*** Settings ***
Documentation    Test suite to verify security groups basic and advanced functionalities, including negative tests.
...    These test cases are not so relevant for transparent mode, so each test case will be tagged with
...    "skip_if_transparent" to allow any underlying keywords to return with a PASS without risking
...    a false failure. The real value of this suite will be in stateful mode.

Library    OperatingSystem
Library    RequestsLibrary
Resource    ../../../libraries/DevstackUtils.robot
Resource    ../../../libraries/KarafKeywords.robot
Resource    ../../../libraries/OpenStackOperations.robot
Resource    ../../../libraries/SetupUtils.robot
Resource    ../../../libraries/Utils.robot
Resource    ../../../libraries/RemoteBash.robot
Resource    ../../../variables/netvirt/Variables.robot

Suite Setup    Suite Setup
Suite Teardown    OpenStackOperations.OpenStack Suite Teardown
Test Setup    SetupUtils.Setup_Test_With_Logging_And_Without_Fast_Failing
Test Teardown    OpenStackOperations.Get Test Teardown Debugs

Force Tags    skip_if_${security_group_mode}

*** Variables ***
${SECURITY_GROUP}    sg_sg
@{NETWORKS}    sg_net_1    sg_net_2
@{SUBNETS}    sg_sub_1    sg_sub_2
@{NET_1_VMS}    sg_net_1_vm_1    sg_net_1_vm_2
@{NET_2_VMS}    sg_net_2_vm_1
@{SUBNET_CIDRS}    51.0.0.0/24    52.0.0.0/24

*** Test Cases ***
No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    ${NETWORKS}[0]    ${NET_1_VM_IPS}[1]

No Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance
    ...    ${NET_1_VM_IPS}[0]
    ...    ping_should_succeed=False

No Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance
    ...    ${NET_1_VM_IPS}[1]
    ...    ping_should_succeed=False

Add Ping Allow Rules With Remote SG (only between VMs)
    OpenStackOperations.Neutron Security Group Rule Create
    ...    remote_group_id=${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Rule Create
    ...    remote_group_id=${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Show    ${SECURITY_GROUP}

Verify No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    ${NETWORKS}[0]    ${NET_1_VM_IPS}[0]

Verify No Ping From DHCP To Vm Instance2
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    ${NETWORKS}[0]    ${NET_1_VM_IPS}[1]

Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    ${NETWORKS}[0]    ${NET_1_VM_IPS}[0]    ${vm_ips}

Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    ${NETWORKS}[0]    ${NET_1_VM_IPS}[1]    ${vm_ips}

    [Documentation]    Create Router and Add Interface to the subnets.
    OpenStackOperations.Create Router    ${ROUTER}

Add Interfaces To Router
    FOR    ${interface}    IN    @{SUBNETS}
        OpenStackOperations.Add Router Interface    ${ROUTER}    ${interface}
    END

Ping From Vm Instance1 To Vm Instance3
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_2_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    ${NETWORKS}[0]    ${NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance1 To Vm Instance2 With a Router
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    ${NETWORKS}[0]    ${NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With a Router
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    ${NETWORKS}[0]    ${NET_1_VM_IPS}[1]    ${vm_ips}

Add Additional Security Group To VMs
    [Documentation]    Add an additional security group to the VMs - this is done to test a different logic put in place for ports with multiple SGs
    OpenStackOperations.Security Group Create Without Default Security Rules    additional-sg
    #TODO Remove this after the Newton jobs are removed, Openstack CLI with Newton lacks support to configure rule with remote_ip_prefix
    OpenStackOperations.Neutron Security Group Rule Create
    ...    direction=ingress
    ...    remote_ip_prefix=${NET_1_DHCP_IP}/32
    OpenStackOperations.Neutron Security Group Show    additional-sg
    FOR    ${vm}    IN    @{NET_1_VMS}
        OpenStackOperations.Add Security Group To VM    ${vm}    additional-sg
    END

Ping From DHCP To Vm Instance1
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    ${NETWORKS}[0]    ${NET_1_VM_IPS}[0]

Ping From DHCP To Vm Instance2
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    ${NETWORKS}[0]    ${NET_1_VM_IPS}[1]

Repeat Ping From Vm Instance1 To Vm Instance2 With additional SG
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    ${NETWORKS}[0]    ${NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With additional SG
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    ${NETWORKS}[0]    ${NET_1_VM_IPS}[1]    ${vm_ips}

Test Connection when Rules Change Dynamically
    [Documentation]    Initiate ping from DHCP to VM instance and remove security rules
    ...    dynamically check the communication has stopped after removing the security group rules.
    ${net_id} =    OpenstackOperations.Get Net Id    ${NETWORKS}[0]
    Get ControlNode Connection
    ${output} =    SSHLibrary.Write    sudo ip netns exec qdhcp-${net_id} ping ${NET_1_VM_IPS}[0]
    Delete All Security Group Rules    additional-sg
    ${output} =    Read Until    packet loss
    Should Not Contain    ${output}    ${PING_REGEXP}

No Ping From DHCP To Vm Instance1 With Additional Security Group Rules Removed
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    ${NETWORKS}[0]    ${NET_1_VM_IPS}[0]

No Ping From DHCP To Vm Instance2 With Additional Security Group Rules Removed
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    ${NETWORKS}[0]    ${NET_1_VM_IPS}[1]

Add The Rules To Additional Security Group Again
    OpenStackOperations.Neutron Security Group Rule Create
    ...    direction=ingress
    ...    remote_ip_prefix=${NET_1_DHCP_IP}/32

Ping From DHCP To Vm Instance1 After Rules Are Added Again
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    ${NETWORKS}[0]    ${NET_1_VM_IPS}[0]

Ping From DHCP To Vm Instance2 After Rules Are Added Again
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    ${NETWORKS}[0]    ${NET_1_VM_IPS}[1]

Remove the additional Security Group from First Vm
    OpenStackOperations.Remove Security Group From VM    ${NET_1_VMS}[0]    additional-sg

Repeat Ping From Vm Instance1 To Vm Instance2 With Additional SG Removed From Vm1
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    ${NETWORKS}[0]    ${NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With Additional SG Removed From Vm1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    ${NETWORKS}[0]    ${NET_1_VM_IPS}[1]    ${vm_ips}

Remove Router Interfaces
    FOR    ${interface}    IN    @{SUBNETS}
        OpenStackOperations.Remove Interface    ${ROUTER}    ${interface}
    END

    OpenStackOperations.Delete Router    ${ROUTER}

Repeat Ping From Vm Instance1 To Vm Instance2 With Router Removed
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    ${NETWORKS}[0]    ${NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With Router Removed
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    ${NETWORKS}[0]    ${NET_1_VM_IPS}[1]    ${vm_ips}

Delete Vm Instances In net_2
    FOR    ${vm}    IN    @{NET_2_VMS}
        OpenStackOperations.Delete Vm Instance    ${vm}
    END

Repeat Ping From Vm Instance1 To Vm Instance2 With net_2 VM Deleted
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    ${NETWORKS}[0]    ${NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With net_2 VM Deleted
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    ${NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    ${NETWORKS}[0]    ${NET_1_VM_IPS}[1]    ${vm_ips}

*** Keywords ***
Suite Setup
    OpenStackOperations.OpenStack Suite Setup
    OpenStackOperations.Create Network    ${NETWORKS}[0]
    OpenStackOperations.Create Network    ${NETWORKS}[1]
    BuiltIn.Wait Until Keyword Succeeds
    ...    Utils.Check For Elements At URI
    OpenStackOperations.Create SubNet    ${NETWORKS}[0]    ${SUBNETS}[0]    ${SUBNET_CIDRS}[0]
    OpenStackOperations.Create SubNet    ${NETWORKS}[1]    ${SUBNETS}[1]    ${SUBNET_CIDRS}[1]
    BuiltIn.Wait Until Keyword Succeeds
    ...    Utils.Check For Elements At URI
    ...    ${SUBNETWORK_URL}
    OpenStackOperations.Security Group Create Without Default Security Rules    ${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Rule Create
    ...    ${SECURITY_GROUP}
    ...    direction=ingress
    ...    port_range_max=65535
    OpenStackOperations.Neutron Security Group Rule Create
    ...    ${SECURITY_GROUP}
    ...    port_range_max=65535
    OpenStackOperations.Neutron Security Group Show    ${SECURITY_GROUP}
    OpenStackOperations.Create Vm Instance On Compute Node
    ...    ${OS_CMP1_HOSTNAME}
    ...    sg=${SECURITY_GROUP}
    OpenStackOperations.Create Vm Instance On Compute Node
    ...    ${OS_CMP2_HOSTNAME}
    ...    sg=${SECURITY_GROUP}
    OpenStackOperations.Create Vm Instance On Compute Node
    ...    ${OS_CMP1_HOSTNAME}
    ...    sg=${SECURITY_GROUP}
    @{NET_1_VM_IPS}    ${NET_1_DHCP_IP} =    OpenStackOperations.Get VM IPs    @{NET_1_VMS}
    @{NET_2_VM_IPS}    ${NET_2_DHCP_IP} =    OpenStackOperations.Get VM IPs    @{NET_2_VMS}
    BuiltIn.Set Suite Variable    @{NET_1_VM_IPS}
    BuiltIn.Set Suite Variable    ${NET_1_DHCP_IP}
    BuiltIn.Set Suite Variable    @{NET_2_VM_IPS}
    BuiltIn.Should Not Contain    ${NET_1_VM_IPS}    None
    BuiltIn.Should Not Contain    ${NET_2_VM_IPS}    None
    BuiltIn.Should Not Contain    ${NET_1_DHCP_IP}    None
    BuiltIn.Should Not Contain    ${NET_2_DHCP_IP}    None
    OpenStackOperations.Show Debugs    @{NET_1_VMS}    @{NET_2_VMS}
    OpenStackOperations.Get Suite Debugs