def test():
global test_obj_dict
test_util.test_dsc("Create 1 VMs with vlan VR L3 network for SG testing.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm1.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm1_ip = test_lib.lib_get_vm_nic_by_l3(vr_vm, l3_uuid).ip
target_ip_prefix = '10.10.10.'
test_util.test_dsc("Create security groups.")
for i in range(sg_num):
target_ip = '%s%s' % (target_ip_prefix, str(1+i))
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, target_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, target_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, target_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP, inventory.INGRESS, target_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP, inventory.INGRESS, target_ip)
sg = test_stub.create_sg()
test_obj_dict.add_sg(sg.security_group.uuid)
sg.add_rule([rule1, rule2, rule3, rule4, rule5])
sg_vm.attach(sg, [vm_nics])
time.sleep(3)
#need regularlly clean up log files in virtual router when doing stress test
test_lib.lib_check_cleanup_vr_logs_by_vm(vm1.vm)
#clean up all vm and sg
test_lib.lib_robot_cleanup(test_obj_dict)
test_util.test_pass('Create/Destroy VM with VR successfully')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
sg_vm = test_sg_vm_header.ZstackTestSgVm()
test_obj_dict.set_sg_vm(sg_vm)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
sg1.add_rule([rule1])
sg1.add_rule([rule2])
sg1.add_rule([rule3])
sg_vm.check()
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
# nic_uuid3 = vm2.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
# vm3_nics = (nic_uuid3, vm3)
#test_stub.lib_add_sg_rules(sg1.uuid, [rule0, rule1])
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.rule1_ports)
#sg_vm.attach(sg1, [vm1_nics, vm2_nics, vm3_nics])
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.check()
sg_vm.delete_sg(sg1)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
test_util.test_pass('Delete Security Group with 2 attached NICs Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
global test_obj_dict
test_util.test_dsc("Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
sg_vm = test_sg_vm_header.ZstackTestSgVm()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.EGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.EGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.EGRESS, vm2_ip)
sg1.add_rule([rule1, rule2, rule3])
sg_vm.add_stub_vm(l3_uuid, vm2)
#add sg1
test_util.test_dsc("Add VM1 nic to security group 1.")
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1")
vm1.stop()
#remove vm1 nic from sg1
test_util.test_dsc("Remove nic from security group 1 to stopped vm1.")
sg_vm.detach(sg1, nic_uuid)
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
sg_vm.check()
vm1.destroy()
vm2.destroy()
sg_vm.delete_sg(sg1)
test_util.test_pass('Detach stopped VM NIC from Security Group Test Success')
def test():
global test_obj_dict
test_util.test_dsc("Create 1 VMs with vlan VR L3 network for SG testing.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm1.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm1_ip = test_lib.lib_get_vm_nic_by_l3(vr_vm, l3_uuid).ip
target_ip_prefix = '10.10.10.'
rule_list = []
for j in range(rule_num):
target_ip = '%s%s' % (target_ip_prefix, str(1 + j))
rule = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, target_ip)
rule_list.append(rule)
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg1.add_rule(rule_list)
sg_vm.attach(sg1, [vm_nics])
rule_list = []
for j in range(rule_num):
target_ip = '%s%s' % (target_ip_prefix, str(1 + j))
rule = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.EGRESS, target_ip)
rule_list.append(rule)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg2.add_rule(rule_list)
sg_vm.attach(sg2, [vm_nics])
sg1_rules = test_lib.lib_get_sg_rule(sg1.security_group.uuid)
if len(sg1_rules) != 200:
test_util.test_fail(
"Did not find 200 SG rules for SG1: %s. We only catch %s rules" %
(sg1.security_group.uuid, len(sg1_rules)))
sg2_rules = test_lib.lib_get_sg_rule(sg2.security_group.uuid)
if len(sg2_rules) != 200:
test_util.test_fail(
"Did not find 200 SG rules for SG2: %s. We only catch %s rules" %
(sg2.security_group.uuid, len(sg2_rules)))
time.sleep(3)
#need regularlly clean up log files in virtual router when doing stress test
test_lib.lib_check_cleanup_vr_logs_by_vm(vm1.vm)
#clean up all vm and sg
test_lib.lib_robot_cleanup(test_obj_dict)
test_util.test_pass('Create/Destroy VM with VR successfully')
def test():
global test_obj_dict
test_util.test_dsc("Create 1 VMs with vlan VR L3 network for SG testing.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm1.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm1_ip = test_lib.lib_get_vm_nic_by_l3(vr_vm, l3_uuid).ip
target_ip_prefix = '10.10.10.'
rule_list = []
for j in range(rule_num):
target_ip = '%s%s' % (target_ip_prefix, str(1+j))
rule = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, target_ip)
rule_list.append(rule)
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg1.add_rule(rule_list)
sg_vm.attach(sg1, [vm_nics])
rule_list = []
for j in range(rule_num):
target_ip = '%s%s' % (target_ip_prefix, str(1+j))
rule = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.EGRESS, target_ip)
rule_list.append(rule)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg2.add_rule(rule_list)
sg_vm.attach(sg2, [vm_nics])
sg1_rules = test_lib.lib_get_sg_rule(sg1.security_group.uuid)
if len(sg1_rules) != 200:
test_util.test_fail("Did not find 200 SG rules for SG1: %s. We only catch %s rules" % (sg1.security_group.uuid, len(sg1_rules)))
sg2_rules = test_lib.lib_get_sg_rule(sg2.security_group.uuid)
if len(sg2_rules) != 200:
test_util.test_fail("Did not find 200 SG rules for SG2: %s. We only catch %s rules" % (sg2.security_group.uuid, len(sg2_rules)))
time.sleep(3)
#need regularlly clean up log files in virtual router when doing stress test
test_lib.lib_check_cleanup_vr_logs_by_vm(vm1.vm)
#clean up all vm and sg
test_lib.lib_robot_cleanup(test_obj_dict)
test_util.test_pass('Create/Destroy VM with VR successfully')
def test():
global test_obj_dict
test_util.test_dsc("Create 1 VMs with vlan VR L3 network for SG testing.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm1.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm1_ip = test_lib.lib_get_vm_nic_by_l3(vr_vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
sg1.add_rule([rule1, rule2, rule3, rule4, rule5])
sg_vm.attach(sg1, [vm_nics])
time.sleep(3)
#need regularlly clean up log files in virtual router when doing stress test
test_lib.lib_check_cleanup_vr_logs_by_vm(vm1.vm)
#clean up all vm and sg
test_lib.lib_robot_cleanup(test_obj_dict)
test_util.test_pass('Create/Destroy VM with VR successfully')
def test():
global test_obj_dict
vm = test_stub.create_vm()
test_obj_dict.add_vm(vm)
vm.check()
# This is very basic and raw SG testing. The formal test should use the functions in test_lib.
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg = test_sg_header.ZstackTestSecurityGroup()
sg_creation_option = test_util.SecurityGroupOption()
sg_creation_option.set_name('test_sg')
sg_creation_option.set_description('test sg description')
sg.set_creation_option(sg_creation_option)
sg.create()
test_obj_dict.add_sg(sg.security_group.uuid)
rule = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, '10.0.101.10')
sg.add_rule([rule])
sg_vm.attach(sg, [(vm.vm.vmNics[0].uuid, vm)])
sg_vm.check()
sg_vm.detach(sg, vm.vm.vmNics[0].uuid)
sg_vm.attach(sg, [(vm.vm.vmNics[0].uuid, vm)])
sg_vm.check()
sg_vm.delete_sg(sg)
sg_vm.check()
test_obj_dict.rm_sg(sg.security_group.uuid)
vm.destroy()
sg_vm.check()
test_util.test_pass('Create VM with simple Security Group Test Success')
def test():
global test_obj_dict
vm = test_stub.create_vm()
test_obj_dict.add_vm(vm)
vm.check()
# This is very basic and raw SG testing. The formal test should use the functions in test_lib.
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg = test_sg_header.ZstackTestSecurityGroup()
sg_creation_option = test_util.SecurityGroupOption()
sg_creation_option.set_name("test_sg")
sg_creation_option.set_description("test sg description")
sg.set_creation_option(sg_creation_option)
sg.create()
test_obj_dict.add_sg(sg.security_group.uuid)
rule = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, "10.0.101.10")
sg.add_rule([rule])
sg_vm.attach(sg, [(vm.vm.vmNics[0].uuid, vm)])
sg_vm.check()
sg_vm.detach(sg, vm.vm.vmNics[0].uuid)
sg_vm.attach(sg, [(vm.vm.vmNics[0].uuid, vm)])
sg_vm.check()
sg_vm.delete_sg(sg)
sg_vm.check()
test_obj_dict.rm_sg(sg.security_group.uuid)
vm.destroy()
sg_vm.check()
test_util.test_pass("Create VM with simple Security Group Test Success")
def test():
'''
Since VR ip address is assigned by zstack, so we need to use VR to test
PF rules' connectibility.
PF test needs at least 3 VR existence. The PF VM's VR is for set PF
rule. The PF rule will add VIP for PF_VM. Besides of PF_VM's VR, there
are needed another 2 VR VMs. 1st VR public IP address will be set as
allowedCidr. The 1st VR VM should be able to access PF_VM. So the 2nd VR
VM should not be able to access PF_VM.
In this test, will also add SG rules to check the coexistence between
PF and SG. SG rule will be added onto PF_VM's internal IP.
'''
global eip_snatInboundTraffic_default_value
global pf_snatInboundTraffic_default_value
#enable snatInboundTraffic and save global config value
eip_snatInboundTraffic_default_value = \
conf_ops.change_global_config('eip', 'snatInboundTraffic', 'false')
pf_snatInboundTraffic_default_value = \
conf_ops.change_global_config('portForwarding', \
'snatInboundTraffic', 'false')
pf_vm = test_stub.create_dnat_vm()
test_obj_dict.add_vm(pf_vm)
l3_name = os.environ.get('l3VlanNetworkName1')
vr1 = test_stub.create_vr_vm(test_obj_dict, l3_name)
l3_name = os.environ.get('l3NoVlanNetworkName1')
vr2 = test_stub.create_vr_vm(test_obj_dict, l3_name)
vr1_pub_ip = test_lib.lib_find_vr_pub_ip(vr1)
vr2_pub_ip = test_lib.lib_find_vr_pub_ip(vr2)
pf_vm.check()
vm_nic = pf_vm.vm.vmNics[0]
vm_nic_uuid = vm_nic.uuid
pri_l3_uuid = vm_nic.l3NetworkUuid
vr = test_lib.lib_find_vr_by_l3_uuid(pri_l3_uuid)[0]
vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr)
l3_uuid = vr_pub_nic.l3NetworkUuid
vip = test_stub.create_vip('pf_sg_test', l3_uuid)
test_obj_dict.add_vip(vip)
vip_uuid = vip.get_vip().uuid
pf_creation_opt = PfRule.generate_pf_rule_option(
vr1_pub_ip,
protocol=inventory.TCP,
vip_target_rule=Port.rule1_ports,
private_target_rule=Port.rule1_ports,
vip_uuid=vip_uuid,
vm_nic_uuid=vm_nic_uuid)
test_pf = zstack_pf_header.ZstackTestPortForwarding()
test_pf.set_creation_option(pf_creation_opt)
test_pf.create(pf_vm)
vip.attach_pf(test_pf)
pf_vm.check()
#Ignore this check, since it has been checked many times in other PF cases.
#test_pf.check()
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg_vm = zstack_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vm_nics = (vm_nic_uuid, pf_vm)
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vr1_pub_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vr2_pub_ip)
sg1.add_rule([rule1])
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc(
"PF rule is allowed, since VR1's IP is granted by SG Rule1.")
sg_vm.attach(sg1, [vm_nics])
vip.check()
test_util.test_dsc("Remove rule1 from security group 1.")
test_util.test_dsc("PF rule is still allowed")
sg1.delete_rule([rule1])
vip.check()
test_util.test_dsc("Add rule2")
test_util.test_dsc(
"PF rule is not allowed, since rule2 only allowed the ingress from VR2, but VR2 can't pass PF rule. "
)
sg1.add_rule([rule2])
vip.check()
test_util.test_dsc("Delete SG")
sg_vm.delete_sg(sg1)
test_util.test_dsc("PF rule is allowed")
vip.check()
pf_vm.destroy()
test_obj_dict.rm_vm(pf_vm)
vip.check()
test_pf.delete()
vip.delete()
test_obj_dict.rm_vip(vip)
conf_ops.change_global_config('eip', 'snatInboundTraffic', \
eip_snatInboundTraffic_default_value )
conf_ops.change_global_config('portForwarding', 'snatInboundTraffic', \
pf_snatInboundTraffic_default_value)
test_util.test_pass("Test Port Forwarding TCP Rule Successfully")
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("Create 2 VMs with IPv6 L3 network and using VR image.")
image_name = os.environ.get('ipv6ImageName')
vm1 = test_stub.create_vm(l3_name = "%s,%s" %(os.environ.get('l3PublicNetworkName1'), os.environ.get('l3PublicNetworkName')), vm_name = 'IPv6 2 stack test ipv4 and ipv6', image_name = image_name)
vm2 = test_stub.create_vm(l3_name = os.environ.get('l3PublicNetworkName1'), vm_name = 'IPv6 2 stack test ipv6', image_name = image_name)
time.sleep(60) #waiting for vm bootup
vm1_nic1 = vm1.get_vm().vmNics[0].ip
vm1_nic2 = vm1.get_vm().vmNics[1].ip
vm2_nic1 = vm2.get_vm().vmNics[0].ip
for ip in (vm1_nic1, vm1_nic2):
if "." in ip:
ipv4 = ip
print "vm1_nic1 : %s, vm1_nic2: %s, vm2_nic1 :%s, ipv4 :%s." %(vm1_nic1, vm1_nic2, vm2_nic1,ipv4)
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg(ipVersion = 6)
sg2 = test_stub.create_sg(ipVersion = 6)
sg3 = test_stub.create_sg(ipVersion = 6)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
nic_uuid = vm2.get_vm().vmNics[0].uuid
vm_nics = (nic_uuid, vm2)
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm2_nic1, ipVersion = 6)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm2_nic1, ipVersion = 6)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm2_nic1, ipVersion = 6)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP, inventory.INGRESS, vm2_nic1, ipVersion = 6)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP, inventory.INGRESS, vm2_nic1, ipVersion = 6)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed ports: %s" % Port.get_ports(Port.rule1_ports))
sg_vm.attach(sg1, [vm_nics])
test_util.test_dsc("Remove nic from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.target_ports)
sg_vm.detach(sg1, nic_uuid)
test_util.test_dsc("Remove rule1 from security group 1.")
sg1.delete_rule([rule1])
test_util.test_dsc("Add rule1, rule2, rule3 to security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.target_ports)
sg1.add_rule([rule1, rule2, rule3])
test_util.test_dsc("Add nic to security group 1 again.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg1, [vm_nics])
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
test_util.test_dsc("Add rule2, rule3 back to security group 1.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg1.add_rule([rule2, rule3])
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
#add sg2
test_util.test_dsc("Add nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg2, [vm_nics])
#add sg3
test_util.test_dsc("Add nic to security group 3.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule2+rul3+rule4+rule5): %s" % tmp_allowed_ports)
sg_vm.attach(sg3, [vm_nics])
#detach nic from sg2
test_util.test_dsc("Remove security group 2 for nic.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule3+rule4+rule5): %s" % tmp_allowed_ports)
sg_vm.detach(sg2, nic_uuid)
#delete sg3
test_util.test_dsc("Delete security group 3.")
test_util.test_dsc("Allowed ports (rule1): %s" % test_stub.rule1_ports)
sg_vm.delete_sg(sg3)
test_obj_dict.rm_sg(sg3.security_group.uuid)
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
vm1.destroy()
vm2.destroy()
test_util.test_pass('Security Group Vlan VirtualRouter VMs Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
global test_obj_dict
test_util.test_dsc(
"Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vm_internalId = test_lib.lib_get_vm_internal_id(vm1.vm)
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.UDP,
inventory.INGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP,
inventory.INGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.UDP,
inventory.EGRESS, vm2_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.UDP,
inventory.EGRESS, vm2_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.UDP,
inventory.EGRESS, vm2_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.add_stub_vm(l3_uuid, vm2)
sg_vm.check()
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
#
test_util.test_dsc("Remove nic from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.target_ports)
sg_vm.detach(sg1, nic_uuid)
sg_vm.check()
test_util.test_dsc("Add rule1, rule2, rule3 to security group 1.")
sg1.add_rule([rule1, rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add nic to security group 1 again.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
#can't directly remove rule1, as it will block vr ssh connection.
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
#add sg2
test_util.test_dsc("Add nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg2, [vm_nics])
sg_vm.check()
#add sg3
test_util.test_dsc("Add nic to security group 3.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule2+rul3+rule4+rule5): %s" %
tmp_allowed_ports)
sg_vm.attach(sg3, [vm_nics])
sg_vm.check()
#detach nic from sg2
test_util.test_dsc("Remove security group 2 for nic.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule3+rule4+rule5): %s" %
tmp_allowed_ports)
sg_vm.detach(sg2, nic_uuid)
sg_vm.check()
#delete sg3
test_util.test_dsc("Delete security group 3.")
test_util.test_dsc("Allowed ports (rule1): %s" % test_stub.rule1_ports)
sg_vm.delete_sg(sg3)
sg_vm.check()
test_obj_dict.rm_sg(sg3.security_group.uuid)
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
test_util.test_pass(
'Security Group UDP Vlan VirtualRouter VMs Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vm1_ip = vm1.vm.vmNics[0].ip
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
nic_uuid = vm2.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm2)
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.EGRESS, vm1_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.EGRESS, vm1_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.EGRESS, vm1_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP, inventory.EGRESS, vm1_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP, inventory.EGRESS, vm1_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm1)
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed ports: %s" % Port.get_ports(Port.rule1_ports))
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
test_util.test_dsc("Remove nic from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.target_ports)
sg_vm.detach(sg1, nic_uuid)
sg_vm.check()
test_util.test_dsc("Remove rule1 from security group 1.")
sg1.delete_rule([rule1])
sg_vm.check()
test_util.test_dsc("Add rule1, rule2, rule3 to security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.target_ports)
sg1.add_rule([rule1, rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add nic to security group 1 again.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add rule2, rule3 back to security group 1.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg1.add_rule([rule2, rule3])
sg_vm.check()
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
#add sg2
test_util.test_dsc("Add nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg2, [vm_nics])
sg_vm.check()
#add sg3
test_util.test_dsc("Add nic to security group 3.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule2+rul3+rule4+rule5): %s" % tmp_allowed_ports)
sg_vm.attach(sg3, [vm_nics])
sg_vm.check()
#detach nic from sg2
test_util.test_dsc("Remove security group 2 for nic.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule3+rule4+rule5): %s" % tmp_allowed_ports)
sg_vm.detach(sg2, nic_uuid)
sg_vm.check()
#delete sg3
test_util.test_dsc("Delete security group 3.")
test_util.test_dsc("Allowed ports (rule1): %s" % test_stub.rule1_ports)
sg_vm.delete_sg(sg3)
sg_vm.check()
test_obj_dict.rm_sg(sg3.security_group.uuid)
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.check()
vm2.check()
vm1.destroy()
vm2.destroy()
test_util.test_pass('Security Group Vlan VirtualRouter VMs Test Success')
def test():
'''
Since VR ip address is assigned by zstack, so we need to use VR to test
PF rules' connectibility.
PF test needs at least 3 VR existence. The PF VM's VR is for set PF
rule. The PF rule will add VIP for PF_VM. Besides of PF_VM's VR, there
are needed another 2 VR VMs. 1st VR public IP address will be set as
allowedCidr. The 1st VR VM should be able to access PF_VM. So the 2nd VR
VM should not be able to access PF_VM.
In this test, will also add SG rules to check the coexistence between
PF and SG. SG rule will be added onto PF_VM's internal IP.
'''
pf_vm = test_stub.create_vr_vm('migrate_pf_sg_vm1', 'imageName_net', 'l3VlanNetwork2')
test_obj_dict.add_vm(pf_vm)
l3_name = os.environ.get('l3VlanNetworkName1')
vr1_l3_uuid = test_lib.lib_get_l3_by_name(l3_name).uuid
vrs = test_lib.lib_find_vr_by_l3_uuid(vr1_l3_uuid)
temp_vm1 = None
if not vrs:
#create temp_vm1 for getting vlan1's vr for test pf_vm portforwarding
temp_vm1 = test_stub.create_vr_vm('migrate_temp_vm1', 'imageName_net', 'l3VlanNetworkName1')
test_obj_dict.add_vm(temp_vm1)
vr1 = test_lib.lib_find_vr_by_vm(temp_vm1.vm)[0]
else:
vr1 = vrs[0]
l3_name = os.environ.get('l3VlanNetwork3')
vr2_l3_uuid = test_lib.lib_get_l3_by_name(l3_name).uuid
vrs = test_lib.lib_find_vr_by_l3_uuid(vr2_l3_uuid)
temp_vm2 = None
if not vrs:
#create temp_vm2 for getting novlan's vr for test pf_vm portforwarding
temp_vm2 = test_stub.create_vr_vm('migrate_temp_vm2', 'imageName_net', 'l3VlanNetwork3')
test_obj_dict.add_vm(temp_vm2)
vr2 = test_lib.lib_find_vr_by_vm(temp_vm2.vm)[0]
else:
vr2 = vrs[0]
vr1_pub_ip = test_lib.lib_find_vr_pub_ip(vr1)
vr2_pub_ip = test_lib.lib_find_vr_pub_ip(vr2)
pf_vm.check()
vm_nic = pf_vm.vm.vmNics[0]
vm_nic_uuid = vm_nic.uuid
pri_l3_uuid = vm_nic.l3NetworkUuid
vr = test_lib.lib_find_vr_by_l3_uuid(pri_l3_uuid)[0]
vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr)
l3_uuid = vr_pub_nic.l3NetworkUuid
vip_option = test_util.VipOption()
vip_option.set_l3_uuid(l3_uuid)
vip_uuid = net_ops.create_vip(vip_option).uuid
pf_creation_opt = PfRule.generate_pf_rule_option(vr1_pub_ip, protocol=inventory.TCP, vip_target_rule=Port.rule1_ports, private_target_rule=Port.rule1_ports, vip_uuid=vip_uuid, vm_nic_uuid=vm_nic_uuid)
test_pf = zstack_pf_header.ZstackTestPortForwarding()
test_pf.set_creation_option(pf_creation_opt)
test_pf.create(pf_vm)
pf_vm.check()
#Ignore this check, since it has been checked many times in other PF cases.
#test_pf.check()
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg_vm = zstack_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vm_nics = (vm_nic_uuid, pf_vm)
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vr1_pub_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vr2_pub_ip)
sg1.add_rule([rule1])
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("PF rule is allowed, since VR1's IP is granted by SG Rule1.")
sg_vm.attach(sg1, [vm_nics])
test_pf.check()
test_stub.migrate_vm_to_random_host(pf_vm)
test_util.test_dsc("Remove rule1 from security group 1.")
test_util.test_dsc("PF rule is still allowed")
sg1.delete_rule([rule1])
test_pf.check()
test_util.test_dsc("Add rule2")
test_util.test_dsc("PF rule is not allowed, since rule2 only allowed the ingress from VR2, but VR2 can't pass PF rule. ")
sg1.add_rule([rule2])
test_pf.check()
test_util.test_dsc("Delete SG")
sg_vm.delete_sg(sg1)
test_util.test_dsc("PF rule is allowed")
test_pf.check()
if temp_vm1:
temp_vm1.destroy()
test_obj_dict.rm_vm(temp_vm1)
if temp_vm2:
temp_vm2.destroy()
test_obj_dict.rm_vm(temp_vm2)
test_pf.delete()
pf_vm.destroy()
test_obj_dict.rm_vm(pf_vm)
net_ops.delete_vip(vip_uuid)
test_util.test_pass("Test Port Forwarding TCP Rule Successfully")
def test():
vm1 = test_stub.create_vr_vm('migrate_vm1', 'imageName_s', 'l3VlanNetwork3')
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_vr_vm('migrate_vm2', 'imageName_s', 'l3VlanNetwork3')
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_vr_vm('migrate_vm3', 'imageName_s', 'l3VlanNetwork3')
test_obj_dict.add_vm(vm3)
vm1.check()
vm2.check()
vm3.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm3_ip = test_lib.lib_get_vm_nic_by_l3(vm3.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg_vm.add_stub_vm(l3_uuid, vm3)
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.rule1_ports)
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.attach(sg2, [vm1_nics, vm2_nics])
test_stub.migrate_vm_to_random_host(vm1)
test_stub.migrate_vm_to_random_host(vm2)
test_stub.migrate_vm_to_random_host(vm3)
vm1.check()
vm2.check()
vm3.check()
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
vm3.destroy()
test_obj_dict.rm_vm(vm3)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
test_util.test_pass('Migrate SG VM Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm3)
vm1.check()
vm2.check()
vm3.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm3_ip = test_lib.lib_get_vm_nic_by_l3(vm3.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
sg1.add_rule([rule1])
sg_vm.add_stub_vm(l3_uuid, vm3)
sg_vm.check()
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
#test_stub.lib_add_sg_rules(sg1.uuid, [rule0, rule1])
test_util.test_dsc("Add vm 1 nic to security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.rule1_ports)
sg_vm.attach(sg1, [vm1_nics])
sg_vm.check()
test_util.test_dsc("Detach security group 1 from vm1's l3 network.")
test_util.test_dsc("VM1 nic will be automatically removed from SG1")
sg_vm.detach_l3(sg1, l3_uuid)
sg_vm.check()
test_util.test_dsc("Add vm 1 & vm 2 nics to security group 1.")
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.check()
test_util.test_dsc("Detach security group 1 from vm1's l3 network. It will cause both vm1 and vm2 nics are detached from sg1.")
sg_vm.detach_l3(sg1, l3_uuid)
sg_vm.check()
#Reboot Vm1 and check sg again.
vm1.reboot()
vm1.check()
sg_vm.check()
test_util.test_dsc("Add vm 1 & vm 2 nics to security group 1.")
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.check()
test_util.test_dsc("Remove rule1 from security group 1.")
sg1.delete_rule([rule1])
sg_vm.check()
test_util.test_dsc("Add rule1, rule2, rule3 to security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.target_ports)
sg1.add_rule([rule1, rule2, rule3])
sg_vm.check()
test_util.test_dsc("Detach security group 1 from vm1's l3 network. It will cause both vm1 and vm2 nics are detached from sg1.")
sg_vm.detach_l3(sg1, l3_uuid)
sg_vm.check()
#delete sg1
test_util.test_dsc("Delete security group 1.")
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
#Cleanup
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
vm3.destroy()
test_obj_dict.rm_vm(vm3)
test_util.test_pass('Security Group Detach from L3 network with 2 VMs on virtual router Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("create vpc vrouter and attach vpc l3 to vpc")
for vpc_name in vpc_name_list:
vr_list.append(test_stub.create_vpc_vrouter(vpc_name))
for vr, l3_list in izip(vr_list, vpc_l3_list):
test_stub.attach_l3_to_vpc_vr(vr, l3_list)
test_util.test_dsc("create two vm, vm1 in l3 {}, vm2 in l3 {}".format(VLAN1_NAME, VLAN2_NAME))
vm1 = test_stub.create_vm_with_random_offering(vm_name='vpc_vm_{}'.format(VLAN1_NAME), l3_name=VLAN1_NAME)
test_obj_dict.add_vm(vm1)
vm1.check()
vm2 = test_stub.create_vm_with_random_offering(vm_name='vpc_vm_{}'.format(VLAN2_NAME), l3_name=VLAN2_NAME)
test_obj_dict.add_vm(vm2)
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm2.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed ports: %s" % Port.get_ports(Port.rule1_ports))
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
test_util.test_dsc("Remove nic from security group 1.")
sg_vm.detach(sg1, nic_uuid)
sg_vm.check()
test_util.test_dsc("Remove rule1 from security group 1.")
sg1.delete_rule([rule1])
sg_vm.check()
test_util.test_dsc("Add rule1, rule2, rule3 to security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.target_ports)
sg1.add_rule([rule1, rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add nic to security group 1 again.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add rule2, rule3 back to security group 1.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg1.add_rule([rule2, rule3])
sg_vm.check()
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
#add sg2
test_util.test_dsc("Add nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg2, [vm_nics])
sg_vm.check()
#add sg3
test_util.test_dsc("Add nic to security group 3.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule2+rul3+rule4+rule5): %s" % tmp_allowed_ports)
sg_vm.attach(sg3, [vm_nics])
sg_vm.check()
#detach nic from sg2
test_util.test_dsc("Remove security group 2 for nic.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule3+rule4+rule5): %s" % tmp_allowed_ports)
sg_vm.detach(sg2, nic_uuid)
sg_vm.check()
#delete sg3
test_util.test_dsc("Delete security group 3.")
test_util.test_dsc("Allowed ports (rule1): %s" % test_stub.rule1_ports)
sg_vm.delete_sg(sg3)
sg_vm.check()
test_obj_dict.rm_sg(sg3.security_group.uuid)
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.check()
vm2.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
test_util.test_pass('Security Group Vlan VirtualRouter VMs Test Success')
test_lib.lib_error_cleanup(test_obj_dict)
test_stub.remove_all_vpc_vrouter()
vm3.destroy()
test_obj_dict.rm_vm(vm3)
# create security group and add rule
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg = test_sg_header.ZstackTestSecurityGroup()
sg_creation_option = test_util.SecurityGroupOption()
sg_creation_option.set_name('test_sg')
sg_creation_option.set_description('test sg description')
sg.set_creation_option(sg_creation_option)
sg.create()
test_obj_dict.add_sg(sg.security_group.uuid)
# create SG rule1: allow icmp to vm2
rule1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.EGRESS, vm2_ip)
# create SG rule2: allow icmp from vm2
rule2 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.INGRESS, vm2_ip)
sg.add_rule([rule1, rule2])
sg_vm.add_stub_vm(l3_uuid, vm2)
sg_vm.check()
# vm binding security group
sg_vm.attach(sg, [(vm.get_vm().vmNics[0].uuid, vm)])
sg_vm.check()
# change vm_ip
cmd = 'ifconfig eth0 %s' %new_vm_ip
try:
def test():
vm1 = test_stub.create_vr_vm('migrate_vm1', 'imageName_net',
'l3VlanNetwork3')
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_vr_vm('migrate_vm2', 'imageName_net',
'l3VlanNetwork3')
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_vr_vm('migrate_vm3', 'imageName_net',
'l3VlanNetwork3')
test_obj_dict.add_vm(vm3)
vm1.check()
vm2.check()
vm3.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
if not test_lib.lib_find_vr_by_vm(vm1.vm)[0]:
test_util.test_skip("skip the test for no vr found in the env.")
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm3_ip = test_lib.lib_get_vm_nic_by_l3(vm3.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vm3_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm3_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.INGRESS, vm3_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg_vm.add_stub_vm(l3_uuid, vm3)
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.rule1_ports)
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.attach(sg2, [vm1_nics, vm2_nics])
test_stub.migrate_vm_to_random_host(vm1)
test_stub.migrate_vm_to_random_host(vm2)
test_stub.migrate_vm_to_random_host(vm3)
vm1.check()
vm2.check()
vm3.check()
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
vm3.destroy()
test_obj_dict.rm_vm(vm3)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
test_util.test_pass('Migrate SG VM Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc(
"Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm1_ip = vm1.vm.vmNics[0].ip
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm2_ip = vm2.vm.vmNics[0].ip
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vm1_nic_uuid = vm1.vm.vmNics[0].uuid
vm2_nic_uuid = vm2.vm.vmNics[0].uuid
#Attach security group to l3 network
net_ops.attach_security_group_to_l3(sg1.security_group.uuid, l3_uuid)
net_ops.attach_security_group_to_l3(sg2.security_group.uuid, l3_uuid)
#Add vm1 nic to security group
sg_vm.attach(sg1, [(vm1_nic_uuid, vm1)])
sg_vm.check()
sg_vm.attach(sg2, [(vm2_nic_uuid, vm2)])
sg_vm.check()
rule1_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.INGRESS, vm2_ip)
rule1_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule1_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP,
inventory.INGRESS, vm2_ip)
sg1.add_rule([rule1_1, rule1_2, rule1_3], [sg2.security_group.uuid])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
sg_vm.check()
sg_vm.delete_stub_vm(l3_uuid)
rule2_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.INGRESS, vm1_ip)
rule2_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
rule2_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP,
inventory.INGRESS, vm1_ip)
sg2.add_rule([rule2_1, rule2_2, rule2_3], [sg1.security_group.uuid])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm1)
#sg_vm.check()
try:
test_lib.lib_open_vm_listen_ports(vm1.vm,
Port.ports_range_dict['rule1_ports'],
l3_uuid)
test_lib.lib_open_vm_listen_ports(vm2.vm,
Port.ports_range_dict['rule1_ports'],
l3_uuid)
test_lib.lib_check_vm_ports_in_a_command(
vm1.vm, vm2.vm, Port.ports_range_dict['rule1_ports'], [])
except:
test_util.test_fail(
'Security Group Meets Failure When Checking Ingress Rule. ')
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
test_util.test_pass(
'Security Group Vlan VirtualRouter 2 VMs Group Ingress Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
global test_obj_dict
test_util.test_dsc(
"Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
sg_vm = test_sg_vm_header.ZstackTestSgVm()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
sg1.add_rule([rule1, rule2, rule3])
sg_vm.add_stub_vm(l3_uuid, vm2)
#add sg1
test_util.test_dsc("Add VM1 nic to security group 1.")
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1")
vm1.stop()
#remove vm1 nic from sg1
test_util.test_dsc("Remove nic from security group 1 to stopped vm1.")
sg_vm.detach(sg1, nic_uuid)
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
sg_vm.check()
vm1.destroy()
vm2.destroy()
sg_vm.delete_sg(sg1)
test_util.test_pass(
'Detach stopped VM NIC from Security Group Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
global test_obj_dict
test_util.test_dsc("Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.EGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.EGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.EGRESS, vm2_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP, inventory.EGRESS, vm2_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP, inventory.EGRESS, vm2_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
#test_util.test_dsc("Create SG rule6: allow connection from VR to port 0~65535 to make VR can connect VMs to do testing")
#rule6 = inventory.SecurityGroupRuleAO()
#rule6.allowedCidr = '%s/32' % vr_internal_ip
#rule6.protocol = inventory.TCP
#rule6.startPort = 0
#rule6.endPort = 65535
#rule6.type = inventory.INGRESS
#test_util.test_dsc("Create SG rule7: allow connection from VR to port 0~65535 to make VR can connect VMs to do testing")
#rule7 = inventory.SecurityGroupRuleAO()
#rule7.allowedCidr = '%s/32' % vr_internal_ip
#rule7.protocol = inventory.ICMP
#rule7.startPort = -1
#rule7.endPort = -1
#rule7.type = inventory.EGRESS
#test_stub.lib_add_sg_rules(sg1.uuid, [rule1, rule6, rule7])
#add sg1
test_util.test_dsc("Add VM1 nic to security group 1.")
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1")
vm1.stop()
sg_vm.check()
#add sg2
test_util.test_dsc("Add VM1 nic to security group 2 to stopped vm1.")
sg_vm.attach(sg2, [vm_nics])
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports(rules1 + rule2 + rule3): %s" % tmp_allowed_ports)
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1 again")
vm1.stop()
sg_vm.check()
#add sg3
test_util.test_dsc("Add nic to security group 3 to stopped vm1.")
sg_vm.attach(sg3, [vm_nics])
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1 again")
vm1.stop()
sg_vm.check()
test_util.test_dsc("remove rule2 from sg2 and rule4 from sg3")
sg2.delete_rule([rule2])
sg3.delete_rule([rule4])
sg_vm.check()
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
sg_vm.check()
sg_vm.delete_sg(sg3)
test_obj_dict.rm_sg(sg3.security_group.uuid)
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
test_util.test_pass('Security Group Vlan VirtualRouter VM Add/Remove rules to stopped VM Test Success')
def test():
'''
Since VR ip address is assigned by zstack, so we need to use VR to test
PF rules' connectibility.
PF test needs at least 3 VR existence. The PF VM's VR is for set PF
rule. The PF rule will add VIP for PF_VM. Besides of PF_VM's VR, there
are needed another 2 VR VMs. 1st VR public IP address will be set as
allowedCidr. The 1st VR VM should be able to access PF_VM. So the 2nd VR
VM should not be able to access PF_VM.
In this test, will also add SG rules to check the coexistence between
PF and SG. SG rule will be added onto PF_VM's internal IP.
'''
global eip_snatInboundTraffic_default_value
global pf_snatInboundTraffic_default_value
#enable snatInboundTraffic and save global config value
eip_snatInboundTraffic_default_value = \
conf_ops.change_global_config('eip', 'snatInboundTraffic', 'false')
pf_snatInboundTraffic_default_value = \
conf_ops.change_global_config('portForwarding', \
'snatInboundTraffic', 'false')
pf_vm = test_stub.create_dnat_vm()
test_obj_dict.add_vm(pf_vm)
l3_name = os.environ.get('l3VlanNetworkName1')
vr1 = test_stub.create_vr_vm(test_obj_dict, l3_name)
l3_name = os.environ.get('l3NoVlanNetworkName1')
vr2 = test_stub.create_vr_vm(test_obj_dict, l3_name)
vr1_pub_ip = test_lib.lib_find_vr_pub_ip(vr1)
vr2_pub_ip = test_lib.lib_find_vr_pub_ip(vr2)
pf_vm.check()
vm_nic = pf_vm.vm.vmNics[0]
vm_nic_uuid = vm_nic.uuid
pri_l3_uuid = vm_nic.l3NetworkUuid
vr = test_lib.lib_find_vr_by_l3_uuid(pri_l3_uuid)[0]
vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr)
l3_uuid = vr_pub_nic.l3NetworkUuid
vip = test_stub.create_vip('pf_sg_test', l3_uuid)
test_obj_dict.add_vip(vip)
vip_uuid = vip.get_vip().uuid
pf_creation_opt = PfRule.generate_pf_rule_option(vr1_pub_ip, protocol=inventory.TCP, vip_target_rule=Port.rule1_ports, private_target_rule=Port.rule1_ports, vip_uuid=vip_uuid, vm_nic_uuid=vm_nic_uuid)
test_pf = zstack_pf_header.ZstackTestPortForwarding()
test_pf.set_creation_option(pf_creation_opt)
test_pf.create(pf_vm)
vip.attach_pf(test_pf)
pf_vm.check()
#Ignore this check, since it has been checked many times in other PF cases.
#test_pf.check()
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg_vm = zstack_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vm_nics = (vm_nic_uuid, pf_vm)
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vr1_pub_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vr2_pub_ip)
sg1.add_rule([rule1])
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("PF rule is allowed, since VR1's IP is granted by SG Rule1.")
sg_vm.attach(sg1, [vm_nics])
vip.check()
test_util.test_dsc("Remove rule1 from security group 1.")
test_util.test_dsc("PF rule is still allowed")
sg1.delete_rule([rule1])
vip.check()
test_util.test_dsc("Add rule2")
test_util.test_dsc("PF rule is not allowed, since rule2 only allowed the ingress from VR2, but VR2 can't pass PF rule. ")
sg1.add_rule([rule2])
vip.check()
test_util.test_dsc("Delete SG")
sg_vm.delete_sg(sg1)
test_util.test_dsc("PF rule is allowed")
vip.check()
pf_vm.destroy()
test_obj_dict.rm_vm(pf_vm)
vip.check()
test_pf.delete()
vip.delete()
test_obj_dict.rm_vip(vip)
conf_ops.change_global_config('eip', 'snatInboundTraffic', \
eip_snatInboundTraffic_default_value )
conf_ops.change_global_config('portForwarding', 'snatInboundTraffic', \
pf_snatInboundTraffic_default_value)
test_util.test_pass("Test Port Forwarding TCP Rule Successfully")
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm3)
vm1.check()
vm2.check()
vm3.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm3_ip = test_lib.lib_get_vm_nic_by_l3(vm3.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.add_stub_vm(l3_uuid, vm3)
sg_vm.check()
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
#vm_nics = [nic_uuid1, nic_uuid2]
#test_util.test_dsc("Create SG rule0: allow connection from vr to port 0~100. This is for enabling ssh connection from vr")
#rule0 = inventory.SecurityGroupRuleAO()
#rule0.allowedCidr = '%s/32' % vr_internal_ip
#rule0.protocol = inventory.TCP
#rule0.startPort = 0
#rule0.endPort = 100
#rule0.type = inventory.INGRESS
#test_stub.lib_add_sg_rules(sg1.uuid, [rule0, rule1])
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.rule1_ports)
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.check()
test_util.test_dsc("Remove nic from security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.target_ports)
sg_vm.detach(sg1, nic_uuid1)
sg_vm.detach(sg1, nic_uuid2)
sg_vm.check()
test_util.test_dsc("Remove rule1 from security group 1.")
sg1.delete_rule([rule1])
sg_vm.check()
test_util.test_dsc("Add rule1, rule2, rule3 to security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.target_ports)
sg1.add_rule([rule1, rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add nic to security group 1 again.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ingress ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.check()
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.rule1_ports)
sg2.delete_rule([rule2, rule3])
sg_vm.check()
#add sg2 to vm1
test_util.test_dsc("Add vm1 nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ingress ports for vm1 from vm3: %s" % tmp_allowed_ports)
test_util.test_dsc("Allowed ingress ports for vm1 from vm3: %s" % test_stub.rule1_ports)
test_util.test_dsc("Allowed ingress ports for vm2: %s" % test_stub.rule1_ports)
sg_vm.attach(sg2, [vm1_nics])
sg_vm.check()
#add sg2 to vm2
test_util.test_dsc("Add vm2 nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ingress ports for vm1/vm2: %s" % tmp_allowed_ports)
sg_vm.attach(sg2, [vm2_nics])
sg_vm.check()
#add sg3
test_util.test_dsc("Add vm1/vm2 nics to security group 3.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ingress ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg3, [vm1_nics, vm2_nics])
sg_vm.check()
#remove sg2
test_util.test_dsc("Remove security group 2 for nic.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ingress ports: %s" % tmp_allowed_ports)
sg_vm.detach(sg2, nic_uuid1)
sg_vm.detach(sg2, nic_uuid2)
sg_vm.check()
#delete sg3
test_util.test_dsc("Delete security group 3.")
test_util.test_dsc("Allowed ingress ports: %s" % test_stub.rule1_ports)
sg_vm.delete_sg(sg3)
test_obj_dict.rm_sg(sg3.security_group.uuid)
sg_vm.check()
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
vm3.destroy()
test_obj_dict.rm_vm(vm3)
test_util.test_pass('Security Group Vlan VirtualRouter 2 VMs Group Ingress Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
global test_obj_dict
test_util.test_dsc("Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
#test_util.test_dsc("Create SG rule6: allow connection from vr to port 0~65535")
#rule6 = inventory.SecurityGroupRuleAO()
#rule6.allowedCidr = '%s/32' % vr_internal_ip
#rule6.protocol = inventory.TCP
#rule6.startPort = 0
#rule6.endPort = 65535
#rule6.type = inventory.INGRESS
#test_stub.lib_add_sg_rules(sg1.uuid, [rule1, rule6])
#add sg1
test_util.test_dsc("Attach security group 1 to [nic:] %s L3." % nic_uuid)
test_util.test_dsc("Add nic to security group 1.")
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
#add sg2
test_util.test_dsc("Attach security group 2 to [nic:] %s L3." % nic_uuid)
test_util.test_dsc("Add nic to security group 2.")
sg_vm.attach(sg2, [vm_nics])
sg_vm.check()
#add sg3
test_util.test_dsc("Attach security group 3 to [nic:] %s L3." % nic_uuid)
test_util.test_dsc("Add nic to security group 3.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg3, [vm_nics])
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1")
vm1.stop()
sg_vm.check()
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.check()
test_util.test_dsc("Restart VM1")
vm1.reboot()
vm1.check()
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.check()
test_util.test_dsc("Destroy VM1. All its SG rules should be removed.")
vm_internalId = test_lib.lib_get_vm_internal_id(vm1.vm)
vm1.destroy()
test_obj_dict.rm_vm(vm1)
if linux.wait_callback_success(do_check, (vm1.vm, "vnic%s.0-in" % vm_internalId), 5, 0.2):
test_util.test_logger('[vm:] %s SG INGRESS rules are removed, after it is destroyed.' % vm1.vm.uuid)
else:
test_util.test_fail('[vm:] %s SG INGRESS rules are not removed, after it is destroyed 5 seconds. ' % vm1.vm.uuid)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
sg_vm.delete_sg(sg3)
test_obj_dict.rm_sg(sg3.security_group.uuid)
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
test_util.test_pass('Security Group Vlan VirtualRouter VM Start/Stop/Reboot/Destroy Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm3)
vm4 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm4)
vm5 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm5)
vm1.check()
vm2.check()
vm3.check()
vm4.check()
vm5.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg4 = test_stub.create_sg()
test_obj_dict.add_sg(sg4.security_group.uuid)
sg5 = test_stub.create_sg()
test_obj_dict.add_sg(sg5.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vr_internal_ip = test_lib.lib_find_vr_private_ip(vr_vm)
vm1_ip = vm1.vm.vmNics[0].ip
vm2_ip = vm2.vm.vmNics[0].ip
vm3_ip = vm3.vm.vmNics[0].ip
vm4_ip = vm4.vm.vmNics[0].ip
vm5_ip = vm5.vm.vmNics[0].ip
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
nic_uuid3 = vm3.vm.vmNics[0].uuid
nic_uuid4 = vm4.vm.vmNics[0].uuid
nic_uuid5 = vm5.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
vm3_nics = (nic_uuid3, vm3)
vm4_nics = (nic_uuid4, vm4)
vm5_nics = (nic_uuid5, vm5)
vm_group1_nics = [vm1_nics, vm2_nics]
vm_group2_nics = [vm3_nics, vm4_nics]
#vms_nics = vm_group1_nics + vm_group1_nics + [vm5_nics]
vms_nics = vm_group1_nics + vm_group2_nics
test_util.test_dsc("Open some ports in 5 VMs for testing.")
for vm in vm1,vm2,vm3,vm4,vm5:
test_lib.lib_open_vm_listen_ports(vm.vm, test_stub.target_ports)
rule_ai1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vr_internal_ip)
rule_ae1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.EGRESS, vm5_ip)
rule_v3i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule_v3e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
rule_v3e_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
rule_v3i_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule_v4i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm4_ip)
rule_v4e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.EGRESS, vm4_ip)
rule_v1i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm1_ip)
rule_v1e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.EGRESS, vm1_ip)
rule_v2i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule_v2e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.EGRESS, vm2_ip)
rule_v1i_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm1_ip)
rule_v1e_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.EGRESS, vm1_ip)
sg1.add_rule([rule_ai1, rule_ae1])
sg2.add_rule([rule_v3i_2, rule_v4i_2, rule_v3e_2, rule_v4e_2])
sg3.add_rule([rule_v1i_2, rule_v2i_2, rule_v1e_2, rule_v2e_2])
sg4.add_rule([rule_v1i_3, rule_v1e_3])
sg5.add_rule([rule_v3e_3, rule_v3i_3])
sg_vm.add_stub_vm(l3_uuid, vm5)
sg_vm.check()
##add all vm1 vm2 vm3 vm4 vm5 to sg1.
test_util.test_dsc("Add all VMs to security group 1.")
test_util.test_dsc("Allowed ingress and egress [ports:] %s" % test_stub.rule1_ports)
sg_vm.attach(sg1, vms_nics)
#add vm1 vm2 to SG2.
test_util.test_dsc("Add VM1 and VM2 to SG2.")
test_util.test_dsc("Allowed ingress [ports:] %s from VM3 and VM4" % test_stub.rule2_ports)
test_util.test_dsc("Allowed egress [ports:] %s to VM3 and VM4" % test_stub.rule2_ports)
test_util.test_dsc("Since VM1/VM2 are in same SG group, VM1/VM2 can connect rule2 ports :%s each other." % test_stub.rule2_ports)
sg_vm.attach(sg2, vm_group1_nics)
sg_vm.check()
test_util.test_dsc("Since VM3/VM4 didn't open rule2 ports for VM1/VM2, VM1/VM2 can't connect to VM3/VM4 rule2 ports :%s." % test_stub.rule2_ports)
test_lib.lib_check_vm_ports(vm3.vm, vm1.vm, test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(vm3.vm, vm2.vm, test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(vm4.vm, vm1.vm, test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(vm4.vm, vm2.vm, test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_group_ports(vm1.vm, [vm3.vm, vm4.vm], test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_util.test_dsc("Add rule2 ports to VM3 and VM4.")
test_util.test_dsc("Allowed ingress [ports:] %s from VM1/VM2 to VM3/VM4" % (test_stub.rule1_ports + test_stub.rule2_ports))
test_util.test_dsc("Allowed egress [ports:] %s to VM1 and VM2" % test_stub.rule2_ports)
sg_vm.attach(sg3, vm_group2_nics)
test_lib.lib_check_vm_group_ports(vm4.vm, [vm1.vm, vm2.vm], (test_stub.rule1_ports + test_stub.rule2_ports), (test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_group_ports(vm2.vm, [vm3.vm, vm4.vm], (test_stub.rule1_ports + test_stub.rule2_ports), (test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
sg_vm.check()
test_util.test_dsc("Add VM3 and VM4 to SG4.")
test_util.test_dsc("Allowed ingress/egress [ports:] %s for VM1" % test_stub.rule3_ports)
test_util.test_dsc("But due to VM1 didn't open related ports, connection will be denied for [ports:] %s from VM1 to VM3 " % test_stub.rule3_ports)
test_util.test_dsc("The enabled connections for VM1/VM3 are still [ports:] %s " % (test_stub.rule1_ports + test_stub.rule2_ports))
sg_vm.attach(sg4, vm_group2_nics)
test_lib.lib_check_vm_ports(vm1.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports), (test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_util.test_dsc("As VM3/VM4 are in same SG group, rule1+rule2+rule3 [ports:] %s are opened between VM4 and VM3 " % (test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports))
sg_vm.check()
test_util.test_dsc("Add VM1 and VM2 to SG5.")
test_util.test_dsc("Allowed ingress/egress [ports:] %s for VM3" % test_stub.rule3_ports)
test_util.test_dsc("Connection between VM1 and VM3, between VM1 and VM2, between VM3 and VM4 are enabled for [ports:] %s" % (test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports))
sg_vm.attach(sg5, vm_group1_nics)
test_lib.lib_check_vm_ports(vm1.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports), (test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(vm3.vm, vm1.vm, (test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports), (test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(vm4.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports), (test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_util.test_dsc("Connection from VM2 to VM3 are enabled for [ports:]" % (test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports))
test_lib.lib_check_vm_ports(vm2.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports), (test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(vm4.vm, vm2.vm, (test_stub.rule1_ports + test_stub.rule2_ports), (test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
#test_util.test_dsc("VM5 was not granted with rule2 and rule3 ports, so only rule1 [ports:] %s are allowned to connect to other VMs." % test_stub.rule1_ports)
#test_lib.lib_check_vm_ports(vm5.vm, vm3.vm, test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
#clean up.
for sg in sg1,sg2,sg3,sg4,sg5:
sg_vm.delete_sg(sg)
test_obj_dict.rm_sg(sg.security_group.uuid)
for vm in vm1,vm2,vm3,vm4,vm5:
vm.destroy()
test_obj_dict.rm_vm(vm)
test_util.test_pass('Security Group Vlan VirtualRouter VM complex testing with 2 Groups 5 VMs Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("Create 3 VMs with vlan VR L3 network and using VR image.")
image_name = os.environ.get('ipv6ImageName')
ipv4_net_uuid = test_lib.lib_get_l3_by_name(os.environ.get('l3PublicNetworkName')).uuid
ipv6_net_uuid = test_lib.lib_get_l3_by_name(os.environ.get('l3PublicNetworkName1')).uuid
print "ipv4_net_uuid is : %s , ipv6_net_uuid is : %s" %(ipv4_net_uuid, ipv6_net_uuid)
vm1 = test_stub.create_vm(l3_name = os.environ.get('l3PublicNetworkName'), vm_name = 'vm_1 IPv6 2 stack test', system_tags = ["dualStackNic::%s::%s" %(ipv4_net_uuid, ipv6_net_uuid)], image_name = image_name)
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_vm(l3_name = os.environ.get('l3PublicNetworkName'), vm_name = 'vm_2 IPv6 2 stack test', system_tags = ["dualStackNic::%s::%s" %(ipv4_net_uuid, ipv6_net_uuid)], image_name = image_name)
test_obj_dict.add_vm(vm2)
time.sleep(120) #waiting for vm bootup
vm1_ip1 = vm1.get_vm().vmNics[0].usedIps[0].ip
vm1_ip2 = vm1.get_vm().vmNics[0].usedIps[1].ip
vm2_ip1 = vm2.get_vm().vmNics[0].usedIps[0].ip
vm2_ip2 = vm2.get_vm().vmNics[0].usedIps[1].ip
if "172.20" in vm1_ip1:
vm1_ipv4 = vm1_ip1
vm1_ipv6 = vm1_ip2
else:
vm1_ipv4 = vm1_ip2
vm1_ipv6 = vm1_ip1
if "172.20" in vm2_ip1:
vm2_ipv4 = vm2_ip1
vm2_ipv6 = vm2_ip2
else:
vm2_ipv4 = vm2_ip2
vm2_ipv6 = vm2_ip1
print "vm1_ipv6 : %s, vm1_ipv4: %s, vm2_ipv6 :%s,vm2_ipv4 :%s, ipv4 :%s, ipv6 :%s." %(vm1_ipv6, vm1_ipv4, vm2_ipv6, vm2_ipv4, vm2_ipv4, vm2_ipv6)
cmd = "ping6 -c 4 %s" %(vm2_ipv6)
(retcode, output, erroutput) = ssh.execute(cmd, vm1_ipv4, "root", "password", True, 22)
cmd1 = "ping -c 4 %s" %(vm2_ipv4)
(retcode1, output1, erroutput1) = ssh.execute(cmd1, vm1_ipv4, "root", "password", True, 22)
print "retcode is: %s; output is : %s.; erroutput is: %s" %(retcode, output , erroutput)
print "retcode1 is: %s; output1 is : %s.; erroutput1 is: %s" %(retcode1, output1 , erroutput1)
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg(ipVersion = 6)
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg(ipVersion = 6)
test_obj_dict.add_sg(sg2.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
l3_uuid = ipv6_net_uuid
vm1_nic_uuid = vm1.get_vm().vmNics[0].uuid
vm2_nic_uuid = vm2.get_vm().vmNics[0].uuid
print "vm1_nic_uuid :%s, vm2_nic_uuid :%s ."%(vm1_nic_uuid, vm2_nic_uuid)
#Attach security group to l3 network
net_ops.attach_security_group_to_l3(sg1.security_group.uuid, l3_uuid)
net_ops.attach_security_group_to_l3(sg2.security_group.uuid, l3_uuid)
#Add vm1 nic to security group
sg_vm.attach(sg1, [(vm1_nic_uuid, vm1)], ipv6 = "ipv6")
sg_vm.attach(sg2, [(vm2_nic_uuid, vm2)], ipv6 = "ipv6")
rule1_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.INGRESS, vm2_ipv6, ipVersion = 6)
rule1_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm2_ipv6, ipVersion = 6)
rule1_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP, inventory.INGRESS, vm2_ipv6, ipVersion = 6)
sg1.add_rule([rule1_1,rule1_2,rule1_3], [sg2.security_group.uuid])
sg_vm.add_stub_vm(l3_uuid, vm2)
sg_vm.delete_stub_vm(l3_uuid)
rule2_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.INGRESS, vm1_ipv6, ipVersion = 6)
rule2_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm1_ipv6, ipVersion = 6)
rule2_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP, inventory.INGRESS, vm1_ipv6, ipVersion = 6)
sg2.add_rule([rule2_1,rule2_2,rule2_3], [sg1.security_group.uuid])
sg_vm.add_stub_vm(l3_uuid, vm1)
try:
test_lib.lib_open_vm_listen_ports(vm1.vm, Port.ports_range_dict['rule1_ports'], l3_uuid, target_ip = vm1_ipv4, target_ipv6 = vm1_ipv6)
test_lib.lib_open_vm_listen_ports(vm2.vm, Port.ports_range_dict['rule1_ports'], l3_uuid, target_ip = vm2_ipv4, target_ipv6 = vm2_ipv6)
test_lib.lib_check_vm_ports_in_a_command(vm1.vm, vm2.vm, Port.ports_range_dict['rule1_ports'], [], target_ipv6 = vm2_ipv6)
except:
test_util.test_fail('Security Group Meets Failure When Checking Ingress Rule. ')
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
test_util.test_pass('Security Group Vlan VirtualRouter 2 VMs Group Ingress Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("create vpc vrouter and attach vpc l3 to vpc")
for vpc_name in vpc_name_list:
vr_list.append(test_stub.create_vpc_vrouter(vpc_name))
for vr, l3_list in izip(vr_list, vpc_l3_list):
test_stub.attach_l3_to_vpc_vr(vr, l3_list)
test_util.test_dsc("create two vm, vm1 in l3 {}, vm2 in l3 {}".format(
VLAN1_NAME, VLAN2_NAME))
vm1 = test_stub.create_vm_with_random_offering(
vm_name='vpc_vm_{}'.format(VLAN1_NAME), l3_name=VLAN1_NAME)
test_obj_dict.add_vm(vm1)
vm1.check()
vm2 = test_stub.create_vm_with_random_offering(
vm_name='vpc_vm_{}'.format(VLAN2_NAME), l3_name=VLAN2_NAME)
test_obj_dict.add_vm(vm2)
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm2.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed ports: %s" % Port.get_ports(Port.rule1_ports))
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
test_util.test_dsc("Remove nic from security group 1.")
sg_vm.detach(sg1, nic_uuid)
sg_vm.check()
test_util.test_dsc("Remove rule1 from security group 1.")
sg1.delete_rule([rule1])
sg_vm.check()
test_util.test_dsc("Add rule1, rule2, rule3 to security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.target_ports)
sg1.add_rule([rule1, rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add nic to security group 1 again.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add rule2, rule3 back to security group 1.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg1.add_rule([rule2, rule3])
sg_vm.check()
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
#add sg2
test_util.test_dsc("Add nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg2, [vm_nics])
sg_vm.check()
#add sg3
test_util.test_dsc("Add nic to security group 3.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule2+rul3+rule4+rule5): %s" %
tmp_allowed_ports)
sg_vm.attach(sg3, [vm_nics])
sg_vm.check()
#detach nic from sg2
test_util.test_dsc("Remove security group 2 for nic.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports (rule1+rule3+rule4+rule5): %s" %
tmp_allowed_ports)
sg_vm.detach(sg2, nic_uuid)
sg_vm.check()
#delete sg3
test_util.test_dsc("Delete security group 3.")
test_util.test_dsc("Allowed ports (rule1): %s" % test_stub.rule1_ports)
sg_vm.delete_sg(sg3)
sg_vm.check()
test_obj_dict.rm_sg(sg3.security_group.uuid)
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.check()
vm2.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
test_util.test_pass('Security Group Vlan VirtualRouter VMs Test Success')
test_lib.lib_error_cleanup(test_obj_dict)
test_stub.remove_all_vpc_vrouter()
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
global test_obj_dict
test_util.test_dsc("Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
vr_internal_ip = test_lib.lib_find_vr_private_ip(vr_vm)
test_util.test_dsc("Create SG rule1: allow connection to vm2 port 0~100")
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.EGRESS, vm2_ip)
test_util.test_dsc("Create SG rule2: allow connection from vm2 to port 9000~10000")
rule2 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
test_util.test_dsc("Create SG rule3: allow connection from VR to port 0~65535 to make VR can connect VMs to do testing")
rule3 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.INGRESS, vr_internal_ip)
test_util.test_dsc("Create SG rule4: allow ICMP connection to VR")
rule4 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.EGRESS, vr_internal_ip)
test_util.test_dsc("Create SG rule5: allow icmp from vm2")
rule5 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.INGRESS, vm2_ip)
test_util.test_dsc("Create SG rule6: allow icmp to vm2")
rule6 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.EGRESS, vm2_ip)
sg1.add_rule([rule1, rule2, rule3, rule4])
sg2.add_rule([rule5])
sg3.add_rule([rule6])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
sg_vm.check()
#add sg1
test_util.test_dsc("Add VM1 nic to security group 1.")
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
if not test_lib.lib_check_ping(vm1.vm, vr_internal_ip, no_exception=True):
test_util.test_fail('Exception: [vm:] %s ping [vr:] %s fail. But it should ping successfully.' % (vm1.vm.uuid, vr_internal_ip))
#add sg2
test_util.test_dsc("Add VM1 nic to security group 2.")
sg_vm.attach(sg2, [vm_nics])
test_util.test_dsc("Allowed ports egress rules1: %s, ingress rule2: %s" % (test_stub.rule1_ports, test_stub.rule2_ports))
sg_vm.check()
if not test_lib.lib_check_ping(vm1.vm, vr_internal_ip, no_exception=True):
test_util.test_fail('Exception: [vm:] %s ping [vr:] %s fail. But it should ping successfully.' % (vm1.uuid, vr_internal_ip))
#add sg3
test_util.test_dsc("Add nic to security group 3 to stopped vm1.")
sg_vm.attach(sg3, [vm_nics])
test_util.test_dsc("Allowed ports egress rules1: %s, ingress rule2: %s" % (test_stub.rule1_ports, test_stub.rule2_ports))
sg_vm.check()
if not test_lib.lib_check_ping(vm1.vm, vr_internal_ip, no_exception=True):
test_util.test_fail('Exception: [vm:] %s ping [vr:] %s fail. But it should ping successfully.' % (vm1.uuid, vr_internal_ip))
test_util.test_dsc("remove rule5 from sg2")
sg2.delete_rule([rule5])
sg_vm.check()
if not test_lib.lib_check_ping(vm1.vm, vr_internal_ip, no_exception=True):
test_util.test_fail('Exception: [vm:] %s ping [vr:] %s fail. But it should ping successfully.' % (vm1.uuid, vr_internal_ip))
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
sg_vm.check()
sg1.delete()
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg2.delete()
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.check()
sg3.delete()
test_obj_dict.rm_sg(sg3.security_group.uuid)
test_util.test_pass('Security Group Vlan VirtualRouter VM ICMP rules Test Success')
def test():
"""
Since VR ip address is assigned by zstack, so we need to use VR to test
PF rules' connectibility.
PF test needs at least 3 VR existence. The PF VM's VR is for set PF
rule. The PF rule will add VIP for PF_VM. Besides of PF_VM's VR, there
are needed another 2 VR VMs. 1st VR public IP address will be set as
allowedCidr. The 1st VR VM should be able to access PF_VM. So the 2nd VR
VM should not be able to access PF_VM.
In this test, will also add SG rules to check the coexistence between
PF and SG. SG rule will be added onto PF_VM's internal IP.
"""
global eip_snatInboundTraffic_default_value
global pf_snatInboundTraffic_default_value
# enable snatInboundTraffic and save global config value
eip_snatInboundTraffic_default_value = conf_ops.change_global_config("eip", "snatInboundTraffic", "false")
pf_snatInboundTraffic_default_value = conf_ops.change_global_config("portForwarding", "snatInboundTraffic", "false")
pf_vm1 = test_stub.create_dnat_vm()
test_obj_dict.add_vm(pf_vm1)
pf_vm2 = test_stub.create_dnat_vm()
test_obj_dict.add_vm(pf_vm2)
l3_name = os.environ.get("l3VlanNetworkName1")
vr1 = test_stub.create_vr_vm(test_obj_dict, l3_name)
l3_name = os.environ.get("l3NoVlanNetworkName1")
vr2 = test_stub.create_vr_vm(test_obj_dict, l3_name)
vr1_pub_ip = test_lib.lib_find_vr_pub_ip(vr1)
vr2_pub_ip = test_lib.lib_find_vr_pub_ip(vr2)
pf_vm1.check()
vm_nic1 = pf_vm1.vm.vmNics[0]
vm_nic_uuid1 = vm_nic1.uuid
pri_l3_uuid = vm_nic1.l3NetworkUuid
vm_nic2 = pf_vm2.vm.vmNics[0]
vm_nic_uuid2 = vm_nic2.uuid
vr = test_lib.lib_find_vr_by_l3_uuid(pri_l3_uuid)[0]
vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr)
l3_uuid = vr_pub_nic.l3NetworkUuid
vip = test_stub.create_vip("pf_sg_test", l3_uuid)
test_obj_dict.add_vip(vip)
vip_uuid = vip.get_vip().uuid
pf_creation_opt1 = PfRule.generate_pf_rule_option(
vr1_pub_ip,
protocol=inventory.TCP,
vip_target_rule=Port.rule1_ports,
private_target_rule=Port.rule1_ports,
vip_uuid=vip_uuid,
vm_nic_uuid=vm_nic_uuid1,
)
test_pf1 = zstack_pf_header.ZstackTestPortForwarding()
test_pf1.set_creation_option(pf_creation_opt1)
test_pf1.create(pf_vm1)
vip.attach_pf(test_pf1)
pf_creation_opt2 = PfRule.generate_pf_rule_option(
vr2_pub_ip,
protocol=inventory.TCP,
vip_target_rule=Port.rule2_ports,
private_target_rule=Port.rule2_ports,
vip_uuid=vip_uuid,
vm_nic_uuid=vm_nic_uuid2,
)
test_pf2 = zstack_pf_header.ZstackTestPortForwarding()
test_pf2.set_creation_option(pf_creation_opt2)
test_pf2.create(pf_vm2)
vip.attach_pf(test_pf2)
pf_vm1.check()
pf_vm2.check()
vip.check()
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg_vm = zstack_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vm_nics = (vm_nic_uuid1, pf_vm1)
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vr1_pub_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vr2_pub_ip)
sg1.add_rule([rule1])
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc(
"PF1 rule is allowed, since VR1's IP is granted by SG Rule1. PF2 rule is allowed, since VM2's ip is not controlld by SG."
)
sg_vm.attach(sg1, [vm_nics])
vip.check()
test_util.test_dsc("Remove rule1 from security group 1.")
test_util.test_dsc("PF rules are still allowed")
sg1.delete_rule([rule1])
vip.check()
test_util.test_dsc("Add rule2")
test_util.test_dsc(
"PF1 rule is not allowed, since SG rule2 only allowed the ingress from VR2, but VR2 can't pass PF rule. PF2 rule is still allowed, since its vmnic is not controlled by SG."
)
sg1.add_rule([rule2])
vip.check()
test_util.test_dsc("Delete SG")
sg_vm.delete_sg(sg1)
test_util.test_dsc("All PFs rule are allowed")
vip.check()
test_pf1.delete()
test_pf2.delete()
pf_vm1.destroy()
test_obj_dict.rm_vm(pf_vm1)
pf_vm2.destroy()
test_obj_dict.rm_vm(pf_vm2)
vip.delete()
test_obj_dict.rm_vip(vip)
conf_ops.change_global_config("eip", "snatInboundTraffic", eip_snatInboundTraffic_default_value)
conf_ops.change_global_config("portForwarding", "snatInboundTraffic", pf_snatInboundTraffic_default_value)
test_util.test_pass("Test 2 Port Forwarding Rules with same VIP assigned to different vmnic Successfully.")
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
global test_obj_dict
test_util.test_dsc(
"Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
vr_internal_ip = test_lib.lib_find_vr_private_ip(vr_vm)
test_util.test_dsc("Create SG rule1: allow connection to vm2 port 0~100")
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
test_util.test_dsc(
"Create SG rule2: allow connection from vm2 to port 9000~10000")
rule2 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
test_util.test_dsc(
"Create SG rule3: allow connection from VR to port 0~65535 to make VR can connect VMs to do testing"
)
rule3 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.INGRESS, vr_internal_ip)
test_util.test_dsc("Create SG rule4: allow ICMP connection to VR")
rule4 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.EGRESS, vr_internal_ip)
test_util.test_dsc("Create SG rule5: allow icmp from vm2")
rule5 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.INGRESS, vm2_ip)
test_util.test_dsc("Create SG rule6: allow icmp to vm2")
rule6 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.EGRESS, vm2_ip)
sg1.add_rule([rule1, rule2, rule3, rule4])
sg2.add_rule([rule5])
sg3.add_rule([rule6])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
sg_vm.check()
#add sg1
test_util.test_dsc("Add VM1 nic to security group 1.")
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
if not test_lib.lib_check_ping(vm1.vm, vr_internal_ip, no_exception=True):
test_util.test_fail(
'Exception: [vm:] %s ping [vr:] %s fail. But it should ping successfully.'
% (vm1.vm.uuid, vr_internal_ip))
#add sg2
test_util.test_dsc("Add VM1 nic to security group 2.")
sg_vm.attach(sg2, [vm_nics])
test_util.test_dsc("Allowed ports egress rules1: %s, ingress rule2: %s" %
(test_stub.rule1_ports, test_stub.rule2_ports))
sg_vm.check()
if not test_lib.lib_check_ping(vm1.vm, vr_internal_ip, no_exception=True):
test_util.test_fail(
'Exception: [vm:] %s ping [vr:] %s fail. But it should ping successfully.'
% (vm1.uuid, vr_internal_ip))
#add sg3
test_util.test_dsc("Add nic to security group 3 to stopped vm1.")
sg_vm.attach(sg3, [vm_nics])
test_util.test_dsc("Allowed ports egress rules1: %s, ingress rule2: %s" %
(test_stub.rule1_ports, test_stub.rule2_ports))
sg_vm.check()
if not test_lib.lib_check_ping(vm1.vm, vr_internal_ip, no_exception=True):
test_util.test_fail(
'Exception: [vm:] %s ping [vr:] %s fail. But it should ping successfully.'
% (vm1.uuid, vr_internal_ip))
test_util.test_dsc("remove rule5 from sg2")
sg2.delete_rule([rule5])
sg_vm.check()
if not test_lib.lib_check_ping(vm1.vm, vr_internal_ip, no_exception=True):
test_util.test_fail(
'Exception: [vm:] %s ping [vr:] %s fail. But it should ping successfully.'
% (vm1.uuid, vr_internal_ip))
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
sg_vm.check()
sg1.delete()
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg2.delete()
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.check()
sg3.delete()
test_obj_dict.rm_sg(sg3.security_group.uuid)
test_util.test_pass(
'Security Group Vlan VirtualRouter VM ICMP rules Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc(
"Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm3)
vm4 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm4)
vm5 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm5)
vm1.check()
vm2.check()
vm3.check()
vm4.check()
vm5.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg4 = test_stub.create_sg()
test_obj_dict.add_sg(sg4.security_group.uuid)
sg5 = test_stub.create_sg()
test_obj_dict.add_sg(sg5.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vr_internal_ip = test_lib.lib_find_vr_private_ip(vr_vm)
vm1_ip = vm1.vm.vmNics[0].ip
vm2_ip = vm2.vm.vmNics[0].ip
vm3_ip = vm3.vm.vmNics[0].ip
vm4_ip = vm4.vm.vmNics[0].ip
vm5_ip = vm5.vm.vmNics[0].ip
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
nic_uuid3 = vm3.vm.vmNics[0].uuid
nic_uuid4 = vm4.vm.vmNics[0].uuid
nic_uuid5 = vm5.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
vm3_nics = (nic_uuid3, vm3)
vm4_nics = (nic_uuid4, vm4)
vm5_nics = (nic_uuid5, vm5)
vm_group1_nics = [vm1_nics, vm2_nics]
vm_group2_nics = [vm3_nics, vm4_nics]
#vms_nics = vm_group1_nics + vm_group1_nics + [vm5_nics]
vms_nics = vm_group1_nics + vm_group2_nics
test_util.test_dsc("Open some ports in 5 VMs for testing.")
for vm in vm1, vm2, vm3, vm4, vm5:
test_lib.lib_open_vm_listen_ports(vm.vm, test_stub.target_ports)
rule_ai1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vr_internal_ip)
rule_ae1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.EGRESS, vm5_ip)
rule_v3i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm3_ip)
rule_v3e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm3_ip)
rule_v3e_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.EGRESS, vm3_ip)
rule_v3i_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.INGRESS, vm3_ip)
rule_v4i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm4_ip)
rule_v4e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm4_ip)
rule_v1i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
rule_v1e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm1_ip)
rule_v2i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule_v2e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule_v1i_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
rule_v1e_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.EGRESS, vm1_ip)
sg1.add_rule([rule_ai1, rule_ae1])
sg2.add_rule([rule_v3i_2, rule_v4i_2, rule_v3e_2, rule_v4e_2])
sg3.add_rule([rule_v1i_2, rule_v2i_2, rule_v1e_2, rule_v2e_2])
sg4.add_rule([rule_v1i_3, rule_v1e_3])
sg5.add_rule([rule_v3e_3, rule_v3i_3])
sg_vm.add_stub_vm(l3_uuid, vm5)
sg_vm.check()
##add all vm1 vm2 vm3 vm4 vm5 to sg1.
test_util.test_dsc("Add all VMs to security group 1.")
test_util.test_dsc("Allowed ingress and egress [ports:] %s" %
test_stub.rule1_ports)
sg_vm.attach(sg1, vms_nics)
#add vm1 vm2 to SG2.
test_util.test_dsc("Add VM1 and VM2 to SG2.")
test_util.test_dsc("Allowed ingress [ports:] %s from VM3 and VM4" %
test_stub.rule2_ports)
test_util.test_dsc("Allowed egress [ports:] %s to VM3 and VM4" %
test_stub.rule2_ports)
test_util.test_dsc(
"Since VM1/VM2 are in same SG group, VM1/VM2 can connect rule2 ports :%s each other."
% test_stub.rule2_ports)
sg_vm.attach(sg2, vm_group1_nics)
sg_vm.check()
test_util.test_dsc(
"Since VM3/VM4 didn't open rule2 ports for VM1/VM2, VM1/VM2 can't connect to VM3/VM4 rule2 ports :%s."
% test_stub.rule2_ports)
test_lib.lib_check_vm_ports(
vm3.vm, vm1.vm, test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm3.vm, vm2.vm, test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm4.vm, vm1.vm, test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm4.vm, vm2.vm, test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_group_ports(
vm1.vm, [vm3.vm, vm4.vm], test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_util.test_dsc("Add rule2 ports to VM3 and VM4.")
test_util.test_dsc("Allowed ingress [ports:] %s from VM1/VM2 to VM3/VM4" %
(test_stub.rule1_ports + test_stub.rule2_ports))
test_util.test_dsc("Allowed egress [ports:] %s to VM1 and VM2" %
test_stub.rule2_ports)
sg_vm.attach(sg3, vm_group2_nics)
test_lib.lib_check_vm_group_ports(
vm4.vm, [vm1.vm, vm2.vm],
(test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_group_ports(
vm2.vm, [vm3.vm, vm4.vm],
(test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
sg_vm.check()
test_util.test_dsc("Add VM3 and VM4 to SG4.")
test_util.test_dsc("Allowed ingress/egress [ports:] %s for VM1" %
test_stub.rule3_ports)
test_util.test_dsc(
"But due to VM1 didn't open related ports, connection will be denied for [ports:] %s from VM1 to VM3 "
% test_stub.rule3_ports)
test_util.test_dsc(
"The enabled connections for VM1/VM3 are still [ports:] %s " %
(test_stub.rule1_ports + test_stub.rule2_ports))
sg_vm.attach(sg4, vm_group2_nics)
test_lib.lib_check_vm_ports(
vm1.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
test_util.test_dsc(
"As VM3/VM4 are in same SG group, rule1+rule2+rule3 [ports:] %s are opened between VM4 and VM3 "
% (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports))
sg_vm.check()
test_util.test_dsc("Add VM1 and VM2 to SG5.")
test_util.test_dsc("Allowed ingress/egress [ports:] %s for VM3" %
test_stub.rule3_ports)
test_util.test_dsc(
"Connection between VM1 and VM3, between VM1 and VM2, between VM3 and VM4 are enabled for [ports:] %s"
% (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports))
sg_vm.attach(sg5, vm_group1_nics)
test_lib.lib_check_vm_ports(
vm1.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports),
(test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm3.vm, vm1.vm, (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports),
(test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm4.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports),
(test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_util.test_dsc("Connection from VM2 to VM3 are enabled for [ports:]" %
(test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports))
test_lib.lib_check_vm_ports(
vm2.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm4.vm, vm2.vm, (test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
#test_util.test_dsc("VM5 was not granted with rule2 and rule3 ports, so only rule1 [ports:] %s are allowned to connect to other VMs." % test_stub.rule1_ports)
#test_lib.lib_check_vm_ports(vm5.vm, vm3.vm, test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
#clean up.
for sg in sg1, sg2, sg3, sg4, sg5:
sg_vm.delete_sg(sg)
test_obj_dict.rm_sg(sg.security_group.uuid)
for vm in vm1, vm2, vm3, vm4, vm5:
vm.destroy()
test_obj_dict.rm_vm(vm)
test_util.test_pass(
'Security Group Vlan VirtualRouter VM complex testing with 2 Groups 5 VMs Test Success'
)
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
global test_obj_dict
test_util.test_dsc(
"Create 2 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
nic_uuid = vm1.vm.vmNics[0].uuid
vm_nics = (nic_uuid, vm1)
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm2_ip = test_lib.lib_get_vm_nic_by_l3(vm2.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
#test_util.test_dsc("Create SG rule6: allow connection from VR to port 0~65535 to make VR can connect VMs to do testing")
#rule6 = inventory.SecurityGroupRuleAO()
#rule6.allowedCidr = '%s/32' % vr_internal_ip
#rule6.protocol = inventory.TCP
#rule6.startPort = 0
#rule6.endPort = 65535
#rule6.type = inventory.INGRESS
#test_util.test_dsc("Create SG rule7: allow connection from VR to port 0~65535 to make VR can connect VMs to do testing")
#rule7 = inventory.SecurityGroupRuleAO()
#rule7.allowedCidr = '%s/32' % vr_internal_ip
#rule7.protocol = inventory.ICMP
#rule7.startPort = -1
#rule7.endPort = -1
#rule7.type = inventory.EGRESS
#test_stub.lib_add_sg_rules(sg1.uuid, [rule1, rule6, rule7])
#add sg1
test_util.test_dsc("Add VM1 nic to security group 1.")
sg_vm.attach(sg1, [vm_nics])
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1")
vm1.stop()
sg_vm.check()
#add sg2
test_util.test_dsc("Add VM1 nic to security group 2 to stopped vm1.")
sg_vm.attach(sg2, [vm_nics])
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed ports(rules1 + rule2 + rule3): %s" %
tmp_allowed_ports)
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1 again")
vm1.stop()
sg_vm.check()
#add sg3
test_util.test_dsc("Add nic to security group 3 to stopped vm1.")
sg_vm.attach(sg3, [vm_nics])
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.check()
#shutdown vm1
test_util.test_dsc("Shutdown VM1 again")
vm1.stop()
sg_vm.check()
test_util.test_dsc("remove rule2 from sg2 and rule4 from sg3")
sg2.delete_rule([rule2])
sg3.delete_rule([rule4])
sg_vm.check()
test_util.test_dsc("Start VM1")
vm1.start()
vm1.check()
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed ports: %s" % tmp_allowed_ports)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
sg_vm.check()
sg_vm.delete_sg(sg3)
test_obj_dict.rm_sg(sg3.security_group.uuid)
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
test_util.test_pass(
'Security Group Vlan VirtualRouter VM Add/Remove rules to stopped VM Test Success'
)
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm3)
vm1.check()
vm2.check()
vm3.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vm3_ip = test_lib.lib_get_vm_nic_by_l3(vm3.vm, l3_uuid).ip
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
rule3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
rule4 = test_lib.lib_gen_sg_rule(Port.rule4_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
rule5 = test_lib.lib_gen_sg_rule(Port.rule5_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
sg1.add_rule([rule1])
sg2.add_rule([rule1, rule2, rule3])
sg3.add_rule([rule3, rule4, rule5])
sg_vm.add_stub_vm(l3_uuid, vm3)
sg_vm.check()
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
#vm_nics = [nic_uuid1, nic_uuid2]
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("Allowed egress ports: %s" % test_stub.rule1_ports)
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.check()
test_util.test_dsc("Remove nic from security group 1.")
test_util.test_dsc("Allowed egress ports: %s" % test_stub.target_ports)
sg_vm.detach(sg1, nic_uuid1)
sg_vm.detach(sg1, nic_uuid2)
sg_vm.check()
test_util.test_dsc("Remove rule1 from security group 1.")
sg1.delete_rule([rule1])
test_util.test_dsc("Add nic to security group 1 again.")
test_util.test_dsc("Allowed egress ports: %s" % test_stub.target_ports)
sg_vm.attach(sg1, [vm1_nics, vm2_nics])
sg_vm.check()
test_util.test_dsc("Add rule1, rule2, rule3 to security group 1.")
test_util.test_dsc("Allowed egress ports: %s" % test_stub.target_ports)
sg1.add_rule([rule1, rule2, rule3])
sg_vm.check()
#can't directly remove rule1, as it will block vr ssh connection.
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed egress ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
test_util.test_dsc("Add rule2, rule3 back to security group 1.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed egress ports: %s" % tmp_allowed_ports)
sg1.add_rule([rule2, rule3])
sg_vm.check()
test_util.test_dsc("Remove rule2/3 from security group 1.")
test_util.test_dsc("Allowed egress ports: %s" % test_stub.rule1_ports)
sg1.delete_rule([rule2, rule3])
sg_vm.check()
#add sg2 to vm1
test_util.test_dsc("Add vm 1 nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed egress ports for vm1 to vm3: %s" % tmp_allowed_ports)
sg_vm.attach(sg2, [vm1_nics])
sg_vm.check()
#add sg2 to vm2
test_util.test_dsc("Add vm 2 nic to security group 2.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports
test_util.test_dsc("Allowed egress ports for vm1 and vm2: %s" % tmp_allowed_ports)
sg_vm.attach(sg2, [vm2_nics])
sg_vm.check()
#add sg3
test_util.test_dsc("Add nic to security group 3.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed egress ports: %s" % tmp_allowed_ports)
sg_vm.attach(sg3, [vm1_nics, vm2_nics])
sg_vm.check()
#remove sg2
test_util.test_dsc("Remove security group 2 for nic.")
tmp_allowed_ports = test_stub.rule1_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports
test_util.test_dsc("Allowed egress ports: %s" % tmp_allowed_ports)
sg_vm.detach(sg2, nic_uuid1)
sg_vm.detach(sg2, nic_uuid2)
sg_vm.check()
#delete sg3
test_util.test_dsc("Delete security group 3.")
test_util.test_dsc("Allowed ports: %s" % test_stub.rule1_ports)
sg3.delete()
test_obj_dict.rm_sg(sg3.security_group.uuid)
sg_vm.check()
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
vm3.destroy()
test_obj_dict.rm_vm(vm3)
test_util.test_pass('Security Group Vlan VirtualRouter 2 VMs Group Egress Test Success')
def test():
global eip_snatInboundTraffic_default_value
global pf_snatInboundTraffic_default_value
vm = test_stub.create_dnat_vm()
test_obj_dict.add_vm(vm)
#disable snatInboundTraffic and save global config value
eip_snatInboundTraffic_default_value = \
conf_ops.change_global_config('eip', 'snatInboundTraffic', 'false')
pf_snatInboundTraffic_default_value = \
conf_ops.change_global_config('portForwarding', \
'snatInboundTraffic', 'false')
l3_name = os.environ.get('l3VlanNetworkName1')
vr1_l3_uuid = test_lib.lib_get_l3_by_name(l3_name).uuid
vrs = test_lib.lib_find_vr_by_l3_uuid(vr1_l3_uuid)
temp_vm1 = None
if not vrs:
#create temp_vm1 for getting vlan1's vr for test vm portforwarding
temp_vm1 = test_stub.create_vlan_vm()
test_obj_dict.add_vm(temp_vm1)
vr1 = test_lib.lib_find_vr_by_vm(temp_vm1.vm)[0]
else:
vr1 = vrs[0]
l3_name = os.environ.get('l3NoVlanNetworkName1')
vr2_l3_uuid = test_lib.lib_get_l3_by_name(l3_name).uuid
vrs = test_lib.lib_find_vr_by_l3_uuid(vr2_l3_uuid)
temp_vm2 = None
if not vrs:
#create temp_vm2 for getting novlan's vr for test vm portforwarding
temp_vm2 = test_stub.create_user_vlan_vm()
test_obj_dict.add_vm(temp_vm2)
vr2 = test_lib.lib_find_vr_by_vm(temp_vm2.vm)[0]
else:
vr2 = vrs[0]
if temp_vm1:
temp_vm1.destroy()
test_obj_dict.rm_vm(temp_vm1)
if temp_vm2:
temp_vm2.destroy()
test_obj_dict.rm_vm(temp_vm2)
vr1_pub_ip = test_lib.lib_find_vr_pub_ip(vr1)
vr2_pub_ip = test_lib.lib_find_vr_pub_ip(vr2)
vm.check()
vm_nic = vm.vm.vmNics[0]
vm_nic_uuid = vm_nic.uuid
pri_l3_uuid = vm_nic.l3NetworkUuid
vr = test_lib.lib_find_vr_by_l3_uuid(pri_l3_uuid)[0]
vr_pub_nic = test_lib.lib_find_vr_pub_nic(vr)
l3_uuid = vr_pub_nic.l3NetworkUuid
vip = test_stub.create_vip('eip_sg_test', l3_uuid)
test_obj_dict.add_vip(vip)
vip_uuid = vip.get_vip().uuid
eip = test_stub.create_eip('eip sg test', vip_uuid, vm_nic_uuid, vm)
vip.attach_eip(eip)
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg_vm = zstack_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vm_nics = (vm_nic_uuid, vm)
rule1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vr1_pub_ip)
rule2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vr2_pub_ip)
sg1.add_rule([rule1])
test_util.test_dsc("Add nic to security group 1.")
test_util.test_dsc("EIP connection is allowed from VR1, but denied from VR2.")
sg_vm.attach(sg1, [vm_nics])
vip.check()
test_util.test_dsc("Remove rule1 from security group 1.")
test_util.test_dsc("EIP is still allowed from all VR")
sg1.delete_rule([rule1])
vip.check()
test_util.test_dsc("Add rule2")
test_util.test_dsc("EIP is not allowed by VR2, VR1 is allowed. ")
sg1.add_rule([rule2])
vip.check()
test_util.test_dsc("Delete SG")
sg_vm.delete_sg(sg1)
test_util.test_dsc("PF rule is allowed")
vip.check()
vm.destroy()
test_obj_dict.rm_vm(vm)
vip.check()
eip.delete()
vip.delete()
test_obj_dict.rm_vip(vip)
conf_ops.change_global_config('eip', 'snatInboundTraffic', \
eip_snatInboundTraffic_default_value )
conf_ops.change_global_config('portForwarding', 'snatInboundTraffic', \
pf_snatInboundTraffic_default_value)
test_util.test_pass("Test EIP and SG coexistance Successfully")
