34
34
from nova import utils
35
35
from nova.api.ec2 import cloud
36
36
from nova.compute import power_state
37
from nova.compute import vm_states
37
38
from nova.virt.libvirt import connection
38
39
from nova.virt.libvirt import firewall
40
from nova.tests import fake_network
41
43
FLAGS = flags.FLAGS
45
_fake_network_info = fake_network.fake_get_instance_nw_info
46
_ipv4_like = fake_network.ipv4_like
44
49
def _concurrency(wait, done, target):
49
def _create_network_info(count=1, ipv6=None):
53
fake_ip = '10.11.12.13'
57
fake_bridge_interface = 'eth0'
58
network = {'bridge': fake,
63
'bridge_interface': fake_bridge_interface}
64
mapping = {'mac': fake,
65
'dhcp_server': '10.0.0.1',
68
'ips': [{'ip': fake_ip}, {'ip': fake_ip}]}
70
mapping['ip6s'] = [{'ip': fake_ip},
73
return [(network, mapping) for x in xrange(0, count)]
76
def _setup_networking(instance_id, ip='1.2.3.4', mac='56:12:12:12:12:12'):
77
ctxt = context.get_admin_context()
78
network_ref = db.project_get_networks(ctxt,
81
vif = {'address': mac,
82
'network_id': network_ref['id'],
83
'instance_id': instance_id}
84
vif_ref = db.virtual_interface_create(ctxt, vif)
86
fixed_ip = {'address': ip,
87
'network_id': network_ref['id'],
88
'virtual_interface_id': vif_ref['id']}
89
db.fixed_ip_create(ctxt, fixed_ip)
90
db.fixed_ip_update(ctxt, ip, {'allocated': True,
91
'instance_id': instance_id})
94
54
class CacheConcurrencyTestCase(test.TestCase):
96
56
super(CacheConcurrencyTestCase, self).setUp()
162
122
self.context = context.get_admin_context()
163
123
self.flags(instances_path='')
164
124
self.call_libvirt_dependant_setup = False
165
self.test_ip = '10.11.12.13'
167
126
test_instance = {'memory_kb': '1024000',
168
127
'basepath': '/some/path',
276
235
instance_ref = db.instance_create(self.context, self.test_instance)
278
237
result = conn._prepare_xml_info(instance_ref,
279
_create_network_info(),
238
_fake_network_info(self.stubs, 1),
281
240
self.assertTrue(len(result['nics']) == 1)
283
242
result = conn._prepare_xml_info(instance_ref,
284
_create_network_info(2),
243
_fake_network_info(self.stubs, 2),
286
245
self.assertTrue(len(result['nics']) == 2)
407
366
def test_multi_nic(self):
408
367
instance_data = dict(self.test_instance)
409
network_info = _create_network_info(2)
368
network_info = _fake_network_info(self.stubs, 2)
410
369
conn = connection.LibvirtConnection(True)
411
370
instance_ref = db.instance_create(self.context, instance_data)
412
371
xml = conn.to_xml(instance_ref, network_info, False)
416
375
parameters = interfaces[0].findall('./filterref/parameter')
417
376
self.assertEquals(interfaces[0].get('type'), 'bridge')
418
377
self.assertEquals(parameters[0].get('name'), 'IP')
419
self.assertEquals(parameters[0].get('value'), '10.11.12.13')
378
self.assertTrue(_ipv4_like(parameters[0].get('value'), '192.168'))
420
379
self.assertEquals(parameters[1].get('name'), 'DHCPSERVER')
421
self.assertEquals(parameters[1].get('value'), '10.0.0.1')
380
self.assertTrue(_ipv4_like(parameters[1].get('value'), '192.168.*.1'))
423
382
def _check_xml_and_container(self, instance):
424
383
user_context = context.RequestContext(self.user_id,
426
385
instance_ref = db.instance_create(user_context, instance)
427
_setup_networking(instance_ref['id'], self.test_ip)
429
387
self.flags(libvirt_type='lxc')
430
388
conn = connection.LibvirtConnection(True)
432
390
uri = conn.get_uri()
433
391
self.assertEquals(uri, 'lxc:///')
435
network_info = _create_network_info()
393
network_info = _fake_network_info(self.stubs, 1)
436
394
xml = conn.to_xml(instance_ref, network_info)
437
395
tree = xml_to_tree(xml)
456
414
network_ref = db.project_get_networks(context.get_admin_context(),
457
415
self.project_id)[0]
459
_setup_networking(instance_ref['id'], self.test_ip)
461
417
type_uri_map = {'qemu': ('qemu:///system',
462
418
[(lambda t: t.find('.').get('type'), 'qemu'),
463
419
(lambda t: t.find('./os/type').text, 'hvm'),
503
459
common_checks = [
504
460
(lambda t: t.find('.').tag, 'domain'),
505
461
(lambda t: t.find(parameter).get('name'), 'IP'),
506
(lambda t: t.find(parameter).get('value'), '10.11.12.13'),
462
(lambda t: _ipv4_like(t.find(parameter).get('value'), '192.168'),
507
464
(lambda t: t.findall(parameter)[1].get('name'), 'DHCPSERVER'),
508
(lambda t: t.findall(parameter)[1].get('value'), '10.0.0.1'),
465
(lambda t: _ipv4_like(t.findall(parameter)[1].get('value'),
466
'192.168.*.1'), True),
509
467
(lambda t: t.find('./devices/serial/source').get(
510
468
'path').split('/')[1], 'console.log'),
511
469
(lambda t: t.find('./memory').text, '2097152')]
530
488
uri = conn.get_uri()
531
489
self.assertEquals(uri, expected_uri)
533
network_info = _create_network_info()
491
network_info = _fake_network_info(self.stubs, 1)
534
492
xml = conn.to_xml(instance_ref, network_info, rescue)
535
493
tree = xml_to_tree(xml)
536
494
for i, (check, expected_result) in enumerate(checks):
646
604
self.create_fake_libvirt_mock()
647
605
instance_ref = db.instance_create(self.context, self.test_instance)
648
network_info = _create_network_info()
606
network_info = _fake_network_info(self.stubs, 1)
651
609
self.mox.ReplayAll()
676
634
self.compute = utils.import_object(FLAGS.compute_manager)
677
instance_dict = {'host': 'fake', 'state': power_state.RUNNING,
678
'state_description': 'running'}
635
instance_dict = {'host': 'fake',
636
'power_state': power_state.RUNNING,
637
'vm_state': vm_states.ACTIVE}
679
638
instance_ref = db.instance_create(self.context, self.test_instance)
680
639
instance_ref = db.instance_update(self.context, instance_ref['id'],
713
672
self.compute.rollback_live_migration)
715
674
instance_ref = db.instance_get(self.context, instance_ref['id'])
716
self.assertTrue(instance_ref['state_description'] == 'running')
717
self.assertTrue(instance_ref['state'] == power_state.RUNNING)
675
self.assertTrue(instance_ref['vm_state'] == vm_states.ACTIVE)
676
self.assertTrue(instance_ref['power_state'] == power_state.RUNNING)
718
677
volume_ref = db.volume_get(self.context, volume_ref['id'])
719
678
self.assertTrue(volume_ref['status'] == 'in-use')
828
787
conn.firewall_driver.setattr('setup_basic_filtering', fake_none)
829
788
conn.firewall_driver.setattr('prepare_instance_filter', fake_none)
831
network_info = _create_network_info()
790
network_info = _fake_network_info(self.stubs, 1)
834
793
conn.spawn(self.context, instance, network_info)
921
880
"""setup_basic_rules in nwfilter calls this."""
923
882
self.fake_libvirt_connection = FakeLibvirtConnection()
924
self.test_ip = '10.11.12.13'
925
883
self.fw = firewall.IptablesFirewallDriver(
926
884
get_connection=lambda: self.fake_libvirt_connection)
985
943
def test_static_filters(self):
986
944
instance_ref = self._create_instance_ref()
987
945
src_instance_ref = self._create_instance_ref()
988
src_ip = '10.11.12.14'
989
src_mac = '56:12:12:12:12:13'
990
_setup_networking(instance_ref['id'], self.test_ip, src_mac)
991
_setup_networking(src_instance_ref['id'], src_ip)
993
947
admin_ctxt = context.get_admin_context()
994
948
secgroup = db.security_group_create(admin_ctxt,
1060
1014
print cmd, kwargs
1016
def get_fixed_ips(*args, **kwargs):
1018
for network, info in network_info:
1019
ips.extend(info['ips'])
1020
return [ip['ip'] for ip in ips]
1062
1022
from nova.network import linux_net
1063
1023
linux_net.iptables_manager.execute = fake_iptables_execute
1065
network_info = _create_network_info()
1025
network_info = _fake_network_info(self.stubs, 1)
1026
self.stubs.Set(db, 'instance_get_fixed_addresses', get_fixed_ips)
1066
1027
self.fw.prepare_instance_filter(instance_ref, network_info)
1067
1028
self.fw.apply_instance_filter(instance_ref, network_info)
1076
1037
instance_chain = None
1077
1038
for rule in self.out_rules:
1078
1039
# This is pretty crude, but it'll do for now
1079
if '-d 10.11.12.13 -j' in rule:
1040
# last two octets change
1041
if re.search('-d 192.168.[0-9]{1,3}.[0-9]{1,3} -j', rule):
1080
1042
instance_chain = rule.split(' ')[-1]
1082
1044
self.assertTrue(instance_chain, "The instance chain wasn't added")
1099
1061
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
1100
1062
"ICMP Echo Request acceptance rule wasn't added")
1102
regex = re.compile('-A .* -j ACCEPT -p tcp -m multiport '
1103
'--dports 80:81 -s %s' % (src_ip,))
1104
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
1105
"TCP port 80/81 acceptance rule wasn't added")
1064
for ip in get_fixed_ips():
1065
regex = re.compile('-A .* -j ACCEPT -p tcp -m multiport '
1066
'--dports 80:81 -s %s' % ip)
1067
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
1068
"TCP port 80/81 acceptance rule wasn't added")
1107
1070
regex = re.compile('-A .* -j ACCEPT -p tcp '
1108
1071
'-m multiport --dports 80:81 -s 192.168.10.0/24')
1113
1076
def test_filters_for_instance_with_ip_v6(self):
1114
1077
self.flags(use_ipv6=True)
1115
network_info = _create_network_info()
1078
network_info = _fake_network_info(self.stubs, 1)
1116
1079
rulesv4, rulesv6 = self.fw._filters_for_instance("fake", network_info)
1117
1080
self.assertEquals(len(rulesv4), 2)
1118
self.assertEquals(len(rulesv6), 3)
1081
self.assertEquals(len(rulesv6), 1)
1120
1083
def test_filters_for_instance_without_ip_v6(self):
1121
1084
self.flags(use_ipv6=False)
1122
network_info = _create_network_info()
1085
network_info = _fake_network_info(self.stubs, 1)
1123
1086
rulesv4, rulesv6 = self.fw._filters_for_instance("fake", network_info)
1124
1087
self.assertEquals(len(rulesv4), 2)
1125
1088
self.assertEquals(len(rulesv6), 0)
1127
1090
def test_multinic_iptables(self):
1128
ipv4_rules_per_network = 2
1129
ipv6_rules_per_network = 3
1091
ipv4_rules_per_addr = 1
1092
ipv4_addr_per_network = 2
1093
ipv6_rules_per_addr = 1
1094
ipv6_addr_per_network = 1
1130
1095
networks_count = 5
1131
1096
instance_ref = self._create_instance_ref()
1132
network_info = _create_network_info(networks_count)
1097
network_info = _fake_network_info(self.stubs, networks_count,
1098
ipv4_addr_per_network)
1133
1099
ipv4_len = len(self.fw.iptables.ipv4['filter'].rules)
1134
1100
ipv6_len = len(self.fw.iptables.ipv6['filter'].rules)
1135
1101
inst_ipv4, inst_ipv6 = self.fw.instance_rules(instance_ref,
1140
1106
ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len
1141
1107
ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len
1142
1108
self.assertEquals(ipv4_network_rules,
1143
ipv4_rules_per_network * networks_count)
1109
ipv4_rules_per_addr * ipv4_addr_per_network * networks_count)
1144
1110
self.assertEquals(ipv6_network_rules,
1145
ipv6_rules_per_network * networks_count)
1111
ipv6_rules_per_addr * ipv6_addr_per_network * networks_count)
1147
1113
def test_do_refresh_security_group_rules(self):
1148
1114
instance_ref = self._create_instance_ref()
1168
1134
fakefilter.nwfilterLookupByName
1169
1135
instance_ref = self._create_instance_ref()
1171
_setup_networking(instance_ref['id'], self.test_ip)
1172
network_info = _create_network_info()
1137
network_info = _fake_network_info(self.stubs, 1)
1173
1138
self.fw.setup_basic_filtering(instance_ref, network_info)
1174
1139
self.fw.prepare_instance_filter(instance_ref, network_info)
1175
1140
self.fw.apply_instance_filter(instance_ref, network_info)
1184
1149
def test_provider_firewall_rules(self):
1185
1150
# setup basic instance data
1186
1151
instance_ref = self._create_instance_ref()
1187
_setup_networking(instance_ref['id'], self.test_ip)
1188
1152
# FRAGILE: peeks at how the firewall names chains
1189
1153
chain_name = 'inst-%s' % instance_ref['id']
1191
1155
# create a firewall via setup_basic_filtering like libvirt_conn.spawn
1192
1156
# should have a chain with 0 rules
1193
network_info = _create_network_info(1)
1157
network_info = _fake_network_info(self.stubs, 1)
1194
1158
self.fw.setup_basic_filtering(instance_ref, network_info)
1195
1159
self.assertTrue('provider' in self.fw.iptables.ipv4['filter'].chains)
1196
1160
rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
1370
1333
instance_ref = self._create_instance()
1371
1334
inst_id = instance_ref['id']
1373
_setup_networking(instance_ref['id'], self.test_ip)
1375
def _ensure_all_called():
1336
def _ensure_all_called(mac):
1376
1337
instance_filter = 'nova-instance-%s-%s' % (instance_ref['name'],
1338
mac.translate(None, ':'))
1378
1339
secgroup_filter = 'nova-secgroup-%s' % self.security_group['id']
1379
1340
for required in [secgroup_filter, 'allow-dhcp-server',
1380
1341
'no-arp-spoofing', 'no-ip-spoofing',
1390
1351
self.security_group.id)
1391
1352
instance = db.instance_get(self.context, inst_id)
1393
network_info = _create_network_info()
1354
network_info = _fake_network_info(self.stubs, 1)
1355
# since there is one (network_info) there is one vif
1356
# pass this vif's mac to _ensure_all_called()
1357
# to set the instance_filter properly
1358
mac = network_info[0][1]['mac']
1394
1360
self.fw.setup_basic_filtering(instance, network_info)
1395
1361
self.fw.prepare_instance_filter(instance, network_info)
1396
1362
self.fw.apply_instance_filter(instance, network_info)
1397
_ensure_all_called()
1363
_ensure_all_called(mac)
1398
1364
self.teardown_security_group()
1399
1365
db.instance_destroy(context.get_admin_context(), instance_ref['id'])
1401
1367
def test_create_network_filters(self):
1402
1368
instance_ref = self._create_instance()
1403
network_info = _create_network_info(3)
1369
network_info = _fake_network_info(self.stubs, 3)
1404
1370
result = self.fw._create_network_filters(instance_ref,
1424
1390
instance = db.instance_get(self.context, inst_id)
1426
_setup_networking(instance_ref['id'], self.test_ip)
1427
network_info = _create_network_info()
1392
network_info = _fake_network_info(self.stubs, 1)
1428
1393
self.fw.setup_basic_filtering(instance, network_info)
1429
1394
self.fw.prepare_instance_filter(instance, network_info)
1430
1395
self.fw.apply_instance_filter(instance, network_info)