*** Settings ***
Documentation    Test suite to verify security groups basic and advanced functionalities, including negative tests.
...    These test cases are not so relevant for transparent mode, so each test case will be tagged with
...    "skip_if_transparent" to allow any underlying keywords to return with a PASS without risking
...    a false failure. The real value of this suite will be in stateful mode.
Suite Setup    OpenStackOperations.OpenStack Suite Setup
Suite Teardown    OpenStackOperations.OpenStack Suite Teardown
Test Setup    SetupUtils.Setup_Test_With_Logging_And_Without_Fast_Failing
Test Teardown    OpenStackOperations.Get Test Teardown Debugs
Force Tags    skip_if_${SECURITY_GROUP_MODE}
Library    OperatingSystem
Library    RequestsLibrary
# SSHLibrary is needed for the SSHLibrary.Write call in the dynamic rule change test.
Library    SSHLibrary
Resource    ../../../libraries/DevstackUtils.robot
Resource    ../../../libraries/KarafKeywords.robot
Resource    ../../../libraries/OpenStackOperations.robot
Resource    ../../../libraries/SetupUtils.robot
Resource    ../../../libraries/Utils.robot
Resource    ../../../libraries/RemoteBash.robot
Resource    ../../../variables/netvirt/Variables.robot

*** Variables ***
${SECURITY_GROUP}    sg_sg
@{NETWORKS}    sg_net_1    sg_net_2
@{SUBNETS}    sg_sub_1    sg_sub_2
@{NET_1_VMS}    sg_net_1_vm_1    sg_net_1_vm_2
@{NET_2_VMS}    sg_net_2_vm_1
@{SUBNET_CIDRS}    51.0.0.0/24    52.0.0.0/24

*** Test Cases ***
# Test case name was lost in extraction; the name below is supplied.
Create Networks And Subnets
    OpenStackOperations.Create Network    @{NETWORKS}[0]
    OpenStackOperations.Create Network    @{NETWORKS}[1]
    BuiltIn.Wait Until Keyword Succeeds    10s    2s    Utils.Check For Elements At URI    ${NETWORK_URL}    ${NETWORKS}
    OpenStackOperations.Create SubNet    @{NETWORKS}[0]    @{SUBNETS}[0]    @{SUBNET_CIDRS}[0]
    OpenStackOperations.Create SubNet    @{NETWORKS}[1]    @{SUBNETS}[1]    @{SUBNET_CIDRS}[1]
    BuiltIn.Wait Until Keyword Succeeds    10s    2s    Utils.Check For Elements At URI    ${SUBNETWORK_URL}    ${SUBNETS}

# Test case name was lost in extraction; the name below is supplied.
Add TCP Allow Rules
    [Documentation]    Allow only TCP packets for this suite
    OpenStackOperations.Security Group Create Without Default Security Rules    ${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=ingress    port_range_max=65535    port_range_min=1    protocol=tcp
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=egress    port_range_max=65535    port_range_min=1    protocol=tcp
    OpenStackOperations.Neutron Security Group Show    ${SECURITY_GROUP}

Create Vm Instances For net_1
    [Documentation]    Create VM instances using flavor and image names for a network.
    OpenStackOperations.Create Vm Instance On Compute Node    @{NETWORKS}[0]    @{NET_1_VMS}[0]    ${OS_CMP1_HOSTNAME}    sg=${SECURITY_GROUP}
    OpenStackOperations.Create Vm Instance On Compute Node    @{NETWORKS}[0]    @{NET_1_VMS}[1]    ${OS_CMP2_HOSTNAME}    sg=${SECURITY_GROUP}

Create Vm Instances For net_2
    [Documentation]    Create VM instances using flavor and image names for a network.
    OpenStackOperations.Create Vm Instance On Compute Node    @{NETWORKS}[1]    @{NET_2_VMS}[0]    ${OS_CMP1_HOSTNAME}    sg=${SECURITY_GROUP}

Check Vm Instances Have Ip Address
    @{NET_1_VM_IPS}    ${NET_1_DHCP_IP} =    OpenStackOperations.Get VM IPs    @{NET_1_VMS}
    @{NET_2_VM_IPS}    ${NET_2_DHCP_IP} =    OpenStackOperations.Get VM IPs    @{NET_2_VMS}
    BuiltIn.Set Suite Variable    @{NET_1_VM_IPS}
    BuiltIn.Set Suite Variable    ${NET_1_DHCP_IP}
    BuiltIn.Set Suite Variable    @{NET_2_VM_IPS}
    BuiltIn.Should Not Contain    ${NET_1_VM_IPS}    None
    BuiltIn.Should Not Contain    ${NET_2_VM_IPS}    None
    BuiltIn.Should Not Contain    ${NET_1_DHCP_IP}    None
    BuiltIn.Should Not Contain    ${NET_2_DHCP_IP}    None
    [Teardown]    BuiltIn.Run Keywords    OpenStackOperations.Show Debugs    @{NET_1_VMS}
    ...    AND    OpenStackOperations.Get Test Teardown Debugs

No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

No Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}    ping_should_succeed=False

No Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}    ping_should_succeed=False

Add Ping Allow Rules With Remote SG (only between VMs)
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=ingress    protocol=icmp    remote_group_id=${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Rule Create    ${SECURITY_GROUP}    direction=egress    protocol=icmp    remote_group_id=${SECURITY_GROUP}
    OpenStackOperations.Neutron Security Group Show    ${SECURITY_GROUP}

Verify No Ping From DHCP To Vm Instance1
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

Verify No Ping From DHCP To Vm Instance2
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Ping From Vm Instance1 To Vm Instance2
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Ping From Vm Instance2 To Vm Instance1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

# Test case name was lost in extraction; the name below is supplied.
Create Router
    [Documentation]    Create Router and Add Interface to the subnets.
    OpenStackOperations.Create Router    ${ROUTER}

Add Interfaces To Router
    : FOR    ${interface}    IN    @{SUBNETS}
    \    OpenStackOperations.Add Router Interface    ${ROUTER}    ${interface}

Ping From Vm Instance1 To Vm Instance3
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_2_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance1 To Vm Instance2 With a Router
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With a Router
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Add Additional Security Group To VMs
    [Documentation]    Add an additional security group to the VMs - this is done to test a different logic put in place for ports with multiple SGs
    OpenStackOperations.Security Group Create Without Default Security Rules    additional-sg
    #TODO Remove this after the Newton jobs are removed, Openstack CLI with Newton lacks support to configure rule with remote_ip_prefix
    OpenStackOperations.Neutron Security Group Rule Create    additional-sg    direction=ingress    protocol=icmp    remote_ip_prefix=${NET_1_DHCP_IP}/32
    OpenStackOperations.Neutron Security Group Show    additional-sg
    : FOR    ${vm}    IN    @{NET_1_VMS}
    \    OpenStackOperations.Add Security Group To VM    ${vm}    additional-sg

Ping From DHCP To Vm Instance1
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

Ping From DHCP To Vm Instance2
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Repeat Ping From Vm Instance1 To Vm Instance2 With additional SG
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With additional SG
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Test Connection when Rules Change Dynamically
    [Documentation]    Initiate ping from DHCP to VM instance and remove security rules
    ...    dynamically check the communication has stopped after removing the security group rules.
    ${net_id}=    OpenStackOperations.Get Net Id    @{NETWORKS}[0]
    Get ControlNode Connection
    ${output}=    SSHLibrary.Write    sudo ip netns exec qdhcp-${net_id} ping @{NET_1_VM_IPS}[0]
    Delete All Security Group Rules    additional-sg
    ${output}=    Read Until    packet loss
    Should Not Contain    ${output}    received, 0% packet loss

No Ping From DHCP To Vm Instance1 With Additional Security Group Rules Removed
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

No Ping From DHCP To Vm Instance2 With Additional Security Group Rules Removed
    [Documentation]    Check non-reachability of vm instances by pinging to them.
    OpenStackOperations.Ping From DHCP Should Not Succeed    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Add The Rules To Additional Security Group Again
    OpenStackOperations.Neutron Security Group Rule Create    additional-sg    direction=ingress    protocol=icmp    remote_ip_prefix=${NET_1_DHCP_IP}/32

Ping From DHCP To Vm Instance1 After Rules Are Added Again
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]

Ping From DHCP To Vm Instance2 After Rules Are Added Again
    [Documentation]    Check reachability of vm instances by pinging to them from DHCP.
    OpenStackOperations.Ping Vm From DHCP Namespace    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]

Remove the additional Security Group from First Vm
    OpenStackOperations.Remove Security Group From VM    @{NET_1_VMS}[0]    additional-sg

Repeat Ping From Vm Instance1 To Vm Instance2 With Additional SG Removed From Vm1
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With Additional SG Removed From Vm1
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Remove Router Interfaces
    : FOR    ${interface}    IN    @{SUBNETS}
    \    OpenStackOperations.Remove Interface    ${ROUTER}    ${interface}

# Test case name was lost in extraction; the name below is supplied.
Delete Router
    OpenStackOperations.Delete Router    ${ROUTER}

Repeat Ping From Vm Instance1 To Vm Instance2 With Router Removed
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With Router Removed
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Delete Vm Instances In net_2
    : FOR    ${vm}    IN    @{NET_2_VMS}
    \    OpenStackOperations.Delete Vm Instance    ${vm}

Repeat Ping From Vm Instance1 To Vm Instance2 With net_2 VM Deleted
    [Documentation]    Login to the vm instance and test some operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[1]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[0]    ${vm_ips}

Repeat Ping From Vm Instance2 To Vm Instance1 With net_2 VM Deleted
    [Documentation]    Login to the vm instance and test operations
    ${vm_ips} =    BuiltIn.Create List    @{NET_1_VM_IPS}[0]
    OpenStackOperations.Test Operations From Vm Instance    @{NETWORKS}[0]    @{NET_1_VM_IPS}[1]    ${vm_ips}

Delete Vm Instances In net_1
    : FOR    ${VmElement}    IN    @{NET_1_VMS}
    \    OpenStackOperations.Delete Vm Instance    ${VmElement}

Delete Security Groups
    OpenStackOperations.Delete SecurityGroup    additional-sg
    OpenStackOperations.Delete SecurityGroup    ${SECURITY_GROUP}