2 Documentation Test suite to verify security groups basic and advanced functionalities, including negative tests.
3 ... These test cases are not so relevant for transparent mode, so each test case will be tagged with
4 ... "skip_if_transparent" to allow any underlying keywords to return with a PASS without risking
5 ... a false failure. The real value of this suite will be in stateful mode.
6 Suite Setup BuiltIn.Run Keywords SetupUtils.Setup_Utils_For_Setup_And_Teardown
7 ... AND DevstackUtils.Devstack Suite Setup
8 Suite Teardown Close All Connections
9 Test Setup SetupUtils.Setup_Test_With_Logging_And_Without_Fast_Failing
10 Test Teardown Get Test Teardown Debugs
11 Force Tags skip_if_${SECURITY_GROUP_MODE}
13 Library OperatingSystem
14 Library RequestsLibrary
15 Resource ../../../libraries/DevstackUtils.robot
16 Resource ../../../libraries/OpenStackOperations.robot
17 Resource ../../../libraries/SetupUtils.robot
18 Resource ../../../libraries/Utils.robot
19 Resource ../../../libraries/KarafKeywords.robot
22 @{NETWORKS_NAME} network_1 network_2
23 @{SUBNETS_NAME} l2_subnet_1 l2_subnet_2
24 @{NET_1_VM_INSTANCES} MyFirstInstance_1 MySecondInstance_1
25 @{NET_2_VM_INSTANCES} MyThirdInstance_3
26 @{SUBNETS_RANGE} 30.0.0.0/24 40.0.0.0/24
29 Create VXLAN Network (network_1)
30 [Documentation] Create Network with neutron request.
31 Create Network @{NETWORKS_NAME}[0]
33 Create Subnets For network_1
34 [Documentation] Create Sub Nets for the Networks with neutron request.
35 Create SubNet @{NETWORKS_NAME}[0] @{SUBNETS_NAME}[0] @{SUBNETS_RANGE}[0]
37 Create VXLAN Network (network_2)
38 [Documentation] Create Network with neutron request.
39 Create Network @{NETWORKS_NAME}[1]
41 Create Subnets For network_2
42 [Documentation] Create Sub Nets for the Networks with neutron request.
43 Create SubNet @{NETWORKS_NAME}[1] @{SUBNETS_NAME}[1] @{SUBNETS_RANGE}[1]
46 [Documentation] Allow only TCP packets for this suite
47 Security Group Create Without Default Security Rules csit-remote-sgs
48 Neutron Security Group Rule Create csit-remote-sgs direction=ingress port_range_max=65535 port_range_min=1 protocol=tcp
49 Neutron Security Group Rule Create csit-remote-sgs direction=egress port_range_max=65535 port_range_min=1 protocol=tcp
50 Neutron Security Group Show csit-remote-sgs
52 Create Vm Instances For network_1
53 [Documentation] Create VM instances using flavor and image names for a network.
54 Create Vm Instances network_1 ${NET_1_VM_INSTANCES} sg=csit-remote-sgs
56 Create Vm Instances For network_2
57 [Documentation] Create VM instances using flavor and image names for a network.
58 Create Vm Instances network_2 ${NET_2_VM_INSTANCES} sg=csit-remote-sgs
60 Check Vm Instances Have Ip Address
61 [Documentation] Test case to verify that all created VMs are ready and have received their ip addresses.
62 ... We are polling first and longest on the last VM created assuming that if it's received it's address
63 ... already the other instances should have theirs already or at least shortly thereafter.
64 # first, ensure all VMs are in ACTIVE state. if not, we can just fail the test case and not waste time polling
66 : FOR ${vm} IN @{NET_1_VM_INSTANCES}
67 \ Wait Until Keyword Succeeds 15s 5s Verify VM Is ACTIVE ${vm}
68 ${status} ${message} Run Keyword And Ignore Error Wait Until Keyword Succeeds 60s 5s Collect VM IP Addresses
69 ... true @{NET_1_VM_INSTANCES}
70 ${NET1_VM_IPS} ${NET1_DHCP_IP} Collect VM IP Addresses false @{NET_1_VM_INSTANCES}
71 ${NET2_VM_IPS} ${NET2_DHCP_IP} Collect VM IP Addresses false @{NET_2_VM_INSTANCES}
72 ${VM_INSTANCES}= Collections.Combine Lists ${NET_1_VM_INSTANCES}
73 ${VM_IPS}= Collections.Combine Lists ${NET1_VM_IPS}
74 ${LOOP_COUNT} Get Length ${VM_INSTANCES}
75 : FOR ${index} IN RANGE 0 ${LOOP_COUNT}
76 \ ${status} ${message} Run Keyword And Ignore Error Should Not Contain @{VM_IPS}[${index}] None
77 \ Run Keyword If '${status}' == 'FAIL' Write Commands Until Prompt nova console-log @{VM_INSTANCES}[${index}] 30s
78 Set Suite Variable ${NET1_VM_IPS}
79 Set Suite Variable ${NET1_DHCP_IP}
80 Should Not Contain ${NET1_VM_IPS} None
81 Should Not Contain ${NET1_DHCP_IP} None
82 Set Suite Variable ${NET2_VM_IPS}
83 Set Suite Variable ${NET2_DHCP_IP}
84 Should Not Contain ${NET2_VM_IPS} None
85 Should Not Contain ${NET2_DHCP_IP} None
86 [Teardown] Run Keywords Show Debugs @{NET_1_VM_INSTANCES}
87 ... AND Get Test Teardown Debugs
89 No Ping From DHCP To Vm Instance1
90 [Documentation] Check non-reachability of vm instances by pinging to them.
91 Ping From DHCP Should Not Succeed network_1 @{NET1_VM_IPS}[0]
93 No Ping From DHCP To Vm Instance2
94 [Documentation] Check non-reachability of vm instances by pinging to them.
95 Ping From DHCP Should Not Succeed network_1 @{NET1_VM_IPS}[1]
97 No Ping From Vm Instance1 To Vm Instance2
98 [Documentation] Login to the vm instance and test some operations
99 ${VM2_LIST} Create List @{NET1_VM_IPS}[1]
100 # in transparent mode the behavior is the same as with no SG, so this ping would still work.
101 ${expect_ping_to_work}= Set Variable If "skip_if_transparent" in @{TEST_TAGS} True False
102 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[0] ${VM2_LIST} ping_should_succeed=${expect_ping_to_work}
104 No Ping From Vm Instance2 To Vm Instance1
105 [Documentation] Login to the vm instance and test operations
106 ${VM1_LIST} Create List @{NET1_VM_IPS}[0]
107 # in transparent mode the behavior is the same as with no SG, so this ping would still work.
108 ${expect_ping_to_work}= Set Variable If "skip_if_transparent" in @{TEST_TAGS} True False
109 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[1] ${VM1_LIST} ping_should_succeed=${expect_ping_to_work}
111 Add Ping Allow Rules With Remote SG (only between VMs)
112 Neutron Security Group Rule Create Legacy Cli csit-remote-sgs direction=ingress protocol=icmp remote_group_id=csit-remote-sgs
113 Neutron Security Group Rule Create Legacy Cli csit-remote-sgs direction=egress protocol=icmp remote_group_id=csit-remote-sgs
114 Neutron Security Group Show csit-remote-sgs
116 Verify No Ping From DHCP To Vm Instance1
117 [Documentation] Check non-reachability of vm instances by pinging to them.
118 Ping From DHCP Should Not Succeed network_1 @{NET1_VM_IPS}[0]
120 Verify No Ping From DHCP To Vm Instance2
121 [Documentation] Check non-reachability of vm instances by pinging to them.
122 Ping From DHCP Should Not Succeed network_1 @{NET1_VM_IPS}[1]
124 Ping From Vm Instance1 To Vm Instance2
125 [Documentation] Login to the vm instance and test some operations
126 ${VM2_LIST} Create List @{NET1_VM_IPS}[1]
127 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[0] ${VM2_LIST}
129 Ping From Vm Instance2 To Vm Instance1
130 [Documentation] Login to the vm instance and test operations
131 ${VM1_LIST} Create List @{NET1_VM_IPS}[0]
132 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[1] ${VM1_LIST}
135 [Documentation] Create Router and Add Interface to the subnets.
136 OpenStackOperations.Create Router router1
138 Add Interfaces To Router
139 [Documentation] Add Interfaces
140 : FOR ${interface} IN @{SUBNETS_NAME}
141 \ OpenStackOperations.Add Router Interface router1 ${interface}
143 Ping From Vm Instance1 To Vm Instance3
144 [Documentation] Login to the vm instance and test some operations
145 ${VM3_LIST} Create List @{NET2_VM_IPS}[0]
146 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[0] ${VM3_LIST}
148 Repeat Ping From Vm Instance1 To Vm Instance2 With a Router
149 [Documentation] Login to the vm instance and test some operations
150 ${VM2_LIST} Create List @{NET1_VM_IPS}[1]
151 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[0] ${VM2_LIST}
153 Repeat Ping From Vm Instance2 To Vm Instance1 With a Router
154 [Documentation] Login to the vm instance and test operations
155 ${VM1_LIST} Create List @{NET1_VM_IPS}[0]
156 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[1] ${VM1_LIST}
158 Add Additional Security Group To VMs
159 [Documentation] Add an additional security group to the VMs - this is done to test a different logic put in place for ports with multiple SGs
160 Security Group Create Without Default Security Rules additional-sg
161 #TODO Remove this after the Newton jobs are removed, Openstack CLI with Newton lacks support to configure rule with remote_ip_prefix
162 Neutron Security Group Rule Create Legacy Cli additional-sg direction=ingress protocol=icmp remote_ip_prefix=@{NET1_DHCP_IP}[0]/32
163 Neutron Security Group Show additional-sg
164 : FOR ${VM} IN @{NET_1_VM_INSTANCES}
165 \ Add Security Group To VM ${VM} additional-sg
167 Ping From DHCP To Vm Instance1
168 [Documentation] Check reachability of vm instances by pinging to them from DHCP.
169 Ping Vm From DHCP Namespace network_1 @{NET1_VM_IPS}[0]
171 Ping From DHCP To Vm Instance2
172 [Documentation] Check reachability of vm instances by pinging to them from DHCP.
173 Ping Vm From DHCP Namespace network_1 @{NET1_VM_IPS}[1]
175 Repeat Ping From Vm Instance1 To Vm Instance2 With additional SG
176 [Documentation] Login to the vm instance and test some operations
177 ${VM2_LIST} Create List @{NET1_VM_IPS}[1]
178 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[0] ${VM2_LIST}
180 Repeat Ping From Vm Instance2 To Vm Instance1 With additional SG
181 [Documentation] Login to the vm instance and test operations
182 ${VM1_LIST} Create List @{NET1_VM_IPS}[0]
183 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[1] ${VM1_LIST}
185 Remove The Rules From Additional Security Group
186 Delete All Security Group Rules additional-sg
188 No Ping From DHCP To Vm Instance1 With Additional Security Group Rules Removed
189 [Documentation] Check non-reachability of vm instances by pinging to them.
190 Ping From DHCP Should Not Succeed network_1 @{NET1_VM_IPS}[0]
192 No Ping From DHCP To Vm Instance2 With Additional Security Group Rules Removed
193 [Documentation] Check non-reachability of vm instances by pinging to them.
194 Ping From DHCP Should Not Succeed network_1 @{NET1_VM_IPS}[1]
196 Add The Rules To Additional Security Group Again
197 Neutron Security Group Rule Create Legacy Cli additional-sg direction=ingress protocol=icmp remote_ip_prefix=@{NET1_DHCP_IP}[0]/32
199 Ping From DHCP To Vm Instance1 After Rules Are Added Again
200 [Documentation] Check reachability of vm instances by pinging to them from DHCP.
201 Ping Vm From DHCP Namespace network_1 @{NET1_VM_IPS}[0]
203 Ping From DHCP To Vm Instance2 After Rules Are Added Again
204 [Documentation] Check reachability of vm instances by pinging to them from DHCP.
205 Ping Vm From DHCP Namespace network_1 @{NET1_VM_IPS}[1]
207 Remove the additional Security Group from First Vm
208 [Documentation] Remove the additional Security group
209 Remove Security Group From VM @{NET_1_VM_INSTANCES}[0] additional-sg
211 Repeat Ping From Vm Instance1 To Vm Instance2 With Additional SG Removed From Vm1
212 [Documentation] Login to the vm instance and test some operations
213 ${VM2_LIST} Create List @{NET1_VM_IPS}[1]
214 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[0] ${VM2_LIST}
216 Repeat Ping From Vm Instance2 To Vm Instance1 With Additional SG Removed From Vm1
217 [Documentation] Login to the vm instance and test operations
218 ${VM1_LIST} Create List @{NET1_VM_IPS}[0]
219 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[1] ${VM1_LIST}
221 Remove Router Interfaces
222 [Documentation] Delete the Router Interfaces
223 : FOR ${interface} IN @{SUBNETS_NAME}
224 \ Remove Interface router1 ${interface}
227 [Documentation] Delete the Router
228 Delete Router router1
230 Repeat Ping From Vm Instance1 To Vm Instance2 With Router Removed
231 [Documentation] Login to the vm instance and test some operations
232 ${VM2_LIST} Create List @{NET1_VM_IPS}[1]
233 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[0] ${VM2_LIST}
235 Repeat Ping From Vm Instance2 To Vm Instance1 With Router Removed
236 [Documentation] Login to the vm instance and test operations
237 ${VM1_LIST} Create List @{NET1_VM_IPS}[0]
238 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[1] ${VM1_LIST}
240 Delete Vm Instances In network_2
241 [Documentation] Delete Vm instances using instance names in network_2.
242 : FOR ${VmElement} IN @{NET_2_VM_INSTANCES}
243 \ Delete Vm Instance ${VmElement}
245 Repeat Ping From Vm Instance1 To Vm Instance2 With network_2 VM Deleted
246 [Documentation] Login to the vm instance and test some operations
247 ${VM2_LIST} Create List @{NET1_VM_IPS}[1]
248 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[0] ${VM2_LIST}
250 Repeat Ping From Vm Instance2 To Vm Instance1 With network_2 VM Deleted
251 [Documentation] Login to the vm instance and test operations
252 ${VM1_LIST} Create List @{NET1_VM_IPS}[0]
253 Test Operations From Vm Instance network_1 @{NET1_VM_IPS}[1] ${VM1_LIST}
255 Delete Vm Instances In network_1
256 [Documentation] Delete Vm instances using instance names in network_1.
257 : FOR ${VmElement} IN @{NET_1_VM_INSTANCES}
258 \ Delete Vm Instance ${VmElement}
260 Delete SecurityGroups
261 [Documentation] Delete Security group
262 Delete SecurityGroup additional-sg
263 Delete SecurityGroup csit-remote-sgs
265 Delete Sub Networks In network_1
266 [Documentation] Delete Sub Nets for the Networks with neutron request.
267 Delete SubNet l2_subnet_1
270 [Documentation] Delete Networks with neutron request.
271 : FOR ${NetworkElement} IN @{NETWORKS_NAME}
272 \ Delete Network ${NetworkElement}