CLOUDSTACK-5257: Fixed Network ACL issue related to Egress traffic

Signed-off-by: Girish Shilamkar <girish@clogeny.com>
Ashutosh K 2013-11-26 11:46:56 +05:30 committed by Girish Shilamkar
parent 764dec45fd
commit d6298302a1


@ -18,14 +18,33 @@
""" Component tests VM deployment in VPC network functionality """ Component tests VM deployment in VPC network functionality
""" """
#Import Local Modules #Import Local Modules
import marvin
from nose.plugins.attrib import attr from nose.plugins.attrib import attr
from marvin.cloudstackTestCase import * from marvin.cloudstackTestCase import cloudstackTestCase, unittest
from marvin.cloudstackAPI import * from marvin.integration.lib.base import (VirtualMachine,
from marvin.integration.lib.utils import * NetworkOffering,
from marvin.integration.lib.base import * VpcOffering,
from marvin.integration.lib.common import * VPC,
import datetime NetworkACL,
PrivateGateway,
StaticRoute,
Router,
Network,
Account,
ServiceOffering,
PublicIPAddress,
NATRule,
StaticNATRule,
Configurations)
from marvin.integration.lib.common import (get_domain,
get_zone,
get_template,
wait_for_cleanup,
get_free_vlan)
from marvin.integration.lib.utils import cleanup_resources
from marvin.cloudstackAPI import rebootRouter
class Services: class Services:
@ -105,18 +124,6 @@ class Services:
# Max networks allowed as per hypervisor # Max networks allowed as per hypervisor
# Xenserver -> 5, VMWare -> 9 # Xenserver -> 5, VMWare -> 9
}, },
"lbrule": {
"name": "SSH",
"alg": "leastconn",
# Algorithm used for load balancing
"privateport": 22,
"publicport": 2222,
"openfirewall": False,
"startport": 22,
"endport": 2222,
"protocol": "TCP",
"cidrlist": '0.0.0.0/0',
},
"natrule": { "natrule": {
"privateport": 22, "privateport": 22,
"publicport": 22, "publicport": 22,
@ -132,11 +139,9 @@ class Services:
# Any network (For creating FW rule) # Any network (For creating FW rule)
"protocol": "TCP" "protocol": "TCP"
}, },
"http_rule": { "icmp_rule": {
"startport": 80,
"endport": 80,
"cidrlist": '0.0.0.0/0', "cidrlist": '0.0.0.0/0',
"protocol": "TCP" "protocol": "ICMP"
}, },
"virtual_machine": { "virtual_machine": {
"displayname": "Test VM", "displayname": "Test VM",
@ -1893,7 +1898,7 @@ class TestVMDeployVPC(cloudstackTestCase):
network_1.id network_1.id
)) ))
nat_rule = NATRule.create( NATRule.create(
self.apiclient, self.apiclient,
vm_1, vm_1,
self.services["natrule"], self.services["natrule"],
@ -1903,14 +1908,6 @@ class TestVMDeployVPC(cloudstackTestCase):
vpcid=vpc.id vpcid=vpc.id
) )
self.debug("Adding NetwrokACl rules to make NAT rule accessible")
nwacl_nat = NetworkACL.create(
self.apiclient,
networkid=network_1.id,
services=self.services["natrule"],
traffictype='Ingress'
)
self.debug("Associating public IP for network: %s" % network_1.name) self.debug("Associating public IP for network: %s" % network_1.name)
public_ip_2 = PublicIPAddress.create( public_ip_2 = PublicIPAddress.create(
self.apiclient, self.apiclient,
@ -1972,26 +1969,92 @@ class TestVMDeployVPC(cloudstackTestCase):
network_2.id network_2.id
)) ))
self.debug("Adding NetworkACl rules to make PF accessible") NATRule.create(
nwacl_lb = NetworkACL.create( self.apiclient,
vm_3,
self.services["natrule"],
ipaddressid=public_ip_3.ipaddress.id,
openfirewall=False,
networkid=network_2.id,
vpcid=vpc.id
)
self.debug("Associating public IP for network: %s" % network_2.name)
public_ip_4 = PublicIPAddress.create(
self.apiclient,
accountid=self.account.name,
zoneid=self.zone.id,
domainid=self.account.domainid,
networkid=network_2.id,
vpcid=vpc.id
)
self.debug("Associated %s with network %s" % (
public_ip_4.ipaddress.ipaddress,
network_2.id
))
self.debug("Enabling static NAT for IP: %s" %
public_ip_4.ipaddress.ipaddress)
try:
StaticNATRule.enable(
self.apiclient,
ipaddressid=public_ip_4.ipaddress.id,
virtualmachineid=vm_3.id,
networkid=network_2.id
)
self.debug("Static NAT enabled for IP: %s" %
public_ip_4.ipaddress.ipaddress)
except Exception as e:
self.fail("Failed to enable static NAT on IP: %s - %s" % (
public_ip_4.ipaddress.ipaddress, e))
public_ips = PublicIPAddress.list(
self.apiclient, self.apiclient,
networkid=network_2.id, networkid=network_2.id,
services=self.services["lbrule"], listall=True,
isstaticnat=True,
account=self.account.name,
domainid=self.account.domainid
)
self.assertEqual(
isinstance(public_ips, list),
True,
"List public Ip for network should list the Ip addr"
)
self.assertEqual(
public_ips[0].ipaddress,
public_ip_4.ipaddress.ipaddress,
"List public Ips %s for network should list the Ip addr %s"
% (public_ips[0].ipaddress, public_ip_4.ipaddress.ipaddress )
)
self.debug("Adding NetwrokACl rules to make NAT rule accessible with network %s" % network_1.id)
NetworkACL.create(
self.apiclient,
networkid=network_1.id,
services=self.services["natrule"],
traffictype='Ingress'
)
self.debug("Adding NetworkACl rules to make NAT rule accessible with network: %s" % network_2.id)
NetworkACL.create(
self.apiclient,
networkid=network_2.id,
services=self.services["natrule"],
traffictype='Ingress' traffictype='Ingress'
) )
self.debug( self.debug(
"Adding Egress rules to network to allow access to internet") "Adding Egress rules to network to allow access to internet")
nwacl_internet_1 = NetworkACL.create( NetworkACL.create(
self.apiclient, self.apiclient,
networkid=network_1.id, networkid=network_1.id,
services=self.services["http_rule"], services=self.services["icmp_rule"],
traffictype='Egress' traffictype='Egress'
) )
nwacl_internet_2 = NetworkACL.create( NetworkACL.create(
self.apiclient, self.apiclient,
networkid=network_2.id, networkid=network_2.id,
services=self.services["http_rule"], services=self.services["icmp_rule"],
traffictype='Egress' traffictype='Egress'
) )
@ -2037,165 +2100,6 @@ class TestVMDeployVPC(cloudstackTestCase):
"List static route should return a valid response" "List static route should return a valid response"
) )
self.debug("Associating public IP for network: %s" % network_2.name)
public_ip_5 = PublicIPAddress.create(
self.apiclient,
accountid=self.account.name,
zoneid=self.zone.id,
domainid=self.account.domainid,
networkid=network_2.id,
vpcid=vpc.id
)
self.debug("Associated %s with network %s" % (
public_ip_5.ipaddress.ipaddress,
network_2.id
))
nat_rule = NATRule.create(
self.apiclient,
vm_3,
self.services["natrule"],
ipaddressid=public_ip_5.ipaddress.id,
openfirewall=False,
networkid=network_2.id,
vpcid=vpc.id
)
self.debug("Adding NetworkACl rules to make NAT rule accessible")
nwacl_nat = NetworkACL.create(
self.apiclient,
networkid=network_2.id,
services=self.services["natrule"],
traffictype='Ingress'
)
self.debug("Associating public IP for network: %s" % network_2.name)
public_ip_6 = PublicIPAddress.create(
self.apiclient,
accountid=self.account.name,
zoneid=self.zone.id,
domainid=self.account.domainid,
networkid=network_2.id,
vpcid=vpc.id
)
self.debug("Associated %s with network %s" % (
public_ip_6.ipaddress.ipaddress,
network_2.id
))
self.debug("Enabling static NAT for IP: %s" %
public_ip_6.ipaddress.ipaddress)
try:
StaticNATRule.enable(
self.apiclient,
ipaddressid=public_ip_6.ipaddress.id,
virtualmachineid=vm_3.id,
networkid=network_2.id
)
self.debug("Static NAT enabled for IP: %s" %
public_ip_6.ipaddress.ipaddress)
except Exception as e:
self.fail("Failed to enable static NAT on IP: %s - %s" % (
public_ip_6.ipaddress.ipaddress, e))
public_ips = PublicIPAddress.list(
self.apiclient,
networkid=network_2.id,
listall=True,
isstaticnat=True,
account=self.account.name,
domainid=self.account.domainid
)
self.assertEqual(
isinstance(public_ips, list),
True,
"List public Ip for network should list the Ip addr"
)
self.assertEqual(
public_ips[0].ipaddress,
public_ip_6.ipaddress.ipaddress,
"List public Ips %s for network should list the Ip addr %s"
% (public_ips[0].ipaddress, public_ip_6.ipaddress.ipaddress )
)
self.debug("Associating public IP for network: %s" % vpc.name)
public_ip_7 = PublicIPAddress.create(
self.apiclient,
accountid=self.account.name,
zoneid=self.zone.id,
domainid=self.account.domainid,
networkid=network_2.id,
vpcid=vpc.id
)
self.debug("Associated %s with network %s" % (
public_ip_7.ipaddress.ipaddress,
network_2.id
))
self.debug("Adding NetwrokACl rules to make PF accessible")
nwacl_lb = NetworkACL.create(
self.apiclient,
networkid=network_2.id,
services=self.services["lbrule"],
traffictype='Ingress'
)
self.debug(
"Adding Egress rules to network to allow access to internet")
nwacl_internet_3 = NetworkACL.create(
self.apiclient,
networkid=network_1.id,
services=self.services["http_rule"],
traffictype='Egress'
)
nwacl_internet_4 = NetworkACL.create(
self.apiclient,
networkid=network_2.id,
services=self.services["http_rule"],
traffictype='Egress'
)
vlan = get_free_vlan(self.api_client, self.zone.id)[1]
if vlan is None:
self.fail("Failed to get free vlan id in the zone")
self.debug("Creating private gateway in VPC: %s" % vpc.name)
private_gateway = PrivateGateway.create(
self.apiclient,
gateway='10.2.4.1',
ipaddress='10.2.4.2',
netmask='255.255.255.0',
vlan=vlan,
vpcid=vpc.id
)
self.debug("Check if the private gateway created successfully?")
gateways = PrivateGateway.list(
self.apiclient,
id=private_gateway.id,
listall=True
)
self.assertEqual(
isinstance(gateways, list),
True,
"List private gateways should return a valid response"
)
self.debug("Creating static route for this gateway")
static_route = StaticRoute.create(
self.apiclient,
cidr='10.2.4.0/24',
gatewayid=private_gateway.id
)
self.debug("Check if the static route created successfully?")
static_routes = StaticRoute.list(
self.apiclient,
id=static_route.id,
listall=True
)
self.assertEqual(
isinstance(static_routes, list),
True,
"List static route should return a valid response"
)
self.debug("Restaring the network 1 (%s) with cleanup=True" % self.debug("Restaring the network 1 (%s) with cleanup=True" %
network_1.name) network_1.name)
try: try:
@ -2298,10 +2202,19 @@ class TestVMDeployVPC(cloudstackTestCase):
except Exception as e: except Exception as e:
self.fail("Failed to delete network: %s, %s" % (network_1.name, e)) self.fail("Failed to delete network: %s, %s" % (network_1.name, e))
self.debug("Restaring the network 2 (%s) with cleanup=True" %
network_2.name)
try:
network_2.restart(self.apiclient, cleanup=True)
except Exception as e:
self.fail(
"Failed to restart network: %s, %s" %
(network_2.name, e))
self.debug("Checking if we can SSH into VM_3?") self.debug("Checking if we can SSH into VM_3?")
try: try:
ssh_4 = vm_3.get_ssh_client( ssh_3 = vm_3.get_ssh_client(
ipaddress=public_ip_5.ipaddress.ipaddress, ipaddress=public_ip_3.ipaddress.ipaddress,
reconnect=True, reconnect=True,
port=self.services["natrule"]["publicport"] port=self.services["natrule"]["publicport"]
) )
@ -2309,7 +2222,7 @@ class TestVMDeployVPC(cloudstackTestCase):
self.debug("Verifying if we can ping to outside world from VM?") self.debug("Verifying if we can ping to outside world from VM?")
# Ping to outsite world # Ping to outsite world
res = ssh_4.execute("ping -c 1 www.google.com") res = ssh_3.execute("ping -c 1 www.google.com")
# res = 64 bytes from maa03s17-in-f20.1e100.net (74.125.236.212): # res = 64 bytes from maa03s17-in-f20.1e100.net (74.125.236.212):
# icmp_req=1 ttl=57 time=25.9 ms # icmp_req=1 ttl=57 time=25.9 ms
# --- www.l.google.com ping statistics --- # --- www.l.google.com ping statistics ---
@ -2317,7 +2230,7 @@ class TestVMDeployVPC(cloudstackTestCase):
# rtt min/avg/max/mdev = 25.970/25.970/25.970/0.000 ms # rtt min/avg/max/mdev = 25.970/25.970/25.970/0.000 ms
except Exception as e: except Exception as e:
self.fail("Failed to SSH into VM - %s, %s" % self.fail("Failed to SSH into VM - %s, %s" %
(public_ip_5.ipaddress.ipaddress, e)) (public_ip_3.ipaddress.ipaddress, e))
result = str(res) result = str(res)
self.assertEqual( self.assertEqual(
@ -2326,20 +2239,20 @@ class TestVMDeployVPC(cloudstackTestCase):
"Ping to outside world from VM should be successful" "Ping to outside world from VM should be successful"
) )
self.debug("Checking if we can SSH into VM_2?") self.debug("Checking if we can SSH into VM_4?")
try: try:
ssh_5 = vm_3.get_ssh_client( ssh_4 = vm_4.get_ssh_client(
ipaddress=public_ip_6.ipaddress.ipaddress, ipaddress=public_ip_4.ipaddress.ipaddress,
reconnect=True, reconnect=True,
port=self.services["natrule"]["publicport"] port=self.services["natrule"]["publicport"]
) )
self.debug("SSH into VM is successfully") self.debug("SSH into VM is successfully")
self.debug("Verifying if we can ping to outside world from VM?") self.debug("Verifying if we can ping to outside world from VM?")
res = ssh_5.execute("ping -c 1 www.google.com") res = ssh_4.execute("ping -c 1 www.google.com")
except Exception as e: except Exception as e:
self.fail("Failed to SSH into VM - %s, %s" % self.fail("Failed to SSH into VM - %s, %s" %
(public_ip_6.ipaddress.ipaddress, e)) (public_ip_4.ipaddress.ipaddress, e))
result = str(res) result = str(res)
self.assertEqual( self.assertEqual(
@ -2369,15 +2282,13 @@ class TestVMDeployVPC(cloudstackTestCase):
None, None,
"List VPC network should not return a valid list" "List VPC network should not return a valid list"
) )
networks = Network.list(
self.debug("Trying to list the networks in the account, this should fail as account does not exist now")
with self.assertRaises(Exception):
Network.list(
self.apiclient, self.apiclient,
account=self.account.name, account=self.account.name,
domainid=self.account.domainid domainid=self.account.domainid
) )
self.assertEqual(
networks,
None,
"List networks shall not return any response"
)
return return
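Review bot: In the static-NAT verification added in the hunk at `@ -1972,26 +1969,92 @@`, the result of `PublicIPAddress.list(..., isstaticnat=True, ...)` is only checked with `isinstance(public_ips, list)` before `public_ips[0].ipaddress` is read, so an empty list passes the first assertion and the test then dies with an IndexError rather than a failure naming the missing address; add `self.assertTrue(public_ips, "No static NAT IP listed for network %s" % network_2.id)` before the comparison. The new `icmp_rule` carries only `cidrlist` and `protocol`, so the two Egress ACLs created from it for network_1 and network_2 are presumably open to every ICMP type toward 0.0.0.0/0; if the marvin `NetworkACL.create` helper honours `icmptype`/`icmpcode` keys, echo request is all the ping check needs, which is worth confirming against the helper. The debug string `"Adding NetwrokACl rules to make NAT rule accessible with network %s"` for network_1 keeps the "Netwrok" typo while the network_2 line directly below is spelled correctly. The enclosing test method starts before the first hunk, and `public_ip_4` is not visibly added to any cleanup list in the shown hunks, so its release on teardown cannot be verified from here.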