*** Settings ***
Documentation     Test suite to verify security groups basic and advanced functionalities, including negative tests.
...               These test cases are not so relevant for transparent mode, so each test case will be tagged with
...               "skip_if_transparent" to allow any underlying keywords to return with a PASS without risking
...               a false failure. The real value of this suite will be in stateful mode.
Suite Setup       BuiltIn.Run Keywords    SetupUtils.Setup_Utils_For_Setup_And_Teardown
...               AND    DevstackUtils.Devstack Suite Setup
Suite Teardown    Close All Connections
Test Setup        SetupUtils.Setup_Test_With_Logging_And_Without_Fast_Failing
Test Teardown     Get Test Teardown Debugs
Force Tags        skip_if_transparent
Library           Collections
Library           SSHLibrary
Library           OperatingSystem
Library           RequestsLibrary
Resource          ../../../libraries/DevstackUtils.robot
Resource          ../../../libraries/OpenStackOperations.robot
Resource          ../../../libraries/SetupUtils.robot
Resource          ../../../libraries/Utils.robot
Resource          ../../../libraries/KarafKeywords.robot

*** Variables ***
@{NETWORKS_NAME}    network_1
@{SUBNETS_NAME}    l2_subnet_1
@{NET_1_VM_INSTANCES}    MyFirstInstance_1    MySecondInstance_1
@{SUBNETS_RANGE}    30.0.0.0/24

*** Test Cases ***
Create VXLAN Network (network_1)
    [Documentation]    Create Network with neutron request.
    Create Network    @{NETWORKS_NAME}[0]

Create Subnets For network_1
    [Documentation]    Create Sub Nets for the Networks with neutron request.
    Create SubNet    @{NETWORKS_NAME}[0]    @{SUBNETS_NAME}[0]    @{SUBNETS_RANGE}[0]

# The test case name is absent from the page; the one below is inferred from its [Documentation] line.
Add TCP Allow Rules
    [Documentation]    Allow only TCP packets for this suite
    Security Group Create Without Default Security Rules    csit-remote-sgs
    Neutron Security Group Rule Create    csit-remote-sgs    direction=ingress    port_range_max=65535    port_range_min=1    protocol=tcp    remote_ip_prefix=0.0.0.0/0
    Neutron Security Group Rule Create    csit-remote-sgs    direction=egress    port_range_max=65535    port_range_min=1    protocol=tcp    remote_ip_prefix=0.0.0.0/0
    Neutron Security Group Show    csit-remote-sgs

Create Vm Instances For network_1
    [Documentation]    Create VM instances using flavor and image names for a network.
    Create Vm Instances    network_1    ${NET_1_VM_INSTANCES}    sg=csit-remote-sgs

Check Vm Instances Have Ip Address
    [Documentation]    Test case to verify that all created VMs are ready and have received their IP addresses.
    ...    We are polling first and longest on the last VM created, assuming that if it has received its address
    ...    already, the other instances should have theirs already or at least shortly thereafter.
    # First, ensure all VMs are in ACTIVE state. If not, we can just fail the test case and not waste time polling.
    : FOR    ${vm}    IN    @{NET_1_VM_INSTANCES}
    \    Wait Until Keyword Succeeds    15s    5s    Verify VM Is ACTIVE    ${vm}
    ${status}    ${message}    Run Keyword And Ignore Error    Wait Until Keyword Succeeds    60s    5s    Collect VM IP Addresses
    ...    true    @{NET_1_VM_INSTANCES}
    ${NET1_VM_IPS}    ${NET1_DHCP_IP}    Collect VM IP Addresses    false    @{NET_1_VM_INSTANCES}
    ${VM_INSTANCES}=    Collections.Combine Lists    ${NET_1_VM_INSTANCES}
    ${VM_IPS}=    Collections.Combine Lists    ${NET1_VM_IPS}
    ${LOOP_COUNT}    Get Length    ${VM_INSTANCES}
    : FOR    ${index}    IN RANGE    0    ${LOOP_COUNT}
    \    ${status}    ${message}    Run Keyword And Ignore Error    Should Not Contain    @{VM_IPS}[${index}]    None
    \    Run Keyword If    '${status}' == 'FAIL'    Write Commands Until Prompt    nova console-log @{VM_INSTANCES}[${index}]    30s
    Set Suite Variable    ${NET1_VM_IPS}
    Set Suite Variable    ${NET1_DHCP_IP}
    Should Not Contain    ${NET1_VM_IPS}    None
    Should Not Contain    ${NET1_DHCP_IP}    None
    [Teardown]    Run Keywords    Show Debugs    @{NET_1_VM_INSTANCES}
    ...    AND    Get Test Teardown Debugs

No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    Ping From DHCP Should Not Succeed    network_1    @{NET1_VM_IPS}[0]

No Ping From DHCP To Vm Instance2
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    Ping From DHCP Should Not Succeed    network_1    @{NET1_VM_IPS}[1]

No Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${VM2_LIST}    Create List    @{NET1_VM_IPS}[1]
    # in transparent mode the behavior is the same as with no SG, so this ping would still work.
    ${expect_ping_to_work}=    Set Variable If    "skip_if_transparent" in @{TEST_TAGS}    True    False
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[0]    ${VM2_LIST}    ping_should_succeed=${expect_ping_to_work}

No Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${VM1_LIST}    Create List    @{NET1_VM_IPS}[0]
    # in transparent mode the behavior is the same as with no SG, so this ping would still work.
    ${expect_ping_to_work}=    Set Variable If    "skip_if_transparent" in @{TEST_TAGS}    True    False
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[1]    ${VM1_LIST}    ping_should_succeed=False

Add Ping Allow Rules With Remote SG (only between VMs)
    Neutron Security Group Rule Create    csit-remote-sgs    direction=ingress    protocol=icmp    remote_group_id=csit-remote-sgs
    Neutron Security Group Rule Create    csit-remote-sgs    direction=egress    protocol=icmp    remote_group_id=csit-remote-sgs
    Neutron Security Group Show    csit-remote-sgs

Verify No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    Ping From DHCP Should Not Succeed    network_1    @{NET1_VM_IPS}[0]

Verify No Ping From DHCP To Vm Instance2
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    Ping From DHCP Should Not Succeed    network_1    @{NET1_VM_IPS}[1]

Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${VM2_LIST}    Create List    @{NET1_VM_IPS}[1]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[0]    ${VM2_LIST}

Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${VM1_LIST}    Create List    @{NET1_VM_IPS}[0]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[1]    ${VM1_LIST}

Add Additional Security Group To VMs
    [Documentation]    Add an additional security group to the VMs - this is done to test a different logic put in place for ports with multiple SGs
    Security Group Create Without Default Security Rules    additional-sg
    Neutron Security Group Rule Create    additional-sg    direction=ingress    protocol=icmp    remote_ip_prefix=@{NET1_DHCP_IP}[0]/32
    Neutron Security Group Show    additional-sg
    : FOR    ${VM}    IN    @{NET_1_VM_INSTANCES}
    \    Add Security Group To VM    ${VM}    additional-sg

Ping From DHCP To Vm Instance1
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    Ping Vm From DHCP Namespace    network_1    @{NET1_VM_IPS}[0]

Ping From DHCP To Vm Instance2
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    Ping Vm From DHCP Namespace    network_1    @{NET1_VM_IPS}[1]

Repeat Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${VM2_LIST}    Create List    @{NET1_VM_IPS}[1]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[0]    ${VM2_LIST}

Repeat Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${VM1_LIST}    Create List    @{NET1_VM_IPS}[0]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[1]    ${VM1_LIST}

Delete Vm Instances In network_1
    [Documentation]    Delete Vm instances using instance names in network_1.
    : FOR    ${VmElement}    IN    @{NET_1_VM_INSTANCES}
    \    Delete Vm Instance    ${VmElement}

Delete Sub Networks In network_1
    [Documentation]    Delete Sub Nets for the Networks with neutron request.
    Delete SubNet    l2_subnet_1

# The test case name is absent from the page; the one below is inferred from its [Documentation] line.
Delete Networks
    [Documentation]    Delete Networks with neutron request.
    : FOR    ${NetworkElement}    IN    @{NETWORKS_NAME}
    \    Delete Network    ${NetworkElement}
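
The pass/fail pattern this suite expects at each stage follows from how stateful security groups are evaluated. The block below is an added example, not part of the original suite or the project's libraries: a simplified Python model in which rules only allow, a port with several groups gets the union of their rules, `remote_group_id` matches only member ports, and the DHCP port is assumed to be unfiltered. The VM and DHCP addresses are constructed, and TCP port ranges are left out because only ICMP is probed.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses inside the suite's 30.0.0.0/24 subnet (assumptions).
DHCP, VM1, VM2 = "30.0.0.2", "30.0.0.3", "30.0.0.4"

def rule(direction, protocol, prefix=None, group=None):
    return {"direction": direction, "protocol": protocol, "prefix": prefix, "group": group}

def matches(r, direction, protocol, peer_ip, membership):
    if r["direction"] != direction or r["protocol"] != protocol:
        return False
    if r["group"] is not None:  # remote_group_id: the peer must be a member port
        return r["group"] in membership.get(peer_ip, set())
    return ip_address(peer_ip) in ip_network(r["prefix"])

def allowed(groups, membership, ip, direction, protocol, peer_ip):
    # A port absent from `membership` (the DHCP port here) is treated as unfiltered.
    if ip not in membership:
        return True
    # Union of all rules from all groups on the port; no match means drop.
    return any(matches(r, direction, protocol, peer_ip, membership)
               for sg in membership[ip] for r in groups[sg])

def ping_succeeds(groups, membership, src, dst):
    # Stateful mode: the echo reply rides on connection tracking, so only the
    # request needs an egress match at the source and an ingress match at the target.
    return (allowed(groups, membership, src, "egress", "icmp", dst)
            and allowed(groups, membership, dst, "ingress", "icmp", src))

def suite_stages():
    groups = {"csit-remote-sgs": [rule("ingress", "tcp", prefix="0.0.0.0/0"),
                                  rule("egress", "tcp", prefix="0.0.0.0/0")]}
    membership = {VM1: {"csit-remote-sgs"}, VM2: {"csit-remote-sgs"}}
    probe = lambda: {"dhcp->vm1": ping_succeeds(groups, membership, DHCP, VM1),
                     "vm1->vm2": ping_succeeds(groups, membership, VM1, VM2),
                     "vm2->vm1": ping_succeeds(groups, membership, VM2, VM1)}
    stages = [probe()]                                   # TCP-only rules
    groups["csit-remote-sgs"] += [rule("ingress", "icmp", group="csit-remote-sgs"),
                                  rule("egress", "icmp", group="csit-remote-sgs")]
    stages.append(probe())                               # ICMP between group members
    groups["additional-sg"] = [rule("ingress", "icmp", prefix=DHCP + "/32")]
    for vm in (VM1, VM2):
        membership[vm].add("additional-sg")
    stages.append(probe())                               # second SG on each VM port
    return stages
```

`suite_stages()` returns one result per stage of the suite (TCP-only rules, ICMP via the remote group, then the second group on each port), which lines up with the "No Ping", "Ping" and "Repeat Ping" test cases.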