*** Settings ***
Documentation     Test suite to verify security groups basic and advanced functionalities, including negative tests.
...               These test cases are not so relevant for transparent mode, so each test case will be tagged with
...               "skip_if_transparent" to allow any underlying keywords to return with a PASS without risking
...               a false failure. The real value of this suite will be in stateful mode.
Suite Setup       Suite Setup
Suite Teardown    OpenStackOperations.OpenStack Suite Teardown
Test Setup        SetupUtils.Setup_Test_With_Logging_And_Without_Fast_Failing
Test Teardown     OpenStackOperations.Get Test Teardown Debugs
Force Tags        skip_if_${SECURITY_GROUP_MODE}
Library           OperatingSystem
Library           RequestsLibrary
Library           SSHLibrary
Resource          ../../../libraries/DevstackUtils.robot
Resource          ../../../libraries/KarafKeywords.robot
Resource          ../../../libraries/OpenStackOperations.robot
Resource          ../../../libraries/SetupUtils.robot
Resource          ../../../libraries/Utils.robot
Resource          ../../../libraries/RemoteBash.robot
Resource          ../../../variables/netvirt/Variables.robot

*** Variables ***
${SECURITY_GROUP}    sg_sg
@{NETWORKS}          sg_net_1    sg_net_2
@{SUBNETS}           sg_sub_1    sg_sub_2
@{NET_1_VMS}         sg_net_1_vm_1    sg_net_1_vm_2
@{NET_2_VMS}         sg_net_2_vm_1
@{SUBNET_CIDRS}      51.0.0.0/24    52.0.0.0/24

*** Test Cases ***
No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

No Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}    ping_should_succeed=False

No Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}    ping_should_succeed=False

Add Ping Allow Rules With Remote SG (only between VMs)
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=ingress    protocol=icmp    remote_group_id=${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=egress    protocol=icmp    remote_group_id=${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Show    ${SECURITY_GROUP}

Verify No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

Verify No Ping From DHCP To Vm Instance2
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Create Router
    [Documentation]    Create Router and Add Interface to the subnets.
    OpenStackOperations.Create Router    ${ROUTER}

Add Interfaces To Router
    FOR    ${interface}    IN    @{SUBNETS}
        OpenStackOperations.Add Router Interface    ${ROUTER}    ${interface}
    END

Ping From Vm Instance1 To Vm Instance3
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_2_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance1 To Vm Instance2 With a Router
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With a Router
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Add Additional Security Group To VMs
    [Documentation]    Add an additional security group to the VMs - this is done to test a different logic put in place for ports with multiple SGs
    OpenStackOperations.Security Group Create Without Default Security Rules    additional-sg
    # TODO Remove this after the Newton jobs are removed, Openstack CLI with Newton lacks support to configure rule with remote_ip_prefix
    OpenStackOperations.Neutron Security Group Rule Create    additional-sg    direction=ingress    protocol=icmp    remote_ip_prefix=${NET_1_DHCP_IP}/32
    OpenStackOperations.Neutron Security Group Show    additional-sg
    FOR    ${vm}    IN    @{NET_1_VMS}
        OpenStackOperations.Add Security Group To VM    ${vm}    additional-sg
    END

Ping From DHCP To Vm Instance1
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

Ping From DHCP To Vm Instance2
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Repeat Ping From Vm Instance1 To Vm Instance2 With additional SG
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips}    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With additional SG
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips}    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Test Connection when Rules Change Dynamically
    [Documentation]    Initiate ping from DHCP to VM instance and remove security rules
    ...    dynamically check the communication has stopped after removing the security group rules.
    ${net_id}=    OpenStackOperations.Get Net Id    @{NETWORKS}[0]
    Get ControlNode Connection
    ${output}=    SSHLibrary.Write    sudo ip netns exec qdhcp-${net_id} ping @{NET_1_VM_IPS}[0]
    Delete All Security Group Rules    additional-sg
    ${output}=    Read Until    packet loss
    Should Not Contain    ${output}    ${PING_REGEXP}

No Ping From DHCP To Vm Instance1 With Additional Security Group Rules Removed
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

No Ping From DHCP To Vm Instance2 With Additional Security Group Rules Removed
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Add The Rules To Additional Security Group Again
    OpenStackOperations.Neutron Security Group Rule Create    additional-sg    direction=ingress    protocol=icmp    remote_ip_prefix=${NET_1_DHCP_IP}/32

Ping From DHCP To Vm Instance1 After Rules Are Added Again
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

Ping From DHCP To Vm Instance2 After Rules Are Added Again
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Remove the additional Security Group from First Vm
    OpenStackOperations.Remove Security Group From VM    @{NET_1_VMS}[0]    additional-sg

Repeat Ping From Vm Instance1 To Vm Instance2 With Additional SG Removed From Vm1
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With Additional SG Removed From Vm1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Remove Router Interfaces
    FOR    ${interface}    IN    @{SUBNETS}
        OpenStackOperations.Remove Interface    ${ROUTER}    ${interface}
    END

Delete Router
    OpenStackOperations.Delete Router    ${ROUTER}

Repeat Ping From Vm Instance1 To Vm Instance2 With Router Removed
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips}    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With Router Removed
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips}    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Delete Vm Instances In net_2
    FOR    ${vm}    IN    @{NET_2_VMS}
        OpenStackOperations.Delete Vm Instance    ${vm}
    END

Repeat Ping From Vm Instance1 To Vm Instance2 With net_2 VM Deleted
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips}    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With net_2 VM Deleted
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

*** Keywords ***
Suite Setup
    OpenStackOperations.OpenStack Suite Setup
    OpenStackOperations.Create Network    @{NETWORKS}[0]
    OpenStackOperations.Create Network    @{NETWORKS}[1]
    BuiltIn.Wait Until Keyword Succeeds    10s    2s    Utils.Check For Elements At URI    ${NETWORK_URL}    ${NETWORKS}
    OpenStackOperations.Create SubNet    @{NETWORKS}[0]    @{SUBNETS}[0]    @{SUBNET_CIDRS}[0]
    OpenStackOperations.Create SubNet    @{NETWORKS}[1]    @{SUBNETS}[1]    @{SUBNET_CIDRS}[1]
    BuiltIn.Wait Until Keyword Succeeds    10s    2s    Utils.Check For Elements At URI    ${SUBNETWORK_URL}    ${SUBNETS}
    OpenStackOperations.Security Group Create Without Default Security Rules    ${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=ingress    port_range_max=65535    port_range_min=1    protocol=tcp
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=egress    port_range_max=65535    port_range_min=1    protocol=tcp
    OpenStackOperations.Neutron Security Group Show    ${SECURITY_GROUP}
    OpenStackOperations.Create Vm Instance On Compute Node    @{NETWORKS}[0]    @{NET_1_VMS}[0]    ${OS_CMP1_HOSTNAME}    sg=${SECURITY_GROUP}
    OpenStackOperations.Create Vm Instance On Compute Node    @{NETWORKS}[0]    @{NET_1_VMS}[1]    ${OS_CMP2_HOSTNAME}    sg=${SECURITY_GROUP}
    OpenStackOperations.Create Vm Instance On Compute Node    @{NETWORKS}[1]    @{NET_2_VMS}[0]    ${OS_CMP1_HOSTNAME}    sg=${SECURITY_GROUP}
    @{NET_1_VM_IPS}    ${NET_1_DHCP_IP} =    OpenStackOperations.Get VM IPs    @{NET_1_VMS}
    @{NET_2_VM_IPS}    ${NET_2_DHCP_IP} =    OpenStackOperations.Get VM IPs    @{NET_2_VMS}
    BuiltIn.Set Suite Variable    @{NET_1_VM_IPS}
    BuiltIn.Set Suite Variable    ${NET_1_DHCP_IP}
    BuiltIn.Set Suite Variable    @{NET_2_VM_IPS}
    BuiltIn.Should Not Contain    ${NET_1_VM_IPS}    None
    BuiltIn.Should Not Contain    ${NET_2_VM_IPS}    None
    BuiltIn.Should Not Contain    ${NET_1_DHCP_IP}    None
    BuiltIn.Should Not Contain    ${NET_2_DHCP_IP}    None
    OpenStackOperations.Show Debugs    @{NET_1_VMS}    @{NET_2_VMS}
    OpenStackOperations.Get Suite Debugs