x
/
group-based-policy
Code Issues Proposed changes
group-based-policy/gbpservice/neutron/tests/unit/services/grouppolicy/test_apic_mapping.py

5979 lines
277 KiB
Python
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import copy
import hashlib
import re
import sys
import mock
import netaddr
import webob.exc
from apic_ml2.neutron.db import port_ha_ipaddress_binding as ha_ip_db
from apic_ml2.neutron.tests.unit.ml2.drivers.cisco.apic import (
test_cisco_apic_common as mocked)
from apicapi import apic_mapper
from neutron.agent import securitygroups_rpc as sg_cfg
from neutron.common import rpc as n_rpc
from neutron import context
from neutron.db import api as db_api
from neutron.db import db_base_plugin_v2 as n_db
from neutron.db import model_base
from neutron.extensions import portbindings
from neutron import manager
from opflexagent import constants as ocst
from oslo_config import cfg
from oslo_serialization import jsonutils
from gbpservice.neutron.plugins.ml2.drivers.grouppolicy.apic import driver
from gbpservice.neutron.services.grouppolicy import (
group_policy_context as p_context)
from gbpservice.neutron.services.grouppolicy import config
from gbpservice.neutron.services.grouppolicy.drivers.cisco.apic import (
apic_mapping as amap)
from gbpservice.neutron.services.grouppolicy.drivers.cisco.apic import (
apic_mapping_lib as alib)
from gbpservice.neutron.services.l3_router import l3_apic
from gbpservice.neutron.tests.unit.services.grouppolicy import (
test_resource_mapping as test_rmd)
APIC_L2_POLICY = 'l2_policy'
APIC_L3_POLICY = 'l3_policy'
APIC_POLICY_RULE_SET = 'policy_rule_set'
APIC_POLICY_TARGET_GROUP = 'policy_target_group'
APIC_POLICY_RULE = 'policy_rule'
APIC_EXTERNAL_RID = '1.0.0.1'
APIC_EXTERNAL_EPG = 'ext-epg'
APIC_PRE_L3OUT_TENANT = 'common'
APIC_SINGLE_TENANT_NAME = 'common1'
APIC_PRE_VRF_TENANT = APIC_PRE_L3OUT_TENANT
APIC_PRE_VRF = 'pre-vrf'
AGENT_TYPE = ocst.AGENT_TYPE_OPFLEX_OVS
AGENT_CONF = {'alive': True, 'binary': 'somebinary',
'topic': 'sometopic', 'agent_type': AGENT_TYPE,
'configurations': {'opflex_networks': None,
'bridge_mappings': {'physnet1': 'br-eth1'}}}
AGENT_TYPE_DVS = driver.AGENT_TYPE_DVS
AGENT_CONF_DVS = {'alive': True, 'binary': 'somebinary',
'topic': 'sometopic', 'agent_type': AGENT_TYPE_DVS,
'configurations': {'opflex_networks': None}}
BOOKED_PORT_VALUE = 'myBookedPort'
def echo(context, string, prefix=''):
return prefix + string
class MockCallRecorder(mock.Mock):
recorded_call_set = set()
def __call__(self, *args, **kwargs):
self.recorded_call_set.add(self.generate_entry(*args, **kwargs))
return mock.Mock()
def call_happened_with(self, *args, **kwargs):
return self.generate_entry(*args, **kwargs) in self.recorded_call_set
def generate_entry(self, *args, **kwargs):
return args, tuple((x, kwargs[x]) for x in sorted(kwargs.keys()))
class ApicMappingTestCase(
test_rmd.ResourceMappingTestCase,
mocked.ControllerMixin, mocked.ConfigMixin):
_extension_drivers = ['apic_segmentation_label', 'apic_allowed_vm_name',
'apic_reuse_bd']
_extension_path = None
def setUp(self, sc_plugin=None, nat_enabled=True,
pre_existing_l3out=False, default_agent_conf=True,
ml2_options=None, single_tenant_mode=False):
self.saved_apicapi = sys.modules["apicapi"]
sys.modules["apicapi"] = mock.Mock()
if default_agent_conf:
self.agent_conf = AGENT_CONF
cfg.CONF.register_opts(sg_cfg.security_group_opts, 'SECURITYGROUP')
config.cfg.CONF.set_override('enable_security_group', False,
group='SECURITYGROUP')
if not cfg.CONF.group_policy.extension_drivers:
config.cfg.CONF.set_override('extension_drivers',
self._extension_drivers,
group='group_policy')
if self._extension_path:
config.cfg.CONF.set_override(
'api_extensions_path', self._extension_path)
n_rpc.create_connection = mock.Mock()
amap.ApicMappingDriver.get_apic_manager = mock.Mock(
return_value=mock.MagicMock(
name_mapper=mock.Mock(),
ext_net_dict={},
per_tenant_nat_epg=False))
self.set_up_mocks()
ml2_opts = ml2_options or {
'mechanism_drivers': ['apic_gbp'],
'type_drivers': ['opflex'],
'tenant_network_types': ['opflex']
}
mock.patch('gbpservice.neutron.services.grouppolicy.drivers.cisco.'
'apic.apic_mapping.ApicMappingDriver.'
'_setup_rpc_listeners').start()
nova_client = mock.patch(
'gbpservice.neutron.services.grouppolicy.drivers.cisco.'
'apic.nova_client.NovaClient.get_server').start()
vm = mock.Mock()
vm.name = 'someid'
nova_client.return_value = vm
super(ApicMappingTestCase, self).setUp(
policy_drivers=['implicit_policy', 'apic', 'chain_mapping'],
ml2_options=ml2_opts, sc_plugin=sc_plugin)
engine = db_api.get_engine()
model_base.BASEV2.metadata.create_all(engine)
plugin = manager.NeutronManager.get_plugin()
plugin.remove_networks_from_down_agents = mock.Mock()
plugin.is_agent_down = mock.Mock(return_value=False)
self.driver = manager.NeutronManager.get_service_plugins()[
'GROUP_POLICY'].policy_driver_manager.policy_drivers['apic'].obj
self.l3plugin = l3_apic.ApicGBPL3ServicePlugin()
amap.ApicMappingDriver.get_base_synchronizer = mock.Mock()
self.driver.name_mapper.name_mapper = mock.Mock()
self.driver.name_mapper.name_mapper.tenant = echo
self.driver.name_mapper.name_mapper.l2_policy = echo
self.driver.name_mapper.name_mapper.l3_policy = echo
self.driver.name_mapper.name_mapper.policy_rule_set = echo
self.driver.name_mapper.name_mapper.policy_rule = echo
self.driver.name_mapper.name_mapper.app_profile.return_value = (
mocked.APIC_AP)
self.driver.name_mapper.name_mapper.policy_target_group = echo
self.driver.name_mapper.name_mapper.external_policy = echo
self.driver.name_mapper.name_mapper.external_segment = echo
self.driver.name_mapper.name_mapper.pre_existing = echo
self.driver.apic_manager.apic.transaction = self.fake_transaction
self.driver.notifier = mock.Mock()
self.driver.apic_manager.ext_net_dict = {}
amap.apic_manager.TENANT_COMMON = 'common'
amap.apic_manager.CP_ENTRY = 'os-entry'
self.common_tenant = amap.apic_manager.TENANT_COMMON
self.nat_enabled = nat_enabled
self.driver.l3out_vlan_alloc = mock.Mock()
self.pre_l3out = pre_existing_l3out
self.non_apic_network = False
def echo2(string):
return string
if self.pre_l3out:
self.orig_query_l3out_info = self.driver._query_l3out_info
self.driver._query_l3out_info = mock.Mock()
self.driver._query_l3out_info.return_value = {
'l3out_tenant': apic_mapper.ApicName(APIC_PRE_L3OUT_TENANT),
'vrf_name': APIC_PRE_VRF,
'vrf_tenant': APIC_PRE_VRF_TENANT,
# fake l3out response from APIC for testing purpose only
'l3out': ([{u'l3extExtEncapAllocator': {}},
{u'l3extInstP': {}},
{u'l3extRtBDToOut': {}},
{u'l3extRsOutToBDPublicSubnetHolder': {}},
{u'l3extRsNdIfPol': {u'tDn': u'',
u'tnNdIfPolName': u''}},
{u'l3extRsDampeningPol':
{u'tDn': u'', u'tnRtctrlProfileName': u''}},
{u'ospfRsIfPol': {u'tDn': u'',
u'tnOspfIfPolName': u''}},
{u'l3extRsEngressQosDppPol':
{u'tDn': u'', u'tnQosDppPolName': u''}},
{u'bfdRsIfPol': {u'tDn': u'',
u'tnBfdIfPolName': u''}},
{u'bgpRsPeerPfxPol': {u'tDn': u'',
u'tnBgpPeerPfxPolName': u''}},
{u'eigrpRsIfPol': {u'tDn': u'',
u'tnEigrpIfPolName': u''}},
{u'l3extLNodeP': {u'attributes':
{u'dn': u'uni/tn-common/out-supported/lnodep-Leaf3-4_NP',
u'lcOwn': u'local', u'name': u'Leaf3-4_NP',
u'targetDscp': u'unspecified', u'configIssues': u'',
u'stateQual': u'', u'tCl': u'', u'tContextDn': u'',
u'tRn': u'', u'type': u'', u'rType': u'', u'state': u'',
u'forceResolve': u'', u'tag': u'yellow-green',
u'monPolDn': u'', u'modTs': u'', u'uid': u'15374',
u'encap': u'unknown', u'addr': u'0.0.0.0'},
u'children': [{u'l3extLIfP':
{u'children': [{u'l3extRsPathL3OutAtt':
{u'attributes':
{u'encap': u'vlan-3101',
u'ifInstT': u'sub-interface'
}}}]}}
]}},
{u'l3extRsEctx':
{u'attributes':
{u'dn': u'uni/tn-common/out-supported/rsectx',
u'tDn': u'', u'tnFvCtxName': u'default'}}}])}
self.trimmed_l3out = [{}, {}, {}, {},
{u'l3extRsNdIfPol':
{u'tnNdIfPolName': u''}},
{u'l3extRsDampeningPol':
{u'tnRtctrlProfileName': u''}},
{u'ospfRsIfPol': {u'tnOspfIfPolName': u''}},
{u'l3extRsEngressQosDppPol':
{u'tnQosDppPolName': u''}},
{u'bfdRsIfPol': {u'tnBfdIfPolName': u''}},
{u'bgpRsPeerPfxPol': {u'tnBgpPeerPfxPolName': u''}},
{u'eigrpRsIfPol': {u'tnEigrpIfPolName': u''}},
{u'l3extLNodeP':
{u'attributes':
{u'dn': u'uni/tn-test-tenant/out-Shd-Sub/lnodep-Leaf3-4_NP'},
u'children': [{u'l3extLIfP':
{u'children': [{u'l3extRsPathL3OutAtt':
{u'attributes':
{u'ifInstT':
u'sub-interface',
u'encap': 'vlan-999'
}}}]}}]}},
{u'l3extRsEctx':
{u'attributes':
{u'dn': u'uni/tn-test-tenant/out-Shd-Sub/rsectx',
u'tnFvCtxName': u'myl3p'}}}]
self.driver.apic_manager.apic.fvTenant.rn = echo2
self.driver.apic_manager.apic.l3extOut.rn = echo2
self.driver.l3out_vlan_alloc.reserve_vlan.return_value = 999
self.driver.apic_manager.apic.fvTenant.name = echo2
self.driver.apic_manager.apic.fvCtx.name = echo2
self.real_get_gbp_details = self.driver.get_gbp_details
self.driver.get_gbp_details = self._get_gbp_details
self.driver.enable_metadata_opt = True
self.driver.enable_dhcp_opt = True
self._db_plugin = n_db.NeutronDbPluginV2()
self.single_tenant_mode = single_tenant_mode
if single_tenant_mode:
self.driver.single_tenant_mode = True
self.driver.single_tenant_name = APIC_SINGLE_TENANT_NAME
def tearDown(self):
sys.modules["apicapi"] = self.saved_apicapi
super(ApicMappingTestCase, self).tearDown()
def _tenant(self, tenant_id_hint, shared=False):
if self.single_tenant_mode:
return APIC_SINGLE_TENANT_NAME
if shared:
return self.common_tenant
return tenant_id_hint
def _get_gbp_details(self, context, **kwargs):
details = self.real_get_gbp_details(context, **kwargs)
# Verify that the answer is serializable
details = jsonutils.loads(jsonutils.dumps(details))
return details
def _get_pts_addresses(self, pts):
addresses = []
for pt in pts:
port = self._get_object('ports', pt['port_id'], self.api)['port']
addresses.extend([x['ip_address'] for x in port['fixed_ips']])
return addresses
def _build_external_dict(self, name, cidr_exposed, is_edge_nat=False):
ext_info = {
'enable_nat': 'True' if self.nat_enabled else 'False'
}
if self.pre_l3out:
ext_info['preexisting'] = 'True'
ext_info['external_epg'] = APIC_EXTERNAL_EPG
else:
ext_info.update({
'switch': mocked.APIC_EXT_SWITCH,
'port': mocked.APIC_EXT_MODULE + '/' + mocked.APIC_EXT_PORT,
'encap': mocked.APIC_EXT_ENCAP,
'router_id': APIC_EXTERNAL_RID,
'gateway_ip': str(netaddr.IPNetwork(cidr_exposed)[1]),
'cidr_exposed': cidr_exposed})
if is_edge_nat:
ext_info['edge_nat'] = 'true'
ext_info['vlan_range'] = '2000:2010'
return {name: ext_info}
def _mock_external_dict(self, data, is_edge_nat=False):
self.driver.apic_manager.ext_net_dict = {}
for x in data:
self.driver.apic_manager.ext_net_dict.update(
self._build_external_dict(x[0], x[1], is_edge_nat=is_edge_nat))
def _bind_port_to_host(self, port_id, host):
data = {'port': {'binding:host_id': host,
'device_owner': 'compute:',
'device_id': 'someid'}}
return super(ApicMappingTestCase, self)._bind_port_to_host(
port_id, host, data=data)
def _bind_dhcp_port_to_host(self, port_id, host):
data = {'port': {'binding:host_id': host,
'device_owner': 'network:dhcp',
'device_id': 'someid'}}
return super(ApicMappingTestCase, self)._bind_port_to_host(
port_id, host, data=data)
class ApicMappingVlanTestCase(ApicMappingTestCase):
def setUp(self, **kwargs):
config.cfg.CONF.set_override(
'network_vlan_ranges',
['physnet1:100:200', 'physnet2:20:30'], group='ml2_type_vlan')
kwargs['ml2_options'] = {
'mechanism_drivers': ['apic_gbp', 'openvswitch'],
'type_drivers': ['vlan'],
'tenant_network_types': ['vlan']
}
kwargs['default_agent_conf'] = False
super(ApicMappingVlanTestCase, self).setUp(**kwargs)
self.non_apic_network = True
self.agent_conf['configurations'][
'bridge_mappings']['physnet2'] = 'br-eth2'
def _get_ptg_shadow_net(self, ptg):
net = self._list_resource('networks', self.api,
tenant_id=ptg['tenant_id'],
name=self.driver._get_ptg_shadow_network_name(ptg))
net = net['networks']
if net:
return net[0]
def _get_ptg_shadow_subnet(self, ptg):
shadow_net = self._get_ptg_shadow_net(ptg)
if shadow_net:
return shadow_net['subnets'][0]
class TestPolicyTarget(ApicMappingTestCase):
def test_policy_target_port_deleted_on_apic(self):
ptg = self.create_policy_target_group()['policy_target_group']
subnet = self._get_object('subnets',
self._get_ptg_shadow_subnet(ptg) if self.non_apic_network
else ptg['subnets'][0],
self.api)
with self.port(subnet=subnet) as port:
self._bind_port_to_host(port['port']['id'], 'h1')
pt = self.create_policy_target(
policy_target_group_id=ptg['id'], port_id=port['port']['id'])
self.delete_policy_target(pt['policy_target']['id'])
self.assertTrue(self.driver.notifier.port_update.called)
def test_policy_target_delete_no_port(self):
ptg = self.create_policy_target_group()['policy_target_group']
subnet = self._get_object('subnets',
self._get_ptg_shadow_subnet(ptg) if self.non_apic_network
else ptg['subnets'][0],
self.api)
with self.port(subnet=subnet) as port:
self._bind_port_to_host(port['port']['id'], 'h1')
pt = self.create_policy_target(
policy_target_group_id=ptg['id'], port_id=port['port']['id'])
res = self.new_delete_request('ports', port['port']['id'],
self.fmt).get_response(self.api)
self.assertEqual(webob.exc.HTTPNoContent.code, res.status_int)
self.delete_policy_target(pt['policy_target']['id'],
expected_res_status=404)
def test_delete_policy_target_notification_no_apic_network(self):
ptg = self.create_policy_target_group(
name="ptg1")['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt1['port_id'], 'h1')
# Implicit port will be deleted with the PT
self.delete_policy_target(pt1['id'], expected_res_status=204)
# No notification needed
self.assertFalse(self.driver.notifier.port_update.called)
self.driver.notifier.port_update.reset_mock()
subnet = self._get_object('subnets',
self._get_ptg_shadow_subnet(ptg) if self.non_apic_network
else ptg['subnets'][0],
self.api)
with self.port(subnet=subnet) as port:
# Create EP with bound port
port = self._bind_port_to_host(port['port']['id'], 'h1')
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'], port_id=port['port']['id'])
# Explicit port won't be deleted with PT
self.delete_policy_target(pt1['policy_target']['id'],
expected_res_status=204)
# Issue notification for the agent
self.assertTrue(self.driver.notifier.port_update.called)
def test_get_vrf_details(self):
l3p = self.create_l3_policy(name='myl3')['l3_policy']
details = self.driver.get_vrf_details(
context.get_admin_context(),
vrf_id=l3p['id'], host='h1')
self.assertEqual(l3p['id'], details['l3_policy_id'])
pool = set([l3p['ip_pool']])
if 'proxy_ip_pool' in l3p:
pool.add(l3p['proxy_ip_pool'])
self.assertEqual(pool, set(details['vrf_subnets']))
if self.single_tenant_mode:
self.assertEqual(APIC_SINGLE_TENANT_NAME, details['vrf_tenant'])
else:
self.assertEqual(l3p['tenant_id'], details['vrf_tenant'])
self.assertEqual(l3p['id'], details['vrf_name'])
def _do_test_get_gbp_details(self):
if self.single_tenant_mode and self.driver.per_tenant_nat_epg:
return
self._mock_external_dict([('supported', '192.168.0.2/24')])
self.driver.apic_manager.ext_net_dict[
'supported']['host_pool_cidr'] = '192.168.200.1/24'
es = self.create_external_segment(name='supported',
cidr='192.168.0.2/24',
expected_res_status=201, shared=True)['external_segment']
self.create_nat_pool(external_segment_id=es['id'],
ip_pool='20.20.20.0/24')
l3p = self.create_l3_policy(name='myl3',
external_segments={es['id']: ['']})['l3_policy']
l2p = self.create_l2_policy(name='myl2',
l3_policy_id=l3p['id'])['l2_policy']
nsp = self.create_network_service_policy(
network_service_params=[
{"type": "ip_pool", "value": "nat_pool", "name": "test"}]
)['network_service_policy']
ptg = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p['id'],
network_service_policy_id=nsp['id'])['policy_target_group']
segmentation_labels = ['label1', 'label2']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'],
segmentation_labels=segmentation_labels)['policy_target']
self._bind_port_to_host(pt1['port_id'], 'h1')
mapping = self.driver.get_gbp_details(context.get_admin_context(),
device='tap%s' % pt1['port_id'], host='h1')
if 'apic_segmentation_label' in self._extension_drivers:
self.assertItemsEqual(segmentation_labels,
mapping['segmentation_labels'])
req_mapping = self.driver.request_endpoint_details(
context.get_admin_context(),
request={'device': 'tap%s' % pt1['port_id'], 'host': 'h1',
'timestamp': 0, 'request_id': 'request_id'})
self.assertEqual(mapping, req_mapping['gbp_details'])
self.assertEqual(pt1['port_id'], mapping['port_id'])
self.assertEqual(ptg['id'], mapping['endpoint_group_name'])
self.assertEqual('someid', mapping['vm-name'])
self.assertTrue(mapping['enable_dhcp_optimization'])
self.assertEqual(1, len(mapping['subnets']))
subnet = self._get_object('subnets', ptg['subnets'][0], self.api)
self.assertEqual(subnet['subnet']['cidr'],
mapping['subnets'][0]['cidr'])
self.assertEqual(1, len(mapping['floating_ip']))
fip = mapping['floating_ip'][0]
self.assertEqual(pt1['port_id'], fip['port_id'])
self.assertEqual("NAT-epg-%s" % es['id'], fip['nat_epg_name'])
ptne_tenant_id = self.common_tenant
if self.driver.per_tenant_nat_epg:
ptne_tenant_id = es['tenant_id']
elif self.single_tenant_mode:
ptne_tenant_id = APIC_SINGLE_TENANT_NAME
self.assertEqual(ptne_tenant_id, fip['nat_epg_tenant'])
if self.single_tenant_mode:
self.assertEqual(APIC_SINGLE_TENANT_NAME, mapping['vrf_tenant'])
else:
self.assertEqual(l3p['tenant_id'], mapping['vrf_tenant'])
self.assertEqual(l3p['id'], mapping['vrf_name'])
if 'proxy_ip_pool' in l3p:
self.assertEqual([l3p['ip_pool'], l3p['proxy_ip_pool']],
mapping['vrf_subnets'])
else:
self.assertEqual([l3p['ip_pool']], mapping['vrf_subnets'])
self.assertEqual(1, len(mapping['host_snat_ips']))
self.assertEqual(es['name'],
mapping['host_snat_ips'][0]['external_segment_name'])
self.assertEqual("192.168.200.1",
mapping['host_snat_ips'][0]['gateway_ip'])
self.assertEqual("192.168.200.2",
mapping['host_snat_ips'][0]['host_snat_ip'])
self.assertEqual(24, mapping['host_snat_ips'][0]['prefixlen'])
# Verify Neutron details
self.assertEqual(pt1['port_id'],
req_mapping['neutron_details']['port_id'])
# Create event on a second host to verify that the SNAT
# port gets created for this second host
pt2 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt2['port_id'], 'h1')
mapping = self.driver.get_gbp_details(context.get_admin_context(),
device='tap%s' % pt2['port_id'], host='h2')
self.assertEqual(pt2['port_id'], mapping['port_id'])
self.assertEqual(1, len(mapping['host_snat_ips']))
self.assertEqual(es['name'],
mapping['host_snat_ips'][0]['external_segment_name'])
self.assertEqual("192.168.200.1",
mapping['host_snat_ips'][0]['gateway_ip'])
self.assertEqual("192.168.200.3",
mapping['host_snat_ips'][0]['host_snat_ip'])
self.assertEqual(24, mapping['host_snat_ips'][0]['prefixlen'])
def test_get_gbp_details(self):
self._do_test_get_gbp_details()
def test_get_gbp_details_ptne(self):
self.driver.per_tenant_nat_epg = True
self._do_test_get_gbp_details()
def test_get_snat_ip_for_vrf(self):
TEST_VRF1 = 'testvrf1'
TEST_VRF2 = 'testvrf2'
self._mock_external_dict([('supported', '192.168.0.2/24')])
self.driver.apic_manager.ext_net_dict[
'supported']['host_pool_cidr'] = '192.168.200.1/24'
es = self.create_external_segment(name='supported',
cidr='192.168.0.2/24',
expected_res_status=201, shared=False)['external_segment']
self.create_nat_pool(external_segment_id=es['id'],
ip_pool='20.20.20.0/24')
l3p = self.create_l3_policy(name='myl3',
external_segments={es['id']: ['']})['l3_policy']
l2p = self.create_l2_policy(name='myl2',
l3_policy_id=l3p['id'])['l2_policy']
nsp = self.create_network_service_policy(
network_service_params=[
{"type": "ip_pool", "value": "nat_pool", "name": "test"}])[
'network_service_policy']
ptg = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p['id'],
network_service_policy_id=nsp['id'])['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt1['port_id'], 'h1')
subnet = self._db_plugin.get_subnet(context.get_admin_context(),
es['subnet_id'])
network = self._db_plugin.get_network(context.get_admin_context(),
subnet['network_id'])
details = self.driver.get_snat_ip_for_vrf(context.get_admin_context(),
TEST_VRF1, network, es_name=es['name'])
self.assertEqual(es['name'],
details['external_segment_name'])
self.assertEqual("192.168.200.1",
details['gateway_ip'])
self.assertEqual("192.168.200.2",
details['host_snat_ip'])
self.assertEqual(24, details['prefixlen'])
# Verify that the same VRF returns the same SNAT IP
details2 = self.driver.get_snat_ip_for_vrf(context.get_admin_context(),
TEST_VRF1, network, es_name=es['name'])
self.assertEqual(details, details2)
# Create event on a second VRF to verify that the SNAT
# port gets created for this second VRF
pt2 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt2['port_id'], 'h1')
details = self.driver.get_snat_ip_for_vrf(context.get_admin_context(),
TEST_VRF2, network, es_name=es['name'])
self.assertEqual(es['name'],
details['external_segment_name'])
self.assertEqual("192.168.200.1",
details['gateway_ip'])
self.assertEqual("192.168.200.3",
details['host_snat_ip'])
self.assertEqual(24, details['prefixlen'])
def test_get_gbp_details_extra_ips_explicit_eoc(self):
ptg = self.create_policy_target_group(
name="ptg1")['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
ptg2 = self.create_policy_target_group(
name="ptg2",
description='opflex_eoc:' + pt1['port_id'],
is_admin_context=True)['policy_target_group']
pt2 = self.create_policy_target(
policy_target_group_id=ptg2['id'])['policy_target']
mapping = self.driver.get_gbp_details(context.get_admin_context(),
device='tap%s' % pt1['port_id'], host='h2')
# Extra ip set for pt2
ips = self._get_pts_addresses([pt2])
self.assertEqual(set(ips), set(mapping['extra_ips']))
def test_snat_pool_subnet_deletion(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
self.driver.apic_manager.ext_net_dict[
'supported']['host_pool_cidr'] = '192.168.200.1/24'
es = self.create_external_segment(name='supported',
cidr='192.168.0.2/24',
expected_res_status=201, shared=False)['external_segment']
admin_ctx = context.get_admin_context()
ext_net_id = self._db_plugin.get_subnet(
admin_ctx, es['subnet_id'])['network_id']
l3p = self.create_l3_policy(name='myl3',
external_segments={es['id']: ['']})['l3_policy']
l2p = self.create_l2_policy(name='myl2',
l3_policy_id=l3p['id'])['l2_policy']
ptg = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p['id'])['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt1['port_id'], 'h1')
mapping = self.driver.get_gbp_details(context.get_admin_context(),
device='tap%s' % pt1['port_id'], host='h1')
self.assertEqual(pt1['port_id'], mapping['port_id'])
self.assertEqual(1, len(mapping['host_snat_ips']))
self.assertEqual(es['name'],
mapping['host_snat_ips'][0]['external_segment_name'])
self.assertEqual("192.168.200.1",
mapping['host_snat_ips'][0]['gateway_ip'])
self.assertEqual("192.168.200.2",
mapping['host_snat_ips'][0]['host_snat_ip'])
self.assertEqual(24, mapping['host_snat_ips'][0]['prefixlen'])
self.update_l3_policy(l3p['id'], external_segments={},
expected_res_status=200)
subnet_filter = {'name': [amap.HOST_SNAT_POOL],
'network_id': [ext_net_id]}
internal_subnets = self._db_plugin.get_subnets(
admin_ctx, filters=subnet_filter)
self.assertEqual(1, len(internal_subnets))
self.delete_external_segment(es['id'],
expected_res_status=webob.exc.HTTPNoContent.code)
internal_subnets = self._db_plugin.get_subnets(
admin_ctx, filters=subnet_filter)
self.assertEqual(0, len(internal_subnets))
def test_snat_port_ip_loss(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
self.driver.apic_manager.ext_net_dict[
'supported']['host_pool_cidr'] = '192.168.200.1/24'
es = self.create_external_segment(name='supported',
cidr='192.168.0.2/24', shared=False)['external_segment']
admin_ctx = context.get_admin_context()
ext_net_id = self._db_plugin.get_subnet(
admin_ctx, es['subnet_id'])['network_id']
l3p = self.create_l3_policy(name='myl3',
external_segments={es['id']: ['']})['l3_policy']
l2p = self.create_l2_policy(name='myl2',
l3_policy_id=l3p['id'])['l2_policy']
ptg = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p['id'])['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt1['port_id'], 'h1')
mapping = self.driver.get_gbp_details(admin_ctx,
device='tap%s' % pt1['port_id'], host='h1')
self.assertEqual(1, len(mapping['host_snat_ips']))
snat_ports = self._db_plugin.get_ports(admin_ctx,
filters={'name': [amap.HOST_SNAT_POOL_PORT],
'network_id': [ext_net_id],
'device_id': ['h1']})
self._db_plugin.update_port(admin_ctx,
snat_ports[0]['id'], {'port': {'fixed_ips': []}})
mapping = self.driver.get_gbp_details(admin_ctx,
device='tap%s' % pt1['port_id'], host='h1')
self.assertEqual(0, len(mapping['host_snat_ips']))
def test_ip_address_owner_update(self):
l3p = self.create_l3_policy(name='myl3')['l3_policy']
l2p = self.create_l2_policy(name='myl2',
l3_policy_id=l3p['id'])['l2_policy']
ptg = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p['id'])['policy_target_group']
net_id = (self._get_ptg_shadow_net(ptg)['id']
if self.non_apic_network else l2p['network_id'])
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
pt2 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt1['port_id'], 'h1')
self._bind_port_to_host(pt2['port_id'], 'h2')
ip_owner_info = {'port': pt1['port_id'], 'ip_address_v4': '1.2.3.4'}
self.driver._notify_port_update = mock.Mock()
# set new owner
self.driver.ip_address_owner_update(context.get_admin_context(),
ip_owner_info=ip_owner_info, host='h1')
obj = self.driver.ha_ip_handler.get_port_for_ha_ipaddress(
'1.2.3.4', net_id)
self.assertEqual(pt1['port_id'], obj['port_id'])
self.driver._notify_port_update.assert_called_with(mock.ANY,
pt1['port_id'])
# update existing owner
self.driver._notify_port_update.reset_mock()
ip_owner_info['port'] = pt2['port_id']
self.driver.ip_address_owner_update(context.get_admin_context(),
ip_owner_info=ip_owner_info, host='h2')
obj = self.driver.ha_ip_handler.get_port_for_ha_ipaddress(
'1.2.3.4', net_id)
self.assertEqual(pt2['port_id'], obj['port_id'])
exp_calls = [
mock.call(mock.ANY, pt1['port_id']),
mock.call(mock.ANY, pt2['port_id'])]
self._check_call_list(exp_calls,
self.driver._notify_port_update.call_args_list)
def test_enhanced_subnet_options(self):
self.driver.enable_metadata_opt = False
l3p = self.create_l3_policy(name='myl3',
ip_pool='192.168.0.0/16')['l3_policy']
l2p = self.create_l2_policy(name='myl2',
l3_policy_id=l3p['id'])['l2_policy']
ptg = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p['id'])['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt1['port_id'], 'h1')
sub = self._get_object('subnets', ptg['subnets'][0],
self.api)
with self.port(subnet=sub, device_owner='network:dhcp',
tenant_id='onetenant') as dhcp:
if self.non_apic_network:
shadow_sub = self._get_object('subnets',
self._get_ptg_shadow_subnet(ptg), self.api)
with self.port(subnet=shadow_sub, tenant_id='onetenant',
device_owner='network:dhcp'):
pass
dhcp = dhcp['port']
details = self.driver.get_gbp_details(
context.get_admin_context(),
device='tap%s' % pt1['port_id'], host='h1')
self.assertEqual(1, len(details['subnets']))
# Verify that DNS nameservers are correctly set
self.assertEqual([dhcp['fixed_ips'][0]['ip_address']],
details['subnets'][0]['dns_nameservers'])
# Verify Default route via GW
self.assertTrue({'destination': '0.0.0.0/0',
'nexthop': '192.168.0.1'} in
details['subnets'][0]['host_routes'])
# Verify Metadata route via DHCP
self.assertTrue(
{'destination': '169.254.169.254/16',
'nexthop': dhcp['fixed_ips'][0]['ip_address']} in
details['subnets'][0]['host_routes'])
# Verify no extra routes are leaking inside
self.assertEqual(2, len(details['subnets'][0]['host_routes']))
self.assertEqual([dhcp['fixed_ips'][0]['ip_address']],
details['subnets'][0]['dhcp_server_ips'])
def test_update_l2p_inject_default_route_false(self):
self.driver.enable_metadata_opt = False
l3p = self.create_l3_policy(name='myl3',
ip_pool='192.168.0.0/16')['l3_policy']
l2p = self.create_l2_policy(name='myl2',
l3_policy_id=l3p['id'])['l2_policy']
ptg = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p['id'])['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt1['port_id'], 'h1')
sub = self._get_object('subnets', ptg['subnets'][0],
self.api)
# Add one more host_route to the subnet
more_host_routes = [{'destination': '172.16.0.0/24',
'nexthop': '10.0.2.2'}]
data = {'subnet': {'host_routes': more_host_routes}}
req = self.new_update_request('subnets', data, sub['subnet']['id'])
res = self.deserialize(self.fmt, req.get_response(self.api))
self.assertEqual(sorted(res['subnet']['host_routes']),
sorted(more_host_routes))
with self.port(subnet=sub, device_owner='network:dhcp',
tenant_id='onetenant') as dhcp:
if self.non_apic_network:
shadow_sub = self._get_object('subnets',
self._get_ptg_shadow_subnet(ptg), self.api)
with self.port(subnet=shadow_sub, tenant_id='onetenant',
device_owner='network:dhcp'):
pass
dhcp = dhcp['port']
details = self.driver.get_gbp_details(
context.get_admin_context(),
device='tap%s' % pt1['port_id'], host='h1')
self.assertEqual(1, len(details['subnets']))
# Verify that DNS nameservers are correctly set
self.assertEqual([dhcp['fixed_ips'][0]['ip_address']],
details['subnets'][0]['dns_nameservers'])
# Verify Default route via GW
self.assertTrue({'destination': '0.0.0.0/0',
'nexthop': '192.168.0.1'} in
details['subnets'][0]['host_routes'])
# Verify Metadata route via DHCP
self.assertTrue(
{'destination': '169.254.169.254/16',
'nexthop': dhcp['fixed_ips'][0]['ip_address']} in
details['subnets'][0]['host_routes'])
# Verify additional host_routes are also added:
# GW + Metadata + 1 additional route = 3
self.assertEqual(3, len(details['subnets'][0]['host_routes']))
self.assertEqual([dhcp['fixed_ips'][0]['ip_address']],
details['subnets'][0]['dhcp_server_ips'])
# Verify gateway_ip is set
self.assertTrue('gateway_ip' in details['subnets'][0])
data = {'l2_policy': {'inject_default_route': False}}
res = self.new_update_request('l2_policies', data, l2p['id'],
self.fmt).get_response(self.ext_api)
pt2 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt2['port_id'], 'h1')
with self.port(subnet=sub, tenant_id='onetenant'):
details = self.driver.get_gbp_details(
context.get_admin_context(),
device='tap%s' % pt2['port_id'], host='h1')
self.assertEqual(1, len(details['subnets']))
# Verify Default route via GW is not present
self.assertFalse({'destination': '0.0.0.0/0',
'nexthop': '192.168.0.1'} in
details['subnets'][0]['host_routes'])
# Verify Metadata route via DHCP is not present
self.assertFalse(
{'destination': '169.254.169.254/16',
'nexthop': dhcp['fixed_ips'][0]['ip_address']} in
details['subnets'][0]['host_routes'])
# Verify only extra route is present
self.assertEqual(1, len(details['subnets'][0]['host_routes']))
self.assertTrue(
{'destination': '172.16.0.0/24',
'nexthop': '10.0.2.2'} in
details['subnets'][0]['host_routes'])
self.assertEqual([dhcp['fixed_ips'][0]['ip_address']],
details['subnets'][0]['dhcp_server_ips'])
# Verify gateway_ip is not set
self.assertFalse('gateway_ip' in details['subnets'][0])
def test_create_l2p_inject_default_route_false(self):
self.driver.enable_metadata_opt = False
l3p = self.create_l3_policy(name='myl3',
ip_pool='192.168.0.0/16')['l3_policy']
l2p = self.create_l2_policy(name='myl2',
l3_policy_id=l3p['id'],
inject_default_route=False)['l2_policy']
ptg = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p['id'])['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt1['port_id'], 'h1')
sub = self._get_object('subnets', ptg['subnets'][0],
self.api)
# Add one more host_route to the subnet
more_host_routes = [{'destination': '172.16.0.0/24',
'nexthop': '10.0.2.2'}]
data = {'subnet': {'host_routes': more_host_routes}}
req = self.new_update_request('subnets', data, sub['subnet']['id'])
res = self.deserialize(self.fmt, req.get_response(self.api))
self.assertEqual(sorted(res['subnet']['host_routes']),
sorted(more_host_routes))
with self.port(subnet=sub, device_owner='network:dhcp',
tenant_id='onetenant') as dhcp:
if self.non_apic_network:
shadow_sub = self._get_object('subnets',
self._get_ptg_shadow_subnet(ptg), self.api)
with self.port(subnet=shadow_sub, tenant_id='onetenant',
device_owner='network:dhcp'):
pass
dhcp = dhcp['port']
details = self.driver.get_gbp_details(
context.get_admin_context(),
device='tap%s' % pt1['port_id'], host='h1')
self.assertEqual(1, len(details['subnets']))
# Verify that DNS nameservers are correctly set
self.assertEqual([dhcp['fixed_ips'][0]['ip_address']],
details['subnets'][0]['dns_nameservers'])
# Verify Default route via GW is not present
self.assertFalse({'destination': '0.0.0.0/0',
'nexthop': '192.168.0.1'} in
details['subnets'][0]['host_routes'])
# Verify Metadata route via DHCP is not present
self.assertFalse(
{'destination': '169.254.169.254/16',
'nexthop': dhcp['fixed_ips'][0]['ip_address']} in
details['subnets'][0]['host_routes'])
# Verify only extra route is present
self.assertEqual(1, len(details['subnets'][0]['host_routes']))
self.assertTrue(
{'destination': '172.16.0.0/24',
'nexthop': '10.0.2.2'} in
details['subnets'][0]['host_routes'])
self.assertEqual([dhcp['fixed_ips'][0]['ip_address']],
details['subnets'][0]['dhcp_server_ips'])
# Verify gateway_ip is not set
self.assertFalse('gateway_ip' in details['subnets'][0])
def test_get_gbp_details_error(self):
details = self.driver.get_gbp_details(
context.get_admin_context(), device='tap%s' % 'randomid',
host='h1')
req_details = self.driver.request_endpoint_details(
context.get_admin_context(),
request={'device': 'tap%s' % 'randomid', 'host': 'h1',
'timestamp': 0, 'request_id': 'request_id'})
# device was not found
self.assertTrue('port_id' not in details)
self.assertEqual(details, req_details['gbp_details'])
self.assertTrue('port_id' not in req_details['neutron_details'])
ptg = self.create_policy_target_group()['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt1['port_id'], 'h1')
self.driver._get_owned_addresses = mock.Mock(side_effect=Exception)
details = self.driver.get_gbp_details(
context.get_admin_context(), device='tap%s' % pt1['port_id'],
host='h1')
req_details = self.driver.request_endpoint_details(
context.get_admin_context(),
request={'device': 'tap%s' % pt1['port_id'], 'host': 'h1',
'timestamp': 0, 'request_id': 'request_id'})
# An exception occurred
self.assertEqual({'device': 'tap%s' % pt1['port_id']}, details)
self.assertIsNone(req_details)
def test_get_gbp_proxy_details(self):
l3p_fake = self.create_l3_policy(name='myl3')['l3_policy']
l2p_fake = self.create_l2_policy(
name='myl2', l3_policy_id=l3p_fake['id'])['l2_policy']
ptg_fake = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p_fake['id'])['policy_target_group']
# The PT below will be actually bound for a VM
pt_bound = self.create_policy_target(
policy_target_group_id=ptg_fake['id'])['policy_target']
l3p_real = self.create_l3_policy(name='myl3')['l3_policy']
l2p_real = self.create_l2_policy(
name='myl2', l3_policy_id=l3p_real['id'])['l2_policy']
ptg_real = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p_real['id'])['policy_target_group']
# The PT below will never be bound
pt_unbound = self.create_policy_target(
policy_target_group_id=ptg_real['id'])['policy_target']
# Change description to link the ports. The bound on will point
# to the unbound one to get its info overridden
self.update_policy_target(
pt_bound['id'],
description=amap.PROXY_PORT_PREFIX + pt_unbound['port_id'])
port_unbound = self._get_object('ports', pt_unbound['port_id'],
self.api)['port']
# Bind the first port
self._bind_port_to_host(pt_bound['port_id'], 'h1')
# Get info on bound port
mapping = self.driver.get_gbp_details(context.get_admin_context(),
device='tap%s' % pt_bound['port_id'], host='h1')
# Bound port info
self.assertEqual(pt_bound['port_id'], mapping['port_id'])
self.assertEqual('tap%s' % pt_bound['port_id'], mapping['device'])
# APIC info are from the unbound port
self.assertEqual(ptg_real['id'], mapping['endpoint_group_name'])
if self.single_tenant_mode:
self.assertEqual(APIC_SINGLE_TENANT_NAME, mapping['vrf_tenant'])
else:
self.assertEqual(l3p_real['tenant_id'], mapping['vrf_tenant'])
self.assertEqual(l3p_real['id'], mapping['vrf_name'])
self.assertEqual(port_unbound['fixed_ips'], mapping['fixed_ips'])
def test_get_gbp_details_shadow(self):
l2p = self.create_l2_policy()['l2_policy']
network = self._get_object('networks', l2p['network_id'], self.api)
with self.subnet(network=network) as sub:
with self.port(subnet=sub) as port:
self._bind_port_to_host(port['port']['id'], 'h1')
mapping = self.driver.get_gbp_details(
context.get_admin_context(),
device='tap%s' % port['port']['id'], host='h1')
self.assertEqual(port['port']['id'], mapping['port_id'])
self.assertEqual(amap.SHADOW_PREFIX + l2p['id'],
mapping['endpoint_group_name'])
def test_explicit_port(self):
with self.network() as net:
with self.subnet(network=net) as sub:
l2p = self.create_l2_policy(
network_id=net['network']['id'])['l2_policy']
ptg = self.create_policy_target_group(
l2_policy_id=l2p['id'])['policy_target_group']
if self.non_apic_network:
sub = self._get_object('subnets',
self._get_ptg_shadow_subnet(ptg), self.api)
with self.port(subnet=sub) as port:
self._bind_port_to_host(port['port']['id'], 'h1')
self.create_policy_target(
port_id=port['port']['id'],
policy_target_group_id=ptg['id'])
self.assertTrue(self.driver.notifier.port_update.called)
def test_port_update_changed_ptg(self):
ptg = self.create_policy_target_group()['policy_target_group']
ptg2 = self.create_policy_target_group(
l2_policy_id=ptg['l2_policy_id'])['policy_target_group']
pt = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt['port_id'], 'h1')
if not self.non_apic_network:
self.driver.notifier.port_update.reset_mock()
self.update_policy_target(pt['id'],
policy_target_group_id=ptg2['id'])
self.assertTrue(self.driver.notifier.port_update.called)
else:
res = self.update_policy_target(pt['id'],
policy_target_group_id=ptg2['id'],
expected_res_status=400)
self.assertEqual('PTGChangeDisallowedWithNonOpFlexNetwork',
res['NeutronError']['type'])
def test_update_ptg_failed(self):
ptg = self.create_policy_target_group()['policy_target_group']
ptg2 = self.create_policy_target_group()['policy_target_group']
pt = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
res = self.update_policy_target(
pt['id'], policy_target_group_id=ptg2['id'],
expected_res_status=400)
exp = ('PTGChangeDisallowedWithNonOpFlexNetwork'
if self.non_apic_network else 'InvalidPortForPTG')
self.assertEqual(exp, res['NeutronError']['type'])
def test_port_notified_on_subnet_change(self):
ptg = self.create_policy_target_group()['policy_target_group']
pt = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self._bind_port_to_host(pt['port_id'], 'h1')
subnet = self._get_object('subnets', ptg['subnets'][0], self.api)
subnet2 = copy.deepcopy(subnet)
subnet2['subnet']['gateway_ip'] = '10.0.0.254'
subnet2['subnet']['allocation_pools'] = [{
'start': '10.0.0.2', 'end': '10.0.0.250'}]
self.driver.apic_manager.reset_mock()
self.driver.notifier.port_update.reset_mock()
self.driver.process_subnet_changed(context.get_admin_context(),
subnet['subnet'], subnet2['subnet'])
self.assertTrue(self.driver.notifier.port_update.called)
def test_get_gbp_proxy_address_ownership(self):
l3p_fake = self.create_l3_policy(name='myl3')['l3_policy']
l2p_fake = self.create_l2_policy(
name='myl2', l3_policy_id=l3p_fake['id'])['l2_policy']
ptg_fake = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p_fake['id'])['policy_target_group']
# The PT below will be actually bound for a VM. They are in the same
# Network
pt_bound_1 = self.create_policy_target(
policy_target_group_id=ptg_fake['id'])['policy_target']
pt_bound_2 = self.create_policy_target(
policy_target_group_id=ptg_fake['id'])['policy_target']
pt_bound_3 = self.create_policy_target(
policy_target_group_id=ptg_fake['id'])['policy_target']
l3p_real = self.create_l3_policy(name='myl3')['l3_policy']
# Build 2 L2Ps in order to get 2 networks.
l2p_real_1 = self.create_l2_policy(
name='myl2', l3_policy_id=l3p_real['id'])['l2_policy']
l2p_real_2 = self.create_l2_policy(
name='myl2', l3_policy_id=l3p_real['id'])['l2_policy']
ptg_real_1 = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p_real_1['id'])['policy_target_group']
ptg_real_2 = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p_real_2['id'])['policy_target_group']
# The PTs below will never be bound. They are on different networks
pt_unbound_1 = self.create_policy_target(
policy_target_group_id=ptg_real_1['id'])['policy_target']
pt_unbound_2 = self.create_policy_target(
policy_target_group_id=ptg_real_2['id'])['policy_target']
pt_unbound_2_1 = self.create_policy_target(
policy_target_group_id=ptg_real_2['id'])['policy_target']
# Change description to link the ports. The bound one will point
# to the unbound one to get its info overridden
self.update_policy_target(
pt_bound_1['id'],
description=amap.PROXY_PORT_PREFIX + pt_unbound_1['port_id'])
self.update_policy_target(
pt_bound_2['id'],
description=amap.PROXY_PORT_PREFIX + pt_unbound_2['port_id'])
self.update_policy_target(
pt_bound_3['id'],
description=amap.PROXY_PORT_PREFIX + pt_unbound_2_1['port_id'])
# Set up address ownership on the bound ports, and verify that both
# entries exists
# Update address ownership on second port
self.driver.update_ip_owner({'port': pt_bound_1['port_id'],
'ip_address_v4': '1.1.1.1'})
# Same address owned by another port in a different subnet
self.driver.update_ip_owner({'port': pt_bound_2['port_id'],
'ip_address_v4': '1.1.1.1'})
# There are 2 ownership entries for the same address
entries = self.driver.ha_ip_handler.session.query(
ha_ip_db.HAIPAddressToPortAssocation).all()
self.assertEqual(2, len(entries))
self.assertEqual('1.1.1.1', entries[0].ha_ip_address)
self.assertEqual('1.1.1.1', entries[1].ha_ip_address)
self.driver.update_ip_owner({'port': pt_bound_3['port_id'],
'ip_address_v4': '1.1.1.1'})
entries = self.driver.ha_ip_handler.session.query(
ha_ip_db.HAIPAddressToPortAssocation).all()
self.assertEqual(2, len(entries))
self.assertEqual('1.1.1.1', entries[0].ha_ip_address)
self.assertEqual('1.1.1.1', entries[1].ha_ip_address)
def test_explicit_end_of_chain(self):
self.driver._notify_port_update = mock.Mock()
ptg = self.create_policy_target_group(
name="ptg1")['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
ptg2 = self.create_policy_target_group(
name="ptg2",
description='opflex_eoc:' + pt1['port_id'],
is_admin_context=True)['policy_target_group']
self.create_policy_target(policy_target_group_id=ptg2['id'])
# pt1 notified
self.driver._notify_port_update.assert_called_once_with(
mock.ANY, pt1['port_id'])
def test_explicit_end_of_chain_cluster(self):
self.driver._notify_port_update = mock.Mock()
ptg = self.create_policy_target_group(
name="ptg1")['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
# Same cluster
pt2 = self.create_policy_target(
policy_target_group_id=ptg['id'],
cluster_id=pt1['id'])['policy_target']
pt3 = self.create_policy_target(
policy_target_group_id=ptg['id'],
cluster_id=pt1['id'])['policy_target']
ptg2 = self.create_policy_target_group(
name="ptg2",
description='opflex_eoc:' + pt1['port_id'],
is_admin_context=True)['policy_target_group']
self.create_policy_target(policy_target_group_id=ptg2['id'])
# pt1, 2 and 3 notified
expected_calls = [
mock.call(mock.ANY, pt1['port_id']),
mock.call(mock.ANY, pt2['port_id']),
mock.call(mock.ANY, pt3['port_id'])]
self._check_call_list(
expected_calls, self.driver._notify_port_update.call_args_list)
def test_explicit_eoc_raises(self):
ptg = self.create_policy_target_group(
name="ptg1")['policy_target_group']
self.create_policy_target_group(
name="ptg2", description='opflex_eoc:', expected_res_status=400)
self.update_policy_target_group(
ptg['id'], description='opflex_eoc:', expected_res_status=400)
def test_cluster_id_notify(self):
ptg = self.create_policy_target_group(
name="ptg1")['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
# Same cluster
pt2 = self.create_policy_target(
policy_target_group_id=ptg['id'],
cluster_id=pt1['id'])['policy_target']
self.create_policy_target(
name='pt3', policy_target_group_id=ptg['id'], cluster_id=pt1['id'])
self._bind_port_to_host(pt2['port_id'], 'h1')
port = self.driver._get_port(context.get_admin_context(),
pt2['port_id'])
self.driver.notifier.port_update = mock.Mock()
self.driver._notify_port_update(context.get_admin_context(),
pt1['port_id'])
self.driver.notifier.port_update.assert_called_once_with(mock.ANY,
port)
# The above guarantees that pt3 wasn't notified
class TestPolicyTargetSingleTenant(TestPolicyTarget):
def setUp(self):
super(TestPolicyTargetSingleTenant, self).setUp(
single_tenant_mode=True)
class TestPolicyTargetVlanNetwork(ApicMappingVlanTestCase,
TestPolicyTarget):
def test_shadow_port(self):
ptg1 = self.create_policy_target_group(
name="ptg1")['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg1['id'])['policy_target']
shadow_port = self._get_object('ports', pt1['port_id'],
self.api)['port']
subnet = self._get_object('subnets', ptg1['subnets'][0], self.api)
ports = self._list_resource('ports',
self.api, network_id=subnet['subnet']['network_id'])['ports']
self.assertEqual(1, len(ports))
self.assertEqual(shadow_port['mac_address'], ports[0]['mac_address'])
self.assertEqual(len(shadow_port['fixed_ips']),
len(ports[0]['fixed_ips']))
self.assertEqual(shadow_port['fixed_ips'][0]['ip_address'],
ports[0]['fixed_ips'][0]['ip_address'])
self.assertEqual('apic:%s' % pt1['id'], ports[0]['device_owner'])
self.assertEqual('', ports[0]['device_id'])
# update device_id of shadow port
shadow_port = self._update('ports', shadow_port['id'],
{'port': {'device_id': 'comp1'}})['port']
l2p_port = self._get_object(
'ports', ports[0]['id'], self.api)['port']
self.assertEqual('comp1', l2p_port['device_id'])
self.delete_policy_target(pt1['id'])
self._get_object('ports', pt1['port_id'], self.api,
expected_res_status=404)
self._get_object('ports', ports[0]['id'], self.api,
expected_res_status=404)
def test_shadow_port_for_explicit_port(self):
ptg1 = self.create_policy_target_group()['policy_target_group']
shadow_subnet1 = self._get_object('subnets',
self._get_ptg_shadow_subnet(ptg1),
self.api)
subnet = self._get_object('subnets', ptg1['subnets'][0], self.api)
with self.port(subnet=shadow_subnet1, device_id='vm1') as p:
port1 = p['port']
pt1 = self.create_policy_target(policy_target_group_id=ptg1['id'],
port_id=port1['id'])['policy_target']
subnet = self._get_object('subnets', ptg1['subnets'][0], self.api)
ports = self._list_resource('ports',
self.api, network_id=subnet['subnet']['network_id'])['ports']
self.assertEqual(1, len(ports))
self.assertEqual(port1['mac_address'], ports[0]['mac_address'])
self.assertEqual(len(port1['fixed_ips']),
len(ports[0]['fixed_ips']))
self.assertEqual(port1['fixed_ips'][0]['ip_address'],
ports[0]['fixed_ips'][0]['ip_address'])
self.assertEqual('apic:%s' % pt1['id'], ports[0]['device_owner'])
self.assertEqual('vm1', ports[0]['device_id'])
# update device_id of explicit port
port1 = self._update('ports', port1['id'],
{'port': {'device_id': 'comp1'}})['port']
l2p_port = self._get_object(
'ports', ports[0]['id'], self.api)['port']
self.assertEqual('comp1', l2p_port['device_id'])
self.delete_policy_target(pt1['id'])
self._get_object('ports', pt1['port_id'], self.api,
expected_res_status=200)
self._get_object('ports', ports[0]['id'], self.api,
expected_res_status=404)
def test_dhcp_disable_in_shadow_network(self):
ptg1 = self.create_policy_target_group(
name="ptg1")['policy_target_group']
self.create_policy_target(
policy_target_group_id=ptg1['id'])['policy_target']
subnet = self._get_object('subnets',
self._get_ptg_shadow_subnet(ptg1),
self.api)
with self.port(subnet=subnet, device_owner='network:dhcp') as p:
port1 = p['port']
port1 = self._get_object('ports', port1['id'], self.api)['port']
self.assertFalse(port1['admin_state_up'])
port1 = self._update('ports', port1['id'],
{'port': {'admin_state_up': True}})['port']
port1 = self._get_object('ports', port1['id'], self.api)['port']
self.assertFalse(port1['admin_state_up'])
def test_explicit_port_wrong_network(self):
ptg1 = self.create_policy_target_group()['policy_target_group']
subnet = self._get_object('subnets', ptg1['subnets'][0], self.api)
with self.port(subnet=subnet) as port1:
res = self.create_policy_target(policy_target_group_id=ptg1['id'],
port_id=port1['port']['id'], expected_res_status=400)
self.assertEqual('ExplicitPortInWrongNetwork',
res['NeutronError']['type'])
def test_explicit_port_overlap_address(self):
ptg1 = self.create_policy_target_group(
name="ptg1")['policy_target_group']
subnet = self._get_object('subnets', ptg1['subnets'][0], self.api)
shadow_subnet1 = self._get_object('subnets',
self._get_ptg_shadow_subnet(ptg1),
self.api)
with self.port(subnet=shadow_subnet1) as p:
shadow_port1 = p
ips = shadow_port1['port']['fixed_ips']
ips[0].pop('subnet_id', None)
with self.port(subnet=subnet, fixed_ips=ips) as p:
res = self.create_policy_target(
policy_target_group_id=ptg1['id'],
port_id=shadow_port1['port']['id'], expected_res_status=400)
self.assertEqual('ExplicitPortOverlap',
res['NeutronError']['type'])
res = self.new_delete_request('ports', p['port']['id'],
self.fmt).get_response(self.api)
self.assertEqual(webob.exc.HTTPNoContent.code, res.status_int)
with self.port(subnet=subnet,
mac_address=shadow_port1['port']['mac_address']) as p:
res = self.create_policy_target(
policy_target_group_id=ptg1['id'],
port_id=shadow_port1['port']['id'], expected_res_status=400)
self.assertEqual('ExplicitPortOverlap',
res['NeutronError']['type'])
def test_path_static_binding_implicit_port(self):
mgr = self.driver.apic_manager
ptg1 = self.create_policy_target_group(
name="ptg1")['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg1['id'])['policy_target']
self._bind_port_to_host(pt1['port_id'], 'h1')
port_ctx = self.driver._core_plugin.get_bound_port_context(
context.get_admin_context(), pt1['port_id'])
seg_id = port_ctx.bottom_bound_segment['segmentation_id']
mgr.ensure_path_created_for_port.assert_called_once_with(
ptg1['tenant_id'], ptg1['id'], 'h1', seg_id,
bd_name=ptg1['l2_policy_id'])
# move port to different host
mgr.ensure_path_created_for_port.reset_mock()
self._bind_port_to_host(pt1['port_id'], 'h2')
mgr.ensure_path_deleted_for_port.assert_called_once_with(
ptg1['tenant_id'], ptg1['id'], 'h1')
mgr.ensure_path_created_for_port.assert_called_once_with(
ptg1['tenant_id'], ptg1['id'], 'h2', seg_id,
bd_name=ptg1['l2_policy_id'])
# create another PT, bind to same host and then delete it
mgr.ensure_path_created_for_port.reset_mock()
mgr.ensure_path_deleted_for_port.reset_mock()
pt2 = self.create_policy_target(
policy_target_group_id=ptg1['id'])['policy_target']
self._bind_port_to_host(pt2['port_id'], 'h2')
mgr.ensure_path_created_for_port.assert_called_once_with(
ptg1['tenant_id'], ptg1['id'], 'h2', seg_id,
bd_name=ptg1['l2_policy_id'])
self.delete_policy_target(pt2['id'])
mgr.ensure_path_deleted_for_port.assert_not_called()
# delete PT
mgr.ensure_path_deleted_for_port.reset_mock()
self.delete_policy_target(pt1['id'])
mgr.ensure_path_deleted_for_port.assert_called_once_with(
ptg1['tenant_id'], ptg1['id'], 'h2')
def test_path_static_binding_explicit_port(self):
mgr = self.driver.apic_manager
ptg1 = self.create_policy_target_group(
name="ptg1")['policy_target_group']
shadow_subnet1 = self._get_object('subnets',
self._get_ptg_shadow_subnet(ptg1),
self.api)
with self.port(subnet=shadow_subnet1) as port:
port1 = port
port1 = self._bind_port_to_host(port1['port']['id'], 'h1')
port_ctx = self.driver._core_plugin.get_bound_port_context(
context.get_admin_context(), port1['port']['id'])
seg_id = port_ctx.bottom_bound_segment['segmentation_id']
mgr.ensure_path_created_for_port.assert_not_called()
# Assign port to a PT
pt1 = self.create_policy_target(
policy_target_group_id=ptg1['id'],
port_id=port1['port']['id'])['policy_target']
mgr.ensure_path_created_for_port.assert_called_once_with(
ptg1['tenant_id'], ptg1['id'], 'h1', seg_id,
bd_name=ptg1['l2_policy_id'])
# move port to different host
mgr.ensure_path_created_for_port.reset_mock()
self._bind_port_to_host(pt1['port_id'], 'h2')
mgr.ensure_path_deleted_for_port.assert_called_once_with(
ptg1['tenant_id'], ptg1['id'], 'h1')
mgr.ensure_path_created_for_port.assert_called_once_with(
ptg1['tenant_id'], ptg1['id'], 'h2', seg_id,
bd_name=ptg1['l2_policy_id'])
# create another port & PT, bind to same host and then delete port
mgr.ensure_path_created_for_port.reset_mock()
mgr.ensure_path_deleted_for_port.reset_mock()
with self.port(subnet=shadow_subnet1) as port:
port2 = port
pt2 = self.create_policy_target(
policy_target_group_id=ptg1['id'],
port_id=port2['port']['id'])['policy_target']
self._bind_port_to_host(pt2['port_id'], 'h2')
mgr.ensure_path_created_for_port.assert_called_once_with(
ptg1['tenant_id'], ptg1['id'], 'h2', seg_id,
bd_name=ptg1['l2_policy_id'])
res = self.new_delete_request('ports', port2['port']['id'],
self.fmt).get_response(self.api)
self.assertEqual(webob.exc.HTTPNoContent.code, res.status_int)
mgr.ensure_path_deleted_for_port.assert_not_called()
# Delete PT
mgr.ensure_path_deleted_for_port.reset_mock()
self.delete_policy_target(pt1['id'])
mgr.ensure_path_deleted_for_port.assert_called_once_with(
ptg1['tenant_id'], ptg1['id'], 'h2')
def test_path_static_binding_for_non_pt(self):
mgr = self.driver.apic_manager
ptg1 = self.create_policy_target_group(
name="ptg1")['policy_target_group']
subnet = self._get_object('subnets', ptg1['subnets'][0], self.api)
with self.port(subnet=subnet) as port:
port1 = port
with self.port(subnet=subnet) as port:
port2 = port
# bind first port
port1 = self._bind_port_to_host(port1['port']['id'], 'h1')
port_ctx = self.driver._core_plugin.get_bound_port_context(
context.get_admin_context(), port1['port']['id'])
seg_id = port_ctx.bottom_bound_segment['segmentation_id']
mgr.ensure_path_created_for_port.assert_called_once_with(
ptg1['tenant_id'], 'Shd-%s' % ptg1['l2_policy_id'], 'h1',
seg_id, bd_name=ptg1['l2_policy_id'])
# bind second port
mgr.ensure_path_created_for_port.reset_mock()
port2 = self._bind_port_to_host(port2['port']['id'], 'h1')
mgr.ensure_path_created_for_port.assert_called_once_with(
ptg1['tenant_id'], 'Shd-%s' % ptg1['l2_policy_id'], 'h1',
seg_id, bd_name=ptg1['l2_policy_id'])
# delete second port
res = self.new_delete_request('ports', port2['port']['id'],
self.fmt).get_response(self.api)
self.assertEqual(webob.exc.HTTPNoContent.code, res.status_int)
mgr.ensure_path_deleted_for_port.assert_not_called()
# delete first port
mgr.ensure_path_deleted_for_port.reset_mock()
res = self.new_delete_request('ports', port1['port']['id'],
self.fmt).get_response(self.api)
self.assertEqual(webob.exc.HTTPNoContent.code, res.status_int)
mgr.ensure_path_deleted_for_port.assert_called_once_with(
ptg1['tenant_id'], 'Shd-%s' % ptg1['l2_policy_id'], 'h1')
def test_fixed_ip(self):
ptg1 = self.create_policy_target_group(
name="ptg1")['policy_target_group']
subnet = self._get_object('subnets', ptg1['subnets'][0],
self.api)['subnet']
network = self._get_object('networks', subnet['network_id'],
self.api)
# create PT with specific IP-address
pt1 = self.create_policy_target(
policy_target_group_id=ptg1['id'],
fixed_ips=[{'ip_address': '10.0.0.42'}]
)['policy_target']
shadow_port = self._get_object('ports', pt1['port_id'],
self.api)['port']
self.assertEqual(1, len(shadow_port['fixed_ips']))
self.assertEqual('10.0.0.42',
shadow_port['fixed_ips'][0]['ip_address'])
implicit_port = self._list_resource('ports',
self.api, network_id=network['network']['id'])['ports'][0]
self.assertEqual(1, len(implicit_port['fixed_ips']))
self.assertEqual('10.0.0.42',
implicit_port['fixed_ips'][0]['ip_address'])
self.delete_policy_target(pt1['id'])
# create PT with specific IP-address and subnet
subnet2 = self._make_subnet(self.fmt, network, '20.0.0.1',
'20.0.0.0/28')['subnet']
pt2 = self.create_policy_target(
policy_target_group_id=ptg1['id'],
fixed_ips=[{'ip_address': '20.0.0.14',
'subnet_id': subnet2['id']}]
)['policy_target']
shadow_port = self._get_object('ports', pt2['port_id'],
self.api)['port']
self.assertEqual(1, len(shadow_port['fixed_ips']))
self.assertEqual('20.0.0.14',
shadow_port['fixed_ips'][0]['ip_address'])
implicit_port = self._list_resource('ports',
self.api, network_id=network['network']['id'])['ports'][0]
self.assertEqual(1, len(implicit_port['fixed_ips']))
self.assertEqual('20.0.0.14',
implicit_port['fixed_ips'][0]['ip_address'])
self.assertEqual(subnet2['id'],
implicit_port['fixed_ips'][0]['subnet_id'])
class FakeNetworkContext(object):
"""To generate network context for testing purposes only."""
def __init__(self, network, segments):
self._network = network
self._segments = segments
self._plugin_context = mock.Mock()
@property
def current(self):
return self._network
@property
def network_segments(self):
return self._segments
class FakePortContext(object):
"""To generate port context for testing purposes only."""
def __init__(self, port, network):
self._port = port
self._network = network
self._plugin = mock.Mock()
self._plugin_context = mock.Mock()
self._plugin.get_ports.return_value = []
if network.network_segments:
self._bound_segment = network.network_segments[0]
else:
self._bound_segment = None
self.current = self._port
self.original = self._port
self.network = self._network
self.top_bound_segment = self._bound_segment
self.bottom_bound_segment = self._bound_segment
self.host = self._port.get(portbindings.HOST_ID)
self.original_host = None
self._binding = mock.Mock()
self._binding.segment = self._bound_segment
def set_binding(self, segment_id, vif_type, cap_port_filter):
pass
class TestPolicyTargetDvs(ApicMappingTestCase):
def setUp(self):
super(TestPolicyTargetDvs, self).setUp()
self.driver.apic_manager.app_profile_name = mocked.APIC_AP
plugin = manager.NeutronManager.get_plugin()
self.ml2 = plugin.mechanism_manager.mech_drivers['apic_gbp'].obj
self.ml2._dvs_notifier = mock.MagicMock()
self.ml2.dvs_notifier.bind_port_call = mock.Mock(
return_value=BOOKED_PORT_VALUE)
mapper = self.driver.name_mapper
mapper.name_mapper.policy_taget_group.return_value = 'ptg1'
def _verify_dvs_notifier(self, notifier, port, host):
# can't use getattr() with mock, so use eval instead
try:
dvs_mock = eval('self.ml2.dvs_notifier.' + notifier)
except Exception:
self.assertTrue(False,
"The method " + notifier + " was not called")
return
self.assertTrue(dvs_mock.called)
a1, a2, a3, a4 = dvs_mock.call_args[0]
self.assertEqual(a1['id'], port['id'])
self.assertEqual(a2['id'], port['id'])
self.assertEqual(a4, host)
def _pg_name(self, project, profile, network):
return (str(project) + '|' + str(profile) + '|' + network)
def test_bind_port_dvs(self):
self.agent_conf = AGENT_CONF_DVS
l3p_fake = self.create_l3_policy(name='myl3')['l3_policy']
l2p_fake = self.create_l2_policy(
name='myl2', l3_policy_id=l3p_fake['id'])['l2_policy']
ptg = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p_fake['id'])['policy_target_group']
pt = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
newp1 = self._bind_port_to_host(pt['port_id'], 'h1')
vif_details = newp1['port']['binding:vif_details']
self.assertIsNotNone(vif_details.get('dvs_port_group_name'))
pg = self._pg_name(ptg['tenant_id'], mocked.APIC_AP, ptg['name'])
self.assertEqual(pg, vif_details.get('dvs_port_group_name'))
port_key = newp1['port']['binding:vif_details'].get('dvs_port_key')
self.assertIsNotNone(port_key)
self.assertEqual(port_key, BOOKED_PORT_VALUE)
self._verify_dvs_notifier('update_postcommit_port_call',
newp1['port'], 'h1')
net_ctx = FakeNetworkContext(mock.Mock(), [mock.Mock()])
port_ctx = FakePortContext(newp1['port'], net_ctx)
self.ml2.delete_port_postcommit(port_ctx)
self._verify_dvs_notifier('delete_port_call', newp1['port'], 'h1')
def test_bind_port_dvs_with_opflex_different_hosts(self):
l3p_fake = self.create_l3_policy(name='myl3')['l3_policy']
l2p_fake = self.create_l2_policy(
name='myl2', l3_policy_id=l3p_fake['id'])['l2_policy']
ptg = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p_fake['id'])['policy_target_group']
self.agent_conf = AGENT_CONF
pt2 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
newp2 = self._bind_port_to_host(pt2['port_id'], 'h2')
vif_details = newp2['port']['binding:vif_details']
self.assertIsNone(vif_details.get('dvs_port_group_name'))
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
self.agent_conf = AGENT_CONF_DVS
self.ml2._dvs_notifier.reset_mock()
newp1 = self._bind_port_to_host(pt1['port_id'], 'h2')
port_key = newp1['port']['binding:vif_details'].get('dvs_port_key')
self.assertIsNotNone(port_key)
self.assertEqual(port_key, BOOKED_PORT_VALUE)
vif_details = newp1['port']['binding:vif_details']
self.assertIsNotNone(vif_details.get('dvs_port_group_name'))
pg = self._pg_name(ptg['tenant_id'], mocked.APIC_AP, ptg['name'])
self.assertEqual(pg, vif_details.get('dvs_port_group_name'))
self._verify_dvs_notifier('update_postcommit_port_call',
newp1['port'], 'h2')
net_ctx = FakeNetworkContext(mock.Mock(), [mock.Mock()])
port_ctx = FakePortContext(newp1['port'], net_ctx)
self.ml2.delete_port_postcommit(port_ctx)
self._verify_dvs_notifier('delete_port_call', newp1['port'], 'h2')
def test_bind_ports_opflex_same_host(self):
l3p_fake = self.create_l3_policy(name='myl3')['l3_policy']
l2p_fake = self.create_l2_policy(
name='myl2', l3_policy_id=l3p_fake['id'])['l2_policy']
ptg = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p_fake['id'])['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
newp1 = self._bind_port_to_host(pt1['port_id'], 'h1')
vif_details = newp1['port']['binding:vif_details']
self.assertIsNone(vif_details.get('dvs_port_group_name'))
port_key = newp1['port']['binding:vif_details'].get('dvs_port_key')
self.assertIsNone(port_key)
dvs_mock = self.ml2.dvs_notifier.update_postcommit_port_call
dvs_mock.assert_not_called()
net_ctx = FakeNetworkContext(mock.Mock(), [mock.Mock()])
port_ctx = FakePortContext(newp1['port'], net_ctx)
self.ml2.delete_port_postcommit(port_ctx)
dvs_mock = self.ml2.dvs_notifier.delete_port_call
dvs_mock.assert_not_called()
self.ml2.dvs_notifier.reset_mock()
pt2 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
newp2 = self._bind_port_to_host(pt2['port_id'], 'h1')
vif_details = newp2['port']['binding:vif_details']
self.assertIsNone(vif_details.get('dvs_port_group_name'))
port_key = newp2['port']['binding:vif_details'].get('dvs_port_key')
self.assertIsNone(port_key)
dvs_mock.assert_not_called()
net_ctx = FakeNetworkContext(mock.Mock(), [mock.Mock()])
port_ctx = FakePortContext(newp2['port'], net_ctx)
self.ml2.delete_port_postcommit(port_ctx)
dvs_mock = self.ml2.dvs_notifier.delete_port_call
dvs_mock.assert_not_called()
def test_bind_ports_dvs_with_opflex_same_host(self):
self.agent_conf = AGENT_CONF_DVS
l3p_fake = self.create_l3_policy(name='myl3')['l3_policy']
l2p_fake = self.create_l2_policy(
name='myl2', l3_policy_id=l3p_fake['id'])['l2_policy']
ptg = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p_fake['id'])['policy_target_group']
pt1 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
newp1 = self._bind_port_to_host(pt1['port_id'], 'h1')
vif_details = newp1['port']['binding:vif_details']
self.assertIsNotNone(vif_details.get('dvs_port_group_name'))
port_key = newp1['port']['binding:vif_details'].get('dvs_port_key')
self.assertIsNotNone(port_key)
self.assertEqual(port_key, BOOKED_PORT_VALUE)
self._verify_dvs_notifier('update_postcommit_port_call',
newp1['port'], 'h1')
net_ctx = FakeNetworkContext(mock.Mock(), [mock.Mock()])
port_ctx = FakePortContext(newp1['port'], net_ctx)
self.ml2.delete_port_postcommit(port_ctx)
self._verify_dvs_notifier('delete_port_call', newp1['port'], 'h1')
self.ml2.dvs_notifier.reset_mock()
self.agent_conf = AGENT_CONF
pt2 = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
newp2 = self._bind_dhcp_port_to_host(pt2['port_id'], 'h1')
vif_details = newp2['port']['binding:vif_details']
self.assertIsNone(vif_details.get('dvs_port_group_name'))
port_key = newp2['port']['binding:vif_details'].get('dvs_port_key')
self.assertIsNone(port_key)
dvs_mock = self.ml2.dvs_notifier.update_postcommit_port_call
dvs_mock.assert_not_called()
net_ctx = FakeNetworkContext(mock.Mock(), [mock.Mock()])
port_ctx = FakePortContext(newp2['port'], net_ctx)
self.ml2.delete_port_postcommit(port_ctx)
dvs_mock = self.ml2.dvs_notifier.delete_port_call
dvs_mock.assert_not_called()
def test_bind_port_dvs_shared(self):
self.agent_conf = AGENT_CONF_DVS
ptg = self.create_policy_target_group(shared=True,
name="ptg1")['policy_target_group']
pt = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
newp1 = self._bind_port_to_host(pt['port_id'], 'h1')
vif_details = newp1['port']['binding:vif_details']
self.assertIsNotNone(vif_details.get('dvs_port_group_name'))
pg = self._pg_name(amap.apic_manager.TENANT_COMMON,
mocked.APIC_AP, ptg['name'])
self.assertEqual(pg, vif_details.get('dvs_port_group_name'))
port_key = newp1['port']['binding:vif_details'].get('dvs_port_key')
self.assertIsNotNone(port_key)
self.assertEqual(port_key, BOOKED_PORT_VALUE)
self._verify_dvs_notifier('update_postcommit_port_call',
newp1['port'], 'h1')
net_ctx = FakeNetworkContext(mock.Mock(), [mock.Mock()])
port_ctx = FakePortContext(newp1['port'], net_ctx)
self.ml2.delete_port_postcommit(port_ctx)
self._verify_dvs_notifier('delete_port_call', newp1['port'], 'h1')
def test_bind_port_with_allowed_vm_names(self):
allowed_vm_names = ['safe_vm*', '^secure_vm*']
l3p = self.create_l3_policy(name='myl3',
allowed_vm_names=allowed_vm_names)['l3_policy']
l2p = self.create_l2_policy(
name='myl2', l3_policy_id=l3p['id'])['l2_policy']
ptg = self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p['id'])['policy_target_group']
pt = self.create_policy_target(
policy_target_group_id=ptg['id'])['policy_target']
nova_client = mock.patch(
'gbpservice.neutron.services.grouppolicy.drivers.cisco.'
'apic.nova_client.NovaClient.get_server').start()
vm = mock.Mock()
vm.name = 'secure_vm1'
nova_client.return_value = vm
newp1 = self._bind_port_to_host(pt['port_id'], 'h1')
self.assertEqual(newp1['port']['binding:vif_type'], 'ovs')
# bind again
vm.name = 'bad_vm1'
newp1 = self._bind_port_to_host(pt['port_id'], 'h2')
self.assertEqual(newp1['port']['binding:vif_type'], 'binding_failed')
# update l3p with empty allowed_vm_names
l3p = self.update_l3_policy(l3p['id'], tenant_id=l3p['tenant_id'],
allowed_vm_names=[],
expected_res_status=200)['l3_policy']
newp1 = self._bind_port_to_host(pt['port_id'], 'h3')
self.assertEqual(newp1['port']['binding:vif_type'], 'ovs')
class TestPolicyTargetGroup(ApicMappingTestCase):
def _test_policy_target_group_created_on_apic(self, shared=False):
ptg = self.create_policy_target_group(
name="ptg1", shared=shared)['policy_target_group']
tenant = self._tenant(ptg['tenant_id'], shared)
mgr = self.driver.apic_manager
expected_calls = [
mock.call(tenant, ptg['id'], bd_name=ptg['l2_policy_id'],
bd_owner=tenant),
mock.call(tenant, amap.SHADOW_PREFIX + ptg['l2_policy_id'],
bd_name=ptg['l2_policy_id'], bd_owner=tenant,
transaction=mock.ANY)]
self._check_call_list(
expected_calls, mgr.ensure_epg_created.call_args_list)
expected_calls = [
mock.call(mgr.apic.fvCtx, tenant, mock.ANY,
nameAlias='default'),
mock.call(mgr.apic.fvBD, tenant, ptg['l2_policy_id'],
nameAlias='ptg1'),
mock.call(mgr.apic.fvAEPg, tenant, mgr.app_profile_name,
amap.SHADOW_PREFIX + ptg['l2_policy_id'],
nameAlias=amap.SHADOW_PREFIX + 'ptg1'),
mock.call(mgr.apic.fvAEPg, tenant, mgr.app_profile_name,
ptg['id'], nameAlias='ptg1')]
self._check_call_list(expected_calls,
mgr.update_name_alias.call_args_list)
mgr.reset_mock()
self.update_policy_target_group(
ptg['id'], description='desc', expected_res_status=200)
self.assertFalse(mgr.update_name_alias.called)
self.update_policy_target_group(
ptg['id'], name='ptg1_1', expected_res_status=200)
mgr.update_name_alias.assert_called_once_with(
mgr.apic.fvAEPg, tenant, mgr.app_profile_name,
ptg['id'], nameAlias='ptg1_1')
def test_policy_target_group_created_on_apic(self):
self._test_policy_target_group_created_on_apic()
def test_policy_target_group_created_on_apic_shared(self):
self._test_policy_target_group_created_on_apic(shared=True)
def _test_ptg_policy_rule_set_created(self, provider=True, shared=False):
cntr = self.create_policy_rule_set(name='c',
shared=shared)['policy_rule_set']
l2p = self.create_l2_policy()['l2_policy']
mgr = self.driver.apic_manager
mgr.set_contract_for_epg.reset_mock()
if provider:
ptg = self.create_policy_target_group(
l2_policy_id=l2p['id'],
provided_policy_rule_sets={cntr['id']: 'scope'})[
'policy_target_group']
else:
ptg = self.create_policy_target_group(
l2_policy_id=l2p['id'],
consumed_policy_rule_sets={cntr['id']: 'scope'})[
'policy_target_group']
# Verify that the apic call is issued
ct_owner = self._tenant(cntr['tenant_id'], shared)
tenant_id = self._tenant(ptg['tenant_id'])
expected_calls = [
mock.call(
tenant_id, ptg['id'], cntr['id'],
transaction=mock.ANY, contract_owner=ct_owner,
provider=provider),
mock.call(
tenant_id, ptg['id'],
alib.SERVICE_PREFIX + ptg['l2_policy_id'],
transaction=mock.ANY, contract_owner=tenant_id,
provider=False),
mock.call(
tenant_id, ptg['id'],
alib.IMPLICIT_PREFIX + ptg['l2_policy_id'],
transaction=mock.ANY, contract_owner=tenant_id,
provider=True),
mock.call(
tenant_id, ptg['id'],
alib.IMPLICIT_PREFIX + ptg['l2_policy_id'],
transaction=mock.ANY, contract_owner=tenant_id,
provider=False)]
self._check_call_list(expected_calls,
mgr.set_contract_for_epg.call_args_list)
def _test_ptg_policy_rule_set_updated(self, provider=True, shared=False):
p_or_c = {True: 'provided_policy_rule_sets',
False: 'consumed_policy_rule_sets'}
cntr = self.create_policy_rule_set(
name='c1', shared=shared)['policy_rule_set']
new_cntr = self.create_policy_rule_set(
name='c2', shared=shared)['policy_rule_set']
if provider:
ptg = self.create_policy_target_group(
provided_policy_rule_sets={cntr['id']: 'scope'})
else:
ptg = self.create_policy_target_group(
consumed_policy_rule_sets={cntr['id']: 'scope'})
data = {'policy_target_group': {p_or_c[provider]:
{new_cntr['id']: 'scope'}}}
req = self.new_update_request('policy_target_groups', data,
ptg['policy_target_group']['id'],
self.fmt)
ptg = self.deserialize(self.fmt, req.get_response(self.ext_api))
ptg = ptg['policy_target_group']
mgr = self.driver.apic_manager
ct_owner = self._tenant(cntr['tenant_id'], shared)
tenant_id = self._tenant(ptg['tenant_id'])
mgr.set_contract_for_epg.assert_called_with(
tenant_id, ptg['id'], new_cntr['id'],
contract_owner=ct_owner, transaction=mock.ANY,
provider=provider)
mgr.unset_contract_for_epg.assert_called_with(
tenant_id, ptg['id'], cntr['id'],
contract_owner=ct_owner,
transaction=mock.ANY, provider=provider)
def test_ptg_policy_rule_set_provider_created(self):
self._test_ptg_policy_rule_set_created()
def test_ptg_policy_rule_set_provider_updated(self):
self._test_ptg_policy_rule_set_updated()
def test_ptg_policy_rule_set_consumer_created(self):
self._test_ptg_policy_rule_set_created(False)
def test_ptg_policy_rule_set_consumer_updated(self):
self._test_ptg_policy_rule_set_updated(False)
def test_ptg_policy_rule_set_provider_created_shared(self):
self._test_ptg_policy_rule_set_created(shared=True)
def test_ptg_policy_rule_set_provider_updated_shared(self):
self._test_ptg_policy_rule_set_updated(shared=True)
def test_ptg_policy_rule_set_consumer_created_shared(self):
self._test_ptg_policy_rule_set_created(False, shared=True)
def test_ptg_policy_rule_set_consumer_updated_shared(self):
self._test_ptg_policy_rule_set_updated(False, shared=True)
def _test_policy_target_group_deleted_on_apic(self, shared=False):
ptg = self.create_policy_target_group(
name="ptg1", shared=shared)['policy_target_group']
req = self.new_delete_request('policy_target_groups',
ptg['id'], self.fmt)
req.get_response(self.ext_api)
mgr = self.driver.apic_manager
tenant = self._tenant(ptg['tenant_id'], shared)
expected_calls = [
mock.call(tenant, ptg['id']),
mock.call(tenant, amap.SHADOW_PREFIX + ptg['l2_policy_id'],
transaction=mock.ANY)]
self._check_call_list(expected_calls,
mgr.delete_epg_for_network.call_args_list)
def test_policy_target_group_deleted_on_apic(self):
self._test_policy_target_group_deleted_on_apic()
def test_policy_target_group_deleted_on_apic_shared(self):
self._test_policy_target_group_deleted_on_apic(shared=True)
def _test_policy_target_group_subnet_created_on_apic(self, shared=False):
ptg = self._create_explicit_subnet_ptg('10.0.0.0/24', shared=shared)
mgr = self.driver.apic_manager
tenant = self._tenant(ptg['tenant_id'], shared)
mgr.ensure_subnet_created_on_apic.assert_called_once_with(
tenant, ptg['l2_policy_id'], '10.0.0.1/24',
transaction=mock.ANY)
def test_policy_target_group_subnet_created_on_apic(self):
self._test_policy_target_group_subnet_created_on_apic()
def test_policy_target_group_subnet_created_on_apic_shared(self):
self._test_policy_target_group_subnet_created_on_apic(shared=True)
def _test_policy_target_group_subnet_added(self, shared=False):
ptg = self._create_explicit_subnet_ptg('10.0.0.0/24', shared=shared)
l2p = self._get_object('l2_policies', ptg['l2_policy_id'],
self.ext_api)
network = self._get_object('networks', l2p['l2_policy']['network_id'],
self.api)
with self.subnet(network=network, cidr='10.0.1.0/24') as subnet:
data = {'policy_target_group':
{'subnets': ptg['subnets'] + [subnet['subnet']['id']]}}
mgr = self.driver.apic_manager
self.new_update_request('policy_target_groups', data, ptg['id'],
self.fmt).get_response(self.ext_api)
tenant = self._tenant(ptg['tenant_id'], shared)
mgr.ensure_subnet_created_on_apic.assert_called_with(
tenant, ptg['l2_policy_id'], '10.0.1.1/24',
transaction=mock.ANY)
def test_policy_target_group_subnet_added(self):
self._test_policy_target_group_subnet_added()
def test_policy_target_group_subnet_added_shared(self):
self._test_policy_target_group_subnet_added(shared=True)
def _test_process_subnet_update(self, shared=False):
ptg = self._create_explicit_subnet_ptg('10.0.0.0/24', shared=shared)
subnet = self._get_object('subnets', ptg['subnets'][0], self.api)
subnet2 = copy.deepcopy(subnet)
subnet2['subnet']['gateway_ip'] = '10.0.0.254'
mgr = self.driver.apic_manager
mgr.reset_mock()
self.driver.process_subnet_changed(context.get_admin_context(),
subnet['subnet'], subnet2['subnet'])
tenant = self._tenant(ptg['tenant_id'], shared)
mgr.ensure_subnet_created_on_apic.assert_called_once_with(
tenant, ptg['l2_policy_id'], '10.0.0.254/24',
transaction=mock.ANY)
mgr.ensure_subnet_deleted_on_apic.assert_called_with(
tenant, ptg['l2_policy_id'], '10.0.0.1/24',
transaction=mock.ANY)
def test_process_subnet_update(self):
self._test_process_subnet_update()
def test_process_subnet_update_shared(self):
self._test_process_subnet_update(shared=True)
def test_multiple_ptg_per_l2p(self):
l2p = self.create_l2_policy()['l2_policy']
# Create first PTG
ptg1 = self.create_policy_target_group(
l2_policy_id=l2p['id'])['policy_target_group']
ptg2 = self.create_policy_target_group(
l2_policy_id=l2p['id'])['policy_target_group']
self.assertEqual(ptg1['subnets'], ptg2['subnets'])
def test_force_add_subnet(self):
l2p = self.create_l2_policy()['l2_policy']
# Create first PTG
ptg1 = self.create_policy_target_group(
l2_policy_id=l2p['id'])['policy_target_group']
ptg2 = self.create_policy_target_group(
l2_policy_id=l2p['id'])['policy_target_group']
ctx = p_context.PolicyTargetGroupContext(
self.driver.gbp_plugin, context.get_admin_context(), ptg2)
# Emulate force add
self.driver._use_implicit_subnet(ctx, force_add=True)
# There now a new subnet, and it's added to both the PTGs
self.assertEqual(2, len(ctx.current['subnets']))
ptg1 = self.show_policy_target_group(ptg1['id'])['policy_target_group']
self.assertEqual(2, len(ptg1['subnets']))
ptg2 = self.show_policy_target_group(ptg2['id'])['policy_target_group']
self.assertEqual(2, len(ptg2['subnets']))
self.assertEqual(set(ptg1['subnets']), set(ptg2['subnets']))
self.assertNotEqual(ptg2['subnets'][0], ptg2['subnets'][1])
def test_subnets_unique_per_l3p(self):
l3p = self.create_l3_policy(shared=True, tenant_id='admin',
is_admin_context=True)['l3_policy']
l2p1 = self.create_l2_policy(
tenant_id='hr', l3_policy_id=l3p['id'])['l2_policy']
l2p2 = self.create_l2_policy(
tenant_id='eng', l3_policy_id=l3p['id'])['l2_policy']
ptg1 = self.create_policy_target_group(
tenant_id='hr', l2_policy_id=l2p1['id'])['policy_target_group']
ptg2 = self.create_policy_target_group(
tenant_id='eng', l2_policy_id=l2p2['id'])['policy_target_group']
sub_ptg_1 = set(self._get_object('subnets',
x, self.api)['subnet']['cidr']
for x in ptg1['subnets'])
sub_ptg_2 = set(self._get_object('subnets',
x, self.api)['subnet']['cidr']
for x in ptg2['subnets'])
self.assertNotEqual(sub_ptg_1, sub_ptg_2)
self.assertFalse(sub_ptg_1 & sub_ptg_2)
def test_preexisting_l2p_no_service_contracts(self):
# Circumvent name validation
self.driver.name_mapper.has_valid_name = (
self.driver.name_mapper._is_apic_reference)
self.driver.name_mapper.tenant = mock.Mock(
return_value=self._tenant_id)
self.driver.name_mapper.dn_manager.decompose_bridge_domain = mock.Mock(
return_value=['preexisting'])
self.driver._configure_epg_service_contract = mock.Mock()
self.driver._configure_epg_implicit_contract = mock.Mock()
l2p = self.create_l2_policy(name='apic:preexisting')['l2_policy']
self.create_policy_target_group(l2_policy_id=l2p['id'])
self.assertFalse(self.driver._configure_epg_service_contract.called)
self.assertFalse(self.driver._configure_epg_implicit_contract.called)
# Use non-preexisting L2P
self.create_policy_target_group()
self.assertTrue(self.driver._configure_epg_service_contract.called)
self.assertTrue(self.driver._configure_epg_implicit_contract.called)
def _create_explicit_subnet_ptg(self, cidr, shared=False, alloc_pool=None):
l2p = self.create_l2_policy(name="l2p", shared=shared)
l2p_id = l2p['l2_policy']['id']
network_id = l2p['l2_policy']['network_id']
network = self._get_object('networks', network_id, self.api)
pool = alloc_pool or [{'start': '10.0.0.2', 'end': '10.0.0.250'}]
with self.subnet(network=network, cidr=cidr,
allocation_pools=pool):
# The subnet creation in the proper network causes the subnet ID
# to be added to the PTG
return self.create_policy_target_group(
name="ptg1", l2_policy_id=l2p_id,
shared=shared)['policy_target_group']
class TestPolicyTargetGroupSingleTenant(TestPolicyTargetGroup):
def setUp(self):
super(TestPolicyTargetGroupSingleTenant, self).setUp(
single_tenant_mode=True)
class TestPolicyTargetGroupVlanNetwork(ApicMappingVlanTestCase,
TestPolicyTargetGroup):
def _test_shadow_network(self, shared):
ptg1 = self.create_policy_target_group(
name='ptg1', shared=shared)['policy_target_group']
l2p = self.show_l2_policy(ptg1['l2_policy_id'])['l2_policy']
net = self._get_object('networks', l2p['network_id'],
self.api)['network']
subnet1 = self._get_object('subnets', net['subnets'][0],
self.api)['subnet']
shadow_net1 = self._get_ptg_shadow_net(ptg1)
self.assertIsNotNone(shadow_net1)
self.assertEqual(ptg1['tenant_id'], shadow_net1['tenant_id'])
self.assertEqual(shared, shadow_net1['shared'])
self.assertEqual(1, len(shadow_net1['subnets']))
shadow_subnet1 = self._get_object('subnets',
shadow_net1['subnets'][0], self.api)['subnet']
self.assertEqual(subnet1['cidr'], shadow_subnet1['cidr'])
self.assertEqual(ptg1['tenant_id'], shadow_subnet1['tenant_id'])
self.delete_policy_target_group(ptg1['id'])
self._get_object('subnets', shadow_subnet1['id'], self.api,
expected_res_status=404)
self._get_object('networks', shadow_net1['id'], self.api,
expected_res_status=404)
def test_shadow_network(self):
self._test_shadow_network(False)
def test_shadow_network_shared(self):
self._test_shadow_network(True)
def _test_shadow_subnet(self, shared):
ptg1 = self.create_policy_target_group(
name='ptg1', shared=shared)['policy_target_group']
l2p = self.show_l2_policy(ptg1['l2_policy_id'])['l2_policy']
net = self._get_object('networks', l2p['network_id'],
self.api)['network']
subnet1 = self._get_object('subnets', net['subnets'][0],
self.api)['subnet']
shadow_net1 = self._get_ptg_shadow_net(ptg1)
with self.subnet(cidr='20.0.0.0/26',
network={'network': net}) as subnet2:
subnet2 = subnet2['subnet']
shadow_subnets = self._list_resource(
'subnets', self.api, network_id=shadow_net1['id'])['subnets']
shadow_subnets = sorted(shadow_subnets, key=lambda x: x['cidr'])
self.assertEqual(2, len(shadow_subnets))
self.assertEqual(subnet1['cidr'], shadow_subnets[0]['cidr'])
self.assertEqual(subnet2['cidr'], shadow_subnets[1]['cidr'])
self.assertTrue(shadow_subnets[0]['enable_dhcp'])
self.assertTrue(shadow_subnets[1]['enable_dhcp'])
subnet1 = self._update_resource(subnet1['id'], 'subnet',
expected_res_status=200, api=self.api,
enable_dhcp=False)['subnet']
self.assertFalse(subnet1['enable_dhcp'])
shadow_subnets = self._list_resource(
'subnets', self.api, network_id=shadow_net1['id'])['subnets']
shadow_subnets = sorted(shadow_subnets, key=lambda x: x['cidr'])
self.assertFalse(shadow_subnets[0]['enable_dhcp'])
self.delete_policy_target_group(ptg1['id'])
shadow_subnets = self._list_resource('subnets', self.api,
network_id=shadow_net1['id'], expected_res_status=200)['subnets']
self.assertEqual([], shadow_subnets)
def test_shadow_subnet(self):
self._test_shadow_subnet(False)
def test_shadow_subnet_shared(self):
self._test_shadow_subnet(True)
def test_dhcp_port_disabled_in_shadow(self):
ptg1 = self.create_policy_target_group(
name='ptg1')['policy_target_group']
shadow_net1 = self._get_ptg_shadow_net(ptg1)
shadow_subnet1 = self._get_object('subnets',
shadow_net1['subnets'][0], self.api)
with self.port(subnet=shadow_subnet1,
device_owner='network:dhcp') as port:
port = self._get_object('ports', port['port']['id'], self.api)
self.assertFalse(port['port']['admin_state_up'])
self._update_resource(port['port']['id'], 'port',
expected_res_status=200, api=self.api,
admin_state_up=True)
port = self._get_object('ports', port['port']['id'], self.api)
self.assertFalse(port['port']['admin_state_up'])
def test_explicit_l2p_network_phys_net(self):
attr = {'arg_list': ('provider:physical_network',
'provider:network_type'),
'provider:physical_network': 'physnet2',
'provider:network_type': 'vlan'}
with self.network(**attr) as net:
net = net['network']
l2p = self.create_l2_policy(
network_id=net['id'])['l2_policy']
ptg = self.create_policy_target_group(
name='ptg1', l2_policy_id=l2p['id']
)['policy_target_group']
shadow_net = self._get_ptg_shadow_net(ptg)
self.assertIsNone(shadow_net.get('segments'))
self.assertEqual('physnet2',
shadow_net['provider:physical_network'])
self.assertEqual('vlan',
shadow_net['provider:network_type'])
class TestL2PolicyBase(ApicMappingTestCase):
def _test_l2_policy_created_on_apic(self, shared=False):
l2p = self.create_l2_policy(name="l2p", shared=shared)['l2_policy']
tenant = self._tenant(l2p['tenant_id'], shared)
mgr = self.driver.apic_manager
mgr.ensure_bd_created_on_apic.assert_called_once_with(
tenant, l2p['id'], ctx_owner=tenant, ctx_name=l2p['l3_policy_id'],
transaction=mock.ANY)
mgr.ensure_epg_created.assert_called_once_with(
tenant, amap.SHADOW_PREFIX + l2p['id'], bd_owner=tenant,
bd_name=l2p['id'], transaction=mock.ANY)
expected_calls = [
mock.call(mgr.apic.fvCtx, tenant, l2p['l3_policy_id'],
nameAlias='default'),
mock.call(mgr.apic.fvBD, tenant, l2p['id'],
nameAlias='l2p'),
mock.call(mgr.apic.fvAEPg, tenant, mgr.app_profile_name,
amap.SHADOW_PREFIX + l2p['id'],
nameAlias=amap.SHADOW_PREFIX + 'l2p')]
self._check_call_list(expected_calls,
mgr.update_name_alias.call_args_list)
mgr.reset_mock()
self.update_l2_policy(
l2p['id'], description='desc', expected_res_status=200)
self.assertFalse(mgr.update_name_alias.called)
self.update_l2_policy(
l2p['id'], name='l2p_1', expected_res_status=200)
expected_calls = [
mock.call(mgr.apic.fvBD, tenant, l2p['id'],
nameAlias='l2p_1'),
mock.call(mgr.apic.fvAEPg, tenant, mgr.app_profile_name,
amap.SHADOW_PREFIX + l2p['id'],
nameAlias=amap.SHADOW_PREFIX + 'l2p_1')]
self._check_call_list(expected_calls,
mgr.update_name_alias.call_args_list)
def _test_l2_policy_deleted_on_apic(self, shared=False):
l2p = self.create_l2_policy(name="l2p", shared=shared)['l2_policy']
req = self.new_delete_request('l2_policies', l2p['id'], self.fmt)
req.get_response(self.ext_api)
tenant = self._tenant(l2p['tenant_id'], shared)
mgr = self.driver.apic_manager
mgr.delete_bd_on_apic.assert_called_once_with(
tenant, l2p['id'], transaction=mock.ANY)
mgr.delete_epg_for_network.assert_called_once_with(
tenant, amap.SHADOW_PREFIX + l2p['id'],
transaction=mock.ANY)
expected_calls = [
mock.call(alib.IMPLICIT_PREFIX + l2p['id'], owner=tenant,
transaction=mock.ANY),
mock.call(alib.SERVICE_PREFIX + l2p['id'], owner=tenant,
transaction=mock.ANY)]
self._check_call_list(expected_calls,
mgr.delete_contract.call_args_list)
class TestL2Policy(TestL2PolicyBase):
def test_l2_policy_created_on_apic(self):
self._test_l2_policy_created_on_apic()
def test_l2_policy_created_on_apic_shared(self):
self._test_l2_policy_created_on_apic(shared=True)
def test_l2_policy_deleted_on_apic(self):
self._test_l2_policy_deleted_on_apic()
def test_l2_policy_deleted_on_apic_shared(self):
self._test_l2_policy_deleted_on_apic(shared=True)
def test_pre_existing_subnets_added(self):
with self.network() as net:
with self.subnet(network=net) as sub:
sub = sub['subnet']
l2p = self.create_l2_policy(
network_id=net['network']['id'])['l2_policy']
tenant = self._tenant(l2p['tenant_id'])
mgr = self.driver.apic_manager
mgr.ensure_subnet_created_on_apic.assert_called_with(
tenant, l2p['id'],
sub['gateway_ip'] + '/' + sub['cidr'].split('/')[1],
transaction=mock.ANY)
ptg = self.create_policy_target_group(
l2_policy_id=l2p['id'])['policy_target_group']
self.assertEqual(ptg['subnets'], [sub['id']])
def test_reject_l3p_update(self):
l2p = self.create_l2_policy()['l2_policy']
new_l3p = self.create_l3_policy()['l3_policy']
res = self.update_l2_policy(l2p['id'], l3_policy_id=new_l3p['id'],
expected_res_status=400)
self.assertEqual('L3PolicyUpdateOfL2PolicyNotSupported',
res['NeutronError']['type'])
def test_subnet_deallocated(self):
l2p = self.create_l2_policy()['l2_policy']
ptg = self.create_policy_target_group(
l2_policy_id=l2p['id'])['policy_target_group']
subnet = netaddr.IPSet(
[self._show_subnet(x)['subnet']['cidr'] for x in ptg['subnets']])
self.delete_policy_target_group(ptg['id'])
l2p2 = self.create_l2_policy()['l2_policy']
ptg = self.create_policy_target_group(
l2_policy_id=l2p2['id'])['policy_target_group']
subnet2 = netaddr.IPSet(
[self._show_subnet(x)['subnet']['cidr'] for x in ptg['subnets']])
self.assertFalse(subnet & subnet2)
def _test_reuse_bd(self, target_l2p_shared=False):
target_l2p = self.create_l2_policy(
shared=target_l2p_shared)['l2_policy']
target_l2p_tenant = self._tenant(target_l2p['tenant_id'],
target_l2p_shared)
mgr = self.driver.apic_manager
mgr.ensure_bd_created_on_apic.reset_mock()
mgr.ensure_epg_created.reset_mock()
# create L2P with reuse_bd
l2p = self.create_l2_policy(reuse_bd=target_l2p['id'])['l2_policy']
self.assertEqual(target_l2p['id'], l2p['reuse_bd'])
self.assertEqual(target_l2p['l3_policy_id'], l2p['l3_policy_id'])
mgr.ensure_bd_created_on_apic.assert_not_called()
mgr.ensure_epg_created.assert_not_called()
# delete of target L2p is not allowed
res = self.delete_l2_policy(target_l2p['id'],
expected_res_status=409)
self.assertEqual('L2PolicyInUse', res['NeutronError']['type'])
# create in PTG in L2P
ptg = self.create_policy_target_group(
l2_policy_id=l2p['id'])['policy_target_group']
sn1 = self._show_subnet(ptg['subnets'][0])['subnet']
mgr.ensure_epg_created.assert_called_with(
self._tenant(ptg['tenant_id']), ptg['id'],
bd_name=target_l2p['id'], bd_owner=target_l2p_tenant)
mgr.ensure_subnet_created_on_apic.assert_called_with(
target_l2p_tenant, target_l2p['id'],
sn1['gateway_ip'] + '/' + sn1['cidr'].split('/')[1],
transaction=mock.ANY)
# delete PTG in L2P
self.delete_policy_target_group(ptg['id'])
mgr.delete_epg_for_network.assert_called_with(
self._tenant(ptg['tenant_id']), ptg['id'])
# delete L2P
mgr.delete_epg_for_network.reset_mock()
self.delete_l2_policy(l2p['id'])
mgr.delete_bd_on_apic.assert_not_called()
mgr.delete_epg_for_network.assert_not_called()
mgr.delete_contract.assert_not_called()
def test_reuse_bd(self):
self._test_reuse_bd(target_l2p_shared=False)
def test_reuse_bd_shared(self):
self._test_reuse_bd(target_l2p_shared=True)
def test_reuse_bd_invalid_target(self):
# Try to reuse BD of a non-existent target
res = self.create_l2_policy(
reuse_bd='50ae6722-f040-459c-bbfa-a4be1b5cab64',
expected_res_status=404)
self.assertEqual('L2PolicyNotFound', res['NeutronError']['type'])
# Try to reuse BD of L2P in different L3P
target_l2p = self.create_l2_policy()['l2_policy']
l3p = self.create_l3_policy()['l3_policy']
res = self.create_l2_policy(l3_policy_id=l3p['id'],
reuse_bd=target_l2p['id'],
expected_res_status=400)
self.assertEqual('L3PolicyMustBeSame', res['NeutronError']['type'])
class TestL2PolicySingleTenant(TestL2Policy):
def setUp(self):
super(TestL2PolicySingleTenant, self).setUp(
single_tenant_mode=True)
class TestL2PolicyWithAutoPTG(TestL2PolicyBase):
def setUp(self, **kwargs):
config.cfg.CONF.set_override(
'create_auto_ptg', True, group='apic_mapping')
super(TestL2PolicyWithAutoPTG, self).setUp(**kwargs)
self._neutron_context = context.Context(
'', kwargs.get('tenant_id', self._tenant_id),
is_admin_context=False)
def _test_auto_ptg_created(self, shared=False):
ptg = self._gbp_plugin.get_policy_target_groups(
self._neutron_context)[0]
l2p_id = ptg['l2_policy_id']
self.assertEqual(amap.AUTO_PTG_NAME_PREFIX % l2p_id, str(ptg['name']))
auto_ptg_id = amap.AUTO_PTG_ID_PREFIX % hashlib.md5(l2p_id).hexdigest()
self.assertEqual(auto_ptg_id, ptg['id'])
self.assertEqual(shared, ptg['shared'])
# Only certain attributes can be updated for auto PTG
prs1 = self.create_policy_rule_set(
name='p1', shared=shared)['policy_rule_set']
prs2 = self.create_policy_rule_set(
name='c1', shared=shared)['policy_rule_set']
self.update_policy_target_group(
ptg['id'], name='something-else', description='something-else',
provided_policy_rule_sets={prs1['id']: 'scope'},
consumed_policy_rule_sets={prs2['id']: 'scope'},
expected_res_status=webob.exc.HTTPOk.code)
# Update for other attributes fails
res = self.update_policy_target_group(
ptg['id'], service_management=True,
expected_res_status=webob.exc.HTTPBadRequest.code)
self.assertEqual('AutoPTGAttrsUpdateNotSupported',
res['NeutronError']['type'])
self.create_policy_target(name='pt',
policy_target_group_id=ptg['id'])
# Auto PTG cannot be deleted by user
res = self.delete_policy_target_group(
ptg['id'], expected_res_status=webob.exc.HTTPBadRequest.code)
self.assertEqual('AutoPTGDeleteNotSupported',
res['NeutronError']['type'])
def _test_auto_ptg_deleted(self, shared=False):
ptgs = self._gbp_plugin.get_policy_target_groups(self._neutron_context)
self.assertEqual(0, len(ptgs))
def test_l2_policy_created_on_apic(self):
self._test_l2_policy_created_on_apic()
self._test_auto_ptg_created()
def test_l2_policy_created_on_apic_shared(self):
self._test_l2_policy_created_on_apic(shared=True)
self._test_auto_ptg_created(shared=True)
def test_l2_policy_deleted_on_apic(self):
self._test_l2_policy_deleted_on_apic()
self._test_auto_ptg_deleted()
def test_l2_policy_deleted_on_apic_shared(self):
self._test_l2_policy_deleted_on_apic(shared=True)
self._test_auto_ptg_deleted()
def test_auto_ptg_not_created_with_reuse_bd(self):
target_l2p = self.create_l2_policy()['l2_policy']
ptgs_before = self._gbp_plugin.get_policy_target_groups(
self._neutron_context)
self.assertEqual(1, len(ptgs_before))
# create L2P with reuse_bd
self.create_l2_policy(reuse_bd=target_l2p['id'])
ptgs_after = self._gbp_plugin.get_policy_target_groups(
self._neutron_context)
self.assertEqual(ptgs_before, ptgs_after)
class TestL3Policy(ApicMappingTestCase):
def _test_l3_policy_created_on_apic(self, shared=False):
l3p = self.create_l3_policy(name="l3p", shared=shared)['l3_policy']
tenant = self._tenant(l3p['tenant_id'], shared)
mgr = self.driver.apic_manager
mgr.ensure_context_enforced.assert_called_once_with(
tenant, l3p['id'])
mgr.update_name_alias.assert_called_once_with(
mgr.apic.fvCtx, tenant, l3p['id'], nameAlias='l3p')
mgr.reset_mock()
self.update_l3_policy(
l3p['id'], description='desc', expected_res_status=200)
self.assertFalse(mgr.update_name_alias.called)
self.update_l3_policy(
l3p['id'], name='l3p_1', expected_res_status=200)
mgr.update_name_alias.assert_called_once_with(
mgr.apic.fvCtx, tenant, l3p['id'], nameAlias='l3p_1')
def test_l3_policy_created_on_apic(self):
self._test_l3_policy_created_on_apic()
def test_l3_policy_created_on_apic_shared(self):
self._test_l3_policy_created_on_apic(shared=True)
def _test_l3_policy_deleted_on_apic(self, shared=False):
l3p = self.create_l3_policy(name="l3p", shared=shared)['l3_policy']
req = self.new_delete_request('l3_policies', l3p['id'], self.fmt)
req.get_response(self.ext_api)
tenant = self._tenant(l3p['tenant_id'], shared)
mgr = self.driver.apic_manager
mgr.ensure_context_deleted.assert_called_once_with(
tenant, l3p['id'])
def test_l3_policy_deleted_on_apic(self):
self._test_l3_policy_deleted_on_apic()
def test_l3_policy_deleted_on_apic_shared(self):
self._test_l3_policy_deleted_on_apic(shared=True)
def _test_multiple_l3_policy_per_es(self, shared_es=False):
# Verify 2 L3P can be created on same ES if NAT is enabled
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(name='supported',
cidr='192.168.0.0/24', shared=shared_es)['external_segment']
self.create_l3_policy(external_segments={es['id']: ['']},
expected_res_status=201)['l3_policy']
res = self.create_l3_policy(
external_segments={es['id']: ['']},
expected_res_status=201 if self.nat_enabled else 400)
if self.nat_enabled:
es = self.show_external_segment(es['id'])['external_segment']
self.assertEqual(2, len(es['l3_policies']))
else:
self.assertEqual('OnlyOneL3PolicyIsAllowedPerExternalSegment',
res['NeutronError']['type'])
# Verify existing L3P updated to use used ES works if NAT is enabled
sneaky_l3p = self.create_l3_policy()['l3_policy']
self.update_l3_policy(
sneaky_l3p['id'],
expected_res_status=200 if self.nat_enabled else 400,
external_segments={es['id']: ['']})
if self.nat_enabled:
es = self.show_external_segment(es['id'])['external_segment']
self.assertEqual(3, len(es['l3_policies']))
else:
self.assertEqual('OnlyOneL3PolicyIsAllowedPerExternalSegment',
res['NeutronError']['type'])
def test_multiple_l3_policy_per_es(self):
self._test_multiple_l3_policy_per_es(shared_es=False)
def test_multiple_l3_policy_per_es_shared(self):
self._test_multiple_l3_policy_per_es(shared_es=True)
def test_one_l3_policy_ip_on_es(self):
# Verify L3P created with more than 1 IP on ES fails
es = self.create_external_segment(
cidr='192.168.0.0/24')['external_segment']
res = self.create_l3_policy(
external_segments={es['id']: ['192.168.0.2', '192.168.0.3']},
expected_res_status=400)
self.assertEqual('OnlyOneAddressIsAllowedPerExternalSegment',
res['NeutronError']['type'])
# Verify L3P updated to more than 1 IP on ES fails
sneaky_l3p = self.create_l3_policy(
external_segments={es['id']: ['192.168.0.2']},
expected_res_status=201)['l3_policy']
res = self.update_l3_policy(
sneaky_l3p['id'], expected_res_status=400,
external_segments={es['id']: ['192.168.0.2', '192.168.0.3']})
self.assertEqual('OnlyOneAddressIsAllowedPerExternalSegment',
res['NeutronError']['type'])
def test_router_interface_no_gateway(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(
name='supported', cidr='192.168.0.0/24')['external_segment']
l3p = self.create_l3_policy(
external_segments={es['id']: ['169.254.0.42']},
expected_res_status=201)['l3_policy']
l2p = self.create_l2_policy(l3_policy_id=l3p['id'])['l2_policy']
ptg = self.create_policy_target_group(
l2_policy_id=l2p['id'])['policy_target_group']
l3p = self.show_l3_policy(l3p['id'])['l3_policy']
self.assertEqual(1, len(l3p['routers']))
subnet = self._show_subnet(ptg['subnets'][0])['subnet']
router_ports = self._list(
'ports',
query_params='device_id=%s' % l3p['routers'][0])['ports']
self.assertEqual(2, len(router_ports))
for port in router_ports:
self.assertEqual(1, len(port['fixed_ips']))
self.assertNotEqual(subnet['gateway_ip'],
port['fixed_ips'][0]['ip_address'])
# One of the two ports is in subnet
self.assertNotEqual(router_ports[0]['fixed_ips'][0]['subnet_id'],
router_ports[1]['fixed_ips'][0]['subnet_id'])
self.assertTrue(
router_ports[0]['fixed_ips'][0]['subnet_id'] == subnet['id'] or
router_ports[1]['fixed_ips'][0]['subnet_id'] == subnet['id'])
def _wrap_up_l3out_request(self, l3out_str, l3p_id, es_id, l3p_owner):
# try to simulate what the implementation does here also for UT purpose
request = {}
request['children'] = self.trimmed_l3out
request['attributes'] = {'rn': u'Shd-Sub'}
final_req = {}
final_req['l3extOut'] = request
final_req = jsonutils.dumps(final_req)
final_req = re.sub('Shd-Sub',
l3out_str % (l3p_id, es_id), final_req)
final_req = re.sub('test-tenant', l3p_owner, final_req)
final_req = re.sub('{},*', '', final_req)
return final_req
def _test_l3p_plugged_to_es_at_creation(self, shared_es,
shared_l3p, is_edge_nat=False):
# this mode is not supported
if self.driver.per_tenant_nat_epg and self.single_tenant_mode:
return
# Verify L3P is correctly plugged to ES on APIC during create
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat)
es = self.create_external_segment(
name='supported', cidr='192.168.0.0/24',
shared=shared_es,
external_routes=[{'destination': '0.0.0.0/0',
'nexthop': '192.168.0.254'},
{'destination': '128.0.0.0/16',
'nexthop': None}])['external_segment']
owner = self._tenant(es['tenant_id'], shared_es)
mgr = self.driver.apic_manager
mgr.ensure_epg_created.reset_mock()
mgr.set_contract_for_epg.reset_mock()
l3p = self.create_l3_policy(
name='myl3p',
shared=shared_l3p,
tenant_id=es['tenant_id'] if not shared_es else 'another_tenant',
external_segments={es['id']: []},
expected_res_status=201)['l3_policy']
self.assertEqual(1, len(l3p['external_segments'][es['id']]))
self.assertEqual('169.254.0.2', l3p['external_segments'][es['id']][0])
expected_epg_calls = []
expected_contract_calls = []
expected_nat_epg_tenant = owner
if self.nat_enabled and shared_es and self.driver.per_tenant_nat_epg:
expected_epg_calls.append(
mock.call(l3p['tenant_id'], "NAT-epg-%s" % es['id'],
bd_name="NAT-bd-%s" % es['id'], bd_owner=owner,
transaction=mock.ANY))
expected_contract_calls.extend([
mock.call(l3p['tenant_id'], "NAT-epg-%s" % es['id'],
"NAT-allow-%s" % es['id'], transaction=mock.ANY),
mock.call(l3p['tenant_id'], "NAT-epg-%s" % es['id'],
"NAT-allow-%s" % es['id'], provider=True,
transaction=mock.ANY)])
expected_nat_epg_tenant = l3p['tenant_id']
self._check_call_list(expected_epg_calls,
mgr.ensure_epg_created.call_args_list)
self._check_call_list(expected_contract_calls,
mgr.set_contract_for_epg.call_args_list)
ctx = context.get_admin_context()
ctx._plugin_context = ctx
self.assertEqual((expected_nat_epg_tenant, "NAT-epg-%s" % es['id']),
self.driver._determine_nat_epg_for_es(ctx, es, l3p))
l2ps = [self.create_l2_policy(name='myl2p-%s' % x,
tenant_id=l3p['tenant_id'],
shared=shared_l3p,
l3_policy_id=l3p['id'])['l2_policy']
for x in range(0, 3)]
l3p_owner = self._tenant(l3p['tenant_id'], shared_l3p)
call_name = mgr.ensure_external_routed_network_created
l3out_str = "Shd-%s-%s"
if is_edge_nat:
l3out_str = "Auto-%s-%s"
if self.nat_enabled:
expected_l3out_calls = []
if not is_edge_nat or not self.pre_l3out:
expected_l3out_calls.append(
mock.call(l3out_str % (l3p['id'], es['id']),
owner=l3p_owner, context=l3p['id'],
transaction=mock.ANY))
if not self.pre_l3out:
expected_l3out_calls.append(
mock.call(es['id'], owner=owner,
context="NAT-vrf-%s" % es['id'],
transaction=mock.ANY))
elif not self.pre_l3out:
expected_l3out_calls = [
mock.call(es['id'], owner=owner, context=l3p['id'],
transaction=mock.ANY)]
else:
call_name = mgr.set_context_for_external_routed_network
expected_l3out_calls = [
mock.call(APIC_PRE_L3OUT_TENANT, es['name'], l3p['id'],
transaction=mock.ANY)]
self._check_call_list(expected_l3out_calls, call_name.call_args_list)
if is_edge_nat and self.nat_enabled:
(self.driver.l3out_vlan_alloc.
reserve_vlan.assert_called_once_with(
es['name'], l3p['id']))
if not self.pre_l3out:
expected_set_domain_calls = [
mock.call(es['id'], owner=owner, transaction=mock.ANY)]
expected_logic_node_calls = [
mock.call(es['id'], mocked.APIC_EXT_SWITCH,
mocked.APIC_EXT_MODULE, mocked.APIC_EXT_PORT,
mocked.APIC_EXT_ENCAP, '192.168.0.2/24',
owner=owner, router_id=APIC_EXTERNAL_RID,
transaction=mock.ANY)]
expected_route_calls = [
mock.call(es['id'], mocked.APIC_EXT_SWITCH, '192.168.0.254',
owner=owner, subnet='0.0.0.0/0',
transaction=mock.ANY),
mock.call(es['id'], mocked.APIC_EXT_SWITCH, '192.168.0.1',
owner=owner, subnet='128.0.0.0/16',
transaction=mock.ANY)]
if is_edge_nat and self.nat_enabled:
expected_set_domain_calls.append(
mock.call(l3out_str % (l3p['id'], es['id']),
owner=l3p_owner, transaction=mock.ANY))
expected_logic_node_calls.append(
mock.call(l3out_str % (l3p['id'], es['id']),
mocked.APIC_EXT_SWITCH, mocked.APIC_EXT_MODULE,
mocked.APIC_EXT_PORT, mock.ANY, '192.168.0.2/24',
owner=l3p_owner, router_id=APIC_EXTERNAL_RID,
transaction=mock.ANY))
expected_route_calls.append(
mock.call(l3out_str % (l3p['id'], es['id']),
mocked.APIC_EXT_SWITCH, '192.168.0.254',
owner=l3p_owner, subnet='0.0.0.0/0',
transaction=mock.ANY))
expected_route_calls.append(
mock.call(l3out_str % (l3p['id'], es['id']),
mocked.APIC_EXT_SWITCH, '192.168.0.1',
owner=l3p_owner, subnet='128.0.0.0/16',
transaction=mock.ANY))
self._check_call_list(expected_set_domain_calls,
mgr.set_domain_for_external_routed_network.call_args_list)
self._check_call_list(expected_logic_node_calls,
mgr.ensure_logical_node_profile_created.call_args_list)
self._check_call_list(expected_route_calls,
mgr.ensure_static_route_created.call_args_list)
else:
if is_edge_nat and self.nat_enabled:
final_req = self._wrap_up_l3out_request(l3out_str,
l3p['id'], es['id'],
l3p_owner)
mgr.apic.post_body.assert_called_once_with(
mgr.apic.l3extOut.mo, final_req, l3p_owner,
l3out_str % (l3p['id'], es['id']))
self.assertFalse(mgr.set_domain_for_external_routed_network.called)
self.assertFalse(mgr.ensure_logical_node_profile_created.called)
self.assertFalse(mgr.ensure_static_route_created.called)
expected_set_l3out_for_bd_calls = []
if self.nat_enabled:
expected_set_l3out_for_bd_calls.append(
mock.call(owner, "NAT-bd-%s" % es['id'],
es['name' if self.pre_l3out else 'id'],
transaction=mock.ANY))
if is_edge_nat:
expected_set_l3out_for_bd_calls.extend([
mock.call(l3p_owner, l2p['id'],
l3out_str % (l3p['id'], es['id']),
transaction=mock.ANY) for l2p in l2ps])
else:
expected_set_l3out_for_bd_calls.extend([
mock.call(l3p_owner, l2p['id'],
es['name' if self.pre_l3out else 'id'],
transaction=mock.ANY) for l2p in l2ps])
self._check_call_list(expected_set_l3out_for_bd_calls,
mgr.set_l3out_for_bd.call_args_list)
# Although the naming convention used here has been chosen poorly,
# I'm separating the tests in order to get the mock re-set.
def test_l3p_plugged_to_es_at_creation_1(self):
self._test_l3p_plugged_to_es_at_creation(shared_es=True,
shared_l3p=False)
def test_l3p_plugged_to_es_at_creation_2(self):
self._test_l3p_plugged_to_es_at_creation(shared_es=True,
shared_l3p=True)
def test_l3p_plugged_to_es_at_creation_3(self):
self._test_l3p_plugged_to_es_at_creation(shared_es=False,
shared_l3p=False)
def test_l3p_plugged_to_es_at_creation_edge_nat_mode_1(self):
self._test_l3p_plugged_to_es_at_creation(shared_es=True,
shared_l3p=False,
is_edge_nat=True)
def test_l3p_plugged_to_es_at_creation_edge_nat_mode_2(self):
self._test_l3p_plugged_to_es_at_creation(shared_es=True,
shared_l3p=True,
is_edge_nat=True)
def test_l3p_plugged_to_es_at_creation_edge_nat_mode_3(self):
self._test_l3p_plugged_to_es_at_creation(shared_es=False,
shared_l3p=False,
is_edge_nat=True)
def test_l3p_plugged_to_es_at_creation_ptne_1(self):
self.driver.per_tenant_nat_epg = True
self._test_l3p_plugged_to_es_at_creation(shared_es=True,
shared_l3p=False)
def test_l3p_plugged_to_es_at_creation_ptne_2(self):
self.driver.per_tenant_nat_epg = True
self._test_l3p_plugged_to_es_at_creation(shared_es=True,
shared_l3p=True)
def _test_l3p_plugged_to_es_at_update(self, shared_es,
shared_l3p, is_edge_nat=False):
# this mode is not supported
if self.driver.per_tenant_nat_epg and self.single_tenant_mode:
return
# Verify L3P is correctly plugged to ES on APIC during update
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat)
es = self.create_external_segment(
name='supported', cidr='192.168.0.0/24',
shared=shared_es,
external_routes=[{'destination': '0.0.0.0/0',
'nexthop': '192.168.0.254'},
{'destination': '128.0.0.0/16',
'nexthop': None}])['external_segment']
l3p = self.create_l3_policy(
name='myl3p',
expected_res_status=201,
tenant_id=es['tenant_id'] if not shared_es else 'another_tenant',
shared=shared_l3p)['l3_policy']
l2ps = [self.create_l2_policy(name='myl2p-%s' % x,
tenant_id=l3p['tenant_id'],
shared=shared_l3p,
l3_policy_id=l3p['id'])['l2_policy']
for x in range(0, 3)]
mgr = self.driver.apic_manager
mgr.ensure_epg_created.reset_mock()
mgr.set_contract_for_epg.reset_mock()
# update L3P with ES
l3p = self.update_l3_policy(l3p['id'], tenant_id=l3p['tenant_id'],
external_segments={es['id']: []},
expected_res_status=200)['l3_policy']
self.assertEqual(1, len(l3p['external_segments'][es['id']]))
self.assertEqual('169.254.0.2', l3p['external_segments'][es['id']][0])
owner = self._tenant(es['tenant_id'], shared_es)
l3p_owner = self._tenant(l3p['tenant_id'], shared_l3p)
l3out_str = "Shd-%s-%s"
if is_edge_nat:
l3out_str = "Auto-%s-%s"
expected_l3out_calls = []
call_name = mgr.ensure_external_routed_network_created
if self.nat_enabled:
if not is_edge_nat or not self.pre_l3out:
expected_l3out_calls.append(
mock.call(l3out_str % (l3p['id'], es['id']),
owner=l3p_owner, context=l3p['id'],
transaction=mock.ANY))
if not self.pre_l3out:
expected_l3out_calls.append(
mock.call(es['id'], owner=owner,
context="NAT-vrf-%s" % es['id'],
transaction=mock.ANY))
elif not self.pre_l3out:
expected_l3out_calls = [
mock.call(es['id'], owner=owner, context=l3p['id'],
transaction=mock.ANY)]
else:
call_name = mgr.set_context_for_external_routed_network
expected_l3out_calls = [
mock.call(APIC_PRE_L3OUT_TENANT, es['name'], l3p['id'],
transaction=mock.ANY)]
self._check_call_list(expected_l3out_calls, call_name.call_args_list)
if is_edge_nat and self.nat_enabled:
(self.driver.l3out_vlan_alloc.
reserve_vlan.assert_called_once_with(
es['name'], l3p['id']))
if not self.pre_l3out:
expected_set_domain_calls = [
mock.call(es['id'], owner=owner, transaction=mock.ANY)]
expected_logic_node_calls = [
mock.call(es['id'], mocked.APIC_EXT_SWITCH,
mocked.APIC_EXT_MODULE, mocked.APIC_EXT_PORT,
mocked.APIC_EXT_ENCAP, '192.168.0.2/24',
owner=owner, router_id=APIC_EXTERNAL_RID,
transaction=mock.ANY)]
expected_route_calls = [
mock.call(es['id'], mocked.APIC_EXT_SWITCH,
'192.168.0.254', owner=owner, subnet='0.0.0.0/0',
transaction=mock.ANY),
mock.call(es['id'], mocked.APIC_EXT_SWITCH, '192.168.0.1',
owner=owner, subnet='128.0.0.0/16',
transaction=mock.ANY)]
if is_edge_nat and self.nat_enabled:
expected_set_domain_calls.append(
mock.call(l3out_str % (l3p['id'], es['id']),
owner=l3p_owner, transaction=mock.ANY))
expected_logic_node_calls.append(
mock.call(l3out_str % (l3p['id'], es['id']),
mocked.APIC_EXT_SWITCH, mocked.APIC_EXT_MODULE,
mocked.APIC_EXT_PORT, mock.ANY, '192.168.0.2/24',
owner=l3p_owner, router_id=APIC_EXTERNAL_RID,
transaction=mock.ANY))
expected_route_calls.append(
mock.call(l3out_str % (l3p['id'], es['id']),
mocked.APIC_EXT_SWITCH, '192.168.0.254',
owner=l3p_owner, subnet='0.0.0.0/0',
transaction=mock.ANY))
expected_route_calls.append(
mock.call(l3out_str % (l3p['id'], es['id']),
mocked.APIC_EXT_SWITCH, '192.168.0.1',
owner=l3p_owner, subnet='128.0.0.0/16',
transaction=mock.ANY))
self._check_call_list(expected_set_domain_calls,
mgr.set_domain_for_external_routed_network.call_args_list)
self._check_call_list(expected_logic_node_calls,
mgr.ensure_logical_node_profile_created.call_args_list)
self._check_call_list(expected_route_calls,
mgr.ensure_static_route_created.call_args_list)
else:
if is_edge_nat and self.nat_enabled:
final_req = self._wrap_up_l3out_request(l3out_str,
l3p['id'], es['id'],
l3p_owner)
mgr.apic.post_body.assert_called_once_with(
mgr.apic.l3extOut.mo, final_req, l3p_owner,
l3out_str % (l3p['id'], es['id']))
self.assertFalse(mgr.set_domain_for_external_routed_network.called)
self.assertFalse(mgr.ensure_logical_node_profile_created.called)
self.assertFalse(mgr.ensure_static_route_created.called)
expected_set_l3out_for_bd_calls = []
if self.nat_enabled:
expected_set_l3out_for_bd_calls.append(
mock.call(owner, "NAT-bd-%s" % es['id'],
es['name' if self.pre_l3out else 'id'],
transaction=mock.ANY))
if is_edge_nat:
expected_set_l3out_for_bd_calls.extend([
mock.call(l3p_owner, l2p['id'],
l3out_str % (l3p['id'], es['id'])
) for l2p in l2ps])
else:
expected_set_l3out_for_bd_calls.extend([
mock.call(l3p_owner, l2p['id'],
es['name' if self.pre_l3out else 'id'])
for l2p in l2ps])
self._check_call_list(expected_set_l3out_for_bd_calls,
mgr.set_l3out_for_bd.call_args_list)
expected_epg_calls = []
expected_contract_calls = []
expected_nat_epg_tenant = owner
if self.nat_enabled and shared_es and self.driver.per_tenant_nat_epg:
expected_epg_calls.append(
mock.call(l3p['tenant_id'], "NAT-epg-%s" % es['id'],
bd_name="NAT-bd-%s" % es['id'], bd_owner=owner,
transaction=mock.ANY))
expected_contract_calls.extend([
mock.call(l3p['tenant_id'], "NAT-epg-%s" % es['id'],
"NAT-allow-%s" % es['id'], transaction=mock.ANY),
mock.call(l3p['tenant_id'], "NAT-epg-%s" % es['id'],
"NAT-allow-%s" % es['id'], provider=True,
transaction=mock.ANY)])
expected_nat_epg_tenant = l3p['tenant_id']
self._check_call_list(expected_epg_calls,
mgr.ensure_epg_created.call_args_list)
self._check_call_list(expected_contract_calls,
mgr.set_contract_for_epg.call_args_list)
ctx = context.get_admin_context()
ctx._plugin_context = ctx
self.assertEqual((expected_nat_epg_tenant, "NAT-epg-%s" % es['id']),
self.driver._determine_nat_epg_for_es(ctx, es, l3p))
# Although the naming convention used here has been chosen poorly,
# I'm separating the tests in order to get the mock re-set.
def test_l3p_plugged_to_es_at_update_1(self):
self._test_l3p_plugged_to_es_at_update(shared_es=True,
shared_l3p=False)
def test_l3p_plugged_to_es_at_update_2(self):
self._test_l3p_plugged_to_es_at_update(shared_es=True,
shared_l3p=True)
def test_l3p_plugged_to_es_at_update_3(self):
self._test_l3p_plugged_to_es_at_update(shared_es=False,
shared_l3p=False)
def test_l3p_plugged_to_es_at_update_edge_nat_mode_1(self):
self._test_l3p_plugged_to_es_at_update(shared_es=True,
shared_l3p=False,
is_edge_nat=True)
def test_l3p_plugged_to_es_at_update_edge_nat_mode_2(self):
self._test_l3p_plugged_to_es_at_update(shared_es=True,
shared_l3p=True,
is_edge_nat=True)
def test_l3p_plugged_to_es_at_update_edge_nat_mode_3(self):
self._test_l3p_plugged_to_es_at_update(shared_es=False,
shared_l3p=False,
is_edge_nat=True)
def test_l3p_plugged_to_es_at_update_ptne_1(self):
self.driver.per_tenant_nat_epg = True
self._test_l3p_plugged_to_es_at_update(shared_es=True,
shared_l3p=False)
def test_l3p_plugged_to_es_at_update_ptne_2(self):
self.driver.per_tenant_nat_epg = True
self._test_l3p_plugged_to_es_at_update(shared_es=True,
shared_l3p=True)
def _test_l3p_unplugged_from_es_on_delete(self, shared_es,
shared_l3p, is_edge_nat=False):
# this mode is not supported
if self.driver.per_tenant_nat_epg and self.single_tenant_mode:
return
self._mock_external_dict([('supported1', '192.168.0.2/24'),
('supported2', '192.168.1.2/24')],
is_edge_nat)
es1 = self.create_external_segment(
name='supported1', cidr='192.168.0.0/24', shared=shared_es,
external_routes=[{'destination': '0.0.0.0/0',
'nexthop': '192.168.0.254'},
{'destination': '128.0.0.0/16',
'nexthop': None}])['external_segment']
es2 = self.create_external_segment(
shared=shared_es, name='supported2',
cidr='192.168.1.0/24')['external_segment']
l3p_tenant = 'another_tenant'
if not shared_es:
l3p_tenant = es1['tenant_id']
l3p = self.create_l3_policy(shared=shared_l3p,
tenant_id=l3p_tenant,
external_segments={es1['id']: ['169.254.0.3']},
expected_res_status=201)['l3_policy']
mgr = self.driver.apic_manager
mgr.set_context_for_external_routed_network.reset_mock()
req = self.new_delete_request('l3_policies', l3p['id'], self.fmt)
res = req.get_response(self.ext_api)
self.assertEqual(webob.exc.HTTPNoContent.code, res.status_int)
owner = self._tenant(es1['tenant_id'], shared_es)
l3p_owner = self._tenant(l3p['tenant_id'], shared_l3p)
l3out_str = "Shd-%s-%s"
expected_delete_calls = []
if not self.pre_l3out:
expected_delete_calls.append(
mock.call(es1['id'], owner=owner, transaction=mock.ANY))
if self.nat_enabled:
l3out_str = "Shd-%s-%s"
if is_edge_nat:
l3out_str = "Auto-%s-%s"
expected_delete_calls.append(
mock.call(l3out_str % (l3p['id'], es1['id']),
owner=l3p_owner, transaction=mock.ANY))
self._check_call_list(
expected_delete_calls,
mgr.delete_external_routed_network.call_args_list)
if self.nat_enabled:
mgr.unset_l3out_for_bd.assert_called_once_with(owner,
"NAT-bd-%s" % es1['id'],
es1['name' if self.pre_l3out else 'id'], transaction=mock.ANY)
if self.pre_l3out and not self.nat_enabled:
call_name = mgr.set_context_for_external_routed_network
call_name.assert_called_once_with(APIC_PRE_L3OUT_TENANT,
es1['name'], None, transaction=mock.ANY)
if is_edge_nat and self.nat_enabled:
self.driver.l3out_vlan_alloc.release_vlan.assert_called_once_with(
es1['name'], l3p['id'])
mgr.delete_external_routed_network.reset_mock()
mgr.unset_l3out_for_bd.reset_mock()
self.driver.l3out_vlan_alloc.release_vlan.reset_mock()
expected_epg_calls = []
if self.nat_enabled and shared_es and self.driver.per_tenant_nat_epg:
expected_epg_calls.append(
mock.call(l3p['tenant_id'], "NAT-epg-%s" % es1['id'],
transaction=mock.ANY))
self._check_call_list(expected_epg_calls,
mgr.delete_epg_for_network.call_args_list)
ctx = context.get_admin_context()
ctx._plugin_context = ctx
self.assertEqual((owner, "NAT-epg-%s" % es1['id']),
self.driver._determine_nat_epg_for_es(ctx, es1, l3p))
# Verify correct deletion for 2 ESs
l3p = self.create_l3_policy(
shared=shared_l3p,
tenant_id=l3p_tenant,
external_segments={es1['id']: ['169.254.0.3'],
es2['id']: ['169.254.0.3']},
expected_res_status=201)['l3_policy']
mgr.set_context_for_external_routed_network.reset_mock()
mgr.delete_epg_for_network.reset_mock()
req = self.new_delete_request('l3_policies', l3p['id'], self.fmt)
res = req.get_response(self.ext_api)
self.assertEqual(webob.exc.HTTPNoContent.code, res.status_int)
expected_delete_calls = []
if not self.pre_l3out:
expected_delete_calls.extend([
mock.call(es1['id'], owner=owner, transaction=mock.ANY),
mock.call(es2['id'], owner=owner, transaction=mock.ANY)])
if self.nat_enabled:
l3out_str = "Shd-%s-%s"
if is_edge_nat:
l3out_str = "Auto-%s-%s"
expected_delete_calls.extend([
mock.call(l3out_str % (l3p['id'], es1['id']),
owner=l3p_owner, transaction=mock.ANY),
mock.call(l3out_str % (l3p['id'], es2['id']),
owner=l3p_owner, transaction=mock.ANY)])
self._check_call_list(
expected_delete_calls,
mgr.delete_external_routed_network.call_args_list)
if self.nat_enabled:
expected_unset_calls = [
mock.call(owner, "NAT-bd-%s" % es1['id'],
es1['name' if self.pre_l3out else 'id'],
transaction=mock.ANY),
mock.call(owner, "NAT-bd-%s" % es2['id'],
es2['name' if self.pre_l3out else 'id'],
transaction=mock.ANY)]
self._check_call_list(
expected_unset_calls, mgr.unset_l3out_for_bd.call_args_list)
if self.pre_l3out and not self.nat_enabled:
expected_calls = [
mock.call(APIC_PRE_L3OUT_TENANT,
es1['name'], None, transaction=mock.ANY),
mock.call(APIC_PRE_L3OUT_TENANT,
es2['name'], None, transaction=mock.ANY)]
self._check_call_list(
expected_calls,
mgr.set_context_for_external_routed_network.call_args_list)
if is_edge_nat and self.nat_enabled:
expected_release_vlan_calls = [mock.call(es1['name'], l3p['id']),
mock.call(es2['name'], l3p['id'])]
self._check_call_list(
expected_release_vlan_calls,
self.driver.l3out_vlan_alloc.release_vlan.call_args_list)
if self.nat_enabled and shared_es and self.driver.per_tenant_nat_epg:
expected_epg_calls.append(
mock.call(l3p['tenant_id'], "NAT-epg-%s" % es2['id'],
transaction=mock.ANY))
self._check_call_list(expected_epg_calls,
mgr.delete_epg_for_network.call_args_list)
self.assertEqual((owner, "NAT-epg-%s" % es2['id']),
self.driver._determine_nat_epg_for_es(ctx, es2, l3p))
# Although the naming convention used here has been chosen poorly,
# I'm separating the tests in order to get the mock re-set.
def test_l3p_unplugged_from_es_on_delete_1(self):
self._test_l3p_unplugged_from_es_on_delete(shared_es=True,
shared_l3p=False)
def test_l3p_unplugged_from_es_on_delete_2(self):
self._test_l3p_unplugged_from_es_on_delete(shared_es=True,
shared_l3p=True)
def test_l3p_unplugged_from_es_on_delete_3(self):
self._test_l3p_unplugged_from_es_on_delete(shared_es=False,
shared_l3p=False)
def test_l3p_unplugged_from_es_on_delete_edge_nat_mode_1(self):
self._test_l3p_unplugged_from_es_on_delete(shared_es=True,
shared_l3p=False,
is_edge_nat=True)
def test_l3p_unplugged_from_es_on_delete_edge_nat_mode_2(self):
self._test_l3p_unplugged_from_es_on_delete(shared_es=True,
shared_l3p=True,
is_edge_nat=True)
def test_l3p_unplugged_from_es_on_delete_edge_nat_mode_3(self):
self._test_l3p_unplugged_from_es_on_delete(shared_es=False,
shared_l3p=False,
is_edge_nat=True)
def test_l3p_unplugged_from_es_on_delete_ptne_1(self):
self.per_tenant_nat_epg = True
self._test_l3p_unplugged_from_es_on_delete(shared_es=True,
shared_l3p=False)
def test_l3p_unplugged_from_es_on_delete_ptne_2(self):
self.per_tenant_nat_epg = True
self._test_l3p_unplugged_from_es_on_delete(shared_es=True,
shared_l3p=True)
def _test_l3p_unplugged_from_es_on_update(self, shared_es,
shared_l3p, is_edge_nat=False):
# this mode is not supported
if self.driver.per_tenant_nat_epg and self.single_tenant_mode:
return
self._mock_external_dict([('supported1', '192.168.0.2/24'),
('supported', '192.168.1.2/24')],
is_edge_nat)
es1 = self.create_external_segment(
name='supported1', cidr='192.168.0.0/24', shared=shared_es,
external_routes=[{'destination': '0.0.0.0/0',
'nexthop': '192.168.0.254'},
{'destination': '128.0.0.0/16',
'nexthop': None}])['external_segment']
es2 = self.create_external_segment(
shared=shared_es,
name='supported', cidr='192.168.1.0/24')['external_segment']
l3p = self.create_l3_policy(
name='myl3p',
tenant_id=es1['tenant_id'] if not shared_es else 'another_tenant',
shared=shared_l3p,
external_segments={es1['id']: ['169.254.0.3']},
expected_res_status=201)['l3_policy']
l2ps = [self.create_l2_policy(name='myl2p-%s' % x,
tenant_id=l3p['tenant_id'],
shared=shared_l3p,
l3_policy_id=l3p['id'])['l2_policy']
for x in range(0, 3)]
mgr = self.driver.apic_manager
owner = self._tenant(es1['tenant_id'], shared_es)
l3p_owner = self._tenant(l3p['tenant_id'], shared_l3p)
mgr.ensure_external_routed_network_created.reset_mock()
mgr.set_domain_for_external_routed_network.reset_mock()
mgr.ensure_logical_node_profile_created.reset_mock()
mgr.ensure_static_route_created.reset_mock()
self.driver.l3out_vlan_alloc.reserve_vlan.reset_mock()
mgr.apic.post_body.reset_mock()
mgr.set_context_for_external_routed_network.reset_mock()
mgr.set_l3out_for_bd.reset_mock()
l3p = self.update_l3_policy(
l3p['id'], tenant_id=l3p['tenant_id'], expected_res_status=200,
external_segments={es2['id']: ['169.254.0.4']})['l3_policy']
l3out_str = "Shd-%s-%s"
if is_edge_nat:
l3out_str = "Auto-%s-%s"
expected_delete_calls = []
if not self.pre_l3out:
expected_delete_calls.append(
mock.call(es1['id'], owner=owner, transaction=mock.ANY))
if self.nat_enabled:
expected_delete_calls.append(
mock.call(l3out_str % (l3p['id'], es1['id']),
owner=l3p_owner, transaction=mock.ANY))
self._check_call_list(
expected_delete_calls,
mgr.delete_external_routed_network.call_args_list)
if self.pre_l3out and not self.nat_enabled:
expected_calls = [
mock.call(APIC_PRE_L3OUT_TENANT,
es1['name'], None, transaction=mock.ANY),
mock.call(APIC_PRE_L3OUT_TENANT,
es2['name'], l3p['id'], transaction=mock.ANY)]
self._check_call_list(
expected_calls,
mgr.set_context_for_external_routed_network.call_args_list)
expected_unset_l3out_for_bd_calls = []
if self.nat_enabled:
if is_edge_nat:
expected_unset_l3out_for_bd_calls.extend([
mock.call(l3p_owner, l2p['id'],
l3out_str % (l3p['id'], es1['id'])
) for l2p in l2ps])
expected_unset_l3out_for_bd_calls.append(
mock.call(owner, "NAT-bd-%s" % es1['id'],
es1['name' if self.pre_l3out else 'id'],
transaction=mock.ANY))
else:
expected_unset_l3out_for_bd_calls.extend([
mock.call(l3p_owner, l2p['id'],
es1['name' if self.pre_l3out else 'id'])
for l2p in l2ps])
self._check_call_list(expected_unset_l3out_for_bd_calls,
mgr.unset_l3out_for_bd.call_args_list)
if is_edge_nat and self.nat_enabled:
self.driver.l3out_vlan_alloc.release_vlan.assert_called_once_with(
es1['name'], l3p['id'])
expected_l3out_calls = []
if self.nat_enabled:
if not is_edge_nat or not self.pre_l3out:
expected_l3out_calls.append(
mock.call(l3out_str % (l3p['id'], es2['id']),
owner=l3p_owner, context=l3p['id'],
transaction=mock.ANY))
if not self.pre_l3out:
expected_l3out_calls.append(
mock.call(es2['id'], owner=owner,
context="NAT-vrf-%s" % es2['id'],
transaction=mock.ANY))
elif not self.pre_l3out:
expected_l3out_calls = [
mock.call(es2['id'], owner=owner, context=l3p['id'],
transaction=mock.ANY)]
self._check_call_list(expected_l3out_calls,
mgr.ensure_external_routed_network_created.call_args_list)
if is_edge_nat and self.nat_enabled:
(self.driver.l3out_vlan_alloc.
reserve_vlan.assert_called_once_with(
es2['name'], l3p['id']))
if not self.pre_l3out:
expected_set_domain_calls = [
mock.call(es2['id'], owner=owner, transaction=mock.ANY)]
expected_logic_node_calls = [
mock.call(es2['id'], mocked.APIC_EXT_SWITCH,
mocked.APIC_EXT_MODULE, mocked.APIC_EXT_PORT,
mocked.APIC_EXT_ENCAP, '192.168.1.2/24',
owner=owner, router_id=APIC_EXTERNAL_RID,
transaction=mock.ANY)]
if is_edge_nat and self.nat_enabled:
expected_set_domain_calls.append(
mock.call(l3out_str % (l3p['id'], es2['id']),
owner=l3p_owner, transaction=mock.ANY))
expected_logic_node_calls.append(
mock.call(l3out_str % (l3p['id'], es2['id']),
mocked.APIC_EXT_SWITCH, mocked.APIC_EXT_MODULE,
mocked.APIC_EXT_PORT, mock.ANY, '192.168.1.2/24',
owner=l3p_owner, router_id=APIC_EXTERNAL_RID,
transaction=mock.ANY))
self._check_call_list(expected_set_domain_calls,
mgr.set_domain_for_external_routed_network.call_args_list)
self._check_call_list(expected_logic_node_calls,
mgr.ensure_logical_node_profile_created.call_args_list)
else:
if is_edge_nat and self.nat_enabled:
final_req = self._wrap_up_l3out_request(l3out_str,
l3p['id'], es2['id'],
l3p_owner)
mgr.apic.post_body.assert_called_once_with(
mgr.apic.l3extOut.mo, final_req, l3p_owner,
l3out_str % (l3p['id'], es2['id']))
self.assertFalse(mgr.set_domain_for_external_routed_network.called)
self.assertFalse(mgr.ensure_logical_node_profile_created.called)
self.assertFalse(mgr.ensure_static_route_created.called)
expected_set_l3out_for_bd_calls = []
if self.nat_enabled:
expected_set_l3out_for_bd_calls.append(
mock.call(owner, "NAT-bd-%s" % es2['id'],
es2['name' if self.pre_l3out else 'id'],
transaction=mock.ANY))
if is_edge_nat:
expected_set_l3out_for_bd_calls.extend([
mock.call(l3p_owner, l2p['id'],
l3out_str % (l3p['id'], es2['id'])
) for l2p in l2ps])
else:
expected_set_l3out_for_bd_calls.extend([
mock.call(l3p_owner, l2p['id'],
es2['name' if self.pre_l3out else 'id'])
for l2p in l2ps])
self._check_call_list(expected_set_l3out_for_bd_calls,
mgr.set_l3out_for_bd.call_args_list)
expected_epg_calls = []
if self.nat_enabled and shared_es and self.driver.per_tenant_nat_epg:
expected_epg_calls.append(
mock.call(l3p['tenant_id'], "NAT-epg-%s" % es1['id'],
transaction=mock.ANY))
self._check_call_list(expected_epg_calls,
mgr.delete_epg_for_network.call_args_list)
ctx = context.get_admin_context()
ctx._plugin_context = ctx
self.assertEqual((owner, "NAT-epg-%s" % es1['id']),
self.driver._determine_nat_epg_for_es(ctx, es1, l3p))
self.driver.l3out_vlan_alloc.release_vlan.reset_mock()
mgr.delete_external_routed_network.reset_mock()
mgr.unset_l3out_for_bd.reset_mock()
self.update_l3_policy(
l3p['id'], expected_res_status=200, tenant_id=l3p['tenant_id'],
external_segments={es1['id']: ['169.254.0.5'],
es2['id']: ['169.254.0.6']})
mgr.set_context_for_external_routed_network.reset_mock()
mgr.delete_epg_for_network.reset_mock()
self.update_l3_policy(
l3p['id'], tenant_id=l3p['tenant_id'],
expected_res_status=200, external_segments={})
expected_delete_calls = []
if not self.pre_l3out:
expected_delete_calls.extend([
mock.call(es1['id'], owner=owner, transaction=mock.ANY),
mock.call(es2['id'], owner=owner, transaction=mock.ANY)])
if self.nat_enabled:
expected_delete_calls.extend([
mock.call(l3out_str % (l3p['id'], es1['id']),
owner=l3p_owner, transaction=mock.ANY),
mock.call(l3out_str % (l3p['id'], es2['id']),
owner=l3p_owner, transaction=mock.ANY)])
self._check_call_list(
expected_delete_calls,
mgr.delete_external_routed_network.call_args_list)
expected_unset_l3out_for_bd_calls = []
if self.nat_enabled:
if is_edge_nat:
expected_unset_l3out_for_bd_calls.extend([
mock.call(l3p_owner, l2p['id'],
l3out_str % (l3p['id'], es1['id'])
) for l2p in l2ps])
expected_unset_l3out_for_bd_calls.extend([
mock.call(l3p_owner, l2p['id'],
l3out_str % (l3p['id'], es2['id'])
) for l2p in l2ps])
expected_unset_l3out_for_bd_calls.append(
mock.call(owner, "NAT-bd-%s" % es1['id'],
es1['name' if self.pre_l3out else 'id'],
transaction=mock.ANY))
expected_unset_l3out_for_bd_calls.append(
mock.call(owner, "NAT-bd-%s" % es2['id'],
es2['name' if self.pre_l3out else 'id'],
transaction=mock.ANY))
else:
expected_unset_l3out_for_bd_calls.extend([
mock.call(l3p_owner, l2p['id'],
es1['name' if self.pre_l3out else 'id'])
for l2p in l2ps])
expected_unset_l3out_for_bd_calls.extend([
mock.call(l3p_owner, l2p['id'],
es2['name' if self.pre_l3out else 'id'])
for l2p in l2ps])
self._check_call_list(expected_unset_l3out_for_bd_calls,
mgr.unset_l3out_for_bd.call_args_list)
if self.pre_l3out and not self.nat_enabled:
expected_calls = [
mock.call(APIC_PRE_L3OUT_TENANT,
es1['name'], None, transaction=mock.ANY),
mock.call(APIC_PRE_L3OUT_TENANT,
es2['name'], None, transaction=mock.ANY)]
self._check_call_list(
expected_calls,
mgr.set_context_for_external_routed_network.call_args_list)
if is_edge_nat and self.nat_enabled:
expected_release_vlan_calls = [mock.call(es1['name'], l3p['id']),
mock.call(es2['name'], l3p['id'])]
self._check_call_list(
expected_release_vlan_calls,
self.driver.l3out_vlan_alloc.release_vlan.call_args_list)
if self.nat_enabled and shared_es and self.driver.per_tenant_nat_epg:
expected_epg_calls.append(
mock.call(l3p['tenant_id'], "NAT-epg-%s" % es2['id'],
transaction=mock.ANY))
self._check_call_list(expected_epg_calls,
mgr.delete_epg_for_network.call_args_list)
self.assertEqual((owner, "NAT-epg-%s" % es2['id']),
self.driver._determine_nat_epg_for_es(ctx, es2, l3p))
# Although the naming convention used here has been chosen poorly,
# I'm separating the tests in order to get the mock re-set.
def test_l3p_unplugged_from_es_on_update_1(self):
self._test_l3p_unplugged_from_es_on_update(shared_es=True,
shared_l3p=False)
def test_l3p_unplugged_from_es_on_update_2(self):
self._test_l3p_unplugged_from_es_on_update(shared_es=True,
shared_l3p=True)
def test_l3p_unplugged_from_es_on_update_3(self):
self._test_l3p_unplugged_from_es_on_update(shared_es=False,
shared_l3p=False)
def test_l3p_unplugged_from_es_on_update_edge_nat_mode_1(self):
self._test_l3p_unplugged_from_es_on_update(shared_es=True,
shared_l3p=False,
is_edge_nat=True)
def test_l3p_unplugged_from_es_on_update_edge_nat_mode_2(self):
self._test_l3p_unplugged_from_es_on_update(shared_es=True,
shared_l3p=True,
is_edge_nat=True)
def test_l3p_unplugged_from_es_on_update_edge_nat_mode_3(self):
self._test_l3p_unplugged_from_es_on_update(shared_es=False,
shared_l3p=False,
is_edge_nat=True)
def test_l3p_unplugged_from_es_on_update_ptne_1(self):
self.driver.per_tenant_nat_epg = True
self._test_l3p_unplugged_from_es_on_update(shared_es=True,
shared_l3p=False)
def test_l3p_unplugged_from_es_on_update_ptne_2(self):
self.driver.per_tenant_nat_epg = True
self._test_l3p_unplugged_from_es_on_update(shared_es=True,
shared_l3p=True)
def test_verify_unsupported_es_noop(self):
# Verify L3P is correctly plugged to ES on APIC during update
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(
name='unsupported', cidr='192.168.0.0/24')['external_segment']
self.create_l3_policy(
external_segments={es['id']: ['192.168.0.3']},
expected_res_status=201)
mgr = self.driver.apic_manager
self.assertFalse(mgr.ensure_external_routed_network_created.called)
self.assertFalse(mgr.set_domain_for_external_routed_network.called)
self.assertFalse(mgr.ensure_logical_node_profile_created.called)
self.assertFalse(mgr.ensure_static_route_created.called)
def test_l3p_external_address(self):
# Verify auto allocated IP address is assigned to L3P when no
# explicit address is configured
self._mock_external_dict([('supported1', '192.168.0.2/24'),
('supported2', '192.168.1.2/24')])
es1 = self.create_external_segment(
name='supported1', cidr='192.168.0.0/24')['external_segment']
es2 = self.create_external_segment(
name='supported2', cidr='192.168.1.0/24')['external_segment']
l3p = self.create_l3_policy(
external_segments={es1['id']: []},
expected_res_status=201)['l3_policy']
self.assertEqual(['169.254.0.2'], l3p['external_segments'][es1['id']])
l3p = self.update_l3_policy(
l3p['id'], expected_res_status=200,
external_segments={es1['id']: [], es2['id']: []})['l3_policy']
self.assertEqual(['169.254.0.2'], l3p['external_segments'][es1['id']])
self.assertEqual(['169.254.0.2'], l3p['external_segments'][es2['id']])
# Address IP changed
l3p = self.update_l3_policy(
l3p['id'], expected_res_status=200,
external_segments={es1['id']: ['169.254.0.3'],
es2['id']: []})['l3_policy']
self.assertEqual(['169.254.0.3'], l3p['external_segments'][es1['id']])
self.assertEqual(['169.254.0.2'], l3p['external_segments'][es2['id']])
def _test_multi_es_with_ptg(self, shared_es):
self._mock_external_dict([('supported1', '192.168.0.2/24'),
('supported2', '192.168.1.2/24')])
es1 = self.create_external_segment(shared=shared_es,
name='supported1', cidr='192.168.0.0/24')['external_segment']
es2 = self.create_external_segment(shared=shared_es,
name='supported2', cidr='192.168.1.0/24')['external_segment']
l3p = self.create_l3_policy(
external_segments={es1['id']: [], es2['id']: []},
expected_res_status=201)['l3_policy']
l2p = self.create_l2_policy(l3_policy_id=l3p['id'])['l2_policy']
ptg = self.create_policy_target_group(name="ptg",
l2_policy_id=l2p['id'],
expected_res_status=201)['policy_target_group']
res = self.new_delete_request('policy_target_groups', ptg['id'],
self.fmt).get_response(self.ext_api)
self.assertEqual(webob.exc.HTTPNoContent.code, res.status_int)
def test_multi_es_with_ptg_1(self):
self._test_multi_es_with_ptg(False)
def test_multi_es_with_ptg_2(self):
self._test_multi_es_with_ptg(True)
def test_multi_l3p_ptne(self):
if self.single_tenant_mode:
return
self.driver.per_tenant_nat_epg = True
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(
name='supported', shared=True)['external_segment']
mgr = self.driver.apic_manager
mgr.ensure_epg_created.reset_mock()
l3ps = []
l3p_tenant = 'another_tenant'
for x in range(0, 3 if self.nat_enabled else 1):
l3ps.append(self.create_l3_policy(
name='myl3p-%s' % x, tenant_id=l3p_tenant,
external_segments={es['id']: []},
expected_res_status=201)['l3_policy'])
if self.nat_enabled:
mgr.ensure_epg_created.assert_called_once_with(
l3p_tenant, "NAT-epg-%s" % es['id'],
bd_name="NAT-bd-%s" % es['id'],
bd_owner=self.common_tenant, transaction=mock.ANY)
else:
mgr.ensure_epg_created.assert_not_called()
for l3p in l3ps[:-1]:
self.delete_l3_policy(l3p['id'], tenant_id=l3p['tenant_id'])
mgr.delete_epg_for_network.assert_not_called()
self.delete_l3_policy(l3ps[-1]['id'], tenant_id=l3ps[-1]['tenant_id'])
if self.nat_enabled:
mgr.delete_epg_for_network.assert_called_once_with(
l3p_tenant, "NAT-epg-%s" % es['id'],
transaction=mock.ANY)
else:
mgr.delete_epg_for_network.assert_not_called()
def test_ptne_upgrade(self):
if self.single_tenant_mode:
return
# Simulate "upgrade" - tenants existing before upgrade should
# continue using non-specific NAT EPG where as new ones use
# specific NAT EPGs
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(
name='supported', shared=True)['external_segment']
mgr = self.driver.apic_manager
mgr.ensure_epg_created.reset_mock()
ctx = context.get_admin_context()
ctx._plugin_context = ctx
l3p_a_1 = self.create_l3_policy(
name='myl3p-a-1', tenant_id='tenant_a',
external_segments={es['id']: []})['l3_policy']
mgr.ensure_epg_created.assert_not_called()
self.assertEqual((self.common_tenant, "NAT-epg-%s" % es['id']),
self.driver._determine_nat_epg_for_es(ctx, es, l3p_a_1))
# "Upgrade" and change to per-tenant NAT EPG
self.driver.per_tenant_nat_epg = True
if self.nat_enabled:
l3p_a_2 = self.create_l3_policy(
name='myl3p-a-2', tenant_id='tenant_a',
external_segments={es['id']: []})['l3_policy']
mgr.ensure_epg_created.assert_not_called()
self.assertEqual((self.common_tenant, "NAT-epg-%s" % es['id']),
self.driver._determine_nat_epg_for_es(ctx, es, l3p_a_2))
self.delete_l3_policy(l3p_a_2['id'],
tenant_id=l3p_a_2['tenant_id'])
self.assertEqual((self.common_tenant, "NAT-epg-%s" % es['id']),
self.driver._determine_nat_epg_for_es(ctx, es, l3p_a_1))
self.delete_l3_policy(l3p_a_1['id'], tenant_id=l3p_a_1['tenant_id'])
mgr.delete_epg_for_network.assert_not_called()
l3p_a_3 = self.create_l3_policy(
name='myl3p-a-3', tenant_id='tenant_a',
external_segments={es['id']: []})['l3_policy']
if self.nat_enabled:
mgr.ensure_epg_created.assert_called_once_with(
'tenant_a', "NAT-epg-%s" % es['id'],
bd_name="NAT-bd-%s" % es['id'], bd_owner=self.common_tenant,
transaction=mock.ANY)
self.assertEqual(('tenant_a', "NAT-epg-%s" % es['id']),
self.driver._determine_nat_epg_for_es(ctx, es, l3p_a_3))
else:
mgr.ensure_epg_created.assert_not_called()
self.delete_l3_policy(l3p_a_3['id'], tenant_id=l3p_a_3['tenant_id'])
mgr.ensure_epg_created.reset_mock()
l3p_b_1 = self.create_l3_policy(
name='myl3p-b-1', tenant_id='tenant_b',
external_segments={es['id']: []})['l3_policy']
if self.nat_enabled:
mgr.ensure_epg_created.assert_called_once_with(
'tenant_b', "NAT-epg-%s" % es['id'],
bd_name="NAT-bd-%s" % es['id'], bd_owner=self.common_tenant,
transaction=mock.ANY)
self.assertEqual(('tenant_b', "NAT-epg-%s" % es['id']),
self.driver._determine_nat_epg_for_es(ctx, es, l3p_b_1))
else:
mgr.ensure_epg_created.assert_not_called()
class TestL3PolicySingleTenant(TestL3Policy):
def setUp(self):
super(TestL3PolicySingleTenant, self).setUp(
single_tenant_mode=True)
class TestL3PolicyNoNat(TestL3Policy):
def setUp(self, single_tenant_mode=False):
super(TestL3PolicyNoNat, self).setUp(nat_enabled=False,
single_tenant_mode=single_tenant_mode)
class TestL3PolicyNoNatSingleTenant(TestL3PolicyNoNat):
def setUp(self):
super(TestL3PolicyNoNatSingleTenant, self).setUp(
single_tenant_mode=True)
class TestL3PolicyPreL3Out(TestL3Policy):
def setUp(self, single_tenant_mode=False):
super(TestL3PolicyPreL3Out, self).setUp(pre_existing_l3out=True,
single_tenant_mode=single_tenant_mode)
class TestL3PolicyPreL3OutSingleTenant(TestL3PolicyPreL3Out):
def setUp(self):
super(TestL3PolicyPreL3OutSingleTenant, self).setUp(
single_tenant_mode=True)
class TestL3PolicyNoNatPreL3Out(TestL3Policy):
def setUp(self, single_tenant_mode=False):
super(TestL3PolicyNoNatPreL3Out, self).setUp(
nat_enabled=False, pre_existing_l3out=True,
single_tenant_mode=single_tenant_mode)
class TestL3PolicyNoNatPreL3OutSingleTenant(TestL3PolicyNoNatPreL3Out):
def setUp(self):
super(TestL3PolicyNoNatPreL3OutSingleTenant, self).setUp(
single_tenant_mode=True)
class TestPolicyRuleSet(ApicMappingTestCase):
# TODO(ivar): verify rule intersection with hierarchical PRS happens
# on APIC
def _test_policy_rule_set_created_on_apic(self, shared=False):
ct = self.create_policy_rule_set(name="ctr",
shared=shared)['policy_rule_set']
tenant = self._tenant(ct['tenant_id'], shared)
mgr = self.driver.apic_manager
mgr.create_contract.assert_called_once_with(
ct['id'], owner=tenant, transaction=mock.ANY)
mgr.update_name_alias.assert_called_once_with(
mgr.apic.vzBrCP, tenant, ct['id'], nameAlias='ctr')
mgr.reset_mock()
self.update_policy_rule_set(
ct['id'], description='desc', expected_res_status=200)
self.assertFalse(mgr.update_name_alias.called)
self.update_policy_rule_set(
ct['id'], name='ctr_1', expected_res_status=200)
mgr.update_name_alias.assert_called_once_with(
mgr.apic.vzBrCP, tenant, ct['id'], nameAlias='ctr_1')
def test_policy_rule_set_created_on_apic(self):
self._test_policy_rule_set_created_on_apic()
def test_policy_rule_set_created_on_apic_shared(self):
self._test_policy_rule_set_created_on_apic(shared=True)
def _test_policy_rule_set_created_with_rules(self, shared=False):
bi, in_d, out = range(3)
rules = self._create_3_direction_rules(shared=shared)
# exclude BI rule for now
ctr = self.create_policy_rule_set(
name="ctr", policy_rules=[x['id'] for x in rules[1:]])[
'policy_rule_set']
rule_owner = self._tenant(rules[0]['tenant_id'], shared)
ctr_tenant = self._tenant(ctr['tenant_id'])
# Verify that the in-out rules are correctly enforced on the APIC
mgr = self.driver.apic_manager
expected_calls = [
mock.call(ctr['id'], ctr['id'], rules[in_d]['id'],
owner=ctr_tenant, transaction=mock.ANY,
unset=False, rule_owner=rule_owner),
mock.call(ctr['id'], ctr['id'],
alib.REVERSE_PREFIX + rules[out]['id'],
owner=ctr_tenant, transaction=mock.ANY,
unset=False, rule_owner=rule_owner)]
self._check_call_list(
expected_calls,
mgr.manage_contract_subject_in_filter.call_args_list)
expected_calls = [
mock.call(ctr['id'], ctr['id'], rules[out]['id'],
owner=ctr_tenant, transaction=mock.ANY,
unset=False, rule_owner=rule_owner),
mock.call(ctr['id'], ctr['id'],
alib.REVERSE_PREFIX + rules[in_d]['id'],
owner=ctr_tenant, transaction=mock.ANY,
unset=False, rule_owner=rule_owner)]
self._check_call_list(
expected_calls,
mgr.manage_contract_subject_out_filter.call_args_list)
# Create policy_rule_set with BI rule
ctr = self.create_policy_rule_set(
name="ctr", policy_rules=[rules[bi]['id']])['policy_rule_set']
mgr.manage_contract_subject_in_filter.call_happened_with(
ctr['id'], ctr['id'], rules[bi]['id'], owner=ctr_tenant,
transaction=mock.ANY, unset=False,
rule_owner=rule_owner)
mgr.manage_contract_subject_out_filter.call_happened_with(
ctr['id'], ctr['id'], rules[bi]['id'], owner=ctr_tenant,
transaction=mock.ANY, unset=False,
rule_owner=rule_owner)
mgr.manage_contract_subject_in_filter.call_happened_with(
ctr['id'], ctr['id'], alib.REVERSE_PREFIX + rules[bi]['id'],
owner=ctr_tenant, transaction=mock.ANY, unset=False,
rule_owner=rule_owner)
mgr.manage_contract_subject_out_filter.call_happened_with(
ctr['id'], ctr['id'], alib.REVERSE_PREFIX + rules[bi]['id'],
owner=ctr_tenant, transaction=mock.ANY, unset=False,
rule_owner=rule_owner)
def test_policy_rule_set_created_with_rules(self):
self._test_policy_rule_set_created_with_rules()
def test_policy_rule_set_created_with_rules_shared(self):
self._test_policy_rule_set_created_with_rules(shared=True)
def _test_policy_rule_set_updated_with_new_rules(self, shared=False):
bi, in_d, out = range(3)
old_rules = self._create_3_direction_rules(shared=shared)
new_rules = self._create_3_direction_rules(shared=shared)
# exclude BI rule for now
ctr = self.create_policy_rule_set(
name="ctr",
policy_rules=[x['id'] for x in old_rules[1:]])['policy_rule_set']
data = {'policy_rule_set': {
'policy_rules': [x['id'] for x in new_rules[1:]]}}
rule_owner = self._tenant(old_rules[in_d]['tenant_id'], shared)
ctr_tenant = self._tenant(ctr['tenant_id'])
mgr = self.driver.apic_manager
mgr.manage_contract_subject_in_filter = MockCallRecorder()
mgr.manage_contract_subject_out_filter = MockCallRecorder()
self.new_update_request(
'policy_rule_sets', data, ctr['id'], self.fmt).get_response(
self.ext_api)
# Verify old IN rule unset and new IN rule set
self.assertTrue(
mgr.manage_contract_subject_in_filter.call_happened_with(
ctr['id'], ctr['id'], old_rules[in_d]['id'],
rule_owner=rule_owner,
owner=ctr_tenant, transaction='transaction', unset=True))
self.assertTrue(
mgr.manage_contract_subject_in_filter.call_happened_with(
ctr['id'], ctr['id'], new_rules[in_d]['id'],
owner=ctr_tenant, transaction='transaction',
unset=False, rule_owner=rule_owner))
self.assertTrue(
mgr.manage_contract_subject_out_filter.call_happened_with(
ctr['id'], ctr['id'], old_rules[out]['id'],
owner=ctr_tenant, transaction='transaction', unset=True,
rule_owner=rule_owner))
self.assertTrue(
mgr.manage_contract_subject_out_filter.call_happened_with(
ctr['id'], ctr['id'], new_rules[out]['id'],
owner=ctr_tenant, transaction='transaction',
unset=False, rule_owner=rule_owner))
ctr = self.create_policy_rule_set(
name="ctr",
policy_rules=[old_rules[0]['id']])['policy_rule_set']
data = {'policy_rule_set': {'policy_rules': [new_rules[0]['id']]}}
self.new_update_request(
'policy_rule_sets', data, ctr['id'], self.fmt).get_response(
self.ext_api)
# Verify old BI rule unset and new Bu rule set
self.assertTrue(
mgr.manage_contract_subject_in_filter.call_happened_with(
ctr['id'], ctr['id'], old_rules[bi]['id'],
owner=ctr_tenant, transaction='transaction', unset=True,
rule_owner=rule_owner))
self.assertTrue(
mgr.manage_contract_subject_out_filter.call_happened_with(
ctr['id'], ctr['id'], old_rules[bi]['id'],
owner=ctr_tenant, transaction='transaction', unset=True,
rule_owner=rule_owner))
self.assertTrue(
mgr.manage_contract_subject_in_filter.call_happened_with(
ctr['id'], ctr['id'], new_rules[bi]['id'],
owner=ctr_tenant, transaction='transaction',
unset=False, rule_owner=rule_owner))
self.assertTrue(
mgr.manage_contract_subject_out_filter.call_happened_with(
ctr['id'], ctr['id'], new_rules[bi]['id'],
owner=ctr_tenant, transaction='transaction',
unset=False, rule_owner=rule_owner))
def test_policy_rule_set_updated_with_new_rules(self):
self._test_policy_rule_set_updated_with_new_rules()
def test_policy_rule_set_updated_with_new_rules_shared(self):
self._test_policy_rule_set_updated_with_new_rules(shared=True)
def _create_3_direction_rules(self, shared=False):
a1 = self.create_policy_action(name='a1',
action_type='allow', shared=shared)['policy_action']
cl_attr = {'protocol': 'tcp', 'port_range': 80}
cls = []
for direction in ['bi', 'in', 'out']:
if direction == 'out':
cl_attr['protocol'] = 'udp'
cls.append(self.create_policy_classifier(
direction=direction, shared=shared,
**cl_attr)['policy_classifier'])
rules = []
for classifier in cls:
rules.append(self.create_policy_rule(
policy_classifier_id=classifier['id'],
policy_actions=[a1['id']],
shared=shared)['policy_rule'])
return rules
class TestPolicyRuleSetSingleTenant(TestPolicyRuleSet):
def setUp(self):
super(TestPolicyRuleSetSingleTenant, self).setUp(
single_tenant_mode=True)
class TestPolicyRule(ApicMappingTestCase):
def _test_policy_rule_created_on_apic(self, shared=False):
pr = self._create_simple_policy_rule('in', 'tcp', 88, shared=shared)
pr1 = self._create_simple_policy_rule('in', 'udp', 53, shared=shared)
pr2 = self._create_simple_policy_rule('in', None, 88, shared=shared)
tenant = self._tenant(pr['tenant_id'], shared)
mgr = self.driver.apic_manager
expected_calls = [
mock.call(pr['id'], owner=tenant, entry='os-entry-0', etherT='ip',
prot='tcp', dToPort=88, dFromPort=88,
transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr['id'], owner=tenant,
entry='os-entry-0', etherT='ip', prot='tcp', sToPort=88,
sFromPort=88, tcpRules='est', transaction=mock.ANY),
mock.call(pr1['id'], owner=tenant, entry='os-entry-0',
etherT='ip', prot='udp', dToPort=53, dFromPort=53,
transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr1['id'], owner=tenant,
entry='os-entry-0', etherT='ip', prot='udp', sToPort=53,
sFromPort=53, transaction=mock.ANY),
mock.call(pr2['id'], owner=tenant, entry='os-entry-0',
etherT='unspecified', dToPort=88, dFromPort=88,
transaction=mock.ANY)]
self._check_call_list(
expected_calls, mgr.create_tenant_filter.call_args_list)
mgr.reset_mock()
pr = self._create_simple_policy_rule('bi', None, None, shared=shared)
expected_calls = [
mock.call(pr['id'], owner=tenant, entry='os-entry-0',
etherT='unspecified', transaction=mock.ANY)]
self._check_call_list(
expected_calls, mgr.create_tenant_filter.call_args_list)
def test_policy_rule_created_on_apic(self):
self._test_policy_rule_created_on_apic()
def test_policy_rule_created_on_apic_shared(self):
self._test_policy_rule_created_on_apic(shared=True)
def _test_policy_rule_deleted_on_apic(self, shared=False):
pr = self._create_simple_policy_rule(shared=shared)
pr1 = self._create_simple_policy_rule('in', 'udp', 53, shared=shared)
self.delete_policy_rule(pr['id'], expected_res_status=204)
tenant = self._tenant(pr['tenant_id'], shared)
mgr = self.driver.apic_manager
expected_calls = [
mock.call(pr['id'], owner=tenant, transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr['id'], owner=tenant,
transaction=mock.ANY)]
self._check_call_list(
expected_calls, mgr.delete_tenant_filter.call_args_list)
mgr.delete_tenant_filter.reset_mock()
self.delete_policy_rule(pr1['id'], expected_res_status=204)
expected_calls = [
mock.call(pr1['id'], owner=tenant, transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr1['id'], owner=tenant,
transaction=mock.ANY)]
self._check_call_list(
expected_calls, mgr.delete_tenant_filter.call_args_list)
def test_policy_rule_deleted_on_apic(self):
self._test_policy_rule_deleted_on_apic()
def test_policy_rule_deleted_on_apic_shared(self):
self._test_policy_rule_deleted_on_apic(shared=True)
def test_policy_classifier_updated(self):
pa = self.create_policy_action(
action_type='allow', is_admin_context=True,
tenant_id='admin', shared=True)['policy_action']
pc = self.create_policy_classifier(
direction='in', protocol='udp', port_range=80,
shared=True, is_admin_context=True,
tenant_id='admin')['policy_classifier']
pr1 = self.create_policy_rule(
policy_classifier_id=pc['id'], policy_actions=[pa['id']],
shared=True, is_admin_context=True,
tenant_id='admin')['policy_rule']
tenant_id1 = self._tenant('common')
tenant_id2 = self._tenant(self._tenant_id)
pr2 = self.create_policy_rule(policy_classifier_id=pc['id'],
policy_actions=[pa['id']])['policy_rule']
prs1 = self.create_policy_rule_set(
policy_rules=[pr1['id']])['policy_rule_set']
prs2 = self.create_policy_rule_set(
policy_rules=[pr2['id'], pr1['id']])['policy_rule_set']
mgr = self.driver.apic_manager
mgr.reset_mock()
# Remove Classifier port, should just delete and create the filter
self.update_policy_classifier(pc['id'], port_range=None,
is_admin_context=True)
expected_calls = [
mock.call(pr1['id'], owner=tenant_id1, etherT='ip', prot='udp',
entry='os-entry-0', transaction=mock.ANY),
mock.call(pr2['id'], owner=tenant_id2, etherT='ip', prot='udp',
entry='os-entry-0', transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr1['id'], owner=tenant_id1,
etherT='ip', prot='udp', entry='os-entry-0',
transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr2['id'], owner=tenant_id2,
etherT='ip', prot='udp', entry='os-entry-0',
transaction=mock.ANY)]
self._check_call_list(
expected_calls, mgr.create_tenant_filter.call_args_list)
expected_calls = [
mock.call(pr1['id'], owner=tenant_id1, transaction=mock.ANY),
mock.call(pr2['id'], owner=tenant_id2, transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr1['id'], owner=tenant_id1,
transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr2['id'], owner=tenant_id2,
transaction=mock.ANY)]
self._check_call_list(
expected_calls, mgr.delete_tenant_filter.call_args_list)
self.assertFalse(mgr.manage_contract_subject_in_filter.called)
self.assertFalse(mgr.manage_contract_subject_out_filter.called)
mgr.reset_mock()
# Change Classifier protocol, to not revertible
self.update_policy_classifier(pc['id'], protocol=None,
is_admin_context=True)
expected_calls = [
mock.call(pr1['id'], owner=tenant_id1, etherT='unspecified',
entry='os-entry-0', transaction=mock.ANY),
mock.call(pr2['id'], owner=tenant_id2, etherT='unspecified',
entry='os-entry-0', transaction=mock.ANY)]
self._check_call_list(
expected_calls, mgr.create_tenant_filter.call_args_list)
expected_calls = [
mock.call(pr1['id'], owner=tenant_id1, transaction=mock.ANY),
mock.call(pr2['id'], owner=tenant_id2, transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr1['id'], owner=tenant_id1,
transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr2['id'], owner=tenant_id2,
transaction=mock.ANY)]
self._check_call_list(
expected_calls, mgr.delete_tenant_filter.call_args_list)
# Protocol went from revertible to non-revertible
self.assertTrue(mgr.manage_contract_subject_in_filter.called)
self.assertTrue(mgr.manage_contract_subject_out_filter.called)
mgr.reset_mock()
# Change Classifier protocol to revertible
self.update_policy_classifier(pc['id'], protocol='tcp',
is_admin_context=True)
expected_calls = [
mock.call(pr1['id'], owner=tenant_id1, transaction=mock.ANY),
mock.call(pr2['id'], owner=tenant_id2, transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr1['id'], owner=tenant_id1,
transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr2['id'], owner=tenant_id2,
transaction=mock.ANY)]
self._check_call_list(
expected_calls, mgr.delete_tenant_filter.call_args_list)
expected_calls = [
mock.call(pr1['id'], owner=tenant_id1, etherT='ip', prot='tcp',
entry='os-entry-0', transaction=mock.ANY),
mock.call(pr2['id'], owner=tenant_id2, etherT='ip', prot='tcp',
entry='os-entry-0', transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr1['id'], owner=tenant_id1,
etherT='ip', prot='tcp', tcpRules='est',
entry='os-entry-0', transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr2['id'], owner=tenant_id2,
etherT='ip', prot='tcp', tcpRules='est',
entry='os-entry-0', transaction=mock.ANY)]
self._check_call_list(
expected_calls, mgr.create_tenant_filter.call_args_list)
expected_calls = [
# Unset PR1 and PR2 IN
mock.call(prs1['id'], prs1['id'], pr1['id'], owner=tenant_id2,
transaction=mock.ANY, unset=True, rule_owner=tenant_id1),
mock.call(prs2['id'], prs2['id'], pr1['id'], owner=tenant_id2,
transaction=mock.ANY, unset=True, rule_owner=tenant_id1),
mock.call(prs2['id'], prs2['id'], pr2['id'], owner=tenant_id2,
transaction=mock.ANY, unset=True,
rule_owner=tenant_id2),
# SET PR1 and PR2 IN
mock.call(prs1['id'], prs1['id'], pr1['id'], owner=tenant_id2,
transaction=mock.ANY, unset=False,
rule_owner=tenant_id1),
mock.call(prs2['id'], prs2['id'], pr1['id'], owner=tenant_id2,
transaction=mock.ANY, unset=False,
rule_owner=tenant_id1),
mock.call(prs2['id'], prs2['id'], pr2['id'], owner=tenant_id2,
transaction=mock.ANY, unset=False,
rule_owner=tenant_id2)
]
self._check_call_list(
expected_calls,
mgr.manage_contract_subject_in_filter.call_args_list)
# SET Reverse PR1 and PR2 OUT
expected_calls = [
mock.call(prs1['id'], prs1['id'], alib.REVERSE_PREFIX + pr1['id'],
owner=tenant_id2, transaction=mock.ANY, unset=False,
rule_owner=tenant_id1),
mock.call(prs2['id'], prs2['id'], alib.REVERSE_PREFIX + pr1['id'],
owner=tenant_id2, transaction=mock.ANY, unset=False,
rule_owner=tenant_id1),
mock.call(prs2['id'], prs2['id'], alib.REVERSE_PREFIX + pr2['id'],
owner=tenant_id2, transaction=mock.ANY, unset=False,
rule_owner=tenant_id2)
]
self._check_call_list(
expected_calls,
mgr.manage_contract_subject_out_filter.call_args_list)
def test_icmp_rule_created_on_apic(self):
pr = self._create_simple_policy_rule('in', 'icmp', None)
tenant = self._tenant(pr['tenant_id'])
mgr = self.driver.apic_manager
expected_calls = [
mock.call(pr['id'], owner=tenant, entry='os-entry-0', etherT='ip',
prot='icmp', transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr['id'], owner=tenant,
entry=mock.ANY, etherT='ip', icmpv4T='echo-rep',
prot='icmp', transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr['id'], owner=tenant,
entry=mock.ANY, etherT='ip', icmpv4T='dst-unreach',
prot='icmp', transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr['id'], owner=tenant,
entry=mock.ANY, etherT='ip', icmpv4T='src-quench',
prot='icmp', transaction=mock.ANY),
mock.call(alib.REVERSE_PREFIX + pr['id'], owner=tenant,
entry=mock.ANY, etherT='ip', icmpv4T='time-exceeded',
prot='icmp', transaction=mock.ANY)]
# verify that entry is always different
found = set()
for call in mgr.create_tenant_filter.call_args_list:
# Only for reverse filters
if call[0][0].startswith(alib.REVERSE_PREFIX):
self.assertFalse(call[1]['entry'] in found)
found.add(call[1]['entry'])
self._check_call_list(
expected_calls, mgr.create_tenant_filter.call_args_list)
class TestPolicyRuleSingleTenant(TestPolicyRule):
def setUp(self):
super(TestPolicyRuleSingleTenant, self).setUp(
single_tenant_mode=True)
class TestExternalSegment(ApicMappingTestCase):
def test_single_tenant_and_ptne_rejected(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
self.driver.per_tenant_nat_epg = True
# Verify Rejected on create
if self.single_tenant_mode:
res = self.create_external_segment(
name='supported', cidr='192.168.0.2/24',
expected_res_status=400)
self.assertEqual('SingleTenantAndPerTenantNatEPGNotSupported',
res['NeutronError']['type'])
else:
res = self.create_external_segment(
name='supported', cidr='192.168.0.2/24',
expected_res_status=201)
def test_pat_rejected(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
# Verify Rejected on create
res = self.create_external_segment(
name='supported', port_address_translation=True,
expected_res_status=400)
self.assertEqual('PATNotSupportedByApicDriver',
res['NeutronError']['type'])
# Verify Rejected on Update
es = self.create_external_segment(
name='supported', expected_res_status=201,
port_address_translation=False)['external_segment']
res = self.update_external_segment(
es['id'], expected_res_status=400, port_address_translation=True)
self.assertEqual('PATNotSupportedByApicDriver',
res['NeutronError']['type'])
def test_edge_nat_invalid_vlan_range_rejected(self):
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat=True)
self.driver.l3out_vlan_alloc.l3out_vlan_ranges = {}
res = self.create_external_segment(
name='supported', expected_res_status=400)
self.assertEqual('EdgeNatBadVlanRange', res['NeutronError']['type'])
ext_info = self.driver.apic_manager.ext_net_dict.get('supported')
del ext_info['vlan_range']
res = self.create_external_segment(
name='supported', expected_res_status=400)
self.assertEqual('EdgeNatVlanRangeNotFound',
res['NeutronError']['type'])
def _test_create_delete(self, shared=False, is_edge_nat=False):
mgr = self.driver.apic_manager
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat)
mgr.ext_net_dict['supported']['host_pool_cidr'] = '192.168.200.1/24'
es = self.create_external_segment(name='supported',
cidr='192.168.0.2/24',
expected_res_status=201, shared=shared)['external_segment']
self.create_external_segment(name='unsupport', expected_res_status=201,
shared=shared)
self.assertEqual('192.168.0.2/24', es['cidr'])
self.assertIsNotNone(es['subnet_id'])
subnet = self._get_object('subnets', es['subnet_id'],
self.api)['subnet']
self.assertEqual('169.254.0.0/16', subnet['cidr'])
owner = self._tenant(es['tenant_id'], shared)
prs = "NAT-allow-%s" % es['id']
if self.nat_enabled:
ctx = "NAT-vrf-%s" % es['id']
ctx_owner = owner
contract_owner = owner
if self.pre_l3out:
ctx = APIC_PRE_VRF
ctx_owner = APIC_PRE_VRF_TENANT
contract_owner = APIC_PRE_L3OUT_TENANT
self.assertFalse(mgr.ensure_context_enforced.called)
else:
mgr.ensure_context_enforced.assert_called_with(
owner=owner, ctx_id=ctx,
transaction=mock.ANY)
if not is_edge_nat:
mgr.ensure_bd_created_on_apic(
owner, "NAT-bd-%s" % es['id'], ctx_owner=ctx_owner,
ctx_name=ctx, transaction=mock.ANY)
mgr.ensure_epg_created.assert_called_with(
owner, "NAT-epg-%s" % es['id'],
bd_name="NAT-bd-%s" % es['id'],
transaction=mock.ANY)
else:
self.assertFalse(mgr.ensure_bd_created_on_apic.called)
self.assertFalse(mgr.ensure_epg_created.called)
mgr.create_tenant_filter.assert_called_with(
prs, owner=contract_owner,
entry="allow-all", transaction=mock.ANY)
mgr.manage_contract_subject_bi_filter.assert_called_with(
prs, prs, prs, owner=contract_owner, transaction=mock.ANY)
if not is_edge_nat:
expected_calls = [
mock.call(owner, "NAT-epg-%s" % es['id'], prs,
transaction=mock.ANY),
mock.call(owner, "NAT-epg-%s" % es['id'], prs,
provider=True, transaction=mock.ANY)]
self._check_call_list(expected_calls,
mgr.set_contract_for_epg.call_args_list)
else:
self.assertFalse(mgr.ensure_subnet_created_on_apic.called)
self.assertFalse(mgr.set_contract_for_epg.called)
ctx = context.get_admin_context()
internal_subnets = self._db_plugin.get_subnets(
ctx, filters={'name': [amap.HOST_SNAT_POOL]})
self.assertEqual(1, len(internal_subnets))
else:
self.assertFalse(mgr.ensure_bd_created_on_apic.called)
self.assertFalse(mgr.ensure_epg_created.called)
self.assertFalse(mgr.ensure_subnet_created_on_apic.called)
self.assertFalse(mgr.create_tenant_filter.called)
self.assertFalse(mgr.manage_contract_subject_bi_filter.called)
self.assertFalse(mgr.set_contract_for_epg.called)
subnet_id = es['subnet_id']
self.delete_external_segment(es['id'],
expected_res_status=webob.exc.HTTPNoContent.code)
self._get_object('subnets', subnet_id, self.api,
expected_res_status=404)
if self.nat_enabled:
ctx = "NAT-vrf-%s" % es['id']
ctx_owner = owner
contract_owner = owner
if self.pre_l3out:
ctx = APIC_PRE_VRF
ctx_owner = APIC_PRE_VRF_TENANT
contract_owner = APIC_PRE_L3OUT_TENANT
self.assertFalse(mgr.ensure_context_enforced.called)
else:
mgr.ensure_context_deleted.assert_called_with(
ctx_owner, ctx, transaction=mock.ANY)
if not is_edge_nat:
mgr.delete_bd_on_apic.assert_called_with(
owner, "NAT-bd-%s" % es['id'], transaction=mock.ANY)
mgr.delete_epg_for_network.assert_called_with(
owner, "NAT-epg-%s" % es['id'], transaction=mock.ANY)
else:
self.assertFalse(mgr.delete_bd_on_apic.called)
self.assertFalse(mgr.delete_epg_for_network.called)
mgr.delete_contract.assert_called_with(
prs, owner=contract_owner, transaction=mock.ANY)
mgr.delete_tenant_filter.assert_called_with(
prs, owner=contract_owner, transaction=mock.ANY)
else:
self.assertFalse(mgr.delete_bd_on_apic.called)
self.assertFalse(mgr.delete_epg_for_network.called)
self.assertFalse(mgr.delete_contract.called)
self.assertFalse(mgr.delete_tenant_filter.called)
def test_create_delete_unshared(self):
self._test_create_delete(False)
def test_create_delete_shared(self):
self._test_create_delete(True)
def test_create_delete_unshared_edge_nat(self):
self._test_create_delete(False, is_edge_nat=True)
def test_create_delete_shared_edge_nat(self):
self._test_create_delete(True, is_edge_nat=True)
def test_update_unsupported_noop(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(
name='unsupport', cidr='192.168.0.0/24',
external_routes=[{'destination': '0.0.0.0/0',
'nexthop': '192.168.0.254'},
{'destination': '128.0.0.0/16',
'nexthop': None}],
expected_res_status=201)['external_segment']
self.update_external_segment(es['id'], expected_res_status=200,
external_routes=[])
mgr = self.driver.apic_manager
self.assertFalse(mgr.ensure_static_route_deleted.called)
self.assertFalse(mgr.ensure_external_epg_routes_deleted.called)
self.assertFalse(mgr.ensure_static_route_created.called)
self.assertFalse(mgr.ensure_external_epg_created.called)
self.assertFalse(mgr.ensure_next_hop_deleted.called)
def _test_route_update_remove(self, shared_es, is_edge_nat=False):
# Verify routes are updated correctly
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat)
es = self.create_external_segment(
name='supported', cidr='192.168.0.0/24', shared=shared_es,
external_routes=[{'destination': '0.0.0.0/0',
'nexthop': '192.168.0.254'},
{'destination': '128.0.0.0/16',
'nexthop': None}],
expected_res_status=201)['external_segment']
# create L3-policies
if self.pre_l3out and not self.nat_enabled:
tenants = [es['tenant_id']]
else:
tenants = (['tenant_a', 'tenant_b', 'tenant_c']
if self.nat_enabled and shared_es
else [es['tenant_id']])
l3p_list = []
for x in xrange(len(tenants)):
l3p = self.create_l3_policy(
shared=False,
tenant_id=tenants[x],
external_segments={es['id']: []},
expected_res_status=201)['l3_policy']
l3p_list.append(l3p)
# Attach external policy
f = self.create_external_policy
eps = [f(external_segments=[es['id']],
tenant_id=tenants[x],
expected_res_status=201)['external_policy']
for x in xrange(len(tenants))]
mgr = self.driver.apic_manager
owner = self._tenant(es['tenant_id'], shared_es)
mgr.ensure_external_epg_created.reset_mock()
mgr.ensure_static_route_created.reset_mock()
# Remove route completely
self.update_external_segment(es['id'], expected_res_status=200,
external_routes=[
{'destination': '0.0.0.0/0',
'nexthop': '192.168.0.254'}])
sub_str = "Shd-%s-%s"
if is_edge_nat:
sub_str = "Auto-%s-%s"
mgr = self.driver.apic_manager
if not self.pre_l3out:
expected_delete_calls = []
expected_delete_calls.append(
mock.call(es['id'], mocked.APIC_EXT_SWITCH,
'128.0.0.0/16', owner=owner, transaction=mock.ANY))
if self.nat_enabled and is_edge_nat:
for x in range(len(tenants)):
l3p = l3p_list[x]
l3out = sub_str % (l3p['id'], es['id'])
tenant = self._tenant(tenants[x])
expected_delete_calls.append(
mock.call(l3out, mocked.APIC_EXT_SWITCH,
'128.0.0.0/16', owner=tenant,
transaction=mock.ANY))
self._check_call_list(expected_delete_calls,
mgr.ensure_static_route_deleted.call_args_list)
else:
self.assertFalse(mgr.ensure_static_route_deleted.called)
expected_delete_calls = []
for x in range(len(tenants)):
ep = eps[x]
l3p = l3p_list[x]
l3out = es['name' if self.pre_l3out else 'id']
ext_epg = ep['id']
tenant = APIC_PRE_L3OUT_TENANT if self.pre_l3out else owner
if self.nat_enabled:
l3out = sub_str % (l3p['id'], es['id'])
ext_epg = sub_str % (l3p['id'], ext_epg)
tenant = self._tenant(tenants[x])
expected_delete_calls.append(
mock.call(l3out, subnets=['128.0.0.0/16'],
external_epg=ext_epg, owner=tenant,
transaction=mock.ANY))
self._check_call_list(
expected_delete_calls,
mgr.ensure_external_epg_routes_deleted.call_args_list)
self.assertFalse(mgr.ensure_static_route_created.called)
self.assertFalse(mgr.ensure_external_epg_created.called)
self.assertFalse(mgr.ensure_next_hop_deleted.called)
# Remove nexthop only
mgr.ensure_static_route_deleted.reset_mock()
mgr.ensure_external_epg_routes_deleted.reset_mock()
self.update_external_segment(es['id'], expected_res_status=200,
external_routes=[
{'destination': '0.0.0.0/0',
'nexthop': None}])
if not self.pre_l3out:
expected_delete_calls = []
expected_create_calls = []
expected_delete_calls.append(
mock.call(es['id'], mocked.APIC_EXT_SWITCH, '0.0.0.0/0',
'192.168.0.254', owner=owner, transaction=mock.ANY))
# Being the new nexthop 'None', the default one is used
expected_create_calls.append(
mock.call(es['id'], mocked.APIC_EXT_SWITCH, '192.168.0.1',
subnet='0.0.0.0/0', owner=owner, transaction=mock.ANY))
if self.nat_enabled and is_edge_nat:
for x in range(len(tenants)):
l3p = l3p_list[x]
l3out = sub_str % (l3p['id'], es['id'])
tenant = self._tenant(tenants[x])
expected_delete_calls.append(
mock.call(l3out, mocked.APIC_EXT_SWITCH, '0.0.0.0/0',
'192.168.0.254', owner=tenant,
transaction=mock.ANY))
expected_create_calls.append(
mock.call(l3out, mocked.APIC_EXT_SWITCH, '192.168.0.1',
subnet='0.0.0.0/0', owner=tenant,
transaction=mock.ANY))
self._check_call_list(expected_delete_calls,
mgr.ensure_next_hop_deleted.call_args_list)
self._check_call_list(expected_create_calls,
mgr.ensure_static_route_created.call_args_list)
else:
self.assertFalse(mgr.ensure_static_route_created.called)
self.assertFalse(mgr.ensure_next_hop_deleted.called)
expected_delete_calls = []
for x in range(len(tenants)):
ep = eps[x]
l3p = l3p_list[x]
l3out = es['name' if self.pre_l3out else 'id']
ext_epg = ep['id']
tenant = APIC_PRE_L3OUT_TENANT if self.pre_l3out else owner
if self.nat_enabled:
l3out = sub_str % (l3p['id'], es['id'])
ext_epg = sub_str % (l3p['id'], ext_epg)
tenant = self._tenant(tenants[x])
expected_delete_calls.append(
mock.call(l3out, subnet='0.0.0.0/0',
external_epg=ext_epg, owner=tenant,
transaction=mock.ANY))
self._check_call_list(expected_delete_calls,
mgr.ensure_external_epg_created.call_args_list)
self.assertFalse(mgr.ensure_static_route_deleted.called)
self.assertFalse(mgr.ensure_external_epg_routes_deleted.called)
# Although the naming convention used here has been chosen poorly,
# I'm separating the tests in order to get the mock re-set.
def test_route_update_remove_1(self):
self._test_route_update_remove(shared_es=True)
def test_route_update_remove_2(self):
self._test_route_update_remove(shared_es=False)
def test_route_update_remove_edge_nat_mode_1(self):
self._test_route_update_remove(shared_es=True, is_edge_nat=True)
def test_route_update_remove_edge_nat_mode_2(self):
self._test_route_update_remove(shared_es=False, is_edge_nat=True)
def _test_route_update_add(self, shared_es, is_edge_nat=False):
# Verify routes are updated correctly
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat)
es = self.create_external_segment(
name='supported', cidr='192.168.0.0/24', shared=shared_es,
external_routes=[],
expected_res_status=201)['external_segment']
if self.pre_l3out and not self.nat_enabled:
tenants = [es['tenant_id']]
else:
tenants = (['tenant_a', 'tenant_b', 'tenant_c']
if self.nat_enabled and shared_es
else [es['tenant_id']])
# create L3-policies
l3p_list = []
for x in xrange(len(tenants)):
l3p = self.create_l3_policy(
shared=False,
tenant_id=tenants[x],
external_segments={es['id']: []},
expected_res_status=201)['l3_policy']
l3p_list.append(l3p)
# Attach external policies
f = self.create_external_policy
eps = [f(external_segments=[es['id']],
tenant_id=tenants[x],
expected_res_status=201)['external_policy']
for x in xrange(len(tenants))]
mgr = self.driver.apic_manager
mgr.ensure_static_route_created.reset_mock()
mgr.ensure_external_epg_created.reset_mock()
owner = self._tenant(es['tenant_id'], shared_es)
self.update_external_segment(es['id'], expected_res_status=200,
external_routes=[
{'destination': '128.0.0.0/16',
'nexthop': '192.168.0.254'}])
sub_str = "Shd-%s-%s"
if is_edge_nat:
sub_str = "Auto-%s-%s"
if not self.pre_l3out:
expected_create_calls = []
expected_create_calls.append(
mock.call(es['id'], mocked.APIC_EXT_SWITCH,
'192.168.0.254', subnet='128.0.0.0/16',
owner=owner, transaction=mock.ANY))
if self.nat_enabled and is_edge_nat:
for x in range(len(tenants)):
l3p = l3p_list[x]
l3out = sub_str % (l3p['id'], es['id'])
tenant = self._tenant(tenants[x])
expected_create_calls.append(
mock.call(l3out, mocked.APIC_EXT_SWITCH,
'192.168.0.254', subnet='128.0.0.0/16',
owner=tenant, transaction=mock.ANY))
self._check_call_list(expected_create_calls,
mgr.ensure_static_route_created.call_args_list)
else:
self.assertFalse(mgr.ensure_static_route_created.called)
expected_create_calls = []
for x in range(len(tenants)):
ep = eps[x]
l3p = l3p_list[x]
l3out = es['name' if self.pre_l3out else 'id']
ext_epg = ep['id']
tenant = APIC_PRE_L3OUT_TENANT if self.pre_l3out else owner
if self.nat_enabled:
l3out = sub_str % (l3p['id'], es['id'])
ext_epg = sub_str % (l3p['id'], ext_epg)
tenant = self._tenant(tenants[x])
expected_create_calls.append(
mock.call(l3out, subnet='128.0.0.0/16',
external_epg=ext_epg, owner=tenant,
transaction=mock.ANY))
self._check_call_list(expected_create_calls,
mgr.ensure_external_epg_created.call_args_list)
self.assertFalse(mgr.ensure_static_route_deleted.called)
self.assertFalse(mgr.ensure_external_epg_routes_deleted.called)
self.assertFalse(mgr.ensure_next_hop_deleted.called)
mgr.ensure_static_route_created.reset_mock()
mgr.ensure_external_epg_created.reset_mock()
# Verify Route added with default gateway
self.update_external_segment(es['id'], expected_res_status=200,
external_routes=[
{'destination': '128.0.0.0/16',
'nexthop': '192.168.0.254'},
{'destination': '0.0.0.0/0',
'nexthop': None}])
if not self.pre_l3out:
expected_create_calls = []
expected_create_calls.append(
mock.call(es['id'], mocked.APIC_EXT_SWITCH,
'192.168.0.1', subnet='0.0.0.0/0',
owner=owner, transaction=mock.ANY))
if self.nat_enabled and is_edge_nat:
for x in range(len(tenants)):
l3p = l3p_list[x]
l3out = sub_str % (l3p['id'], es['id'])
tenant = self._tenant(tenants[x])
expected_create_calls.append(
mock.call(l3out, mocked.APIC_EXT_SWITCH, '192.168.0.1',
subnet='0.0.0.0/0', owner=tenant,
transaction=mock.ANY))
self._check_call_list(expected_create_calls,
mgr.ensure_static_route_created.call_args_list)
else:
self.assertFalse(mgr.ensure_static_route_created.called)
expected_create_calls = []
for x in range(len(tenants)):
ep = eps[x]
l3p = l3p_list[x]
l3out = es['name' if self.pre_l3out else 'id']
ext_epg = ep['id']
tenant = APIC_PRE_L3OUT_TENANT if self.pre_l3out else owner
if self.nat_enabled:
l3out = sub_str % (l3p['id'], es['id'])
ext_epg = sub_str % (l3p['id'], ext_epg)
tenant = self._tenant(tenants[x])
expected_create_calls.append(
mock.call(l3out, subnet='0.0.0.0/0',
external_epg=ext_epg, owner=tenant,
transaction=mock.ANY))
self._check_call_list(expected_create_calls,
mgr.ensure_external_epg_created.call_args_list)
self.assertFalse(mgr.ensure_static_route_deleted.called)
self.assertFalse(mgr.ensure_external_epg_routes_deleted.called)
self.assertFalse(mgr.ensure_next_hop_deleted.called)
# Although the naming convention used here has been chosen poorly,
# I'm separating the tests in order to get the mock re-set.
def test_route_update_add_1(self):
self._test_route_update_add(shared_es=True)
def test_route_update_add_2(self):
self._test_route_update_add(shared_es=False)
def test_route_update_add_edge_nat_mode_1(self):
self._test_route_update_add(shared_es=True, is_edge_nat=True)
def test_route_update_add_edge_nat_mode_2(self):
self._test_route_update_add(shared_es=False, is_edge_nat=True)
def test_es_create_no_cidr_with_routes(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
nh = '172.16.0.1' if self.pre_l3out else '192.168.0.254'
self.create_external_segment(
name='supported',
external_routes=[{'destination': '0.0.0.0/0',
'nexthop': nh}],
expected_res_status=201)
def test_implicit_es_router_gw_ip(self):
self._mock_external_dict([('default', '192.168.0.2/24')])
es = self.create_external_segment(
name='default',
external_routes=[{'destination': '0.0.0.0/0',
'nexthop': None}])['external_segment']
l3p = self.create_l3_policy()['l3_policy']
self.assertEqual(es['id'],
l3p['external_segments'].keys()[0])
self.assertEqual('169.254.0.2',
l3p['external_segments'][es['id']][0])
def _do_test_plug_l3p_to_es_with_multi_ep(self):
# this mode is not supported
if self.driver.per_tenant_nat_epg and self.single_tenant_mode:
return
tenants = (['tenant_a', 'tenant_b', 'tenant_c']
if self.nat_enabled else ['tenant_a'])
self._mock_external_dict([('supported', '192.168.0.2/24')])
ext_routes = ['128.0.0.0/24', '128.0.1.0/24']
es_list = [
self.create_external_segment(
name='supported', cidr='192.168.0.0/24', shared=True,
expected_res_status=201,
external_routes=[{
'destination': ext_routes[x],
'nexthop': '192.168.0.254'}])['external_segment']
for x in range(2)]
ep_list = []
for x in range(len(tenants)):
ep = self.create_external_policy(
name=(x < 2 and APIC_EXTERNAL_EPG or 'other-ext-epg'),
external_segments=[e['id'] for e in es_list],
tenant_id=tenants[x],
expected_res_status=201)['external_policy']
ep_list.append(ep)
mgr = self.driver.apic_manager
mgr.ensure_external_epg_created.reset_mock()
mgr.set_contract_for_external_epg.reset_mock()
ep = ep_list[0]
l3p = self.create_l3_policy(
shared=False,
tenant_id=tenants[0],
external_segments={x['id']: [] for x in es_list},
expected_res_status=201)['l3_policy']
expected_create_calls = []
expected_assoc_calls = []
expected_contract_calls = []
owner = self._tenant(l3p['tenant_id'])
target_owner = self.common_tenant
if self.driver.per_tenant_nat_epg:
target_owner = l3p['tenant_id']
elif self.single_tenant_mode:
target_owner = APIC_SINGLE_TENANT_NAME
if self.nat_enabled:
for es in es_list:
if not self.pre_l3out:
expected_create_calls.append(
mock.call(es['id'], subnet='0.0.0.0/0',
external_epg='default-%s' % es['id'],
owner=(APIC_SINGLE_TENANT_NAME if
self.single_tenant_mode else
self.common_tenant),
transaction=mock.ANY))
expected_create_calls.append(
mock.call("Shd-%s-%s" % (l3p['id'], es['id']),
subnet=es['external_routes'][0]['destination'],
external_epg="Shd-%s-%s" % (l3p['id'], ep['id']),
owner=owner,
transaction=mock.ANY))
expected_assoc_calls.append(
mock.call(owner,
"Shd-%s-%s" % (l3p['id'], es['id']),
"Shd-%s-%s" % (l3p['id'], ep['id']),
"NAT-epg-%s" % es['id'],
target_owner=target_owner,
transaction=mock.ANY))
l3out = es['name' if self.pre_l3out else 'id']
l3out_owner = self._tenant(self.common_tenant)
if self.pre_l3out:
l3out_owner = APIC_PRE_L3OUT_TENANT
nat_contract = "NAT-allow-%s" % es['id']
ext_epg = (ep['name']
if self.pre_l3out else ('default-%s' % es['id']))
expected_contract_calls.append(
mock.call(l3out, nat_contract,
external_epg=ext_epg,
owner=l3out_owner,
provided=True, transaction=mock.ANY))
expected_contract_calls.append(
mock.call(l3out, nat_contract,
external_epg=ext_epg,
owner=l3out_owner,
provided=False, transaction=mock.ANY))
self._check_call_list(expected_create_calls,
mgr.ensure_external_epg_created.call_args_list)
self._check_call_list(expected_assoc_calls,
mgr.associate_external_epg_to_nat_epg.call_args_list)
self._check_call_list(expected_contract_calls,
mgr.set_contract_for_external_epg.call_args_list)
def test_plug_l3p_to_es_with_multi_ep(self):
self._do_test_plug_l3p_to_es_with_multi_ep()
def test_plug_l3p_to_es_with_multi_ep_ptne(self):
self.driver.per_tenant_nat_epg = True
self._do_test_plug_l3p_to_es_with_multi_ep()
class TestExternalSegmentSingleTenant(TestExternalSegment):
def setUp(self):
super(TestExternalSegmentSingleTenant, self).setUp(
single_tenant_mode=True)
class TestExternalSegmentNoNat(TestExternalSegment):
def setUp(self, single_tenant_mode=False):
super(TestExternalSegmentNoNat, self).setUp(nat_enabled=False,
single_tenant_mode=single_tenant_mode)
class TestExternalSegmentNoNatSingleTenant(TestExternalSegmentNoNat):
def setUp(self):
super(TestExternalSegmentNoNatSingleTenant, self).setUp(
single_tenant_mode=True)
class TestExternalSegmentPreL3Out(TestExternalSegment):
def setUp(self, **kwargs):
kwargs['pre_existing_l3out'] = True
super(TestExternalSegmentPreL3Out, self).setUp(**kwargs)
def test_query_l3out_info(self):
self.driver._query_l3out_info = self.orig_query_l3out_info
ctx1 = [{
'l3extRsEctx': {'attributes': {'tDn': 'uni/tn-foo/ctx-foobar'}}}]
mgr = self.driver.apic_manager
mgr.apic.l3extOut.get_subtree.return_value = ctx1
info = self.driver._query_l3out_info('l3out', 'bar_tenant')
self.assertEqual('bar_tenant', info['l3out_tenant'])
self.assertEqual('foobar', info['vrf_name'])
self.assertEqual('foo', info['vrf_tenant'])
mgr.apic.l3extOut.get_subtree.reset_mock()
mgr.apic.l3extOut.get_subtree.return_value = []
info = self.driver._query_l3out_info('l3out', 'bar_tenant')
self.assertEqual(None, info)
expected_calls = [
mock.call('bar_tenant', 'l3out'),
mock.call('common', 'l3out')]
self._check_call_list(
expected_calls, mgr.apic.l3extOut.get_subtree.call_args_list)
def test_l3out_tenant(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
self.driver._query_l3out_info.return_value['l3out_tenant'] = (
apic_mapper.ApicName('some_other_tenant'))
res = self.create_external_segment(name='supported',
tenant_id='a_tenant', cidr='192.168.0.2/24',
expected_res_status=400)
self.assertEqual('PreExistingL3OutInIncorrectTenant',
res['NeutronError']['type'])
tenant_id = self._tenant('some_other_tenant')
self.driver._query_l3out_info.return_value['l3out_tenant'] = (
apic_mapper.ApicName(tenant_id))
self.create_external_segment(name='supported',
tenant_id='some_other_tenant', cidr='192.168.0.2/24',
expected_res_status=201)
def test_edge_nat_wrong_L3out_IF_type_rejected(self):
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat=True)
self.driver._query_l3out_info.return_value['l3out'] = (
[{u'l3extLNodeP':
{u'attributes':
{u'dn': u'uni/tn-common/out-supported/lnodep-Leaf3-4_NP'},
u'children': [{u'l3extLIfP':
{u'children': [{u'l3extRsPathL3OutAtt':
{u'attributes':
{u'ifInstT': u'l3-port'
}}}]}}]}}])
res = self.create_external_segment(
name='supported', expected_res_status=400)
self.assertEqual('EdgeNatWrongL3OutIFType',
res['NeutronError']['type'])
def test_edge_nat_wrong_L3out_OSPF_Auth_type_rejected(self):
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat=True)
self.driver._query_l3out_info.return_value['l3out'] = (
[{u'l3extLNodeP':
{u'attributes':
{u'dn': u'uni/tn-common/out-supported/lnodep-Leaf3-4_NP'},
u'children': [{u'l3extLIfP':
{u'children': [{u'ospfIfP':
{u'attributes':
{u'authType': u'simple'
}}}]}}]}}])
res = self.create_external_segment(
name='supported', expected_res_status=400)
self.assertEqual('EdgeNatWrongL3OutAuthTypeForOSPF',
res['NeutronError']['type'])
def test_edge_nat_wrong_L3out_BGP_Auth_type_rejected(self):
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat=True)
self.driver._query_l3out_info.return_value['l3out'] = (
[{u'l3extLNodeP':
{u'attributes':
{u'dn': u'uni/tn-common/out-supported/lnodep-Leaf3-4_NP'},
u'children': [{u'l3extLIfP':
{u'children': [{u'l3extRsNodeL3OutAtt':
{u'attributes':
{u'type': u'sha1'}}},
{u'bfdIfP':
{u'attributes':
{u'type': u'sha1'}}},
{u'l3extRsNodeL3OutAtt':
{u'attributes':
{u'type': u'sha1'}}}]}}]}}])
res = self.create_external_segment(
name='supported', expected_res_status=400)
self.assertEqual('EdgeNatWrongL3OutAuthTypeForBGP',
res['NeutronError']['type'])
# try again with a good input
self.driver._query_l3out_info.return_value['l3out'] = (
[{u'l3extLNodeP':
{u'attributes':
{u'dn': u'uni/tn-common/out-supported/lnodep-Leaf3-4_NP'},
u'children': [{u'l3extLIfP':
{u'children': [{u'l3extRsNodeL3OutAtt':
{u'attributes':
{u'type': u'sha1'}}},
{u'bfdIfP':
{u'attributes':
{u'type': u'none'}}},
{u'l3extRsNodeL3OutAtt':
{u'attributes':
{u'type': u'sha1'}}}]}}]}}])
res = self.create_external_segment(
name='supported', expected_res_status=201)
class TestExternalSegmentPreL3OutSingleTenant(TestExternalSegmentPreL3Out):
def setUp(self):
super(TestExternalSegmentPreL3OutSingleTenant, self).setUp(
single_tenant_mode=True)
class TestExternalSegmentNoNatPreL3Out(TestExternalSegmentPreL3Out):
def setUp(self, single_tenant_mode=False):
super(TestExternalSegmentNoNatPreL3Out, self).setUp(
nat_enabled=False, single_tenant_mode=single_tenant_mode)
class TestExternalSegmentNoNatPreL3OutSingleTenant(
TestExternalSegmentNoNatPreL3Out):
def setUp(self):
super(TestExternalSegmentNoNatPreL3OutSingleTenant, self).setUp(
single_tenant_mode=True)
class TestExternalPolicy(ApicMappingTestCase):
def test_creation_noop(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(
name='supported', cidr='192.168.0.0/24',
external_routes=[], expected_res_status=201)['external_segment']
self.create_external_policy(
name=APIC_EXTERNAL_EPG,
external_segments=[es['id']], expected_res_status=201)
# Verify called with default route always
owner = self._tenant(es['tenant_id'])
mgr = self.driver.apic_manager
if self.nat_enabled and not self.pre_l3out:
mgr.ensure_external_epg_created.assert_called_once_with(
es['id'], subnet='0.0.0.0/0',
external_epg=("default-%s" % es['id']), owner=owner,
transaction=mock.ANY)
else:
self.assertFalse(mgr.ensure_external_epg_created.called)
mgr.ensure_external_epg_created.reset_mock()
es = self.create_external_segment(
name='unsupported', cidr='192.168.0.0/24', expected_res_status=201,
external_routes=[{'destination': '128.0.0.0/16',
'nexthop': '192.168.0.254'}])['external_segment']
self.create_external_policy(
external_segments=[es['id']], expected_res_status=201)
# Verify noop on unsupported
self.assertFalse(mgr.ensure_external_epg_created.called)
def test_create_shared(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(
name='supported', cidr='192.168.0.0/24',
external_routes=[], shared=True,
expected_res_status=201)['external_segment']
res = self.create_external_policy(
external_segments=[es['id']], shared=True,
expected_res_status=400)
self.assertEqual('SharedExternalPolicyUnsupported',
res['NeutronError']['type'])
def test_update_shared(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(
name='supported', cidr='192.168.0.0/24',
external_routes=[], shared=True,
expected_res_status=201)['external_segment']
ep = self.create_external_policy(
external_segments=[es['id']],
expected_res_status=201)['external_policy']
res = self.update_external_policy(
ep['id'], shared=True, expected_res_status=400)
self.assertEqual('SharedExternalPolicyUnsupported',
res['NeutronError']['type'])
def _test_creation_no_prs(self, shared_es, is_edge_nat=False):
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat)
es_list = [
self.create_external_segment(
name='supported', cidr='192.168.0.0/24', shared=shared_es,
expected_res_status=201,
external_routes=[{
'destination': '128.0.0.0/16',
'nexthop': '192.168.0.254'}])['external_segment']
for x in range(3)]
l3p_list = []
for x in xrange(len(es_list)):
l3p = self.create_l3_policy(
shared=False,
tenant_id=shared_es and 'another' or es_list[x]['tenant_id'],
external_segments={es_list[x]['id']: []},
expected_res_status=201)['l3_policy']
l3p_list.append(l3p)
ep = self.create_external_policy(
name=APIC_EXTERNAL_EPG,
external_segments=[x['id'] for x in es_list],
tenant_id=es_list[0]['tenant_id'] if not shared_es else 'another',
expected_res_status=201)['external_policy']
mgr = self.driver.apic_manager
owner = self._tenant(es_list[0]['tenant_id'], shared_es)
l3p_owner = self._tenant(l3p_list[0]['tenant_id'])
expected_create_calls = []
sub_str = "Shd-%s-%s"
if is_edge_nat:
sub_str = "Auto-%s-%s"
for x in range(len(es_list)):
es = es_list[x]
l3p = l3p_list[x]
if self.nat_enabled:
if not self.pre_l3out:
expected_create_calls.append(
mock.call(es['id'], subnet='0.0.0.0/0',
external_epg="default-%s" % es['id'], owner=owner,
transaction=mock.ANY))
expected_create_calls.append(
mock.call(sub_str % (l3p['id'], es['id']),
subnet='128.0.0.0/16',
external_epg=(sub_str % (l3p['id'], ep['id'])),
owner=l3p_owner,
transaction=mock.ANY))
elif not self.pre_l3out:
expected_create_calls.append(
mock.call(es['id'], subnet='128.0.0.0/16',
external_epg=ep['id'], owner=owner,
transaction=mock.ANY))
self._check_call_list(expected_create_calls,
mgr.ensure_external_epg_created.call_args_list)
if self.nat_enabled:
expected_contract_calls = []
ext_epg_tenant = (APIC_PRE_L3OUT_TENANT if self.pre_l3out
else owner)
for x in range(len(es_list)):
es = es_list[x]
ext_epg = (APIC_EXTERNAL_EPG if self.pre_l3out
else "default-%s" % es['id'])
es_name = es['name' if self.pre_l3out else 'id']
nat_contract = "NAT-allow-%s" % es['id']
expected_contract_calls.extend([
mock.call(es_name, nat_contract,
external_epg=ext_epg, owner=ext_epg_tenant,
provided=True, transaction=mock.ANY),
mock.call(es_name, nat_contract,
external_epg=ext_epg, owner=ext_epg_tenant,
provided=False, transaction=mock.ANY)])
self._check_call_list(expected_contract_calls,
mgr.set_contract_for_external_epg.call_args_list)
else:
self.assertFalse(mgr.set_contract_for_external_epg.called)
# Although the naming convention used here has been chosen poorly,
# I'm separating the tests in order to get the mock re-set.
def test_creation_no_prs_1(self):
self._test_creation_no_prs(shared_es=True)
def test_creation_no_prs_2(self):
self._test_creation_no_prs(shared_es=False)
def test_creation_no_prs_edge_nat_mode_1(self):
self._test_creation_no_prs(shared_es=True, is_edge_nat=True)
def test_creation_no_prs_edge_nat_mode_2(self):
self._test_creation_no_prs(shared_es=False, is_edge_nat=True)
def _test_update_no_prs(self, shared_es, is_edge_nat=False):
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat)
es_list = [
self.create_external_segment(
name='supported', cidr='192.168.0.0/24', shared=shared_es,
expected_res_status=201,
external_routes=[{
'destination': '128.0.0.0/16',
'nexthop': '192.168.0.254'}])['external_segment']
for x in range(3)]
l3p_list = []
for x in xrange(len(es_list)):
l3p = self.create_l3_policy(
shared=False,
tenant_id=shared_es and 'another' or es_list[x]['tenant_id'],
external_segments={es_list[x]['id']: []},
expected_res_status=201)['l3_policy']
l3p_list.append(l3p)
ep = self.create_external_policy(
name=APIC_EXTERNAL_EPG,
tenant_id=es_list[0]['tenant_id'] if not shared_es else 'another',
expected_res_status=201)['external_policy']
ep = self.update_external_policy(
ep['id'], expected_res_status=200, tenant_id=ep['tenant_id'],
external_segments=[x['id'] for x in es_list])['external_policy']
mgr = self.driver.apic_manager
owner = self._tenant(es_list[0]['tenant_id'], shared_es)
l3p_owner = self._tenant(l3p_list[0]['tenant_id'])
expected_create_calls = []
sub_str = "Shd-%s-%s"
if is_edge_nat:
sub_str = "Auto-%s-%s"
for x in range(len(es_list)):
es = es_list[x]
l3p = l3p_list[x]
if self.nat_enabled:
if not self.pre_l3out:
expected_create_calls.append(
mock.call(es['id'], subnet='0.0.0.0/0',
external_epg="default-%s" % es['id'],
owner=owner, transaction=mock.ANY))
expected_create_calls.append(
mock.call(sub_str % (l3p['id'], es['id']),
subnet='128.0.0.0/16',
external_epg=sub_str % (l3p['id'], ep['id']),
owner=l3p_owner, transaction=mock.ANY))
elif not self.pre_l3out:
expected_create_calls.append(
mock.call(es['id'], subnet='128.0.0.0/16',
external_epg=ep['id'],
owner=owner, transaction=mock.ANY))
self._check_call_list(expected_create_calls,
mgr.ensure_external_epg_created.call_args_list)
if self.nat_enabled:
expected_contract_calls = []
ext_epg_tenant = (APIC_PRE_L3OUT_TENANT if self.pre_l3out
else owner)
for x in range(len(es_list)):
es = es_list[x]
ext_epg = (APIC_EXTERNAL_EPG if self.pre_l3out
else "default-%s" % es['id'])
es_name = es['name' if self.pre_l3out else 'id']
nat_contract = "NAT-allow-%s" % es['id']
expected_contract_calls.extend([
mock.call(es_name, nat_contract,
external_epg=ext_epg, owner=ext_epg_tenant,
provided=True, transaction=mock.ANY),
mock.call(es_name, nat_contract,
external_epg=ext_epg, owner=ext_epg_tenant,
provided=False, transaction=mock.ANY)])
self._check_call_list(expected_contract_calls,
mgr.set_contract_for_external_epg.call_args_list)
else:
self.assertFalse(mgr.set_contract_for_external_epg.called)
ep = self.update_external_policy(
ep['id'], expected_res_status=200, tenant_id=ep['tenant_id'],
external_segments=[])['external_policy']
mgr = self.driver.apic_manager
expected_create_calls = []
for x in range(len(es_list)):
es = es_list[x]
l3p = l3p_list[x]
if self.nat_enabled:
if not self.pre_l3out:
expected_create_calls.append(
mock.call(es['id'], owner=owner,
external_epg="default-%s" % es['id']))
expected_create_calls.append(
mock.call(sub_str % (l3p['id'], es['id']),
owner=l3p_owner,
external_epg=sub_str % (l3p['id'], ep['id'])))
elif not self.pre_l3out:
expected_create_calls.append(
mock.call(es['id'], owner=owner, external_epg=ep['id']))
self._check_call_list(expected_create_calls,
mgr.ensure_external_epg_deleted.call_args_list)
if self.nat_enabled and self.pre_l3out:
expected_contract_calls = []
ext_epg_tenant = APIC_PRE_L3OUT_TENANT
for x in range(len(es_list)):
es = es_list[x]
nat_contract = "NAT-allow-%s" % es['id']
expected_contract_calls.extend([
mock.call(es['name'], nat_contract,
external_epg=APIC_EXTERNAL_EPG, owner=ext_epg_tenant,
provided=True, transaction=mock.ANY),
mock.call(es['name'], nat_contract,
external_epg=APIC_EXTERNAL_EPG, owner=ext_epg_tenant,
provided=False, transaction=mock.ANY)])
self._check_call_list(expected_contract_calls,
mgr.unset_contract_for_external_epg.call_args_list)
else:
self.assertFalse(mgr.unset_contract_for_external_epg.called)
# Although the naming convention used here has been chosen poorly,
# I'm separating the tests in order to get the mock re-set.
def test_update_no_prs_1(self):
self._test_update_no_prs(shared_es=True)
def test_update_no_prs_2(self):
self._test_update_no_prs(shared_es=False)
def test_update_no_prs_edge_nat_mode_1(self):
self._test_update_no_prs(shared_es=True, is_edge_nat=True)
def test_update_no_prs_edge_nat_mode_2(self):
self._test_update_no_prs(shared_es=False, is_edge_nat=True)
def _test_create_with_prs(self, shared_es, shared_prs, is_edge_nat=False):
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat)
es_list = [
self.create_external_segment(
name='supported', cidr='192.168.0.0/24', shared=shared_es,
expected_res_status=201,
external_routes=[{
'destination': '128.0.0.0/16',
'nexthop': '192.168.0.254'}])['external_segment']
for x in range(3)]
l3p_list = []
for x in xrange(len(es_list)):
l3p = self.create_l3_policy(
shared=False,
tenant_id=shared_es and 'another' or es_list[x]['tenant_id'],
external_segments={es_list[x]['id']: []},
expected_res_status=201)['l3_policy']
l3p_list.append(l3p)
prov = self._create_policy_rule_set_on_shared(
shared=shared_prs,
tenant_id=es_list[0]['tenant_id'] if not (
shared_es | shared_prs) else 'another')
cons = self._create_policy_rule_set_on_shared(
shared=shared_prs,
tenant_id=es_list[0]['tenant_id'] if not (
shared_es | shared_prs) else 'another')
ep = self.create_external_policy(
name=APIC_EXTERNAL_EPG,
provided_policy_rule_sets={prov['id']: ''},
consumed_policy_rule_sets={cons['id']: ''},
tenant_id=es_list[0]['tenant_id'] if not shared_es else 'another',
external_segments=[x['id'] for x in es_list],
expected_res_status=201)['external_policy']
mgr = self.driver.apic_manager
owner = self._tenant(es_list[0]['tenant_id'], shared_es)
l3p_owner = self._tenant(l3p_list[0]['tenant_id'])
expected_calls = []
for x in range(len(es_list)):
es = es_list[x]
l3p = l3p_list[x]
nat = self.nat_enabled
external_epg = APIC_EXTERNAL_EPG if self.pre_l3out else (
("default-%s" % es['id']) if nat else ep['id'])
ext_epg_tenant = (APIC_PRE_L3OUT_TENANT if self.pre_l3out else
owner)
es_name = es['name' if self.pre_l3out else 'id']
expected_calls.append(
mock.call(es_name,
("NAT-allow-%s" % es['id']) if nat else prov['id'],
external_epg=external_epg,
provided=True, owner=ext_epg_tenant,
transaction=mock.ANY))
expected_calls.append(
mock.call(es_name,
("NAT-allow-%s" % es['id']) if nat else cons['id'],
external_epg=external_epg,
provided=False, owner=ext_epg_tenant,
transaction=mock.ANY))
if nat:
sub_str = "Shd-%s-%s"
if is_edge_nat:
sub_str = "Auto-%s-%s"
expected_calls.append(
mock.call(sub_str % (l3p['id'], es['id']), prov['id'],
external_epg=(sub_str % (l3p['id'], ep['id'])),
provided=True, owner=l3p_owner,
transaction=mock.ANY))
expected_calls.append(
mock.call(sub_str % (l3p['id'], es['id']), cons['id'],
external_epg=(sub_str % (l3p['id'], ep['id'])),
provided=False, owner=l3p_owner,
transaction=mock.ANY))
self._check_call_list(expected_calls,
mgr.set_contract_for_external_epg.call_args_list)
# Although the naming convention used here has been chosen poorly,
# I'm separating the tests in order to get the mock re-set.
def test_create_with_prs_1(self):
self._test_create_with_prs(shared_es=True, shared_prs=True)
def test_create_with_prs_2(self):
self._test_create_with_prs(shared_es=True, shared_prs=False)
def test_create_with_prs_3(self):
self._test_create_with_prs(shared_es=False, shared_prs=False)
def test_create_with_prs_4(self):
self._test_create_with_prs(shared_es=False, shared_prs=True)
def test_create_with_prs_edge_nat_mode_1(self):
self._test_create_with_prs(shared_es=True, shared_prs=True,
is_edge_nat=True)
def test_create_with_prs_edge_nat_mode_2(self):
self._test_create_with_prs(shared_es=True, shared_prs=False,
is_edge_nat=True)
def test_create_with_prs_edge_nat_mode_3(self):
self._test_create_with_prs(shared_es=False, shared_prs=False,
is_edge_nat=True)
def test_create_with_prs_edge_nat_mode_4(self):
self._test_create_with_prs(shared_es=False, shared_prs=True,
is_edge_nat=True)
def _test_update_add_prs(self, shared_es, shared_prs, is_edge_nat=False):
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat)
es_list = [
self.create_external_segment(
name='supported', cidr='192.168.0.0/24', shared=shared_es,
expected_res_status=201,
external_routes=[{
'destination': '128.0.0.0/16',
'nexthop': '192.168.0.254'}])['external_segment']
for x in range(3)]
l3p_list = []
for x in xrange(len(es_list)):
l3p = self.create_l3_policy(
shared=False,
tenant_id=shared_es and 'another' or es_list[x]['tenant_id'],
external_segments={es_list[x]['id']: []},
expected_res_status=201)['l3_policy']
l3p_list.append(l3p)
prov = self._create_policy_rule_set_on_shared(
shared=shared_prs, tenant_id=es_list[0]['tenant_id'] if not (
shared_es | shared_prs) else 'another')
cons = self._create_policy_rule_set_on_shared(
shared=shared_prs, tenant_id=es_list[0]['tenant_id'] if not (
shared_es | shared_prs) else 'another')
ep = self.create_external_policy(
name=APIC_EXTERNAL_EPG,
external_segments=[x['id'] for x in es_list],
tenant_id=es_list[0]['tenant_id'] if not shared_es else 'another',
expected_res_status=201)['external_policy']
ep = self.update_external_policy(
ep['id'], expected_res_status=200, tenant_id=ep['tenant_id'],
provided_policy_rule_sets={prov['id']: ''},
consumed_policy_rule_sets={cons['id']: ''})['external_policy']
mgr = self.driver.apic_manager
owner = self._tenant(es_list[0]['tenant_id'], shared_es)
l3p_owner = self._tenant(l3p_list[0]['tenant_id'])
expected_calls = []
nat = self.nat_enabled
sub_str = "Shd-%s-%s"
if is_edge_nat:
sub_str = "Auto-%s-%s"
for x in range(len(es_list)):
es = es_list[x]
l3p = l3p_list[x]
external_epg = APIC_EXTERNAL_EPG if self.pre_l3out else (
("default-%s" % es['id']) if nat else ep['id'])
ext_epg_tenant = (APIC_PRE_L3OUT_TENANT if self.pre_l3out else
owner)
es_name = es['name' if self.pre_l3out else 'id']
expected_calls.append(
mock.call(es_name,
("NAT-allow-%s" % es['id']) if nat else prov['id'],
external_epg=external_epg,
provided=True, owner=ext_epg_tenant,
transaction=mock.ANY))
expected_calls.append(
mock.call(es_name,
("NAT-allow-%s" % es['id']) if nat else cons['id'],
external_epg=external_epg,
provided=False, owner=ext_epg_tenant,
transaction=mock.ANY))
if nat:
expected_calls.append(
mock.call(sub_str % (l3p['id'], es['id']), prov['id'],
external_epg=(sub_str % (l3p['id'], ep['id'])),
provided=True, owner=l3p_owner,
transaction=mock.ANY))
expected_calls.append(
mock.call(sub_str % (l3p['id'], es['id']), cons['id'],
external_epg=(sub_str % (l3p['id'], ep['id'])),
provided=False, owner=l3p_owner,
transaction=mock.ANY))
self._check_call_list(expected_calls,
mgr.set_contract_for_external_epg.call_args_list)
ep = self.update_external_policy(
ep['id'], expected_res_status=200, provided_policy_rule_sets={},
consumed_policy_rule_sets={},
tenant_id=ep['tenant_id'])['external_policy']
expected_calls = []
for x in range(len(es_list)):
es = es_list[x]
l3p = l3p_list[x]
if nat:
expected_calls.append(
mock.call(sub_str % (l3p['id'], es['id']), prov['id'],
external_epg=(sub_str % (l3p['id'], ep['id'])),
provided=True, owner=l3p_owner,
transaction=mock.ANY))
expected_calls.append(
mock.call(sub_str % (l3p['id'], es['id']), cons['id'],
external_epg=(sub_str % (l3p['id'], ep['id'])),
provided=False, owner=l3p_owner,
transaction=mock.ANY))
else:
external_epg = (APIC_EXTERNAL_EPG if self.pre_l3out
else ep['id'])
ext_epg_tenant = (APIC_PRE_L3OUT_TENANT if self.pre_l3out else
owner)
es_name = es['name' if self.pre_l3out else 'id']
expected_calls.append(
mock.call(es_name, prov['id'],
external_epg=external_epg,
provided=True, owner=ext_epg_tenant,
transaction=mock.ANY))
expected_calls.append(
mock.call(es_name, cons['id'],
external_epg=external_epg,
provided=False, owner=ext_epg_tenant,
transaction=mock.ANY))
self._check_call_list(
expected_calls, mgr.unset_contract_for_external_epg.call_args_list)
# Although the naming convention used here has been chosen poorly,
# I'm separating the tests in order to get the mock re-set.
def test_update_add_prs_1(self):
self._test_update_add_prs(shared_es=True, shared_prs=True)
def test_update_add_prs_2(self):
self._test_update_add_prs(shared_es=True, shared_prs=False)
def test_update_add_prs_3(self):
self._test_update_add_prs(shared_es=False, shared_prs=False)
def test_update_add_prs_4(self):
self._test_update_add_prs(shared_es=False, shared_prs=True)
def test_update_add_prs_edge_nat_mode_1(self):
self._test_update_add_prs(shared_es=True, shared_prs=True,
is_edge_nat=True)
def test_update_add_prs_edge_nat_mode_2(self):
self._test_update_add_prs(shared_es=True, shared_prs=False,
is_edge_nat=True)
def test_update_add_prs_edge_nat_mode_3(self):
self._test_update_add_prs(shared_es=False, shared_prs=False,
is_edge_nat=True)
def test_update_add_prs_edge_nat_mode_4(self):
self._test_update_add_prs(shared_es=False, shared_prs=True,
is_edge_nat=True)
def test_update_add_prs_unsupported(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(
name='unsupported', cidr='192.168.0.0/24', expected_res_status=201,
external_routes=[{'destination': '128.0.0.0/16',
'nexthop': '192.168.0.254'}])['external_segment']
prov = self._create_policy_rule_set_on_shared()
cons = self._create_policy_rule_set_on_shared()
ep = self.create_external_policy(
external_segments=[es['id']],
expected_res_status=201)['external_policy']
self.update_external_policy(
ep['id'], expected_res_status=200, tenant_id=ep['tenant_id'],
provided_policy_rule_sets={prov['id']: ''},
consumed_policy_rule_sets={cons['id']: ''})['external_policy']
mgr = self.driver.apic_manager
self.assertFalse(mgr.set_contract_for_external_epg.called)
def _test_multi_policy_single_tenant(self, shared_es):
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(
name='supported', cidr='192.168.0.0/24',
expected_res_status=201, shared=shared_es,
external_routes=[{
'destination': '128.0.0.0/16',
'nexthop': '192.168.0.254'}])['external_segment']
owner = 'another' if shared_es else es['tenant_id']
self.create_external_policy(
external_segments=[es['id']],
tenant_id=owner,
expected_res_status=201)
res = self.create_external_policy(
external_segments=[es['id']],
tenant_id=owner,
expected_res_status=400)
self.assertEqual('MultipleExternalPoliciesForL3Policy',
res['NeutronError']['type'])
# create another external policy and update it to use external-segment
ep2 = self.create_external_policy(
tenant_id=owner,
expected_res_status=201)['external_policy']
res = self.update_external_policy(
ep2['id'], external_segments=[es['id']],
tenant_id=owner,
expected_res_status=400)
self.assertEqual('MultipleExternalPoliciesForL3Policy',
res['NeutronError']['type'])
def test_multi_policy_single_tenant_1(self):
self._test_multi_policy_single_tenant(True)
def test_multi_policy_single_tenant_2(self):
self._test_multi_policy_single_tenant(False)
def test_multi_policy_multi_tenant(self):
tenants = (['tenant_a', 'tenant_b', 'tenant_c']
if self.nat_enabled else ['tenant_a'])
self._mock_external_dict([('supported', '192.168.0.2/24')])
ext_routes = ['128.0.0.0/24', '128.0.1.0/24']
es_list = [
self.create_external_segment(
name='supported', cidr='192.168.0.0/24', shared=True,
expected_res_status=201,
external_routes=[{
'destination': ext_routes[x],
'nexthop': '192.168.0.254'}])['external_segment']
for x in range(2)]
l3p_list = []
for x in xrange(len(tenants)):
l3p = self.create_l3_policy(
shared=False,
tenant_id=tenants[x],
external_segments={x['id']: [] for x in es_list},
expected_res_status=201)['l3_policy']
l3p_list.append(l3p)
# create external-policy
ep_list = []
mgr = self.driver.apic_manager
owner = self._tenant(self.common_tenant)
for x in range(len(tenants)):
ep = self.create_external_policy(
name=APIC_EXTERNAL_EPG,
external_segments=[e['id'] for e in es_list],
tenant_id=tenants[x],
expected_res_status=201)['external_policy']
ep_list.append(ep)
l3p = l3p_list[x]
expected_calls = []
for es in es_list:
if self.nat_enabled:
if not self.pre_l3out:
expected_calls.append(
mock.call(es['id'], subnet='0.0.0.0/0',
external_epg="default-%s" % es['id'],
owner=owner,
transaction=mock.ANY))
expected_calls.append(
mock.call("Shd-%s-%s" % (l3p['id'], es['id']),
subnet=es['external_routes'][0]['destination'],
external_epg=("Shd-%s-%s" % (l3p['id'], ep['id'])),
owner=(APIC_SINGLE_TENANT_NAME if
self.single_tenant_mode else tenants[x]),
transaction=mock.ANY))
elif not self.pre_l3out:
expected_calls.append(
mock.call(es['id'],
subnet=es['external_routes'][0]['destination'],
external_epg=ep['id'], owner=owner,
transaction=mock.ANY))
self._check_call_list(expected_calls,
mgr.ensure_external_epg_created.call_args_list)
mgr.ensure_external_epg_created.reset_mock()
# delete external-policy
expected_calls = []
for x in range(len(tenants)):
ep = ep_list[x]
self.delete_external_policy(
ep['id'], tenant_id=ep['tenant_id'],
expected_res_status=webob.exc.HTTPNoContent.code)
l3p = l3p_list[x]
for es in es_list:
if self.nat_enabled:
expected_calls.append(
mock.call("Shd-%s-%s" % (l3p['id'], es['id']),
external_epg=("Shd-%s-%s" % (l3p['id'], ep['id'])),
owner=(APIC_SINGLE_TENANT_NAME if
self.single_tenant_mode else tenants[x])))
elif not self.pre_l3out:
expected_calls.append(
mock.call(es['id'], external_epg=ep['id'],
owner=owner))
if self.nat_enabled and not self.pre_l3out:
for es in es_list:
expected_calls.append(
mock.call(es['id'], external_epg="default-%s" % es['id'],
owner=owner))
self._check_call_list(expected_calls,
mgr.ensure_external_epg_deleted.call_args_list)
class TestExternalPolicySingleTenant(TestExternalPolicy):
def setUp(self):
super(TestExternalPolicySingleTenant, self).setUp(
single_tenant_mode=True)
class TestExternalPolicyNoNat(TestExternalPolicy):
def setUp(self, single_tenant_mode=False):
super(TestExternalPolicyNoNat, self).setUp(nat_enabled=False,
single_tenant_mode=single_tenant_mode)
class TestExternalPolicyNoNatSingleTenant(TestExternalPolicyNoNat):
def setUp(self):
super(TestExternalPolicyNoNatSingleTenant, self).setUp(
single_tenant_mode=True)
class TestExternalPolicyPreL3Out(TestExternalPolicy):
def setUp(self, single_tenant_mode=False):
super(TestExternalPolicyPreL3Out, self).setUp(
pre_existing_l3out=True, single_tenant_mode=single_tenant_mode)
def test_multi_tenant_delete(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(
name='supported', cidr='192.168.0.0/24', shared=True,
expected_res_status=201)['external_segment']
ep_list = [
self.create_external_policy(
name=APIC_EXTERNAL_EPG,
external_segments=[es['id']],
tenant_id=tnnt,
expected_res_status=201)['external_policy']
for tnnt in ['tenant_a', 'tenant_b', 'tenant_c']]
for ep in ep_list:
self.delete_external_policy(
ep['id'], tenant_id=ep['tenant_id'],
expected_res_status=webob.exc.HTTPNoContent.code)
nat_contract = "NAT-allow-%s" % es['id']
expected_calls = [
mock.call(es['name'], nat_contract,
external_epg=APIC_EXTERNAL_EPG,
provided=True, owner=APIC_PRE_L3OUT_TENANT,
transaction=mock.ANY),
mock.call(es['name'], nat_contract,
external_epg=APIC_EXTERNAL_EPG,
provided=False, owner=APIC_PRE_L3OUT_TENANT,
transaction=mock.ANY)
]
mgr = self.driver.apic_manager
self._check_call_list(expected_calls,
mgr.unset_contract_for_external_epg.call_args_list)
def test_multi_tenant_update_dissociate(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(
name='supported', cidr='192.168.0.0/24', shared=True,
expected_res_status=201)['external_segment']
ep_list = [
self.create_external_policy(
name=APIC_EXTERNAL_EPG,
external_segments=[es['id']],
tenant_id=tnnt,
expected_res_status=201)['external_policy']
for tnnt in ['tenant_a', 'tenant_b', 'tenant_c']]
for ep in ep_list:
self.update_external_policy(
ep['id'], tenant_id=ep['tenant_id'],
external_segments=[],
expected_res_status=200)
nat_contract = "NAT-allow-%s" % es['id']
expected_calls = [
mock.call(es['name'], nat_contract,
external_epg=APIC_EXTERNAL_EPG,
provided=True, owner=APIC_PRE_L3OUT_TENANT,
transaction=mock.ANY),
mock.call(es['name'], nat_contract,
external_epg=APIC_EXTERNAL_EPG,
provided=False, owner=APIC_PRE_L3OUT_TENANT,
transaction=mock.ANY)
]
mgr = self.driver.apic_manager
self._check_call_list(expected_calls,
mgr.unset_contract_for_external_epg.call_args_list)
class TestExternalPolicyPreL3OutSingleTenant(TestExternalPolicyPreL3Out):
def setUp(self):
super(TestExternalPolicyPreL3OutSingleTenant, self).setUp(
single_tenant_mode=True)
class TestExternalPolicyNoNatPreL3Out(TestExternalPolicy):
def setUp(self, single_tenant_mode=False):
super(TestExternalPolicyNoNatPreL3Out, self).setUp(
nat_enabled=False, pre_existing_l3out=True,
single_tenant_mode=single_tenant_mode)
class TestExternalPolicyNoNatPreL3OutSingleTenant(
TestExternalPolicyNoNatPreL3Out):
def setUp(self):
super(TestExternalPolicyNoNatPreL3OutSingleTenant, self).setUp(
single_tenant_mode=True)
class TestNatPool(ApicMappingTestCase):
def test_overlap_nat_pool_create(self):
self._mock_external_dict([('supported', '192.168.0.2/24')])
mgr = self.driver.apic_manager
mgr.ext_net_dict['supported']['host_pool_cidr'] = '192.168.200.1/24'
es = self.create_external_segment(name='supported',
expected_res_status=webob.exc.HTTPCreated.code)['external_segment']
# cidr_exposed overlap
res = self.create_nat_pool(
external_segment_id=es['id'],
ip_version=4, ip_pool='192.168.0.0/24',
expected_res_status=webob.exc.HTTPBadRequest.code)
self.assertEqual('NatPoolOverlapsApicSubnet',
res['NeutronError']['type'])
# host-pool overlap
res = self.create_nat_pool(
external_segment_id=es['id'],
ip_version=4, ip_pool='192.168.200.0/24',
expected_res_status=webob.exc.HTTPBadRequest.code)
self.assertEqual('NatPoolOverlapsApicSubnet',
res['NeutronError']['type'])
def test_overlap_nat_pool_update(self):
self._mock_external_dict([('supported', '192.168.0.2/24'),
('supported1', '192.168.1.2/24')])
es1 = self.create_external_segment(name='supported',
expected_res_status=webob.exc.HTTPCreated.code)['external_segment']
es2 = self.create_external_segment(name='supported1',
expected_res_status=webob.exc.HTTPCreated.code)['external_segment']
nat_pool = self.create_nat_pool(
external_segment_id=es1['id'],
ip_version=4, ip_pool='192.168.1.0/24',
expected_res_status=webob.exc.HTTPCreated.code)['nat_pool']
res = self.update_nat_pool(nat_pool['id'],
external_segment_id=es2['id'],
expected_res_status=webob.exc.HTTPBadRequest.code)
self.assertEqual('NatPoolOverlapsApicSubnet',
res['NeutronError']['type'])
def _test_nat_bd_subnet_created_deleted(self, shared, is_edge_nat=False):
self._mock_external_dict([('supported', '192.168.0.2/24')],
is_edge_nat)
es = self.create_external_segment(name='supported',
expected_res_status=webob.exc.HTTPCreated.code,
shared=shared)['external_segment']
nat_pool = self.create_nat_pool(
external_segment_id=es['id'],
ip_version=4, ip_pool='192.168.1.0/24', shared=shared,
expected_res_status=webob.exc.HTTPCreated.code)['nat_pool']
owner = self._tenant(es['tenant_id'], shared)
mgr = self.driver.apic_manager
if self.nat_enabled and not is_edge_nat:
mgr.ensure_subnet_created_on_apic.assert_called_with(
owner, "NAT-bd-%s" % es['id'], '192.168.1.1/24')
else:
self.assertFalse(mgr.ensure_subnet_created_on_apic.called)
self.delete_nat_pool(nat_pool['id'],
expected_res_status=webob.exc.HTTPNoContent.code)
if self.nat_enabled and not is_edge_nat:
mgr.ensure_subnet_deleted_on_apic.assert_called_with(
owner, "NAT-bd-%s" % es['id'], '192.168.1.1/24')
else:
self.assertFalse(mgr.ensure_subnet_deleted_on_apic.called)
def test_nat_bd_subnet_create_delete_unshared(self):
self._test_nat_bd_subnet_created_deleted(False)
def test_nat_bd_subnet_create_delete_shared(self):
self._test_nat_bd_subnet_created_deleted(True)
def test_nat_bd_subnet_create_delete_unshared_edge_nat(self):
self._test_nat_bd_subnet_created_deleted(False, is_edge_nat=True)
def test_nat_bd_subnet_create_delete_shared_edge_nat(self):
self._test_nat_bd_subnet_created_deleted(True, is_edge_nat=True)
def _test_nat_bd_subnet_updated(self, shared, is_edge_nat=False):
self._mock_external_dict([('supported', '192.168.0.2/24'),
('supported1', '192.168.10.2/24')],
is_edge_nat)
es1 = self.create_external_segment(name='supported',
expected_res_status=webob.exc.HTTPCreated.code,
shared=shared)['external_segment']
es2 = self.create_external_segment(name='supported1',
expected_res_status=webob.exc.HTTPCreated.code,
shared=shared)['external_segment']
nat_pool = self.create_nat_pool(
external_segment_id=es1['id'],
ip_version=4, ip_pool='192.168.1.0/24', shared=shared,
expected_res_status=webob.exc.HTTPCreated.code)['nat_pool']
owner = self._tenant(es1['tenant_id'], shared)
mgr = self.driver.apic_manager
mgr.ensure_subnet_created_on_apic.reset_mock()
nat_pool = self.update_nat_pool(nat_pool['id'],
external_segment_id=es2['id'],
expected_res_status=webob.exc.HTTPOk.code)['nat_pool']
if self.nat_enabled and not is_edge_nat:
mgr.ensure_subnet_deleted_on_apic.assert_called_with(
owner, "NAT-bd-%s" % es1['id'], '192.168.1.1/24')
mgr.ensure_subnet_created_on_apic.assert_called_with(
owner, "NAT-bd-%s" % es2['id'], '192.168.1.1/24')
else:
self.assertFalse(mgr.ensure_subnet_created_on_apic.called)
self.assertFalse(mgr.ensure_subnet_deleted_on_apic.called)
def test_nat_bd_subnet_update_unshared(self):
self._test_nat_bd_subnet_updated(False)
def test_nat_bd_subnet_update_shared(self):
self._test_nat_bd_subnet_updated(True)
def test_nat_bd_subnet_update_unshared_edge_nat(self):
self._test_nat_bd_subnet_updated(False, is_edge_nat=True)
def test_nat_bd_subnet_update_shared_edge_nat(self):
self._test_nat_bd_subnet_updated(True, is_edge_nat=True)
def _test_create_fip(self, shared):
self._mock_external_dict([('supported', '192.168.0.2/24')])
es = self.create_external_segment(name='supported',
expected_res_status=webob.exc.HTTPCreated.code,
shared=shared)['external_segment']
self.create_nat_pool(external_segment_id=es['id'],
ip_version=4, ip_pool='192.168.1.0/24', shared=shared,
expected_res_status=webob.exc.HTTPCreated.code)
subnet = self._get_object('subnets', es['subnet_id'],
self.api)['subnet']
fip_dict = {'floating_network_id': subnet['network_id']}
fip = self.l3plugin.create_floatingip(
context.get_admin_context(),
{'floatingip': fip_dict,
'tenant_id': es['tenant_id']})
self.assertIsNotNone(fip)
self.assertTrue(
netaddr.IPAddress(fip['floating_ip_address']) in
netaddr.IPNetwork('192.168.1.0/24'))
def test_create_fip(self):
self._test_create_fip(False)
def test_create_fip_shared(self):
self._test_create_fip(True)
class TestNatPoolSingleTenant(TestNatPool):
def setUp(self):
super(TestNatPoolSingleTenant, self).setUp(
single_tenant_mode=True)
class TestNatPoolNoNat(TestNatPool):
def setUp(self, single_tenant_mode=False):
super(TestNatPoolNoNat, self).setUp(nat_enabled=False,
single_tenant_mode=single_tenant_mode)
class TestNatPoolNoNatSingleTenant(TestNatPoolNoNat):
def setUp(self):
super(TestNatPoolNoNatSingleTenant, self).setUp(
single_tenant_mode=True)
View Git Blame Copy Permalink