def _prepare_vms(self): sgs = [self.safe_client.create_security_group(self.tenant_id) for _ in range(2)] port1 = self.safe_client.create_port( self.tenant_id, self.network['id'], self.environment.hosts[0].hostname, device_owner="compute:test_ovs_dhcp", security_groups=[sgs[0]['id']]) port2 = self.safe_client.create_port( self.tenant_id, self.network['id'], self.environment.hosts[0].hostname, device_owner="compute:test_ovs_dhcp", security_groups=[sgs[1]['id']]) # insert security-group-rules allow icmp self.safe_client.create_security_group_rule( self.tenant_id, sgs[0]['id'], direction=constants.INGRESS_DIRECTION, ethertype=constants.IPv4, protocol=constants.PROTO_NAME_ICMP) self.safe_client.create_security_group_rule( self.tenant_id, sgs[0]['id'], direction=constants.INGRESS_DIRECTION, ethertype=constants.IPv6, protocol=constants.PROTO_NAME_ICMP) # insert security-group-rules allow icmp self.safe_client.create_security_group_rule( self.tenant_id, sgs[1]['id'], direction=constants.INGRESS_DIRECTION, ethertype=constants.IPv4, protocol=constants.PROTO_NAME_ICMP) self.safe_client.create_security_group_rule( self.tenant_id, sgs[1]['id'], direction=constants.INGRESS_DIRECTION, ethertype=constants.IPv6, protocol=constants.PROTO_NAME_ICMP) vm1 = self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[0], self.network['id'], self.tenant_id, self.safe_client, neutron_port=port1, use_dhcp=True, use_dhcp6=True)) vm2 = self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[0], self.network['id'], self.tenant_id, self.safe_client, neutron_port=port2, use_dhcp=True, use_dhcp6=True)) return machine.FakeFullstackMachinesList([vm1, vm2])
def _boot_fake_vm_in_network(self, host, tenant_id, network_id, wait=True): vm = self.useFixture( machine.FakeFullstackMachine( host, network_id, tenant_id, self.safe_client, use_dhcp=True)) if wait: vm.block_until_boot() return vm
def _prepare_vm_with_qos_policy(self, limit, burst): qos_policy = self._create_qos_policy() qos_policy_id = qos_policy['id'] rule = self.safe_client.create_bandwidth_limit_rule( self.tenant_id, qos_policy_id, limit, burst) # Make it consistent with GET reply qos_policy['rules'].append(rule) rule['type'] = qos_consts.RULE_TYPE_BANDWIDTH_LIMIT rule['qos_policy_id'] = qos_policy_id port = self.safe_client.create_port( self.tenant_id, self.network['id'], self.environment.hosts[0].hostname, qos_policy_id) vm = self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[0], self.network['id'], self.tenant_id, self.safe_client, neutron_port=port)) return vm, qos_policy
def test_l3_network_connectivity(self): tenant_uuid = uuidutils.generate_uuid() bgpvpn = self.safe_client.create_bgpvpn(tenant_uuid, route_targets=['64512:1']) network_ids = list() for subnet_cidr in (base.SUBNET_CIDR1, base.SUBNET_CIDR2): network_ids.append( self._create_net_subnet_bgpvpn_assoc(tenant_uuid, subnet_cidr, bgpvpn['id'])[0] ) fake_machines = list() for network_id in network_ids: fake_machines.extend([ self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[i], network_id, tenant_uuid, self.safe_client)) for i in range(self.compute_node_count)*self.port_per_compute_per_net]) vms = machine.FakeFullstackMachinesList(fake_machines) vms.block_until_all_boot() vms.ping_all()
def test_vm_port_rebound_when_L2_agent_revived(self): """Test scenario 1. Create port which will be properly bound to host 2. Stop L2 agent and wait until it will be DEAD 3. Create another port - it should have "binding_failed" 4. Turn on L2 agent 5. Port from p.3 should be bound properly after L2 agent will be UP """ vm_1 = self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[0], self.network['id'], self.tenant_id, self.safe_client)) vm_1.block_until_boot() self._ensure_port_bound(vm_1.neutron_port['id']) vm_1_port = self.safe_client.client.show_port( vm_1.neutron_port['id'])['port'] self.l2_agent_process = self.environment.hosts[0].l2_agent self.l2_agent = self.safe_client.client.list_agents( agent_type=self.l2_agent_type)['agents'][0] self.l2_agent_process.stop() self._wait_until_agent_down(self.l2_agent['id']) vm_2 = self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[0], self.network['id'], self.tenant_id, self.safe_client)) self._ensure_port_binding_failed(vm_2.neutron_port['id']) vm_2_port = self.safe_client.client.show_port( vm_2.neutron_port['id'])['port'] # check if vm_1 port is still bound as it was before self._ensure_port_bound(vm_1.neutron_port['id']) # and that revision number of vm_1's port wasn't changed self.assertEqual( vm_1_port['revision_number'], self.safe_client.client.show_port( vm_1_port['id'])['port']['revision_number']) self.l2_agent_process.start() self._wait_until_agent_up(self.l2_agent['id']) self._ensure_port_bound(vm_2_port['id'])
def _prepare_vms_in_net(self, tenant_uuid, network): vms = machine.FakeFullstackMachinesList( self.useFixture( machine.FakeFullstackMachine(host, network['id'], tenant_uuid, self.safe_client)) for host in self.environment.hosts) vms.block_until_all_boot() return vms
def _spawn_vm(self): host = random.choice(self.environment.hosts) vm = self.useFixture( machine.FakeFullstackMachine(host, self.network['id'], self.project_id, self.safe_client, use_dhcp=True)) vm.block_until_boot() return vm
def create_vm_in_network(self, network): """Create a fake machine in given network.""" return self.useFixture( machine.FakeFullstackMachine( self.host, network.id, self.tenant_id, self.safe_client ) )
def _prepare_vms(self): port1 = self.safe_client.create_port( self.project_id, self.network['id'], self.environment.hosts[0].hostname, device_owner="compute:test_local_ip") port2 = self.safe_client.create_port( self.project_id, self.network['id'], self.environment.hosts[0].hostname, device_owner="compute:test_local_ip") port3 = self.safe_client.create_port( self.project_id, self.network['id'], self.environment.hosts[1].hostname, device_owner="compute:test_local_ip") vm1 = self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[0], self.network['id'], self.project_id, self.safe_client, neutron_port=port1)) vm2 = self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[0], self.network['id'], self.project_id, self.safe_client, neutron_port=port2)) vm_diff_host = self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[1], self.network['id'], self.project_id, self.safe_client, neutron_port=port3)) return machine.FakeFullstackMachinesList([vm1, vm2, vm_diff_host])
def _prepare_vms_in_net(self, tenant_uuid, network, use_dhcp=False): vms = machine.FakeFullstackMachinesList( self.useFixture( machine.FakeFullstackMachine(host, network['id'], tenant_uuid, self.safe_client, use_dhcp=use_dhcp)) for host in self.environment.hosts) vms.block_until_all_boot() if use_dhcp: vms.block_until_all_dhcp_config_done() return vms
def _create_vm_on_host( self, project_id, network_id, sg_id, host, mac_address=None): if mac_address: port = self.safe_client.create_port( project_id, network_id, host.hostname, security_groups=[sg_id], mac_address=mac_address) else: port = self.safe_client.create_port( project_id, network_id, host.hostname, security_groups=[sg_id]) return self.useFixture( machine.FakeFullstackMachine( host, network_id, project_id, self.safe_client, neutron_port=port))
def _create_resources(self, tenant_uuid, subnet_cidr, stateful=True): if self.firewall_driver == 'iptables_hybrid': # The iptables_hybrid driver lacks isolation between agents index_to_host = [0] * 4 else: index_to_host = [0, 1, 1, 0] network = self.safe_client.create_network(tenant_uuid) self.safe_client.create_subnet(tenant_uuid, network['id'], subnet_cidr) sgs = [ self.safe_client.create_security_group(tenant_uuid, stateful=stateful) for i in range(3) ] ports = [ self.safe_client.create_port(tenant_uuid, network['id'], self.environment.hosts[host].hostname, security_groups=[], port_security_enabled=False) for host in index_to_host ] self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3333, port_range_max=3333) vms = [ self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[host], network['id'], tenant_uuid, self.safe_client, neutron_port=ports[port], use_dhcp=True)) for port, host in enumerate(index_to_host) ] map(lambda vm: vm.block_until_boot(), vms) map(lambda vm: vm.block_until_dhcp_config_done(), vms) return vms, ports, sgs, network, index_to_host
def _create_net_subnet_and_vm(self, tenant_id, cidr, host, router): network = self.safe_client.create_network(tenant_id) subnet = self.safe_client.create_subnet(tenant_id, network['id'], cidr, enable_dhcp=False) vm = self.useFixture( machine.FakeFullstackMachine(host, network['id'], tenant_id, self.safe_client)) vm.block_until_boot() router_interface_info = self.safe_client.add_router_interface( router['id'], subnet['id']) self.block_until_port_status_active(router_interface_info['port_id']) return vm
def _create_network_subnet_and_vm(self): self.network = self.safe_client.create_network(self.project_id) self.subnet = self.safe_client.create_subnet(self.project_id, self.network['id'], cidr='10.0.0.0/24', gateway_ip='10.0.0.1', name='subnet-test', enable_dhcp=True) self.vm = self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[0], self.network['id'], self.project_id, self.safe_client, use_dhcp=True)) self.vm.block_until_boot()
def test_connectivity(self): tenant_uuid = uuidutils.generate_uuid() network = self.safe_client.create_network(tenant_uuid) self.safe_client.create_subnet(tenant_uuid, network['id'], base.SUBNET_CIDR1) vms = machine.FakeFullstackMachinesList([ self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[i], network['id'], tenant_uuid, self.safe_client)) for i in range(3) ]) vms.block_until_all_boot() vms.ping_all()
def test_l3_router_connectivity(self): tenant_uuid = uuidutils.generate_uuid() bgpvpn = self.safe_client.create_bgpvpn(tenant_uuid, route_targets=['64512:1']) network1 = self.safe_client.create_network(tenant_uuid) subnet1 = self.safe_client.create_subnet( tenant_uuid, network1['id'], '10.0.0.0/24') network2 = self.safe_client.create_network(tenant_uuid) subnet2 = self.safe_client.create_subnet( tenant_uuid, network2['id'], '20.0.0.0/24') router = self.safe_client.create_router(tenant_uuid) self.safe_client.add_router_interface(router['id'], subnet1['id']) self.safe_client.add_router_interface(router['id'], subnet2['id']) self.safe_client.create_router_association(tenant_uuid, bgpvpn['id'], router['id']) network3 = self.safe_client.create_network(tenant_uuid) self.safe_client.create_subnet( tenant_uuid, network3['id'], '30.0.0.0/24') self.safe_client.create_network_association(tenant_uuid, bgpvpn['id'], network3['id']) fake_machines = list() for network in (network1, network2, network3): fake_machines.extend([ self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[i], network['id'], tenant_uuid, self.safe_client)) for i in range(self.compute_node_count)*self.port_per_compute_per_net]) vms = machine.FakeFullstackMachinesList(fake_machines) vms.block_until_all_boot() vms.ping_all()
def _prepare_vm_with_qos_policy(self, rule_add_functions): qos_policy = self._create_qos_policy() qos_policy_id = qos_policy['id'] port = self.safe_client.create_port(self.tenant_id, self.network['id'], self.environment.hosts[0].hostname, qos_policy_id) for rule_add in rule_add_functions: rule_add(qos_policy) vm = self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[0], self.network['id'], self.tenant_id, self.safe_client, neutron_port=port)) return vm, qos_policy
def test_connectivity(self): tenant_uuid = uuidutils.generate_uuid() network = self.safe_client.create_network(tenant_uuid) self.safe_client.create_subnet(tenant_uuid, network['id'], '20.0.0.0/24') vms = [ self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[i], network['id'], tenant_uuid, self.safe_client)) for i in range(2) ] for vm in vms: vm.block_until_boot() vms[0].block_until_ping(vms[1].ip)
def _create_net_subnet_and_vm(self, tenant_id, subnet_cidrs, host, router): network = self.safe_client.create_network(tenant_id) for cidr in subnet_cidrs: # For IPv6 subnets, enable_dhcp should be set to true. enable_dhcp = (netaddr.IPNetwork(cidr).version == constants.IP_VERSION_6) subnet = self.safe_client.create_subnet( tenant_id, network['id'], cidr, enable_dhcp=enable_dhcp) router_interface_info = self.safe_client.add_router_interface( router['id'], subnet['id']) self.block_until_port_status_active( router_interface_info['port_id']) vm = self.useFixture( machine.FakeFullstackMachine( host, network['id'], tenant_id, self.safe_client)) vm.block_until_boot() return vm
def _prepare_resources(self): self.tenant_uuid = uuidutils.generate_uuid() network = self.safe_client.create_network(self.tenant_uuid) self.safe_client.create_subnet(self.tenant_uuid, network['id'], '20.0.0.0/24', enable_dhcp=False) vms = machine.FakeFullstackMachinesList( self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[0], network['id'], self.tenant_uuid, self.safe_client, use_dhcp=False)) for i in range(2)) vms.block_until_all_boot() for vm in vms: self._add_icmp_security_group_rule(vm) return vms
def test_dscp_marking_packets(self): # Create port (vm) which will be used to received and test packets receiver_port = self.safe_client.create_port( self.tenant_id, self.network['id'], self.environment.hosts[1].hostname) receiver = self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[1], self.network['id'], self.tenant_id, self.safe_client, neutron_port=receiver_port)) # Create port with qos policy attached sender, qos_policy = self._prepare_vm_with_qos_policy( [functools.partial(self._add_dscp_rule, DSCP_MARK)]) sender.block_until_boot() receiver.block_until_boot() self._wait_for_dscp_marking_rule_applied(sender, DSCP_MARK) l2_extensions.wait_for_dscp_marked_packet(sender, receiver, DSCP_MARK)
def test_securitygroup(self): """Tests if a security group rules are working, by confirming that 0. traffic is allowed when port security is disabled, 1. connection from outside of allowed security group is blocked 2. connection from allowed security group is permitted 3. traffic not explicitly allowed (eg. ICMP) is blocked, 4. a security group update takes effect, 5. a security group update for entire port range works 6. a remote security group member addition works, and 7. an established connection stops by deleting a SG rule. 8. multiple overlapping remote rules work, 9. test other protocol functionality by using SCTP protocol 10. test two vms with same mac on the same host in different networks 11. test using multiple security groups 12. test stateless security groups when firewall driver is iptables or iptables_hybrid. """ tenant_uuid = uuidutils.generate_uuid() subnet_cidr = '20.0.0.0/24' vms, ports, sgs, network, index_to_host = self._create_resources( tenant_uuid, subnet_cidr) # 0. check that traffic is allowed when port security is disabled self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) vms[0].block_until_ping(vms[1].ip) vms[0].block_until_ping(vms[2].ip) vms[1].block_until_ping(vms[2].ip) # Apply security groups to the ports for port, sg in zip(ports, self.index_to_sg): self.safe_client.client.update_port( port['id'], body={ 'port': { 'port_security_enabled': True, 'security_groups': [sgs[sg]['id']] } }) # 1. connection from outside of allowed security group is blocked netcat = net_helpers.NetcatTester(vms[2].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # Wait until port update takes effect on the ports common_utils.wait_until_true( netcat.test_no_connectivity, exception=AssertionError( "Still can connect to the VM from different host.")) netcat.stop_processes() # 2. check if connection from allowed security group is permitted self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # 3. check if traffic not explicitly allowed (eg. ICMP) is blocked vms[0].block_until_no_ping(vms[1].ip) vms[0].block_until_no_ping(vms[2].ip) vms[1].block_until_no_ping(vms[2].ip) # 4. check if a security group update takes effect self.assert_no_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) rule1 = self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3344, port_range_max=3344) self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) # 5. check if a security group update for entire port range works self.client.delete_security_group_rule(rule1['id']) self.assert_no_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) self.assert_no_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.TCP) rule1 = self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=1, port_range_max=65535) self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.TCP) self.client.delete_security_group_rule(rule1['id']) # 6. check if a remote security group member addition works rule2 = self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[1]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3355, port_range_max=3355) self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip, 3355, net_helpers.NetcatTester.TCP) # 7. check if an established connection stops by deleting # the supporting SG rule. index_to_host.append(index_to_host[2]) self.index_to_sg.append(1) ports.append( self.safe_client.create_port( tenant_uuid, network['id'], self.environment.hosts[index_to_host[-1]].hostname, security_groups=[sgs[1]['id']])) vms.append( self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[index_to_host[-1]], network['id'], tenant_uuid, self.safe_client, neutron_port=ports[-1], use_dhcp=True))) self.assertEqual(5, len(vms)) vms[4].block_until_boot() netcat = net_helpers.NetcatTester(vms[4].namespace, vms[0].namespace, vms[0].ip, 3355, net_helpers.NetcatTester.TCP) self.addCleanup(netcat.stop_processes) self.assertTrue(netcat.test_connectivity()) self.client.delete_security_group_rule(rule2['id']) common_utils.wait_until_true(lambda: netcat.test_no_connectivity(), sleep=8) netcat.stop_processes() # 8. check if multiple overlapping remote rules work self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[1]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3333, port_range_max=3333) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[2]['id'], direction='ingress', ethertype=constants.IPv4) for i in range(2): self.assert_connection(vms[0].namespace, vms[1].namespace, vms[1].ip, 3333, net_helpers.NetcatTester.TCP) self.assert_connection(vms[2].namespace, vms[1].namespace, vms[1].ip, 3333, net_helpers.NetcatTester.TCP) self.assert_connection(vms[3].namespace, vms[0].namespace, vms[0].ip, 8080, net_helpers.NetcatTester.TCP) # 9. check SCTP is supported by security group self.assert_no_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.SCTP) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NUM_SCTP, port_range_min=3366, port_range_max=3366) self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.SCTP) # 10. test two vms with same mac on the same host in different networks self._test_overlapping_mac_addresses() # 11. Check using multiple security groups self._test_using_multiple_security_groups() # 12. test stateless security groups when firewall driver is iptables # or iptables_hybrid. # TODO(njohnston): Re-add the iptables here once it is stable if self.firewall_driver == 'iptables_hybrid': self._test_stateless_security_groups()
def test_securitygroup(self): """Tests if a security group rules are working, by confirming that 0. traffic is allowed when port security is disabled, 1. connection from outside of allowed security group is blocked 2. connection from allowed security group is permitted 3. traffic not explicitly allowed (eg. ICMP) is blocked, 4. a security group update takes effect, 5. a remote security group member addition works, and 6. an established connection stops by deleting a SG rule. 7. multiple overlapping remote rules work, 8. test other protocol functionality by using SCTP protocol 9. test two vms with same mac on the same host in different networks """ index_to_sg = [0, 0, 1, 2] if self.firewall_driver == 'iptables_hybrid': # The iptables_hybrid driver lacks isolation between agents index_to_host = [0] * 4 else: index_to_host = [0, 1, 1, 0] tenant_uuid = uuidutils.generate_uuid() network = self.safe_client.create_network(tenant_uuid) self.safe_client.create_subnet(tenant_uuid, network['id'], '20.0.0.0/24') sgs = [ self.safe_client.create_security_group(tenant_uuid) for i in range(3) ] ports = [ self.safe_client.create_port(tenant_uuid, network['id'], self.environment.hosts[host].hostname, security_groups=[], port_security_enabled=False) for host in index_to_host ] self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3333, port_range_max=3333) vms = [ self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[host], network['id'], tenant_uuid, self.safe_client, neutron_port=ports[port], use_dhcp=True)) for port, host in enumerate(index_to_host) ] for vm in vms: vm.block_until_boot() # 0. check that traffic is allowed when port security is disabled self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) net_helpers.assert_ping(vms[0].namespace, vms[1].ip) net_helpers.assert_ping(vms[0].namespace, vms[2].ip) net_helpers.assert_ping(vms[1].namespace, vms[2].ip) # Apply security groups to the ports for port, sg in zip(ports, index_to_sg): self.safe_client.client.update_port( port['id'], body={ 'port': { 'port_security_enabled': True, 'security_groups': [sgs[sg]['id']] } }) # 1. connection from outside of allowed security group is blocked netcat = net_helpers.NetcatTester(vms[2].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # Wait until port update takes effect on the ports common_utils.wait_until_true( netcat.test_no_connectivity, exception=AssertionError( "Still can connect to the VM from different host.")) netcat.stop_processes() # 2. check if connection from allowed security group is permitted self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # 3. check if traffic not explicitly allowed (eg. ICMP) is blocked net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip) net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip) net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip) # 4. check if a security group update takes effect self.assert_no_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3344, port_range_max=3344) self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) # 5. check if a remote security group member addition works rule2 = self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[1]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3355, port_range_max=3355) self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip, 3355, net_helpers.NetcatTester.TCP) # 6. check if an established connection stops by deleting # the supporting SG rule. index_to_host.append(index_to_host[2]) index_to_sg.append(1) ports.append( self.safe_client.create_port( tenant_uuid, network['id'], self.environment.hosts[index_to_host[-1]].hostname, security_groups=[sgs[1]['id']])) vms.append( self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[index_to_host[-1]], network['id'], tenant_uuid, self.safe_client, neutron_port=ports[-1], use_dhcp=True))) self.assertEqual(5, len(vms)) vms[4].block_until_boot() netcat = net_helpers.NetcatTester(vms[4].namespace, vms[0].namespace, vms[0].ip, 3355, net_helpers.NetcatTester.TCP) self.addCleanup(netcat.stop_processes) self.assertTrue(netcat.test_connectivity()) self.client.delete_security_group_rule(rule2['id']) common_utils.wait_until_true(lambda: netcat.test_no_connectivity(), sleep=8) netcat.stop_processes() # 7. check if multiple overlapping remote rules work self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[1]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3333, port_range_max=3333) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[2]['id'], direction='ingress', ethertype=constants.IPv4) for i in range(2): self.assert_connection(vms[0].namespace, vms[1].namespace, vms[1].ip, 3333, net_helpers.NetcatTester.TCP) self.assert_connection(vms[2].namespace, vms[1].namespace, vms[1].ip, 3333, net_helpers.NetcatTester.TCP) self.assert_connection(vms[3].namespace, vms[0].namespace, vms[0].ip, 8080, net_helpers.NetcatTester.TCP) # 8. check SCTP is supported by security group self.assert_no_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.SCTP) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NUM_SCTP, port_range_min=3366, port_range_max=3366) self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.SCTP) # 9. test two vms with same mac on the same host in different networks self._test_overlapping_mac_addresses()
def test_l2_network_connectivity(self): # create <n> fake machines in 2 different networks, all using # the same IP subnet, and check that each machine can reach all the # others. We create machines so that we confirm that connectivity # still works *inside* a given network, both locally on a compute # node, and across different compute nodes if self.evpn_driver is 'dummy': self.skipTest("L2VPN unsupported for this scenario") tenant_uuid = uuidutils.generate_uuid() bgpvpn = self.safe_client.create_bgpvpn(tenant_uuid, type="l2", route_targets=['64512:10']) fake_machines = list() for network in range(2): # we'll use the same subnet range for all networks, but # choose in this range distinct IP addresses for each fake machine network_id, subnet_id = self._create_net_subnet_bgpvpn_assoc( tenant_uuid, base.SUBNET_CIDR1, bgpvpn['id'] ) for compute, port_i in itertools.product( range(self.compute_node_count), range(self.port_per_compute_per_net)): # NOTE(tmorin): choice of fixed IP done this way for sake # of simplicity, of course, this breaks e.g. for # compute_node_count > 10 fixed_ip = (base.SUBNET_CIDR1[:base.SUBNET_CIDR1.find('0/24')] + str(100 * network + 10 * (compute+1) + port_i)) neutron_port = self.safe_client.create_port( network_id=network_id, tenant_id=tenant_uuid, hostname=self.environment.hosts[compute].hostname, fixed_ips=[{"subnet_id": subnet_id, "ip_address": fixed_ip}] ) fake_machines.append( self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[compute], network_id, tenant_uuid, self.safe_client, neutron_port=neutron_port ) ) ) vms = machine.FakeFullstackMachinesList(fake_machines) vms.block_until_all_boot() vms.ping_all()
def test_securitygroup(self): """Tests if a security group rules are working, by confirming that 1. connection from allowed security group is allowed, 2. connection from elsewhere is blocked, 3. traffic not explicitly allowed (eg. ICMP) is blocked, 4. a security group update takes effect, 5. a remote security group member addition works, and 6. an established connection stops by deleting a SG rule. 7. test other protocol functionality by using SCTP protocol """ index_to_sg = [0, 0, 1] if self.firewall_driver == 'iptables_hybrid': # The iptables_hybrid driver lacks isolation between agents index_to_host = [0] * 3 else: index_to_host = [0, 1, 1] tenant_uuid = uuidutils.generate_uuid() network = self.safe_client.create_network(tenant_uuid) self.safe_client.create_subnet( tenant_uuid, network['id'], '20.0.0.0/24') sgs = [self.safe_client.create_security_group(tenant_uuid) for i in range(2)] ports = [ self.safe_client.create_port(tenant_uuid, network['id'], self.environment.hosts[host].hostname, security_groups=[sgs[sg]['id']]) for host, sg in zip(index_to_host, index_to_sg)] self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3333, port_range_max=3333) vms = [ self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[host], network['id'], tenant_uuid, self.safe_client, neutron_port=ports[port])) for port, host in enumerate(index_to_host)] for vm in vms: vm.block_until_boot() # 1. check if connection from allowed security group is allowed self.assert_connection( vms[1].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # 2. check if connection from elsewhere is blocked self.assert_no_connection( vms[2].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # 3. check if traffic not explicitly allowed (eg. ICMP) is blocked net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip) net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip) net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip) # 4. check if a security group update takes effect self.assert_no_connection( vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3344, port_range_max=3344) self.assert_connection( vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) # 5. check if a remote security group member addition works rule2 = self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[1]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3355, port_range_max=3355) self.assert_connection( vms[2].namespace, vms[0].namespace, vms[0].ip, 3355, net_helpers.NetcatTester.TCP) # NOTE(slaweq) iptables driver currently contains a bug # https://bugs.launchpad.net/neutron/+bug/1657260 # where established connections are not dropped after security group # rule is removed. Remove this workaround once bug #1657260 is fixed. if self.firewall_driver != 'iptables': # 6. check if an established connection stops by deleting # the supporting SG rule. index_to_host.append(index_to_host[2]) index_to_sg.append(1) ports.append( self.safe_client.create_port(tenant_uuid, network['id'], self.environment.hosts[ index_to_host[3]].hostname, security_groups=[sgs[1]['id']])) vms.append( self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[index_to_host[3]], network['id'], tenant_uuid, self.safe_client, neutron_port=ports[3]))) vms[3].block_until_boot() netcat = net_helpers.NetcatTester(vms[3].namespace, vms[0].namespace, vms[0].ip, 3355, net_helpers.NetcatTester.TCP) self.addCleanup(netcat.stop_processes) self.assertTrue(netcat.test_connectivity()) self.client.delete_security_group_rule(rule2['id']) common_utils.wait_until_true(lambda: netcat.test_no_connectivity(), sleep=8) netcat.stop_processes() # 7. check SCTP is supported by security group self.assert_no_connection( vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.SCTP) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NUM_SCTP, port_range_min=3366, port_range_max=3366) self.assert_connection( vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.SCTP)
def test_tcp_securitygroup(self): """Tests if a TCP security group rule is working, by confirming that 1. connection from allowed security group is allowed, 2. connection from elsewhere is blocked, 3. traffic not explicitly allowed (eg. ICMP) is blocked, and 4. a security group update takes effect. """ index_to_sg = [0, 0, 1] if self.firewall_driver == 'iptables_hybrid': # The iptables_hybrid driver lacks isolation between agents index_to_host = [0] * 3 else: index_to_host = [0, 1, 1] tenant_uuid = uuidutils.generate_uuid() network = self.safe_client.create_network(tenant_uuid) self.safe_client.create_subnet(tenant_uuid, network['id'], '20.0.0.0/24') sgs = [ self.safe_client.create_security_group(tenant_uuid) for i in range(2) ] ports = [ self.safe_client.create_port(tenant_uuid, network['id'], self.environment.hosts[host].hostname, security_groups=[sgs[sg]['id']]) for host, sg in zip(index_to_host, index_to_sg) ] self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3333, port_range_max=3333) vms = [ self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[host], network['id'], tenant_uuid, self.safe_client, neutron_port=ports[port])) for port, host in enumerate(index_to_host) ] for vm in vms: vm.block_until_boot() # 1. check if connection from allowed security group is allowed self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # 2. check if connection from elsewhere is blocked self.assert_no_connection(vms[2].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # 3. check if traffic not explicitly allowed (eg. ICMP) is blocked net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip) net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip) net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip) # 4. check if a security group update takes effect self.assert_no_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3344, port_range_max=3344) self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP)