authorZuul <zuul@review.openstack.org>2018-05-17 08:09:28 +0000
committerGerrit Code Review <review@openstack.org>2018-05-17 08:09:28 +0000
commit9b2d1d53c8bb43d1fd9bf9f2c929fa42cdc9c626 (patch)
tree780e9750f9423eda1edff18d46cbf6f92b3a36fe
parent37bf4889ba8713f12c97cdb3f8246ad39555b047 (diff)
parent1658e353c336d666ec43f725bd2c87633b43571d (diff)
Merge "Fullstack: Add using multiple security groups"
-rw-r--r--neutron/tests/fullstack/test_securitygroup.py193
1 files changed, 150 insertions, 43 deletions
diff --git a/neutron/tests/fullstack/test_securitygroup.py b/neutron/tests/fullstack/test_securitygroup.py
index 0bf0dc5..a53ecb1 100644
--- a/neutron/tests/fullstack/test_securitygroup.py
+++ b/neutron/tests/fullstack/test_securitygroup.py
@@ -100,6 +100,8 @@ class TestSecurityGroupsSameNetwork(BaseSecurityGroupsSameNetworkTest):
100 'l2_agent_type': constants.AGENT_TYPE_LINUXBRIDGE, 100 'l2_agent_type': constants.AGENT_TYPE_LINUXBRIDGE,
101 'num_hosts': 2})] 101 'num_hosts': 2})]
102 102
103 index_to_sg = [0, 0, 1, 2]
104
103 # NOTE(toshii): As a firewall_driver can interfere with others, 105 # NOTE(toshii): As a firewall_driver can interfere with others,
104 # the recommended way to add test is to expand this method, not 106 # the recommended way to add test is to expand this method, not
105 # adding another. 107 # adding another.
@@ -116,50 +118,13 @@ class TestSecurityGroupsSameNetwork(BaseSecurityGroupsSameNetworkTest):
116 8. test other protocol functionality by using SCTP protocol 118 8. test other protocol functionality by using SCTP protocol
117 9. test two vms with same mac on the same host in different 119 9. test two vms with same mac on the same host in different
118 networks 120 networks
121 10. test using multiple security groups
119 """ 122 """
120 index_to_sg = [0, 0, 1, 2]
121 if self.firewall_driver == 'iptables_hybrid':
122 # The iptables_hybrid driver lacks isolation between agents
123 index_to_host = [0] * 4
124 else:
125 index_to_host = [0, 1, 1, 0]
126 123
127 tenant_uuid = uuidutils.generate_uuid() 124 tenant_uuid = uuidutils.generate_uuid()
128 125 subnet_cidr = '20.0.0.0/24'
129 network = self.safe_client.create_network(tenant_uuid) 126 vms, ports, sgs, network, index_to_host = self._create_resources(
130 self.safe_client.create_subnet( 127 tenant_uuid, subnet_cidr)
131 tenant_uuid, network['id'], '20.0.0.0/24')
132
133 sgs = [self.safe_client.create_security_group(tenant_uuid)
134 for i in range(3)]
135 ports = [
136 self.safe_client.create_port(tenant_uuid, network['id'],
137 self.environment.hosts[host].hostname,
138 security_groups=[],
139 port_security_enabled=False)
140 for host in index_to_host]
141
142 self.safe_client.create_security_group_rule(
143 tenant_uuid, sgs[0]['id'],
144 remote_group_id=sgs[0]['id'], direction='ingress',
145 ethertype=constants.IPv4,
146 protocol=constants.PROTO_NAME_TCP,
147 port_range_min=3333, port_range_max=3333)
148
149 vms = [
150 self.useFixture(
151 machine.FakeFullstackMachine(
152 self.environment.hosts[host],
153 network['id'],
154 tenant_uuid,
155 self.safe_client,
156 neutron_port=ports[port],
157 use_dhcp=True))
158 for port, host in enumerate(index_to_host)]
159
160 for vm in vms:
161 vm.block_until_boot()
162 vm.block_until_dhcp_config_done()
163 128
164 # 0. check that traffic is allowed when port security is disabled 129 # 0. check that traffic is allowed when port security is disabled
165 self.assert_connection( 130 self.assert_connection(
@@ -173,7 +138,7 @@ class TestSecurityGroupsSameNetwork(BaseSecurityGroupsSameNetworkTest):
173 net_helpers.assert_ping(vms[1].namespace, vms[2].ip) 138 net_helpers.assert_ping(vms[1].namespace, vms[2].ip)
174 139
175 # Apply security groups to the ports 140 # Apply security groups to the ports
176 for port, sg in zip(ports, index_to_sg): 141 for port, sg in zip(ports, self.index_to_sg):
177 self.safe_client.client.update_port( 142 self.safe_client.client.update_port(
178 port['id'], 143 port['id'],
179 body={'port': {'port_security_enabled': True, 144 body={'port': {'port_security_enabled': True,
@@ -232,7 +197,7 @@ class TestSecurityGroupsSameNetwork(BaseSecurityGroupsSameNetworkTest):
232 # 6. check if an established connection stops by deleting 197 # 6. check if an established connection stops by deleting
233 # the supporting SG rule. 198 # the supporting SG rule.
234 index_to_host.append(index_to_host[2]) 199 index_to_host.append(index_to_host[2])
235 index_to_sg.append(1) 200 self.index_to_sg.append(1)
236 ports.append( 201 ports.append(
237 self.safe_client.create_port(tenant_uuid, network['id'], 202 self.safe_client.create_port(tenant_uuid, network['id'],
238 self.environment.hosts[ 203 self.environment.hosts[
@@ -306,6 +271,148 @@ class TestSecurityGroupsSameNetwork(BaseSecurityGroupsSameNetworkTest):
306 # 9. test two vms with same mac on the same host in different networks 271 # 9. test two vms with same mac on the same host in different networks
307 self._test_overlapping_mac_addresses() 272 self._test_overlapping_mac_addresses()
308 273
274 # 10. Check using multiple security groups
275 self._test_using_multiple_security_groups()
276
277 def _test_using_multiple_security_groups(self):
278 """Test using multiple security groups.
279
280 This test will do following things:
281 1. Create three vms with two security groups. vm0, vm1 in sg0;
282 vm2 in sg1.
283 2. Add SSH and ICMP rules in sg0. vm0 and vm1 can ping and ssh
284 for each other, but can not access between vm0 and vm2.
285 3. Using multiple security groups(sg0, sg1) for vm0, and sg1
286 have rules allowed sg0 access(ICMP), so vm0 and vm1 can
287 ping vm2.
288 4. Then remove sg0 from vm0, we removed ICMP and SSH rules.
289 vm0 and vm1 can not ping and ssh for each other.
290 """
291
292 tenant_uuid = uuidutils.generate_uuid()
293 subnet_cidr = '30.0.0.0/24'
294 vms, ports, sgs, _, _ = self._create_resources(tenant_uuid,
295 subnet_cidr)
296
297 # Apply security groups to the ports
298 for port, sg in zip(ports, self.index_to_sg):
299 self.safe_client.client.update_port(
300 port['id'],
301 body={'port': {'port_security_enabled': True,
302 'security_groups': [sgs[sg]['id']]}})
303
304 # Traffic not explicitly allowed (eg. SSH, ICMP) is blocked
305 self.verify_no_connectivity_between_vms(
306 vms[1], vms[0], net_helpers.NetcatTester.TCP, 22)
307
308 net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip)
309 net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip)
310 net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip)
311
312 # Add SSH and ICMP allowed in the same security group
313 self.safe_client.create_security_group_rule(
314 tenant_uuid, sgs[0]['id'],
315 remote_group_id=sgs[0]['id'], direction='ingress',
316 ethertype=constants.IPv4,
317 protocol=constants.PROTO_NAME_TCP,
318 port_range_min=22, port_range_max=22)
319
320 self.verify_connectivity_between_vms(
321 vms[1], vms[0], net_helpers.NetcatTester.TCP, 22)
322
323 self.verify_no_connectivity_between_vms(
324 vms[2], vms[0], net_helpers.NetcatTester.TCP, 22)
325
326 self.safe_client.create_security_group_rule(
327 tenant_uuid, sgs[0]['id'],
328 remote_group_id=sgs[0]['id'], direction='ingress',
329 ethertype=constants.IPv4,
330 protocol=constants.PROTO_NAME_ICMP)
331
332 net_helpers.assert_ping(vms[1].namespace, vms[0].ip)
333 net_helpers.assert_no_ping(vms[2].namespace, vms[0].ip)
334
335 # Update vm0 to use two security groups
336 # Add security group rules(ICMP) in another security group
337 self.safe_client.client.update_port(
338 ports[0]['id'],
339 body={'port': {'security_groups': [sgs[0]['id'],
340 sgs[1]['id']]}})
341
342 self.safe_client.create_security_group_rule(
343 tenant_uuid, sgs[1]['id'],
344 remote_group_id=sgs[0]['id'], direction='ingress',
345 ethertype=constants.IPv4,
346 protocol=constants.PROTO_NAME_ICMP)
347
348 net_helpers.assert_ping(vms[0].namespace, vms[2].ip)
349 net_helpers.assert_ping(vms[1].namespace, vms[2].ip)
350 net_helpers.assert_no_ping(vms[2].namespace, vms[0].ip)
351 net_helpers.assert_no_ping(vms[2].namespace, vms[1].ip)
352
353 self.verify_connectivity_between_vms(
354 vms[1], vms[0], net_helpers.NetcatTester.TCP, 22)
355
356 self.verify_no_connectivity_between_vms(
357 vms[2], vms[0], net_helpers.NetcatTester.TCP, 22)
358
359 # Remove first security group from port
360 self.safe_client.client.update_port(
361 ports[0]['id'],
362 body={'port': {'security_groups': [sgs[1]['id']]}})
363
364 net_helpers.assert_ping(vms[0].namespace, vms[2].ip)
365 net_helpers.assert_ping(vms[1].namespace, vms[2].ip)
366 net_helpers.assert_no_ping(vms[2].namespace, vms[0].ip)
367 net_helpers.assert_no_ping(vms[2].namespace, vms[1].ip)
368
369 self.verify_no_connectivity_between_vms(
370 vms[1], vms[0], net_helpers.NetcatTester.TCP, 22)
371
372 # NOTE: This can be used after refactor other tests to
373 # one scenario one test.
374 def _create_resources(self, tenant_uuid, subnet_cidr):
375 if self.firewall_driver == 'iptables_hybrid':
376 # The iptables_hybrid driver lacks isolation between agents
377 index_to_host = [0] * 4
378 else:
379 index_to_host = [0, 1, 1, 0]
380
381 network = self.safe_client.create_network(tenant_uuid)
382 self.safe_client.create_subnet(
383 tenant_uuid, network['id'], subnet_cidr)
384
385 sgs = [self.safe_client.create_security_group(tenant_uuid)
386 for i in range(3)]
387 ports = [
388 self.safe_client.create_port(tenant_uuid, network['id'],
389 self.environment.hosts[host].hostname,
390 security_groups=[],
391 port_security_enabled=False)
392 for host in index_to_host]
393
394 self.safe_client.create_security_group_rule(
395 tenant_uuid, sgs[0]['id'],
396 remote_group_id=sgs[0]['id'], direction='ingress',
397 ethertype=constants.IPv4,
398 protocol=constants.PROTO_NAME_TCP,
399 port_range_min=3333, port_range_max=3333)
400
401 vms = [
402 self.useFixture(
403 machine.FakeFullstackMachine(
404 self.environment.hosts[host],
405 network['id'],
406 tenant_uuid,
407 self.safe_client,
408 neutron_port=ports[port],
409 use_dhcp=True))
410 for port, host in enumerate(index_to_host)]
411 map(lambda vm: vm.block_until_boot(), vms)
412 map(lambda vm: vm.block_until_dhcp_config_done(), vms)
413
414 return vms, ports, sgs, network, index_to_host
415
309 def _create_vm_on_host( 416 def _create_vm_on_host(
310 self, project_id, network_id, sg_id, host, mac_address=None): 417 self, project_id, network_id, sg_id, host, mac_address=None):
311 if mac_address: 418 if mac_address:
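Review bot: The two `map(lambda vm: ..., vms)` calls at the end of `_create_resources` (new lines 411–412) never execute the boot and DHCP waits under Python 3, because `map` is lazy and its result is discarded, so the connectivity assertions that follow in both scenarios can race against VMs that have not finished booting; the explicit loop that the commit removed should be restored: `for vm in vms:` / `    vm.block_until_boot()` / `    vm.block_until_dhcp_config_done()`. A second point: `index_to_sg` is now a class attribute (new line 103) and step 6 does `self.index_to_sg.append(1)`, which mutates that class-level list in place, so it appears to grow with every test instance that runs this method (the scenario variants share the class), and `_test_using_multiple_security_groups` already zips ports against the mutated list; taking a local copy (`index_to_sg = list(self.index_to_sg)`) or returning it from `_create_resources` alongside `index_to_host` keeps each scenario independent. `_create_resources` also has no docstring; a short one stating that it returns `(vms, ports, sgs, network, index_to_host)`, that every port starts with port security disabled and no security group, and that `sgs[0]` already carries a self-referencing ingress TCP/3333 rule would prevent the next scenario author from being surprised by that pre-existing rule.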