*** Settings ***
Documentation     Test suite to verify security groups basic and advanced functionalities, including negative tests.
...               These test cases are not so relevant for transparent mode, so each test case will be tagged with
...               "skip_if_transparent" to allow any underlying keywords to return with a PASS without risking
...               a false failure. The real value of this suite will be in stateful mode.
Suite Setup       OpenStackOperations.OpenStack Suite Setup
Suite Teardown    OpenStackOperations.OpenStack Suite Teardown
Test Setup        SetupUtils.Setup_Test_With_Logging_And_Without_Fast_Failing
Test Teardown     OpenStackOperations.Get Test Teardown Debugs
Force Tags        skip_if_${SECURITY_GROUP_MODE}
Library           OperatingSystem
Library           RequestsLibrary
Resource          ../../../libraries/DevstackUtils.robot
Resource          ../../../libraries/KarafKeywords.robot
Resource          ../../../libraries/OpenStackOperations.robot
Resource          ../../../libraries/SetupUtils.robot
Resource          ../../../libraries/Utils.robot
Resource          ../../../variables/netvirt/Variables.robot

*** Variables ***
${SECURITY_GROUP}    sg_sg
@{NETWORKS}       sg_net_1    sg_net_2
@{SUBNETS}        sg_sub_1    sg_sub_2
@{NET_1_VMS}      sg_net_1_vm_1    sg_net_1_vm_2
@{NET_2_VMS}      sg_net_2_vm_1
@{SUBNET_CIDRS}    51.0.0.0/24    52.0.0.0/24

*** Test Cases ***
# The test case name is not present on the page; this one is assumed from the steps below.
Create Neutron Networks
    OpenStackOperations.Create Network    @{NETWORKS}[0]
    OpenStackOperations.Create Network    @{NETWORKS}[1]
    BuiltIn.Wait Until Keyword Succeeds    10s    2s    Utils.Check For Elements At URI    ${NETWORK_URL}    ${NETWORKS}
    OpenStackOperations.Create SubNet    @{NETWORKS}[0]    @{SUBNETS}[0]    @{SUBNET_CIDRS}[0]
    OpenStackOperations.Create SubNet    @{NETWORKS}[1]    @{SUBNETS}[1]    @{SUBNET_CIDRS}[1]
    BuiltIn.Wait Until Keyword Succeeds    10s    2s    Utils.Check For Elements At URI    ${SUBNETWORK_URL}    ${SUBNETS}

# The test case name is not present on the page; this one is assumed from the steps below.
Add TCP Allow Rules
    [Documentation]    Allow only TCP packets for this suite
    OpenStackOperations.Security Group Create Without Default Security Rules    ${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=ingress    port_range_max=65535    port_range_min=1    protocol=tcp
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=egress    port_range_max=65535    port_range_min=1    protocol=tcp
    OpenStackOperations.Neutron Security Group Show    ${SECURITY_GROUP}

Create Vm Instances For net_1
    [Documentation]    Create VM instances using flavor and image names for a network.
    OpenStackOperations.Create Vm Instances    @{NETWORKS}[0]    ${NET_1_VMS}    sg=${SECURITY_GROUP}

Create Vm Instances For net_2
    [Documentation]    Create VM instances using flavor and image names for a network.
    OpenStackOperations.Create Vm Instances    @{NETWORKS}[1]    ${NET_2_VMS}    sg=${SECURITY_GROUP}

Check Vm Instances Have Ip Address
    @{NET_1_VM_IPS}    ${NET_1_DHCP_IP} =    OpenStackOperations.Get VM IPs    @{NET_1_VMS}
    @{NET_2_VM_IPS}    ${NET_2_DHCP_IP} =    OpenStackOperations.Get VM IPs    @{NET_2_VMS}
    BuiltIn.Set Suite Variable    @{NET_1_VM_IPS}
    BuiltIn.Set Suite Variable    ${NET_1_DHCP_IP}
    BuiltIn.Set Suite Variable    @{NET_2_VM_IPS}
    BuiltIn.Should Not Contain    ${NET_1_VM_IPS}    None
    BuiltIn.Should Not Contain    ${NET_2_VM_IPS}    None
    BuiltIn.Should Not Contain    ${NET_1_DHCP_IP}    None
    BuiltIn.Should Not Contain    ${NET_2_DHCP_IP}    None
    [Teardown]    BuiltIn.Run Keywords    OpenStackOperations.Show Debugs    @{NET_1_VMS}
    ...    AND    OpenStackOperations.Get Test Teardown Debugs

No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

No Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}    ping_should_succeed=False

No Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}    ping_should_succeed=False

Add Ping Allow Rules With Remote SG (only between VMs)
    OpenStackOperations.Neutron Security Group Rule Create Legacy Cli    ${SECURITY_GROUP}    direction=ingress    protocol=icmp    remote_group_id=${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Rule Create Legacy Cli    ${SECURITY_GROUP}    direction=egress    protocol=icmp    remote_group_id=${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Show    ${SECURITY_GROUP}

Verify No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

Verify No Ping From DHCP To Vm Instance2
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

# The test case name is not present on the page; this one is assumed from the keyword it calls.
Create Router
    [Documentation]    Create Router and Add Interface to the subnets.
    OpenStackOperations.Create Router    ${ROUTER}

Add Interfaces To Router
    : FOR    ${interface}    IN    @{SUBNETS}
    \    OpenStackOperations.Add Router Interface    ${ROUTER}    ${interface}

Ping From Vm Instance1 To Vm Instance3
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_2_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance1 To Vm Instance2 With a Router
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With a Router
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Add Additional Security Group To VMs
    [Documentation]    Add an additional security group to the VMs - this is done to test a different logic put in place for ports with multiple SGs
    OpenStackOperations.Security Group Create Without Default Security Rules    additional-sg
    #TODO Remove this after the Newton jobs are removed, Openstack CLI with Newton lacks support to configure rule with remote_ip_prefix
    OpenStackOperations.Neutron Security Group Rule Create Legacy Cli    additional-sg    direction=ingress    protocol=icmp    remote_ip_prefix=${NET_1_DHCP_IP}/32
    OpenStackOperations.Neutron Security Group Show    additional-sg
    : FOR    ${vm}    IN    @{NET_1_VMS}
    \    OpenStackOperations.Add Security Group To VM    ${vm}    additional-sg

Ping From DHCP To Vm Instance1
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

Ping From DHCP To Vm Instance2
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Repeat Ping From Vm Instance1 To Vm Instance2 With additional SG
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With additional SG
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Remove The Rules From Additional Security Group
    OpenStackOperations.Delete All Security Group Rules    additional-sg

No Ping From DHCP To Vm Instance1 With Additional Security Group Rules Removed
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

No Ping From DHCP To Vm Instance2 With Additional Security Group Rules Removed
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Add The Rules To Additional Security Group Again
    OpenStackOperations.Neutron Security Group Rule Create Legacy Cli    additional-sg    direction=ingress    protocol=icmp    remote_ip_prefix=${NET_1_DHCP_IP}/32

Ping From DHCP To Vm Instance1 After Rules Are Added Again
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

Ping From DHCP To Vm Instance2 After Rules Are Added Again
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Remove the additional Security Group from First Vm
    OpenStackOperations.Remove Security Group From VM    @{NET_1_VMS}[0]    additional-sg

Repeat Ping From Vm Instance1 To Vm Instance2 With Additional SG Removed From Vm1
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With Additional SG Removed From Vm1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Remove Router Interfaces
    : FOR    ${interface}    IN    @{SUBNETS}
    \    OpenStackOperations.Remove Interface    ${ROUTER}    ${interface}

# The test case name is not present on the page; this one is assumed from the keyword it calls.
Delete Router
    OpenStackOperations.Delete Router    ${ROUTER}

Repeat Ping From Vm Instance1 To Vm Instance2 With Router Removed
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With Router Removed
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Delete Vm Instances In net_2
    : FOR    ${vm}    IN    @{NET_2_VMS}
    \    OpenStackOperations.Delete Vm Instance    ${vm}

Repeat Ping From Vm Instance1 To Vm Instance2 With net_2 VM Deleted
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With net_2 VM Deleted
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Delete Vm Instances In net_1
    : FOR    ${VmElement}    IN    @{NET_1_VMS}
    \    OpenStackOperations.Delete Vm Instance    ${VmElement}

Delete Security Groups
    OpenStackOperations.Delete SecurityGroup    additional-sg
    OpenStackOperations.Delete SecurityGroup    ${SECURITY_GROUP}