq_name=first.get_fq_name())
        self._vnc_lib.virtual_network_delete(fq_name=second.get_fq_name())

        self.check_vn_is_deleted(uuid=first.uuid)
        self.check_ri_is_deleted(fq_name=second_ri)
    def create_network(self, name, proj_obj):
        """
        Return the VirtualNetwork called `name` under `proj_obj`, creating it
        when it does not exist yet.

        The VN is created as an L3, flat-subnet-only network.  The returned
        object is always the one read back from the API server, so it
        carries the server-assigned UUID.
        """
        template = VirtualNetwork(
            name=name,
            parent_obj=proj_obj,
            virtual_network_properties=VirtualNetworkType(forwarding_mode='l3'),
            address_allocation_mode='flat-subnet-only')
        fq_name = template.get_fq_name()
        try:
            return self._vnc_lib.virtual_network_read(fq_name=fq_name)
        except NoIdError:
            # Not found: create it and read it back by the new id.
            new_uuid = self._vnc_lib.virtual_network_create(template)
            return self._vnc_lib.virtual_network_read(id=new_uuid)
    def _create_isolated_ns_virtual_network(self, ns_name, vn_name,
            vn_type, proj_obj, ipam_obj=None, provider=None,
            enforce_policy=False):
        """
        Create or update the isolated virtual network of a namespace.

        Args:
            ns_name: namespace owning the VN (used for the annotations and
                for the fabric-SNAT lookup).
            vn_name: name of the VirtualNetwork object.
            vn_type: only 'pod-network' consults the namespace's ip-fabric
                SNAT setting; other types never enable fabric SNAT here.
            proj_obj: parent project of the VN.
            ipam_obj: IPAM attached (with an empty subnet list) on creation
                only.  The default ``None`` is passed through unchanged.
            provider: ip-fabric/provider VN.  On creation it is linked to
                the new VN; on update it is only used to detect whether that
                link already exists.
            enforce_policy: when true, tag the VN with the labels of the
                cluster application policy set.

        Returns:
            The VirtualNetwork read back from the API server after the
            create/update.
        """
        draft = VirtualNetwork(
            name=vn_name, parent_obj=proj_obj,
            virtual_network_properties=VirtualNetworkType(forwarding_mode='l3'),
            address_allocation_mode='flat-subnet-only')
        try:
            vn_obj = self._vnc_lib.virtual_network_read(
                fq_name=draft.get_fq_name())
            vn_exists = True
        except NoIdError:
            # Not there yet: the draft becomes the object to create.
            vn_obj = draft
            vn_exists = False

        # Fabric SNAT is a per-namespace choice and only for pod networks.
        fabric_snat = (vn_type == 'pod-network'
                       and bool(self._is_ip_fabric_snat_enabled(ns_name)))

        if vn_exists:
            # Existing VN: only the fabric-SNAT flag is reconciled.  It is
            # forced off while the VN is linked to the provider, so fabric
            # forwarding and fabric SNAT are never both on in this path.
            linked_to_provider = False
            if provider:
                ip_fabric_fq_name = provider.fq_name
                linked_to_provider = any(
                    ref['to'] == ip_fabric_fq_name
                    for ref in vn_obj.get_virtual_network_refs() or [])
            vn_obj.set_fabric_snat(fabric_snat and not linked_to_provider)
            self._vnc_lib.virtual_network_update(vn_obj)
            vn_uuid = vn_obj.get_uuid()
        else:
            # New VN: annotate it as ns_name's isolated network and attach
            # the pod IPAM with no explicit subnets (flat-subnet-only mode).
            VirtualNetworkKM.add_annotations(self, vn_obj, namespace=ns_name,
                                             name=ns_name, isolated='True')
            vn_obj.add_network_ipam(ipam_obj, VnSubnetsType([]))
            if provider:
                # ip-fabric forwarding: link the provider VN; SNAT stays unset.
                vn_obj.add_virtual_network(provider)
            else:
                vn_obj.set_fabric_snat(fabric_snat)
            vn_uuid = self._vnc_lib.virtual_network_create(vn_obj)
            # Populate the local VN cache.
            VirtualNetworkKM.locate(vn_uuid)

        vn_obj = self._vnc_lib.virtual_network_read(id=vn_uuid)

        if enforce_policy:
            # VN-level security policy is applied by tagging the VN with the
            # labels of the cluster application policy set.
            self._vnc_lib.set_tags(
                vn_obj,
                self._labels.get_labels_dict(VncSecurityPolicy.cluster_aps_uuid))

        return vn_obj
    def test_provider_network(self):
        """
        Provider-network (ip-fabric) linking rules and their implicit ACLs.

        Verify:
            1. Check creating a non-provider VNs with
               non-provider VNs connected to it is not allowed
            2. Check a non provider-VN can not be created
               with is_provider_network property set to True
            3. Check is_provider_network property of a
               provider-VN is True by default
            4. Check is_provider_network property of a
               provider-VN can be set as True
            5. Check is_provider_network property of provider-VN
               can not be set as False
            6. Check is_provider_network property of non provider-VN
               can  not be set as True
            7. Check is_provider_network property of non provider-VN
               can be set as False
            8. Check setting other parameters of a non provider-VN
               is not affected
            9. Check db_resync sets is_provider_network property
               of provider-VN as True (simulating upgrade case)
            10. Check non provider VNs can be added to
                provider VN
            11. Check the provider-VN can be added to a VN
            12. Check non provider-VN can not be added to a VN
            13. Check many VNs can be linked to the provider-VN
            14. Check (provider-vn -> any-VN),DENY acl rule is added to
                the provider-VN
            15. Check (VN -> provider-VN),DENY acl rule is added to
                the VN
            16. Adding a (VN -> provider-VN),PASS acl rule at VN removes
                (VN -> provider-VN),DENY acl rule

        Assumption: ip-fabric VN is the provider-VN
        """
        # Four VNs named after this test; vn1..vn3 are created now, vn4 is
        # kept unsaved so the create-time rejections can be exercised on it.
        vn1_name = self.id() + '_vn1'
        vn2_name = self.id() + '_vn2'
        vn3_name = self.id() + '_vn3'
        vn4_name = self.id() + '_vn4'
        vn1_obj1 = VirtualNetwork(vn1_name)
        vn2_obj1 = VirtualNetwork(vn2_name)
        vn3_obj1 = VirtualNetwork(vn3_name)
        vn4_obj1 = VirtualNetwork(vn4_name)
        self._vnc_lib.virtual_network_create(vn1_obj1)
        self._vnc_lib.virtual_network_create(vn2_obj1)
        self._vnc_lib.virtual_network_create(vn3_obj1)

        # (1) a non-provider VN can not be created while it links another
        # non-provider VN -- first with vn3 linked, then with vn2 as well.
        vn4_obj1.add_virtual_network(vn3_obj1)
        self.assertRaises(BadRequest, self._vnc_lib.virtual_network_create,
                          vn4_obj1)

        vn4_obj1.add_virtual_network(vn2_obj1)
        self.assertRaises(BadRequest, self._vnc_lib.virtual_network_create,
                          vn4_obj1)

        # Drop the disallowed links again before the next attempts.
        vn4_obj1.del_virtual_network(vn3_obj1)
        vn4_obj1.del_virtual_network(vn2_obj1)

        # (2) is_provider_network=True is rejected at create time on a
        # non-provider VN
        vn4_obj1.set_is_provider_network(True)
        self.assertRaises(BadRequest, self._vnc_lib.virtual_network_create,
                          vn4_obj1)

        # is_provider_network=False is accepted, so vn4 is finally created
        vn4_obj1.set_is_provider_network(False)
        self._vnc_lib.virtual_network_create(vn4_obj1)

        # (8) other properties of a non-provider VN still update while no
        # provider VN is connected to it
        vn4_obj1.set_mac_aging_time(400)
        self._vnc_lib.virtual_network_update(vn4_obj1)

        # (3) the ip-fabric VN is the provider-VN and already reports
        # is_provider_network=True without anyone setting it
        provider_fq_name = ['default-domain', 'default-project', 'ip-fabric']
        provider_vn = self._vnc_lib.virtual_network_read(
            fq_name=provider_fq_name)
        self.assertEqual(provider_vn.get_is_provider_network(), True)

        # (4) re-setting True on the provider-VN is accepted
        # (it is the only value allowed, see the next step)
        provider_vn.set_is_provider_network(True)
        self._vnc_lib.virtual_network_update(provider_vn)

        # (5) False is rejected on the provider-VN
        provider_vn.set_is_provider_network(False)
        self.assertRaises(BadRequest, self._vnc_lib.virtual_network_update,
                          provider_vn)

        # (7) False is accepted on a non-provider VN
        vn4_obj1.set_is_provider_network(False)
        self._vnc_lib.virtual_network_update(vn4_obj1)

        # (6) True is rejected on a non-provider VN, also at update time
        vn4_obj1.set_is_provider_network(True)
        self.assertRaises(BadRequest, self._vnc_lib.virtual_network_update,
                          vn4_obj1)

        # (9) db_resync must (re)derive is_provider_network=True on the
        # provider-VN; this stands in for an upgrade from a DB that
        # predates the property
        self._api_server._db_conn.db_resync()
        provider_vn = self._vnc_lib.virtual_network_read(
            fq_name=provider_fq_name)
        self.assertEqual(provider_vn.get_is_provider_network(), True)

        # (10)/(13) several non-provider VNs can be linked from the
        # provider-VN side.  The fixed sleep gives the server time to
        # commit the refs -- a timing assumption, not a sync point.
        provider_vn.add_virtual_network(vn2_obj1)
        provider_vn.add_virtual_network(vn3_obj1)
        self._vnc_lib.virtual_network_update(provider_vn)
        gevent.sleep(5)
        provider_vn = self._vnc_lib.virtual_network_read(
            fq_name=provider_vn.get_fq_name())
        self.assertEqual(len(provider_vn.virtual_network_refs), 2)
        linked_uuids = [
            ref['uuid'] for ref in provider_vn.virtual_network_refs
        ]
        self.assertIn(vn3_obj1.uuid, linked_uuids)
        self.assertIn(vn2_obj1.uuid, linked_uuids)
        # Throw away the schema transformer's cached VirtualNetworkST
        # objects and rebuild them (presumably from the API server); the
        # links and the implicit ACL rules below must survive that reinit.
        VirtualNetworkST._dict = {}
        VirtualNetworkST.reinit()
        provider_vn = self._vnc_lib.virtual_network_read(
            fq_name=provider_vn.get_fq_name())
        vn3_obj1 = self._vnc_lib.virtual_network_read(
            fq_name=vn3_obj1.get_fq_name())
        vn2_obj1 = self._vnc_lib.virtual_network_read(
            fq_name=vn2_obj1.get_fq_name())
        self.assertEqual(len(provider_vn.virtual_network_refs), 2)
        linked_uuids = [
            ref['uuid'] for ref in provider_vn.virtual_network_refs
        ]
        self.assertIn(vn3_obj1.uuid, linked_uuids)
        self.assertIn(vn2_obj1.uuid, linked_uuids)
        # (14) implicit (provider-vn -> any) DENY on the provider's RI
        self.check_acl_implicit_deny_rule(
            fq_name=self.get_ri_name(provider_vn),
            src_vn=':'.join(provider_fq_name),
            dst_vn='any')
        # (15) implicit (VN -> provider-vn) DENY on each linked VN's RI.
        # This default-deny is what keeps a linked VN from reaching the
        # provider network until a policy explicitly allows it (step 16).
        self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn2_obj1),
                                          src_vn=vn2_obj1.get_fq_name_str(),
                                          dst_vn=':'.join(provider_fq_name))
        self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn3_obj1),
                                          src_vn=vn3_obj1.get_fq_name_str(),
                                          dst_vn=':'.join(provider_fq_name))

        # (11) linking the provider-VN from the VN side works and yields
        # the same implicit DENY toward the provider-VN
        vn1_obj1.add_virtual_network(provider_vn)
        self._vnc_lib.virtual_network_update(vn1_obj1)
        gevent.sleep(2)
        vn1_obj2 = self._vnc_lib.virtual_network_read(
            fq_name=vn1_obj1.get_fq_name())
        self.assertEqual(vn1_obj2.virtual_network_refs[0]['to'],
                         provider_fq_name)
        self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn1_obj2),
                                          src_vn=vn1_obj2.get_fq_name_str(),
                                          dst_vn=':'.join(provider_fq_name))

        # (8) other properties still update while a provider VN is connected
        vn1_obj2.set_mac_aging_time(400)
        self._vnc_lib.virtual_network_update(vn1_obj2)

        # Attach an explicit icmp <> policy between vn1 and vn2 to vn1; the
        # next step checks that a policy does not loosen the link rule.
        vn1_to_vn2_rule = {
            "protocol": "icmp",
            "direction": "<>",
            "src": {
                "type": "vn",
                "value": vn1_obj2
            },
            "dst": [{
                "type": "vn",
                "value": vn2_obj1
            }],
            "action": "pass"
        }
        np = self.create_network_policy_with_multiple_rules([vn1_to_vn2_rule])
        seq = SequenceType(1, 1)
        vnp = VirtualNetworkPolicyType(seq)
        vn1_obj2.set_network_policy(np, vnp)
        self._vnc_lib.virtual_network_update(vn1_obj2)
        vn1_obj3 = self._vnc_lib.virtual_network_read(
            fq_name=vn1_obj2.get_fq_name())

        # (12) a non-provider VN still can not be linked from vn1, even with
        # the provider link and the policy in place; the stored refs are
        # unchanged (only the provider-VN, not vn2)
        vn1_obj3.add_virtual_network(vn2_obj1)
        self.assertRaises(BadRequest, self._vnc_lib.virtual_network_update,
                          vn1_obj3)
        vn1_obj4 = self._vnc_lib.virtual_network_read(
            fq_name=vn1_obj3.get_fq_name())
        self.assertEqual(vn1_obj4.virtual_network_refs[0]['to'],
                         provider_fq_name)
        self.assertNotEqual(vn1_obj4.virtual_network_refs[0]['to'],
                            vn2_obj1.get_fq_name())

        # Attach an explicit (provider -> vn1) PASS policy to the provider-VN:
        # its implicit (provider-vn -> any) DENY must still be present.
        provider_to_vn1_rule = {
            "protocol": "icmp",
            "direction": ">",
            "src": {
                "type": "vn",
                "value": provider_vn
            },
            "dst": [{
                "type": "vn",
                "value": vn1_obj4
            }],
            "action": "pass"
        }
        np = self.create_network_policy_with_multiple_rules(
            [provider_to_vn1_rule])
        seq = SequenceType(1, 1)
        vnp = VirtualNetworkPolicyType(seq)
        provider_vn.set_network_policy(np, vnp)
        self._vnc_lib.virtual_network_update(provider_vn)
        self.check_acl_implicit_deny_rule(
            fq_name=self.get_ri_name(provider_vn),
            src_vn=':'.join(provider_fq_name),
            dst_vn='any')

        # vn1's implicit (VN -> provider-vn) DENY is also still there: a
        # PASS policy on the provider side does not open the VN side
        self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn1_obj4),
                                          src_vn=':'.join(
                                              vn1_obj4.get_fq_name()),
                                          dst_vn=':'.join(provider_fq_name))

        # (16) an explicit (vn1 -> provider) PASS policy attached at vn1
        # replaces vn1's implicit DENY with an allow rule
        vn1_to_provider_rule = {
            "protocol": "any",
            "direction": ">",
            "src": {
                "type": "vn",
                "value": vn1_obj4
            },
            "dst": [{
                "type": "vn",
                "value": provider_vn
            }],
            "action": "pass"
        }
        np = self.create_network_policy_with_multiple_rules(
            [vn1_to_provider_rule])
        seq = SequenceType(1, 1)
        vnp = VirtualNetworkPolicyType(seq)
        vn1_obj4.set_network_policy(np, vnp)
        self._vnc_lib.virtual_network_update(vn1_obj4)
        vn1_obj5 = self._vnc_lib.virtual_network_read(
            fq_name=vn1_obj4.get_fq_name())
        self.check_acl_no_implicit_deny_rule(
            fq_name=self.get_ri_name(vn1_obj5),
            src_vn=':'.join(vn1_obj5.get_fq_name()),
            dst_vn=':'.join(provider_fq_name))
        self.check_acl_allow_rule(fq_name=self.get_ri_name(vn1_obj5),
                                  src_vn=':'.join(vn1_obj5.get_fq_name()),
                                  dst_vn=':'.join(provider_fq_name))

        # ... but leaves the provider-VN's own (provider-vn -> any) DENY
        # untouched
        self.check_acl_implicit_deny_rule(
            fq_name=self.get_ri_name(provider_vn),
            src_vn=':'.join(provider_fq_name),
            dst_vn='any')
    def test_policy_in_policy(self):
        """
        A policy rule whose destination is another network policy (np2)
        must resolve to the VNs that policy is attached to, and must be
        re-evaluated when a VN detaches from np2 -- as the RI-ref and ACL
        checks below exercise.
        """
        vn1_name = self.id() + 'vn1'
        vn2_name = self.id() + 'vn2'
        vn3_name = self.id() + 'vn3'
        vn1_obj = VirtualNetwork(vn1_name)
        vn2_obj = VirtualNetwork(vn2_name)

        # Two policies: np1 between vn1 and vn2, np2 the other way round.
        np1 = self.create_network_policy(vn1_obj, vn2_obj)
        np2 = self.create_network_policy(vn2_obj, vn1_obj)

        # Rewrite np1's first rule so its destination is no longer a VN but
        # the policy np2 (policy-in-policy).
        np1.network_policy_entries.policy_rule[0].dst_addresses[
            0].virtual_network = None
        np1.network_policy_entries.policy_rule[0].dst_addresses[
            0].network_policy = np2.get_fq_name_str()
        np1.set_network_policy_entries(np1.network_policy_entries)
        self._vnc_lib.network_policy_update(np1)

        # np2's first rule gets a 'local' source.
        # NOTE(review): the next line pushes np1's entries into np2, so the
        # 'local' edit just made on np2 is discarded and np2 ends up with
        # np1's rules (destination = np2 itself).  If that is not intended
        # the argument should be np2.network_policy_entries -- confirm
        # against the expected ACLs before changing it.
        np2.network_policy_entries.policy_rule[0].src_addresses[
            0].virtual_network = 'local'
        np2.set_network_policy_entries(np1.network_policy_entries)
        self._vnc_lib.network_policy_update(np2)
        seq = SequenceType(1, 1)
        vnp = VirtualNetworkPolicyType(seq)
        vn1_obj.set_network_policy(np1, vnp)
        vn2_obj.set_network_policy(np2, vnp)
        self._vnc_lib.virtual_network_create(vn1_obj)
        self._vnc_lib.virtual_network_create(vn2_obj)

        # RI refs are expected in both directions: vn1 -> vn2 via np1
        # (presumably np2 resolving to vn2, the VN carrying it) and
        # vn2 -> vn1 via np2.
        self.check_ri_ref_present(self.get_ri_name(vn1_obj),
                                  self.get_ri_name(vn2_obj))
        self.check_ri_ref_present(self.get_ri_name(vn2_obj),
                                  self.get_ri_name(vn1_obj))

        # A third VN that also carries np2 must get a ref to vn1 as well.
        vn3_obj = VirtualNetwork(vn3_name)
        vn3_obj.set_network_policy(np2, vnp)
        self._vnc_lib.virtual_network_create(vn3_obj)

        self.check_ri_ref_present(self.get_ri_name(vn3_obj),
                                  self.get_ri_name(vn1_obj))

        # Detach np2 from vn3: vn1's ACL must stop mentioning vn3.
        vn3_obj.del_network_policy(np2)
        self._vnc_lib.virtual_network_update(vn3_obj)

        # retries(5) re-runs the check; it raises while a rule with vn3 as
        # destination is still present in vn1's ACL.
        @retries(5)
        def _match_acl_rule():
            acl = self._vnc_lib.access_control_list_read(
                fq_name=self.get_ri_name(vn1_obj))
            for rule in acl.get_access_control_list_entries().get_acl_rule():
                if (rule.match_condition.dst_address.virtual_network ==
                        vn3_obj.get_fq_name_str()):
                    raise Exception("ACL rule still present")

        _match_acl_rule()

        # Tear down: detach policies, delete them, then delete the VNs.
        vn1_obj.del_network_policy(np1)
        vn2_obj.del_network_policy(np2)
        self._vnc_lib.virtual_network_update(vn1_obj)
        self._vnc_lib.virtual_network_update(vn2_obj)
        self.delete_network_policy(np1)
        self.delete_network_policy(np2)
        self._vnc_lib.virtual_network_delete(fq_name=vn1_obj.get_fq_name())
        self._vnc_lib.virtual_network_delete(fq_name=vn2_obj.get_fq_name())
        self._vnc_lib.virtual_network_delete(fq_name=vn3_obj.get_fq_name())

        self.check_vn_is_deleted(uuid=vn1_obj.uuid)
    def test_provider_network(self):
        '''
        Verify:
            1. Check creating a non-provider VNs with
               non-provider VNs connected to it is not allowed
            2. Check a non provider-VN can not be created
               with is_provider_network property set to True
            3. Check is_provider_network property of a
               provider-VN is True by default
            4. Check is_provider_network property of a
               provider-VN can be set as True
            5. Check is_provider_network property of provider-VN
               can not be set as False
            6. Check is_provider_network property of non provider-VN
               can  not be set as True
            7. Check is_provider_network property of non provider-VN
               can be set as False
            8. Check setting other parameters of a non provider-VN
               is not affected
            9. Check db_resync sets is_provider_network property
               of provider-VN as True (simulating upgrade case)
            10. Check non provider VNs can be added to
               provider VN
            11. Check the provider-VN can be added to a VN
            12. Check non provider-VN can not be added to a VN
            13. Check many VNs can be linked to the provider-VN
            14. Check (provider-vn -> any-VN),DENY acl rule is added to
               the provider-VN
            15. Check (VN -> provider-VN),DENY acl rule is added to
               the VN
            16. Adding a (VN -> provider-VN),PASS acl rule at VN removes
               (VN -> provider-VN),DENY acl rule
        Assumption: ip-fabric VN is the provider-VN
        '''
        # create two VNs - vn1, vn2
        vn1_name = self.id() + '_vn1'
        vn2_name = self.id() + '_vn2'
        vn3_name = self.id() + '_vn3'
        vn4_name = self.id() + '_vn4'
        vn1_obj1 = VirtualNetwork(vn1_name)
        vn2_obj1 = VirtualNetwork(vn2_name)
        vn3_obj1 = VirtualNetwork(vn3_name)
        vn4_obj1 = VirtualNetwork(vn4_name)
        self._vnc_lib.virtual_network_create(vn1_obj1)
        self._vnc_lib.virtual_network_create(vn2_obj1)
        self._vnc_lib.virtual_network_create(vn3_obj1)

        # try creating non provider_vn with linked
        # non provider_vn (linked before creating)
        vn4_obj1.add_virtual_network(vn3_obj1)
        self.assertRaises(BadRequest,
                          self._vnc_lib.virtual_network_create,
                          vn4_obj1)

        vn4_obj1.add_virtual_network(vn2_obj1)
        self.assertRaises(BadRequest,
                          self._vnc_lib.virtual_network_create,
                          vn4_obj1)

        # remove vn3_obj1 and vn2_obj1
        # as its not allowed
        vn4_obj1.del_virtual_network(vn3_obj1)
        vn4_obj1.del_virtual_network(vn2_obj1)

        # set is_provider_network on a non provider-vn
        # and try creating it
        vn4_obj1.set_is_provider_network(True)
        self.assertRaises(BadRequest,
                          self._vnc_lib.virtual_network_create,
                          vn4_obj1)

        # set it as False and retry creating it
        vn4_obj1.set_is_provider_network(False)
        self._vnc_lib.virtual_network_create(vn4_obj1)

        # Check updating other parameters of a non provider VN
        # when no provider VN is not connected
        vn4_obj1.set_mac_aging_time(400)
        self._vnc_lib.virtual_network_update(vn4_obj1)

        # retrieve provider network, assuming ip-fabric for now
        provider_fq_name = ['default-domain', 'default-project', 'ip-fabric']
        provider_vn = self._vnc_lib.virtual_network_read(
                fq_name=provider_fq_name)
        self.assertEqual(provider_vn.get_is_provider_network(), True)

        # check is_provider_network of provider_vn
        # can be set to True (ie only as its default)
        provider_vn.set_is_provider_network(True)
        self._vnc_lib.virtual_network_update(provider_vn)

        # check is_provider_network of provider_vn
        # can not be set to False
        provider_vn.set_is_provider_network(False)
        self.assertRaises(BadRequest,
                          self._vnc_lib.virtual_network_update,
                          provider_vn)

        # check is_provider_network of non provider_vn
        # can be set to False
        vn4_obj1.set_is_provider_network(False)
        self._vnc_lib.virtual_network_update(vn4_obj1)

        # check is_provider_network of non provider_vn
        # can not be set to True
        vn4_obj1.set_is_provider_network(True)
        self.assertRaises(BadRequest,
                          self._vnc_lib.virtual_network_update,
                          vn4_obj1)

        # check db_resync sets is_provider_network property
        # as True in provider-vn
        self._api_server._db_conn.db_resync()
        provider_vn = self._vnc_lib.virtual_network_read(
                fq_name=provider_fq_name)
        self.assertEqual(provider_vn.get_is_provider_network(), True)

        # check adding vn3 and vn2 to provider vn
        provider_vn.add_virtual_network(vn2_obj1)
        provider_vn.add_virtual_network(vn3_obj1)
        self._vnc_lib.virtual_network_update(provider_vn)
        gevent.sleep(5)
        provider_vn = self._vnc_lib.virtual_network_read(
                fq_name=provider_vn.get_fq_name())
        self.assertEqual(len(provider_vn.virtual_network_refs), 2)
        linked_uuids = [ref['uuid'] for ref in
                        provider_vn.virtual_network_refs]
        self.assertIn(vn3_obj1.uuid, linked_uuids)
        self.assertIn(vn2_obj1.uuid, linked_uuids)
        config_db.VirtualNetworkST._dict = {}
        config_db.VirtualNetworkST.reinit()
        provider_vn = self._vnc_lib.virtual_network_read(
                fq_name=provider_vn.get_fq_name())
        vn3_obj1 = self._vnc_lib.virtual_network_read(
                fq_name=vn3_obj1.get_fq_name())
        vn2_obj1 = self._vnc_lib.virtual_network_read(
                fq_name=vn2_obj1.get_fq_name())
        self.assertEqual(len(provider_vn.virtual_network_refs), 2)
        linked_uuids = [ref['uuid'] for ref in
                        provider_vn.virtual_network_refs]
        self.assertIn(vn3_obj1.uuid, linked_uuids)
        self.assertIn(vn2_obj1.uuid, linked_uuids)
        self.check_acl_implicit_deny_rule(
                fq_name=self.get_ri_name(provider_vn),
                src_vn=':'.join(provider_fq_name),
                dst_vn='any')
        self.check_acl_implicit_deny_rule(
                fq_name=self.get_ri_name(vn2_obj1),
                src_vn=vn2_obj1.get_fq_name_str(),
                dst_vn=':'.join(provider_fq_name))
        self.check_acl_implicit_deny_rule(
                fq_name=self.get_ri_name(vn3_obj1),
                src_vn=vn3_obj1.get_fq_name_str(),
                dst_vn=':'.join(provider_fq_name))

        # check adding provider vn to vn1 works
        vn1_obj1.add_virtual_network(provider_vn)
        self._vnc_lib.virtual_network_update(vn1_obj1)
        gevent.sleep(2)
        vn1_obj2 = self._vnc_lib.virtual_network_read(
                fq_name=vn1_obj1.get_fq_name())
        self.assertEqual(vn1_obj2.virtual_network_refs[0]['to'],
                         provider_fq_name)
        self.check_acl_implicit_deny_rule(
                fq_name=self.get_ri_name(vn1_obj2),
                src_vn=vn1_obj2.get_fq_name_str(),
                dst_vn=':'.join(provider_fq_name))

        # Check updating other parameters of a non provider VN
        # when a provider VN is connected
        vn1_obj2.set_mac_aging_time(400)
        self._vnc_lib.virtual_network_update(vn1_obj2)

        # create a policy to allow icp between vn1 <> vn2
        # and update vn1
        vn1_to_vn2_rule = {"protocol": "icmp",
                           "direction": "<>",
                           "src": {"type": "vn", "value": vn1_obj2},
                           "dst": [{"type": "vn", "value": vn2_obj1}],
                           "action": "pass"}
        np = self.create_network_policy_with_multiple_rules([vn1_to_vn2_rule])
        seq = SequenceType(1, 1)
        vnp = VirtualNetworkPolicyType(seq)
        vn1_obj2.set_network_policy(np, vnp)
        self._vnc_lib.virtual_network_update(vn1_obj2)
        vn1_obj3 = self._vnc_lib.virtual_network_read(
                fq_name=vn1_obj2.get_fq_name())

        # check linking a non provider network is not allowed
        vn1_obj3.add_virtual_network(vn2_obj1)
        self.assertRaises(BadRequest,
                          self._vnc_lib.virtual_network_update,
                          vn1_obj3)
        vn1_obj4 = self._vnc_lib.virtual_network_read(
                fq_name=vn1_obj3.get_fq_name())
        self.assertEqual(vn1_obj4.virtual_network_refs[0]['to'],
                         provider_fq_name)
        self.assertNotEqual(vn1_obj4.virtual_network_refs[0]['to'],
                            vn2_obj1.get_fq_name())

        # check the provider-network got a deny rule to any VN
        provider_to_vn1_rule = {"protocol": "icmp",
                                "direction": ">",
                                "src": {"type": "vn", "value": provider_vn},
                                "dst": [{"type": "vn", "value": vn1_obj4}],
                                "action": "pass"}
        np = self.create_network_policy_with_multiple_rules(
                [provider_to_vn1_rule])
        seq = SequenceType(1, 1)
        vnp = VirtualNetworkPolicyType(seq)
        provider_vn.set_network_policy(np, vnp)
        self._vnc_lib.virtual_network_update(provider_vn)
        self.check_acl_implicit_deny_rule(
                fq_name=self.get_ri_name(provider_vn),
                src_vn=':'.join(provider_fq_name),
                dst_vn='any')

        # check the network connected to provider-network
        # got a deny rule to provider-network
        self.check_acl_implicit_deny_rule(
                fq_name=self.get_ri_name(vn1_obj4),
                src_vn=':'.join(vn1_obj4.get_fq_name()),
                dst_vn=':'.join(provider_fq_name))

        # add an explicit policy to allow traffic to provider network
        # and the implicit deny is removed
        vn1_to_provider_rule = {"protocol": "any",
                                "direction": ">",
                                "src": {"type": "vn", "value": vn1_obj4},
                                "dst": [{"type": "vn", "value": provider_vn}],
                                "action": "pass"}
        np = self.create_network_policy_with_multiple_rules(
                [vn1_to_provider_rule])
        seq = SequenceType(1, 1)
        vnp = VirtualNetworkPolicyType(seq)
        vn1_obj4.set_network_policy(np, vnp)
        self._vnc_lib.virtual_network_update(vn1_obj4)
        vn1_obj5 = self._vnc_lib.virtual_network_read(
                fq_name=vn1_obj4.get_fq_name())
        self.check_acl_no_implicit_deny_rule(
                fq_name=self.get_ri_name(vn1_obj5),
                src_vn=':'.join(vn1_obj5.get_fq_name()),
                dst_vn=':'.join(provider_fq_name))
        self.check_acl_allow_rule(
                fq_name=self.get_ri_name(vn1_obj5),
                src_vn=':'.join(vn1_obj5.get_fq_name()),
                dst_vn=':'.join(provider_fq_name))

        # adding explicit policy to allow traffic to provider network
        # do not change deny rule in provider network
        self.check_acl_implicit_deny_rule(
                fq_name=self.get_ri_name(provider_vn),
                src_vn=':'.join(provider_fq_name),
                dst_vn='any')
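    def test_public_snat_routes(self):
        """Check the SNAT default route programmed when a logical router is
        extended to an external (router_external) network.

        Setup: a private VN with a VMI, a public VN marked router_external,
        and a logical router that owns the VMI and is extended to the public
        VN. The test then expects a service instance to appear, a 0.0.0.0/0
        static route to be present in the routing instance of that SI's
        second interface, tagged with the LR's configured route targets plus
        the LR's own route target, and the route to be re-tagged when the
        configured list changes. Detaching the public VN must remove the SI.
        """
        # create private vn
        vn_private_name = self.id() + 'vn1'
        vn_private = self.create_virtual_network(vn_private_name, "1.0.0.0/24")

        # create virtual machine interface
        vmi_name = self.id() + 'vmi1'
        vmi = VirtualMachineInterface(vmi_name, parent_type='project',
                        fq_name=['default-domain', 'default-project', vmi_name])
        vmi.add_virtual_network(vn_private)
        self._vnc_lib.virtual_machine_interface_create(vmi)

        # create public vn
        vn_public_name = 'vn-public'
        vn_public = VirtualNetwork(vn_public_name)
        vn_public.set_router_external(True)
        ipam_obj = NetworkIpam('ipam')
        self._vnc_lib.network_ipam_create(ipam_obj)
        vn_public.add_network_ipam(ipam_obj, VnSubnetsType(
            [IpamSubnetType(SubnetType("192.168.7.0", 24))]))
        self._vnc_lib.virtual_network_create(vn_public)

        # create logical router, set route targets,
        # add private network and extend lr to public network
        lr_name = self.id() + 'lr1'
        lr = LogicalRouter(lr_name)
        rtgt_list = RouteTargetList(route_target=['target:1:1'])
        lr.set_configured_route_target_list(rtgt_list)
        lr.add_virtual_machine_interface(vmi)
        lr.add_virtual_network(vn_public)
        self._vnc_lib.logical_router_create(lr)

        # The helpers below raise while the expected state is not reached
        # yet; @retries presumably re-invokes them on Exception (the
        # original "sr is None" path already relied on that).

        @retries(5)
        def _match_route_table(rtgt_list, ri_name, absent_rtgts=()):
            """Assert the default route in *ri_name* carries every target in
            *rtgt_list* and none of *absent_rtgts*."""
            lri = self._vnc_lib.routing_instance_read(
                fq_name_str=ri_name)
            sr = lri.get_static_route_entries()
            if sr is None:
                raise Exception("sr is None")
            route = sr.route[0]
            self.assertEqual(route.prefix, "0.0.0.0/0")
            # NOTE(review): next hop is presumably the SI's address in the
            # SNAT-internal VN — confirm against the transformer's SNAT setup
            self.assertEqual(route.next_hop, "100.64.0.4")
            for rtgt in rtgt_list:
                self.assertIn(rtgt, route.route_target)
            # A target removed from the LR must not linger on the route:
            # it would keep exporting the default route into every VRF
            # that still imports that target.
            for rtgt in absent_rtgts:
                self.assertNotIn(rtgt, route.route_target)

        @retries(5)
        def _wait_to_get_si():
            """Return the first listed service instance once one exists."""
            si_list = self._vnc_lib.service_instances_list()
            si = si_list.get("service-instances")[0]
            si = self._vnc_lib.service_instance_read(id=si.get("uuid"))
            return si

        @retries(5)
        def _wait_to_delete_si():
            """Raise (to be retried) while a service instance still exists.

            The raise has to sit outside the try: inside it, the bare
            ``raise`` was itself caught by the except clause, so the wait
            never retried and always passed immediately.
            """
            si_list = self._vnc_lib.service_instances_list()
            try:
                si_uuid = si_list.get("service-instances")[0].get("uuid")
                self._vnc_lib.service_instance_read(id=si_uuid)
            except Exception:
                # nothing listed, or listed but no longer readable: gone
                return
            raise Exception("service instance %s still exists" % si_uuid)

        @retries(5)
        def _wait_to_delete_ip(vn_fq_name):
            """Raise (to be retried) while *vn_fq_name* still has
            instance-ip back-refs."""
            vn = self._vnc_lib.virtual_network_read(fq_name=vn_fq_name)
            ip_refs = vn.get_instance_ip_back_refs()
            if ip_refs:
                raise Exception("instance-ips still present on %s"
                                % ':'.join(vn_fq_name))
            return
        # end

        si = _wait_to_get_si()
        si_props = si.get_service_instance_properties().get_interface_list()[1]
        # routing instance fq name = VN fq name + VN name
        ri_name = si_props.virtual_network + ":" + si_props.virtual_network.split(':')[-1]
        lr_rtgt = self._vnc_lib.logical_router_read(id=lr.uuid).route_target_refs[0]['to'][0]
        _match_route_table(['target:1:1', lr_rtgt], ri_name)

        # replacing the configured list must re-tag the route: the new
        # target and the LR's own target present, the old one gone
        rtgt_list = RouteTargetList(route_target=['target:2:2'])
        lr.set_configured_route_target_list(rtgt_list)
        self._vnc_lib.logical_router_update(lr)
        _match_route_table(['target:2:2', lr_rtgt], ri_name,
                           absent_rtgts=['target:1:1'])

        lr.del_virtual_network(vn_public)
        self._vnc_lib.logical_router_update(lr)
        _wait_to_delete_si()

        #cleanup
        self._vnc_lib.logical_router_delete(fq_name=lr.get_fq_name())
        self._vnc_lib.virtual_machine_interface_delete(fq_name=vmi.get_fq_name())
        _wait_to_delete_ip(vn_private.get_fq_name())
        self._vnc_lib.virtual_network_delete(fq_name=vn_private.get_fq_name())
        _wait_to_delete_ip(vn_public.get_fq_name())
        self._vnc_lib.virtual_network_delete(fq_name=vn_public.get_fq_name())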
    def _create_isolated_ns_virtual_network(self,
                                            ns_name,
                                            vn_name,
                                            vn_type,
                                            proj_obj,
                                            ipam_obj=None,
                                            provider=None,
                                            enforce_policy=False):
        """
        Create or update the isolated virtual network of a namespace.

        The VN is modelled as an L3-only, flat-subnet network under
        proj_obj, annotated with the namespace it belongs to and attached
        to ipam_obj so pod instance-ips are allocated from the cluster
        pod ipam.

        Args:
            ns_name: namespace the VN belongs to; used for the annotations
                and for the ip-fabric SNAT lookup.
            vn_name: VN name within proj_obj.
            vn_type: only 'pod-network' is consulted for the SNAT decision.
            proj_obj: parent project object.
            ipam_obj: network-ipam attached to the VN. It is handed straight
                to add_network_ipam, so NOTE(review): the None default is
                not usable in practice; callers must pass a real ipam.
            provider: provider (ip-fabric) VN. A newly created VN is linked
                to it instead of getting fabric SNAT; an existing VN is only
                inspected for that link, never re-linked here.
            enforce_policy: when True, tag the VN with the cluster
                application-policy-set labels so security policy is
                enforced at VN level.

        Returns:
            The VN object re-read from the API server after create/update.
        """
        template = VirtualNetwork(name=vn_name,
                                  parent_obj=proj_obj,
                                  virtual_network_properties=VirtualNetworkType(
                                      forwarding_mode='l3'),
                                  address_allocation_mode='flat-subnet-only')
        try:
            vn_obj = self._vnc_lib.virtual_network_read(
                fq_name=template.get_fq_name())
        except NoIdError:
            # Not found: the template is what gets created below.
            vn_obj = template
            vn_exists = False
        else:
            vn_exists = True

        # Annotations are applied to the template object, so on the update
        # path they only reach the API server if vn_obj is the template.
        # NOTE(review): confirm whether an existing VN should be re-annotated.
        VirtualNetworkKM.add_annotations(self,
                                         template,
                                         namespace=ns_name,
                                         name=ns_name,
                                         isolated='True')
        # Pod instance-ips must come from the cluster pod ipam.
        vn_obj.add_network_ipam(ipam_obj, VnSubnetsType([]))

        # Fabric SNAT is only ever considered for the pod network.
        fabric_snat = (vn_type == 'pod-network'
                       and bool(self._is_ip_fabric_snat_enabled(ns_name)))

        if vn_exists:
            # An existing VN keeps whatever provider link it has; SNAT is
            # switched on only when it is not linked to the ip-fabric VN.
            linked_to_fabric = False
            if provider:
                linked_to_fabric = any(
                    ref['to'] == provider.fq_name
                    for ref in vn_obj.get_virtual_network_refs() or [])
            vn_obj.set_fabric_snat(bool(fabric_snat and not linked_to_fabric))
            self._vnc_lib.virtual_network_update(vn_obj)
            vn_uuid = vn_obj.get_uuid()
        else:
            if provider:
                # Link to the provider VN: ip-fabric forwarding instead of SNAT.
                vn_obj.add_virtual_network(provider)
            else:
                vn_obj.set_fabric_snat(fabric_snat)
            vn_uuid = self._vnc_lib.virtual_network_create(vn_obj)
            # Populate the VN cache.
            VirtualNetworkKM.locate(vn_uuid)

        vn_obj = self._vnc_lib.virtual_network_read(id=vn_uuid)

        if enforce_policy:
            # Attach the cluster APS labels so security policy is enforced
            # at the virtual-network level.
            self._vnc_lib.set_tags(
                vn_obj,
                self._labels.get_labels_dict(
                    VncSecurityPolicy.cluster_aps_uuid))

        return vn_obj
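    def test_public_snat_routes(self):
        """Check the SNAT default route programmed when a logical router is
        extended to an external (router_external) network.

        Setup: a private VN with a VMI, a public VN marked router_external,
        and a logical router that owns the VMI and is extended to the public
        VN. A service instance is expected to appear, a 0.0.0.0/0 static
        route to be present in the routing instance of that SI's second
        interface tagged with the LR's configured route targets plus the
        LR's own route target, and the route to be re-tagged when the
        configured list changes. Detaching the public VN must remove the SI.
        """
        # create private vn
        vn_private_name = self.id() + 'vn1'
        vn_private = self.create_virtual_network(vn_private_name, "1.0.0.0/24")

        # create virtual machine interface
        vmi_name = self.id() + 'vmi1'
        vmi = VirtualMachineInterface(
            vmi_name,
            parent_type='project',
            fq_name=['default-domain', 'default-project', vmi_name])
        vmi.add_virtual_network(vn_private)
        self._vnc_lib.virtual_machine_interface_create(vmi)

        # create public vn
        vn_public_name = 'vn-public'
        vn_public = VirtualNetwork(vn_public_name)
        vn_public.set_router_external(True)
        ipam_obj = NetworkIpam('ipam')
        self._vnc_lib.network_ipam_create(ipam_obj)
        vn_public.add_network_ipam(
            ipam_obj,
            VnSubnetsType([IpamSubnetType(SubnetType("192.168.7.0", 24))]))
        self._vnc_lib.virtual_network_create(vn_public)

        # create logical router, set route targets,
        # add private network and extend lr to public network
        lr_name = self.id() + 'lr1'
        lr = LogicalRouter(lr_name)
        rtgt_list = RouteTargetList(route_target=['target:1:1'])
        lr.set_configured_route_target_list(rtgt_list)
        lr.add_virtual_machine_interface(vmi)
        lr.add_virtual_network(vn_public)
        self._vnc_lib.logical_router_create(lr)

        # The helpers below raise while the expected state is not reached
        # yet; @retries presumably re-invokes them on Exception (the
        # original "sr is None" path already relied on that).

        @retries(5)
        def _match_route_table(rtgt_list, ri_name, absent_rtgts=()):
            """Assert the default route in *ri_name* carries every target in
            *rtgt_list* and none of *absent_rtgts*."""
            lri = self._vnc_lib.routing_instance_read(fq_name_str=ri_name)
            sr = lri.get_static_route_entries()
            if sr is None:
                raise Exception("sr is None")
            route = sr.route[0]
            self.assertEqual(route.prefix, "0.0.0.0/0")
            # NOTE(review): next hop is presumably the SI's address in the
            # SNAT-internal VN — confirm against the transformer's SNAT setup
            self.assertEqual(route.next_hop, "100.64.0.4")
            for rtgt in rtgt_list:
                self.assertIn(rtgt, route.route_target)
            # A target removed from the LR must not linger on the route:
            # it would keep exporting the default route into every VRF
            # that still imports that target.
            for rtgt in absent_rtgts:
                self.assertNotIn(rtgt, route.route_target)

        @retries(5)
        def _wait_to_get_si():
            """Return the first listed service instance once one exists."""
            si_list = self._vnc_lib.service_instances_list()
            si = si_list.get("service-instances")[0]
            si = self._vnc_lib.service_instance_read(id=si.get("uuid"))
            return si

        @retries(5)
        def _wait_to_delete_si():
            """Raise (to be retried) while a service instance still exists.

            The raise has to sit outside the try: inside it, the bare
            ``raise`` was itself caught by ``except Exception``, so the wait
            never retried and always passed immediately.
            """
            si_list = self._vnc_lib.service_instances_list()
            try:
                si_uuid = si_list.get("service-instances")[0].get("uuid")
                self._vnc_lib.service_instance_read(id=si_uuid)
            except Exception:
                # nothing listed, or listed but no longer readable: gone
                return
            raise Exception("service instance %s still exists" % si_uuid)

        @retries(5)
        def _wait_to_delete_ip(vn_fq_name):
            """Raise (to be retried) while *vn_fq_name* still has
            instance-ip back-refs."""
            vn = self._vnc_lib.virtual_network_read(fq_name=vn_fq_name)
            ip_refs = vn.get_instance_ip_back_refs()
            if ip_refs:
                raise Exception("instance-ips still present on %s"
                                % ':'.join(vn_fq_name))
            return

        # end

        si = _wait_to_get_si()
        si_props = si.get_service_instance_properties().get_interface_list()[1]
        # routing instance fq name = VN fq name + VN name
        ri_name = si_props.virtual_network + ":" + \
            si_props.virtual_network.split(':')[-1]
        lr_rtgt = self._vnc_lib.logical_router_read(
            id=lr.uuid).route_target_refs[0]['to'][0]
        _match_route_table(['target:1:1', lr_rtgt], ri_name)

        # replacing the configured list must re-tag the route: the new
        # target and the LR's own target present, the old one gone
        rtgt_list = RouteTargetList(route_target=['target:2:2'])
        lr.set_configured_route_target_list(rtgt_list)
        self._vnc_lib.logical_router_update(lr)
        _match_route_table(['target:2:2', lr_rtgt], ri_name,
                           absent_rtgts=['target:1:1'])

        lr.del_virtual_network(vn_public)
        self._vnc_lib.logical_router_update(lr)
        _wait_to_delete_si()

        # cleanup
        self._vnc_lib.logical_router_delete(fq_name=lr.get_fq_name())
        self._vnc_lib.virtual_machine_interface_delete(
            fq_name=vmi.get_fq_name())
        _wait_to_delete_ip(vn_private.get_fq_name())
        self._vnc_lib.virtual_network_delete(fq_name=vn_private.get_fq_name())
        _wait_to_delete_ip(vn_public.get_fq_name())
        self._vnc_lib.virtual_network_delete(fq_name=vn_public.get_fq_name())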