*** Settings ***
Documentation     Test suite to verify security groups basic and advanced functionalities, including negative tests.
...               These test cases are not so relevant for transparent mode, so each test case will be tagged with
...               "skip_if_transparent" to allow any underlying keywords to return with a PASS without risking
...               a false failure. The real value of this suite will be in stateful mode.
Suite Setup       BuiltIn.Run Keywords    SetupUtils.Setup_Utils_For_Setup_And_Teardown
...               AND    DevstackUtils.Devstack Suite Setup
Suite Teardown    Close All Connections
Test Setup        SetupUtils.Setup_Test_With_Logging_And_Without_Fast_Failing
Test Teardown     Get Test Teardown Debugs
Force Tags        skip_if_${SECURITY_GROUP_MODE}
Library           OperatingSystem
Library           RequestsLibrary
Resource          ../../../libraries/DevstackUtils.robot
Resource          ../../../libraries/OpenStackOperations.robot
Resource          ../../../libraries/SetupUtils.robot
Resource          ../../../libraries/Utils.robot
Resource          ../../../libraries/KarafKeywords.robot

*** Variables ***
${SECURITY_GROUP}    sg-remote
@{NETWORKS_NAME}    network_1    network_2
@{SUBNETS_NAME}    l2_subnet_1    l2_subnet_2
@{NET_1_VM_INSTANCES}    MyFirstInstance_1    MySecondInstance_1
@{NET_2_VM_INSTANCES}    MyThirdInstance_3
@{SUBNETS_RANGE}    30.0.0.0/24    40.0.0.0/24

*** Test Cases ***
Create VXLAN Network (network_1)
    [Documentation]    Create Network with neutron request.
    Create Network    @{NETWORKS_NAME}[0]

Create Subnets For network_1
    [Documentation]    Create Sub Nets for the Networks with neutron request.
    Create SubNet    @{NETWORKS_NAME}[0]    @{SUBNETS_NAME}[0]    @{SUBNETS_RANGE}[0]

Create VXLAN Network (network_2)
    [Documentation]    Create Network with neutron request.
    Create Network    @{NETWORKS_NAME}[1]

Create Subnets For network_2
    [Documentation]    Create Sub Nets for the Networks with neutron request.
    Create SubNet    @{NETWORKS_NAME}[1]    @{SUBNETS_NAME}[1]    @{SUBNETS_RANGE}[1]

# Test case name absent from the page; the name below is an assumed placeholder.
Add TCP Allow Rules
    [Documentation]    Allow only TCP packets for this suite
    Security Group Create Without Default Security Rules    ${SECURITY_GROUP}
    Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=ingress    port_range_max=65535    port_range_min=1    protocol=tcp
    Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=egress    port_range_max=65535    port_range_min=1    protocol=tcp
    Neutron Security Group Show    ${SECURITY_GROUP}

Create Vm Instances For network_1
    [Documentation]    Create VM instances using flavor and image names for a network.
    Create Vm Instances    network_1    ${NET_1_VM_INSTANCES}    sg=${SECURITY_GROUP}

Create Vm Instances For network_2
    [Documentation]    Create VM instances using flavor and image names for a network.
    Create Vm Instances    network_2    ${NET_2_VM_INSTANCES}    sg=${SECURITY_GROUP}

Check Vm Instances Have Ip Address
    [Documentation]    Test case to verify that all created VMs are ready and have received their IP addresses.
    ...    We are polling first and longest on the last VM created, assuming that if it has received its address
    ...    already, the other instances should have theirs already or at least shortly thereafter.
    # first, ensure all VMs are in ACTIVE state. if not, we can just fail the test case and not waste time polling
    : FOR    ${vm}    IN    @{NET_1_VM_INSTANCES}
    \    Wait Until Keyword Succeeds    600s    5s    Verify VM Is ACTIVE    ${vm}
    ${status}    ${message}    Run Keyword And Ignore Error    Wait Until Keyword Succeeds    60s    5s    Collect VM IP Addresses
    ...    true    @{NET_1_VM_INSTANCES}
    ${NET1_VM_IPS}    ${NET1_DHCP_IP}    Collect VM IP Addresses    false    @{NET_1_VM_INSTANCES}
    ${NET2_VM_IPS}    ${NET2_DHCP_IP}    Collect VM IP Addresses    false    @{NET_2_VM_INSTANCES}
    ${VM_INSTANCES}=    Collections.Combine Lists    ${NET_1_VM_INSTANCES}
    ${VM_IPS}=    Collections.Combine Lists    ${NET1_VM_IPS}
    ${LOOP_COUNT}    Get Length    ${VM_INSTANCES}
    : FOR    ${index}    IN RANGE    0    ${LOOP_COUNT}
    \    ${status}    ${message}    Run Keyword And Ignore Error    Should Not Contain    @{VM_IPS}[${index}]    None
    \    Run Keyword If    '${status}' == 'FAIL'    Write Commands Until Prompt    nova console-log @{VM_INSTANCES}[${index}]    30s
    Set Suite Variable    ${NET1_VM_IPS}
    Set Suite Variable    ${NET1_DHCP_IP}
    Should Not Contain    ${NET1_VM_IPS}    None
    Should Not Contain    ${NET1_DHCP_IP}    None
    Set Suite Variable    ${NET2_VM_IPS}
    Set Suite Variable    ${NET2_DHCP_IP}
    Should Not Contain    ${NET2_VM_IPS}    None
    Should Not Contain    ${NET2_DHCP_IP}    None
    [Teardown]    Run Keywords    Show Debugs    @{NET_1_VM_INSTANCES}
    ...    AND    Get Test Teardown Debugs

No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    Ping From DHCP Should Not Succeed    network_1    @{NET1_VM_IPS}[0]

No Ping From DHCP To Vm Instance2
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    Ping From DHCP Should Not Succeed    network_1    @{NET1_VM_IPS}[1]

No Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${VM2_LIST}    Create List    @{NET1_VM_IPS}[1]
    # in transparent mode the behavior is the same as with no SG, so this ping would still work.
    ${expect_ping_to_work}=    Set Variable If    "skip_if_transparent" in @{TEST_TAGS}    True    False
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[0]    ${VM2_LIST}    ping_should_succeed=${expect_ping_to_work}

No Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${VM1_LIST}    Create List    @{NET1_VM_IPS}[0]
    # in transparent mode the behavior is the same as with no SG, so this ping would still work.
    ${expect_ping_to_work}=    Set Variable If    "skip_if_transparent" in @{TEST_TAGS}    True    False
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[1]    ${VM1_LIST}    ping_should_succeed=${expect_ping_to_work}

Add Ping Allow Rules With Remote SG (only between VMs)
    Neutron Security Group Rule Create Legacy Cli    ${SECURITY_GROUP}    direction=ingress    protocol=icmp    remote_group_id=${SECURITY_GROUP}
    Neutron Security Group Rule Create Legacy Cli    ${SECURITY_GROUP}    direction=egress    protocol=icmp    remote_group_id=${SECURITY_GROUP}
    Neutron Security Group Show    ${SECURITY_GROUP}

Verify No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    Ping From DHCP Should Not Succeed    network_1    @{NET1_VM_IPS}[0]

Verify No Ping From DHCP To Vm Instance2
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    Ping From DHCP Should Not Succeed    network_1    @{NET1_VM_IPS}[1]

Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${VM2_LIST}    Create List    @{NET1_VM_IPS}[1]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[0]    ${VM2_LIST}

Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${VM1_LIST}    Create List    @{NET1_VM_IPS}[0]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[1]    ${VM1_LIST}

# Test case name absent from the page; the name below is an assumed placeholder.
Create Router
    [Documentation]    Create Router and Add Interface to the subnets.
    OpenStackOperations.Create Router    router1

Add Interfaces To Router
    [Documentation]    Add Interfaces
    : FOR    ${interface}    IN    @{SUBNETS_NAME}
    \    OpenStackOperations.Add Router Interface    router1    ${interface}

Ping From Vm Instance1 To Vm Instance3
    [Documentation]    Login to the vm instance and test some operations
    ${VM3_LIST}    Create List    @{NET2_VM_IPS}[0]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[0]    ${VM3_LIST}

Repeat Ping From Vm Instance1 To Vm Instance2 With a Router
    [Documentation]    Login to the vm instance and test some operations
    ${VM2_LIST}    Create List    @{NET1_VM_IPS}[1]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[0]    ${VM2_LIST}

Repeat Ping From Vm Instance2 To Vm Instance1 With a Router
    [Documentation]    Login to the vm instance and test operations
    ${VM1_LIST}    Create List    @{NET1_VM_IPS}[0]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[1]    ${VM1_LIST}

Add Additional Security Group To VMs
    [Documentation]    Add an additional security group to the VMs - this is done to test a different logic put in place for ports with multiple SGs
    Security Group Create Without Default Security Rules    additional-sg
    #TODO Remove this after the Newton jobs are removed, Openstack CLI with Newton lacks support to configure rule with remote_ip_prefix
    Neutron Security Group Rule Create Legacy Cli    additional-sg    direction=ingress    protocol=icmp    remote_ip_prefix=@{NET1_DHCP_IP}[0]/32
    Neutron Security Group Show    additional-sg
    : FOR    ${VM}    IN    @{NET_1_VM_INSTANCES}
    \    Add Security Group To VM    ${VM}    additional-sg

Ping From DHCP To Vm Instance1
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    Ping Vm From DHCP Namespace    network_1    @{NET1_VM_IPS}[0]

Ping From DHCP To Vm Instance2
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    Ping Vm From DHCP Namespace    network_1    @{NET1_VM_IPS}[1]

Repeat Ping From Vm Instance1 To Vm Instance2 With additional SG
    [Documentation]    Login to the vm instance and test some operations
    ${VM2_LIST}    Create List    @{NET1_VM_IPS}[1]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[0]    ${VM2_LIST}

Repeat Ping From Vm Instance2 To Vm Instance1 With additional SG
    [Documentation]    Login to the vm instance and test operations
    ${VM1_LIST}    Create List    @{NET1_VM_IPS}[0]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[1]    ${VM1_LIST}

Remove The Rules From Additional Security Group
    Delete All Security Group Rules    additional-sg

No Ping From DHCP To Vm Instance1 With Additional Security Group Rules Removed
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    Ping From DHCP Should Not Succeed    network_1    @{NET1_VM_IPS}[0]

No Ping From DHCP To Vm Instance2 With Additional Security Group Rules Removed
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    Ping From DHCP Should Not Succeed    network_1    @{NET1_VM_IPS}[1]

Add The Rules To Additional Security Group Again
    Neutron Security Group Rule Create Legacy Cli    additional-sg    direction=ingress    protocol=icmp    remote_ip_prefix=@{NET1_DHCP_IP}[0]/32

Ping From DHCP To Vm Instance1 After Rules Are Added Again
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    Ping Vm From DHCP Namespace    network_1    @{NET1_VM_IPS}[0]

Ping From DHCP To Vm Instance2 After Rules Are Added Again
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    Ping Vm From DHCP Namespace    network_1    @{NET1_VM_IPS}[1]

Remove the additional Security Group from First Vm
    [Documentation]    Remove the additional Security group
    Remove Security Group From VM    @{NET_1_VM_INSTANCES}[0]    additional-sg

Repeat Ping From Vm Instance1 To Vm Instance2 With Additional SG Removed From Vm1
    [Documentation]    Login to the vm instance and test some operations
    ${VM2_LIST}    Create List    @{NET1_VM_IPS}[1]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[0]    ${VM2_LIST}

Repeat Ping From Vm Instance2 To Vm Instance1 With Additional SG Removed From Vm1
    [Documentation]    Login to the vm instance and test operations
    ${VM1_LIST}    Create List    @{NET1_VM_IPS}[0]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[1]    ${VM1_LIST}

Remove Router Interfaces
    [Documentation]    Delete the Router Interfaces
    : FOR    ${interface}    IN    @{SUBNETS_NAME}
    \    Remove Interface    router1    ${interface}

# Test case name absent from the page; the name below is an assumed placeholder.
Delete Router
    [Documentation]    Delete the Router
    Delete Router    router1

Repeat Ping From Vm Instance1 To Vm Instance2 With Router Removed
    [Documentation]    Login to the vm instance and test some operations
    ${VM2_LIST}    Create List    @{NET1_VM_IPS}[1]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[0]    ${VM2_LIST}

Repeat Ping From Vm Instance2 To Vm Instance1 With Router Removed
    [Documentation]    Login to the vm instance and test operations
    ${VM1_LIST}    Create List    @{NET1_VM_IPS}[0]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[1]    ${VM1_LIST}

Delete Vm Instances In network_2
    [Documentation]    Delete Vm instances using instance names in network_2.
    : FOR    ${VmElement}    IN    @{NET_2_VM_INSTANCES}
    \    Delete Vm Instance    ${VmElement}

Repeat Ping From Vm Instance1 To Vm Instance2 With network_2 VM Deleted
    [Documentation]    Login to the vm instance and test some operations
    ${VM2_LIST}    Create List    @{NET1_VM_IPS}[1]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[0]    ${VM2_LIST}

Repeat Ping From Vm Instance2 To Vm Instance1 With network_2 VM Deleted
    [Documentation]    Login to the vm instance and test operations
    ${VM1_LIST}    Create List    @{NET1_VM_IPS}[0]
    Test Operations From Vm Instance    network_1    @{NET1_VM_IPS}[1]    ${VM1_LIST}

Delete Vm Instances In network_1
    [Documentation]    Delete Vm instances using instance names in network_1.
    : FOR    ${VmElement}    IN    @{NET_1_VM_INSTANCES}
    \    Delete Vm Instance    ${VmElement}

Delete SecurityGroups
    [Documentation]    Delete Security group
    Delete SecurityGroup    additional-sg
    Delete SecurityGroup    ${SECURITY_GROUP}

Delete Sub Networks In network_1
    [Documentation]    Delete Sub Nets for the Networks with neutron request.
    Delete SubNet    l2_subnet_1

# Test case name absent from the page; the name below is an assumed placeholder.
Delete Networks
    [Documentation]    Delete Networks with neutron request.
    : FOR    ${NetworkElement}    IN    @{NETWORKS_NAME}
    \    Delete Network    ${NetworkElement}