*** Settings ***
Documentation     Test suite to verify security groups basic and advanced functionalities, including negative tests.
...               These test cases are not so relevant for transparent mode, so each test case will be tagged with
...               "skip_if_transparent" to allow any underlying keywords to return with a PASS without risking
...               a false failure. The real value of this suite will be in stateful mode.
Suite Setup       Suite Setup
Suite Teardown    OpenStackOperations.OpenStack Suite Teardown
Test Setup        SetupUtils.Setup_Test_With_Logging_And_Without_Fast_Failing
Test Teardown     OpenStackOperations.Get Test Teardown Debugs
Force Tags        skip_if_${SECURITY_GROUP_MODE}
Library           OperatingSystem
Library           RequestsLibrary
Resource          ../../../libraries/DevstackUtils.robot
Resource          ../../../libraries/KarafKeywords.robot
Resource          ../../../libraries/OpenStackOperations.robot
Resource          ../../../libraries/SetupUtils.robot
Resource          ../../../libraries/Utils.robot
Resource          ../../../libraries/RemoteBash.robot
Resource          ../../../variables/netvirt/Variables.robot

*** Variables ***
${SECURITY_GROUP}    sg_sg
@{NETWORKS}       sg_net_1    sg_net_2
@{SUBNETS}        sg_sub_1    sg_sub_2
@{NET_1_VMS}      sg_net_1_vm_1    sg_net_1_vm_2
@{NET_2_VMS}      sg_net_2_vm_1
@{SUBNET_CIDRS}    51.0.0.0/24    52.0.0.0/24

*** Test Cases ***
No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

No Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}    ping_should_succeed=False

No Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}    ping_should_succeed=False

Add Ping Allow Rules With Remote SG (only between VMs)
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=ingress    protocol=icmp    remote_group_id=${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=egress    protocol=icmp    remote_group_id=${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Show    ${SECURITY_GROUP}

Verify No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

Verify No Ping From DHCP To Vm Instance2
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

# The test case name is missing from this page; "Create Router" is assumed from the keyword it calls.
Create Router
    [Documentation]    Create Router and Add Interface to the subnets.
    OpenStackOperations.Create Router    ${ROUTER}

Add Interfaces To Router
    : FOR    ${interface}    IN    @{SUBNETS}
    \    OpenStackOperations.Add Router Interface    ${ROUTER}    ${interface}

Ping From Vm Instance1 To Vm Instance3
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_2_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance1 To Vm Instance2 With a Router
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With a Router
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Add Additional Security Group To VMs
    [Documentation]    Add an additional security group to the VMs - this is done to test a different logic put in place for ports with multiple SGs
    OpenStackOperations.Security Group Create Without Default Security Rules    additional-sg
    #TODO Remove this after the Newton jobs are removed, Openstack CLI with Newton lacks support to configure rule with remote_ip_prefix
    OpenStackOperations.Neutron Security Group Rule Create    additional-sg    direction=ingress    protocol=icmp    remote_ip_prefix=${NET_1_DHCP_IP}/32
    OpenStackOperations.Neutron Security Group Show    additional-sg
    : FOR    ${vm}    IN    @{NET_1_VMS}
    \    OpenStackOperations.Add Security Group To VM    ${vm}    additional-sg

Ping From DHCP To Vm Instance1
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

Ping From DHCP To Vm Instance2
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Repeat Ping From Vm Instance1 To Vm Instance2 With additional SG
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips}    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With additional SG
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips}    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Test Connection when Rules Change Dynamically
    [Documentation]    Initiate ping from DHCP to VM instance and remove security rules
    ...    dynamically check the communication has stopped after removing the security group rules.
    ${net_id}=    OpenstackOperations.Get Net Id    @{NETWORKS}[0]
    Get ControlNode Connection
    ${output}=    SSHLibrary.Write    sudo ip netns exec qdhcp-${net_id} ping @{NET_1_VM_IPS}[0]
    Delete All Security Group Rules    additional-sg
    ${output}=    Read Until    packet loss
    Should Not Contain    ${output}    ${PING_REGEXP}

No Ping From DHCP To Vm Instance1 With Additional Security Group Rules Removed
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

No Ping From DHCP To Vm Instance2 With Additional Security Group Rules Removed
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Add The Rules To Additional Security Group Again
    OpenStackOperations.Neutron Security Group Rule Create    additional-sg    direction=ingress    protocol=icmp    remote_ip_prefix=${NET_1_DHCP_IP}/32

Ping From DHCP To Vm Instance1 After Rules Are Added Again
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

Ping From DHCP To Vm Instance2 After Rules Are Added Again
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Remove the additional Security Group from First Vm
    OpenStackOperations.Remove Security Group From VM    @{NET_1_VMS}[0]    additional-sg

Repeat Ping From Vm Instance1 To Vm Instance2 With Additional SG Removed From Vm1
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With Additional SG Removed From Vm1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Remove Router Interfaces
    : FOR    ${interface}    IN    @{SUBNETS}
    \    OpenStackOperations.Remove Interface    ${ROUTER}    ${interface}

# The test case name is missing from this page; "Delete Router" is assumed from the keyword it calls.
Delete Router
    OpenStackOperations.Delete Router    ${ROUTER}

Repeat Ping From Vm Instance1 To Vm Instance2 With Router Removed
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips}    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With Router Removed
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips}    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Delete Vm Instances In net_2
    : FOR    ${vm}    IN    @{NET_2_VMS}
    \    OpenStackOperations.Delete Vm Instance    ${vm}

Repeat Ping From Vm Instance1 To Vm Instance2 With net_2 VM Deleted
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips}    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With net_2 VM Deleted
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

*** Keywords ***
Suite Setup
    OpenStackOperations.OpenStack Suite Setup
    OpenStackOperations.Create Network    @{NETWORKS}[0]
    OpenStackOperations.Create Network    @{NETWORKS}[1]
    BuiltIn.Wait Until Keyword Succeeds    10s    2s    Utils.Check For Elements At URI    ${NETWORK_URL}    ${NETWORKS}
    OpenStackOperations.Create SubNet    @{NETWORKS}[0]    @{SUBNETS}[0]    @{SUBNET_CIDRS}[0]
    OpenStackOperations.Create SubNet    @{NETWORKS}[1]    @{SUBNETS}[1]    @{SUBNET_CIDRS}[1]
    BuiltIn.Wait Until Keyword Succeeds    10s    2s    Utils.Check For Elements At URI    ${SUBNETWORK_URL}    ${SUBNETS}
    OpenStackOperations.Security Group Create Without Default Security Rules    ${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=ingress    port_range_max=65535    port_range_min=1    protocol=tcp
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=egress    port_range_max=65535    port_range_min=1    protocol=tcp
    OpenStackOperations.Neutron Security Group Show    ${SECURITY_GROUP}
    OpenStackOperations.Create Vm Instance On Compute Node    @{NETWORKS}[0]    @{NET_1_VMS}[0]    ${OS_CMP1_HOSTNAME}    sg=${SECURITY_GROUP}
    OpenStackOperations.Create Vm Instance On Compute Node    @{NETWORKS}[0]    @{NET_1_VMS}[1]    ${OS_CMP2_HOSTNAME}    sg=${SECURITY_GROUP}
    OpenStackOperations.Create Vm Instance On Compute Node    @{NETWORKS}[1]    @{NET_2_VMS}[0]    ${OS_CMP1_HOSTNAME}    sg=${SECURITY_GROUP}
    @{NET_1_VM_IPS}    ${NET_1_DHCP_IP} =    OpenStackOperations.Get VM IPs    @{NET_1_VMS}
    @{NET_2_VM_IPS}    ${NET_2_DHCP_IP} =    OpenStackOperations.Get VM IPs    @{NET_2_VMS}
    BuiltIn.Set Suite Variable    @{NET_1_VM_IPS}
    BuiltIn.Set Suite Variable    ${NET_1_DHCP_IP}
    BuiltIn.Set Suite Variable    @{NET_2_VM_IPS}
    BuiltIn.Should Not Contain    ${NET_1_VM_IPS}    None
    BuiltIn.Should Not Contain    ${NET_2_VM_IPS}    None
    BuiltIn.Should Not Contain    ${NET_1_DHCP_IP}    None
    BuiltIn.Should Not Contain    ${NET_2_DHCP_IP}    None
    OpenStackOperations.Show Debugs    @{NET_1_VMS}    @{NET_2_VMS}
    OpenStackOperations.Get Suite Debugs