Add new tests with remote sg rules.

-dvs_remote_sg_simple
-dvs_remote_ip_prefix

Change-Id: Ibe859ad484aca579db688eb60b30c8027a928155
This commit is contained in:
otsvigun 2016-03-25 12:03:00 +02:00
parent 2ba6f4b7eb
commit a30f715e2c
3 changed files with 422 additions and 68 deletions


@ -12,6 +12,7 @@ WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
"""
import time
from devops.error import TimeoutError
@ -124,30 +125,26 @@ def check_connection_vms(os_conn, fip, remote, command='pingv4',
"pingv6": "ping6 -c 5 {}",
"arping": "sudo arping -I eth0 {}"}
if not destination_ip:
ip_pair = [
(ip_1, ip_2)
for ip_1 in fip
for ip_2 in fip
if ip_1 != ip_2]
else:
ip_pair = [
(ip_1, ip_2)
for ip_1 in fip
for ip_2 in destination_ip]
for ips in ip_pair:
logger.info("Connect to VM {0}".format(ips[0]))
command_result = os_conn.execute_through_host(
remote, ips[0],
commands[command].format(ips[1]), instance_creds)
ip_pair = dict.fromkeys(fip)
for key in ip_pair:
if destination_ip:
ip_pair[key] = destination_ip
else:
ip_pair[key] = [value for value in fip if key != value]
for ip_from in ip_pair:
logger.info("Connect to VM {0}".format(ip_from))
for ip_to in ip_pair[ip_from]:
command_result = os_conn.execute_through_host(
remote, ip_from,
commands[command].format(ip_to), instance_creds)
assert_true(
result_of_command == command_result['exit_code'],
" Command {0} from Vm {1},"
" executed with code {2}".format(
commands[command].format(ips[1]),
ips[0], command_result)
)
assert_true(
result_of_command == command_result['exit_code'],
" Command {0} from Vm {1},"
" executed with code {2}".format(
commands[command].format(ip_to),
ip_to, command_result)
)
def create_and_assign_floating_ips(os_conn, instances_list):
@ -161,7 +158,7 @@ def create_and_assign_floating_ips(os_conn, instances_list):
ip = os_conn.assign_floating_ip(
instance).ip
fips.append(ip)
wait(lambda: icmp_ping(ip), timeout=60 * 3, interval=5)
wait(lambda: icmp_ping(ip), timeout=60 * 5, interval=5)
return fips
@ -183,21 +180,32 @@ def get_ssh_connection(ip, username, userpassword, timeout=30, port=22):
return ssh
def remote_execute_command(instance1_ip, instance2_ip, command):
def remote_execute_command(instance1_ip, instance2_ip, command, wait=30):
"""Check execute remote command.
:param instance1: string, instance ip connect from
:param instance2: string, instance ip connect to
:param command: string, remote command
:param wait: integer, time to wait available ip of instances
"""
ssh = get_ssh_connection(instance1_ip, instance_creds[0],
instance_creds[1], timeout=30)
interm_transp = ssh.get_transport()
logger.info("Opening channel to VM")
interm_chan = interm_transp.open_channel('direct-tcpip',
(instance2_ip, 22),
(instance1_ip, 0))
try:
logger.info("Opening channel between VMs {0} and {1}".format(
instance1_ip, instance2_ip))
interm_chan = interm_transp.open_channel('direct-tcpip',
(instance2_ip, 22),
(instance1_ip, 0))
except Exception as e:
logger.info(
"{}. Wait to update sg rules and try to open channel again".format(
e))
time.sleep(wait)
interm_chan = interm_transp.open_channel('direct-tcpip',
(instance2_ip, 22),
(instance1_ip, 0))
logger.info("Opening paramiko transport")
transport = paramiko.Transport(interm_chan)
logger.info("Starting client")
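Review bot: The rewritten assertion message at the end of the check_connection_vms hunk names the wrong VM: the new loop formats `ip_to` into the "from Vm {1}" slot where the old code used the source address (`ips[0]`), so a failure will report the destination as the sender; the arguments should be `commands[command].format(ip_to),` / `ip_from, command_result['exit_code'])` — `{2}` is also fed the whole result dict rather than its exit code. check_connection_vms starts before this hunk. In remote_execute_command the new retry catches `Exception`, so any open_channel failure (unreachable host, timeout, protocol error) is slept on and retried once, and the second attempt is unguarded; narrowing it to `except paramiko.SSHException as e:` limits the retry to the channel-rejection case the log message describes. The docstring there also names the parameters `instance1`/`instance2` while the signature has `instance1_ip`/`instance2_ip`, and `wait` should be documented as seconds, since it is passed straight to `time.sleep`.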


@ -15,10 +15,10 @@ under the License.
import subprocess
from proboscis.asserts import assert_true
from fuelweb_test import logger
from proboscis.asserts import assert_true
class Vmrun(object):
"""Vmrun utilite wrapper."""


@ -65,6 +65,25 @@ class TestDVSSystem(TestBasic):
instance_creds = (
openstack.get_defaults()['os_credentials']['cirros']['user'],
openstack.get_defaults()['os_credentials']['cirros']['password'])
# security group rules
tcp = {
"security_group_rule":
{"direction": "ingress",
"port_range_min": "22",
"ethertype": "IPv4",
"port_range_max": "22",
"protocol": "TCP",
"security_group_id": "",
"remote_group_id": None,
"remote_ip_prefix": None}}
icmp = {
"security_group_rule":
{"direction": "ingress",
"ethertype": "IPv4",
"protocol": "icmp",
"security_group_id": "",
"remote_group_id": None,
"remote_ip_prefix": None}}
@test(depends_on=[SetupEnvironment.prepare_slaves_5],
groups=["dvs_vcenter_systest_setup", 'dvs_vcenter_system'])
@ -424,21 +443,8 @@ class TestDVSSystem(TestBasic):
Duration: 30 min
"""
# security group rules
tcp = {
"security_group_rule":
{"direction": "ingress",
"port_range_min": "22",
"ethertype": "IPv4",
"port_range_max": "22",
"protocol": "TCP",
"security_group_id": ""}}
icmp = {
"security_group_rule":
{"direction": "ingress",
"ethertype": "IPv4",
"protocol": "icmp",
"security_group_id": ""}}
# constants
wait_to_update_rules_on_dvs_ports = 30
self.show_step(1)
self.env.revert_snapshot("dvs_vcenter_systest_setup")
@ -499,19 +505,18 @@ class TestDVSSystem(TestBasic):
os_conn.goodbye_security()
self.show_step(5)
sec_name = ['SG1', 'SG2']
sg1 = os_conn.nova.security_groups.create(
sec_name[0], "descr")
'SG1', "descr")
self.show_step(6)
tcp["security_group_rule"]["security_group_id"] = sg1.id
os_conn.neutron.create_security_group_rule(tcp)
self.tcp["security_group_rule"]["security_group_id"] = sg1.id
os_conn.neutron.create_security_group_rule(self.tcp)
self.show_step(7)
sg2 = os_conn.nova.security_groups.create(
sec_name[1], "descr")
'SG2', "descr")
self.show_step(8)
icmp["security_group_rule"]["security_group_id"] = sg2.id
os_conn.neutron.create_security_group_rule(icmp)
self.icmp["security_group_rule"]["security_group_id"] = sg2.id
os_conn.neutron.create_security_group_rule(self.icmp)
logger.info("""Attach SG_1 and SG2 to instances""")
for srv in srv_list:
@ -540,8 +545,6 @@ class TestDVSSystem(TestBasic):
openstack.remote_execute_command(ips[0], ips[1], ' ')
self.show_step(11)
sg_rules = os_conn.neutron.list_security_group_rules()[
'security_group_rules']
sg_rules = [
sg_rule for sg_rule
in os_conn.neutron.list_security_group_rules()[
@ -550,6 +553,8 @@ class TestDVSSystem(TestBasic):
for rule in sg_rules:
os_conn.neutron.delete_security_group_rule(rule['id'])
time.sleep(wait_to_update_rules_on_dvs_ports)
self.show_step(12)
for ip in floating_ip:
try:
@ -560,16 +565,16 @@ class TestDVSSystem(TestBasic):
logger.info('{}'.format(e))
self.show_step(13)
tcp["security_group_rule"]["security_group_id"] = sg2.id
os_conn.neutron.create_security_group_rule(tcp)
tcp["security_group_rule"]["direction"] = "egress"
os_conn.neutron.create_security_group_rule(tcp)
self.tcp["security_group_rule"]["security_group_id"] = sg2.id
os_conn.neutron.create_security_group_rule(self.tcp)
self.tcp["security_group_rule"]["direction"] = "egress"
os_conn.neutron.create_security_group_rule(self.tcp)
time.sleep(wait_to_update_rules_on_dvs_ports)
self.show_step(14)
for ips in ip_pair:
wait(
lambda: openstack.remote_execute_command(
ips[0], ips[1], ' '), timeout=30, interval=5)
openstack.remote_execute_command(ips[0], ips[1], ' ')
self.show_step(15)
openstack.check_connection_vms(
@ -577,12 +582,14 @@ class TestDVSSystem(TestBasic):
command='pingv4', result_of_command=1)
self.show_step(16)
icmp["security_group_rule"]["security_group_id"] = sg1.id
os_conn.neutron.create_security_group_rule(icmp)
icmp["security_group_rule"]["direction"] = "egress"
os_conn.neutron.create_security_group_rule(icmp)
logger.info(
"Add Ingress and egress rules for ICMP protocol to SG_1")
self.icmp["security_group_rule"]["security_group_id"] = sg1.id
os_conn.neutron.create_security_group_rule(self.icmp)
self.icmp["security_group_rule"]["direction"] = "egress"
os_conn.neutron.create_security_group_rule(self.icmp)
time.sleep(30) # need wait to update rules on dvs ports
time.sleep(wait_to_update_rules_on_dvs_ports)
self.show_step(17)
openstack.check_connection_vms(
os_conn, floating_ip, remote=ssh_contr,
@ -597,7 +604,8 @@ class TestDVSSystem(TestBasic):
for srv in srv_list:
srv.add_security_group('default')
time.sleep(30) # need wait to update rules on dvs ports
time.sleep(wait_to_update_rules_on_dvs_ports)
self.show_step(23)
openstack.check_connection_vms(
os_conn, floating_ip, remote=ssh_contr,
@ -1480,3 +1488,341 @@ class TestDVSSystem(TestBasic):
"Timeout is reached. Current state of stack is {}".format(
current_state)
)
@test(depends_on=[dvs_vcenter_systest_setup],
groups=["dvs_remote_sg_simple"])
@log_snapshot_after_test
def dvs_remote_sg_simple(self):
"""Simple remote security group rules.
Verify that network traffic is allowed/prohibited to instances
according security groups rules.
Scenario:
1. Setup for system tests.
2. Create net_1: net01__subnet, 192.168.1.0/24, and attach it to
the router01.
3. Create security groups: SG1, SG2
4. Delete all defaults egress rules of SG1 and SG2.
5. Add icmp rule to SG1:
Ingress rule with ip protocol 'icmp ', port range any, SG group
'SG1'
Egress rule with ip protocol 'icmp ', port range any, SG group
'SG1'
6. Add icmp rule to SG2:
Ingress rule with ip protocol 'icmp ', port range any, SG group
'SG2'
Egress rule with ip protocol 'icmp ', port range any, SG group
'SG2'
7. Launch 2 instance of vcenter az with SG1 in net1.
Launch 2 instance of nova az with SG1 in net1.
8. Launch 2 instance of vcenter az with SG2 in net1.
Launch 2 instance of nova az with SG2 in net1.
9. Verify that icmp ping is enabled between VMs from SG1.
10. Verify that icmp ping is enabled between instances from SG2.
11. Verify that icmp ping is not enabled between instances from SG1
and VMs from SG2.
"""
self.show_step(1)
self.env.revert_snapshot("dvs_vcenter_systest_setup")
cluster_id = self.fuel_web.get_last_created_cluster()
os_ip = self.fuel_web.get_public_vip(cluster_id)
admin = os_actions.OpenStackActions(
os_ip, SERVTEST_USERNAME,
SERVTEST_PASSWORD,
SERVTEST_TENANT)
tenant = admin.get_tenant(SERVTEST_TENANT)
# create security group with rules for ssh and ping
security_group = admin.create_sec_group_for_ssh()
self.show_step(2)
network = admin.create_network(
network_name=self.net_data[0].keys()[0],
tenant_id=tenant.id)['network']
subnet = admin.create_subnet(
subnet_name=network['name'],
network_id=network['id'],
cidr=self.net_data[0][self.net_data[0].keys()[0]],
ip_version=4)
# Check that network are created.
assert_true(
admin.get_network(network['name'])['id'] == network['id']
)
# Create Router_01, set gateway and add interface
# to external network.
router_1 = admin.create_router(
'router_1',
tenant=tenant)
# Add net_1 to router_1
admin.add_router_interface(
router_id=router_1["id"],
subnet_id=subnet["id"])
self.show_step(3)
sg1 = admin.nova.security_groups.create(
'SG1', "descr")
sg2 = admin.nova.security_groups.create(
'SG2', "descr")
self.show_step(4)
sg_rules = [
sg_rule for sg_rule
in admin.neutron.list_security_group_rules()[
'security_group_rules']
if sg_rule['security_group_id'] in [sg1.id, sg2.id]]
for rule in sg_rules:
admin.neutron.delete_security_group_rule(rule['id'])
self.show_step(5)
self.show_step(6)
for sg in [sg1, sg2]:
for rule in [self.icmp, self.tcp]:
rule["security_group_rule"]["security_group_id"] = sg.id
rule["security_group_rule"]["remote_group_id"] = sg.id
rule["security_group_rule"]["direction"] = "ingress"
admin.neutron.create_security_group_rule(rule)
rule["security_group_rule"]["direction"] = "egress"
admin.neutron.create_security_group_rule(rule)
# create access_point to instances from SG1 and SG2
access_point, access_point_ip = openstack.create_access_point(
os_conn=admin, nics=[{'net-id': network['id']}],
security_groups=[security_group.name, sg1.name, sg2.name])
self.show_step(7)
istances_sg1 = openstack.create_instances(
os_conn=admin, nics=[{'net-id': network['id']}],
vm_count=1,
security_groups=[sg1.name])
self.show_step(8)
istances_sg2 = openstack.create_instances(
os_conn=admin, nics=[{'net-id': network['id']}],
vm_count=1,
security_groups=[sg2.name])
openstack.verify_instance_state(admin)
# Get private ips of instances
ips = {}
ips['SG1'] = [
admin.get_nova_instance_ip(instance, net_name=network['name'])
for instance in istances_sg1]
ips['SG2'] = [
admin.get_nova_instance_ip(instance, net_name=network['name'])
for instance in istances_sg2]
self.show_step(9)
self.show_step(10)
for group in ips:
for ip_1 in ips[group]:
for ip_2 in ips[group]:
if ip_2 != ip_1:
ping_result = openstack.remote_execute_command(
access_point_ip, ip_1, "ping -c 5 {}".format(ip_2),
wait=60 * 4)
assert_true(
ping_result['exit_code'] == 0,
"Ping isn't available from {0} to {1}".format(
ip_1, ip_2)
)
self.show_step(11)
for ip_1 in ips['SG1']:
for ip_2 in ips['SG2']:
ping_result = openstack.remote_execute_command(
access_point_ip, ip_1, "ping -c 5 {}".format(ip_2))
assert_true(
ping_result['exit_code'] == 1,
"Ping is available from {0} to {1}".format(ip_1, ip_2)
)
@test(depends_on=[dvs_vcenter_systest_setup],
groups=["dvs_remote_ip_prefix"])
@log_snapshot_after_test
def dvs_remote_ip_prefix(self):
"""Security group rules with remote ip prefix.
Check connection between instances,
according security group rules with remote ip prefix.
Scenario:
1. Setup for system tests.
2. Create net_1: net01__subnet, 192.168.1.0/24, and attach it to
the router01.
3. Create instance 'VM1' of any availability zone in the
default internal network. Associate floating ip.
4. Create instance 'VM2' of any availability zone in the
default internal network. Associate floating ip.
5. Create security groups: SG1 SG2
6. Delete all defaults egress rules of SG1 and SG2.
7. Add icmp rule to SG1:
Ingress rule with ip protocol 'icmp ', port range any,
remote ip prefix <floating ip of VM1>
Egress rule with ip protocol 'icmp ', port range any,
remote ip prefix <floating ip of VM1>
8. Add ssh rule to SG2:
Ingress rule with ip protocol tcp ', port range any,
<internal ip of VM2>
Egress rule with ip protocol 'tcp ', port range any,
<internal ip of VM2>
9. Launch 2 instance 'VM3' and 'VM4' of vcenter az with SG1 and
SG2 in net1.
Launch 2 instance 'VM5' and 'VM6' of nova az with SG1 and SG2
in net1.
10. Verify that icmp ping is enabled from 'VM3', 'VM4', 'VM5' and
'VM6' to VM1 and vice versa.
11. Verify that icmp ping is blocked between 'VM3', 'VM4', 'VM5'
and 'VM6' and vice versa.
12. Verify that ssh is enabled from 'VM3', 'VM4', 'VM5' and 'VM6'
to VM2 and vice versa.
13. Verify that ssh is blocked between 'VM3', 'VM4', 'VM5' and
'VM6' and vice versa.
"""
self.show_step(1)
self.env.revert_snapshot("dvs_vcenter_systest_setup")
cluster_id = self.fuel_web.get_last_created_cluster()
os_ip = self.fuel_web.get_public_vip(cluster_id)
admin = os_actions.OpenStackActions(
os_ip, SERVTEST_USERNAME,
SERVTEST_PASSWORD,
SERVTEST_TENANT)
tenant = admin.get_tenant(SERVTEST_TENANT)
# create security group with rules for ssh and ping
security_group = admin.create_sec_group_for_ssh()
self.show_step(2)
network = admin.create_network(
network_name=self.net_data[0].keys()[0],
tenant_id=tenant.id)['network']
subnet = admin.create_subnet(
subnet_name=network['name'],
network_id=network['id'],
cidr=self.net_data[0][self.net_data[0].keys()[0]],
ip_version=4)
# Check that network are created.
assert_true(
admin.get_network(network['name'])['id'] == network['id']
)
# Create Router_01, set gateway and add interface
# to external network.
router_1 = admin.create_router(
'router_1',
tenant=tenant)
# Add net_1 to router_1
admin.add_router_interface(
router_id=router_1["id"],
subnet_id=subnet["id"])
self.show_step(5)
sg1 = admin.nova.security_groups.create(
'SG1', "descr")
sg2 = admin.nova.security_groups.create(
'SG2', "descr")
self.show_step(3)
access_point_1, access_point_ip_1 = openstack.create_access_point(
os_conn=admin, nics=[{'net-id': network['id']}],
security_groups=[security_group.name, sg1.name])
self.show_step(4)
access_point_2, access_point_ip_2 = openstack.create_access_point(
os_conn=admin, nics=[{'net-id': network['id']}],
security_groups=[security_group.name, sg2.name])
self.show_step(6)
sg_rules = [
sg_rule for sg_rule
in admin.neutron.list_security_group_rules()[
'security_group_rules']
if sg_rule['security_group_id'] in [sg1.id, sg2.id]]
for rule in sg_rules:
admin.neutron.delete_security_group_rule(rule['id'])
self.show_step(7)
for rule in [self.icmp, self.tcp]:
rule["security_group_rule"]["security_group_id"] = sg1.id
rule["security_group_rule"]["remote_ip_prefix"] = access_point_ip_1
rule["security_group_rule"]["direction"] = "ingress"
admin.neutron.create_security_group_rule(rule)
rule["security_group_rule"]["direction"] = "egress"
admin.neutron.create_security_group_rule(rule)
# get private ip of access_point_2
private_ip = admin.get_nova_instance_ip(
access_point_2, net_name=network['name'])
self.show_step(8)
self.tcp["security_group_rule"]["security_group_id"] = sg2.id
self.tcp["security_group_rule"]["remote_ip_prefix"] = private_ip
admin.neutron.create_security_group_rule(self.tcp)
self.tcp["security_group_rule"]["direction"] = "ingress"
admin.neutron.create_security_group_rule(self.tcp)
self.show_step(9)
istances_sg1 = openstack.create_instances(
os_conn=admin, nics=[{'net-id': network['id']}],
vm_count=1,
security_groups=[sg1.name])
istances_sg2 = openstack.create_instances(
os_conn=admin, nics=[{'net-id': network['id']}],
vm_count=1,
security_groups=[sg2.name])
openstack.verify_instance_state(admin)
# Get private ips of instances
ips = {}
ips['SG1'] = [
admin.assign_floating_ip(instance).ip
for instance in istances_sg1]
ips['SG2'] = [
admin.get_nova_instance_ip(instance, net_name=network['name'])
for instance in istances_sg2]
self.show_step(10)
for ip in ips['SG1']:
ping_result = openstack.remote_execute_command(
access_point_ip_1, ip, "ping -c 5 {}".format(
access_point_ip_1), wait=60 * 4)
assert_true(
ping_result['exit_code'] == 0,
"Ping isn't available from {0} to {1}".format(
ip, access_point_ip_1)
)
self.show_step(11)
for ip_1 in ips['SG1']:
for ip_2 in ips['SG1']:
if ip_1 != ip_2:
ping_result = openstack.remote_execute_command(
access_point_ip_1, ip_1, "ping -c 5 {}".format(ip_2))
assert_true(
ping_result['exit_code'] == 1,
"Ping is available from {0} to {1}".format(
ip_1, ip_2)
)
self.show_step(12)
self.show_step(13)
for ip_1 in ips['SG2']:
for ip_2 in ips['SG2']:
if ip_1 != ip_2:
try:
openstack.remote_execute_command(
access_point_ip_2, ip_1,
" ")
except Exception as e:
logger.info('{}'.format(e))
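Review bot: The rule templates moved to class attributes (`tcp`, `icmp` at the top of this section) are shared dicts that every test mutates in place — `security_group_id`, `direction`, `remote_group_id` and `remote_ip_prefix` are assigned on `self.tcp`/`self.icmp` and never reset — so when the tests run in one process, state leaks between them: after dvs_remote_sg_simple both templates still carry `remote_group_id` when dvs_remote_ip_prefix step 7 sets `remote_ip_prefix`, and Neutron rejects a rule that provides both; step 8 likewise only creates its egress rule because step 7 happened to leave `direction` at "egress", and the earlier hunks of this section have the same pattern. Taking a fresh copy per rule, `rule = copy.deepcopy(self.tcp)` before setting its fields (the module would need `import copy`, which is outside these hunks), or building the dict in a small helper, removes the ordering dependence. Separately, step 13 of dvs_remote_ip_prefix cannot fail: a successful ssh between the SG2 instances is never treated as an error, only an exception is logged, so the "blocked" claim is unverified — assert that the call raises (e.g. proboscis' `assert_raises`) or fail explicitly on a successful connection.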