From 4f8f68dea9b168a933b1e05d89ed30e1bb4d8fbd Mon Sep 17 00:00:00 2001 From: Ross Brattain Date: Wed, 5 Jul 2017 01:36:47 -0700 Subject: heat: port_security_enabled, allowed_address_pairs, disable gateway_ip xe0: cidr: '10.0.2.0/24' vld_id: public allowed_address_pairs: - ip_address: '0.0.0.0/0' xe1: cidr: '10.0.3.0/24' vld_id: private allowed_address_pairs: - ip_address: '0.0.0.0/0' We need to disable gateways on data plane interfaces With TGs and VFNs we probably don't need gateway on data interfaces Change-Id: I276a7d591a0a3ff03877c4f525303fc2874de683 Signed-off-by: Ross Brattain --- tests/unit/benchmark/contexts/test_model.py | 35 ++++++++++++++++++++++------ yardstick/benchmark/contexts/heat.py | 7 ++++-- yardstick/benchmark/contexts/model.py | 29 +++++++++++++++++++---- yardstick/orchestrator/heat.py | 36 +++++++++++++++++++---------- 4 files changed, 81 insertions(+), 26 deletions(-) diff --git a/tests/unit/benchmark/contexts/test_model.py b/tests/unit/benchmark/contexts/test_model.py index 3fb186b9b..1ce550306 100644 --- a/tests/unit/benchmark/contexts/test_model.py +++ b/tests/unit/benchmark/contexts/test_model.py @@ -161,6 +161,23 @@ class NetworkTestCase(unittest.TestCase): self.assertEqual(model.Network.find_external_network(), 'ext_net') + def test_construct_gateway_ip_is_null(self): + + attrs = {'gateway_ip': 'null'} + test_network = model.Network('foo', self.mock_context, attrs) + self.assertEqual(test_network.gateway_ip, 'null') + + def test_construct_gateway_ip_is_none(self): + + attrs = {'gateway_ip': None} + test_network = model.Network('foo', self.mock_context, attrs) + self.assertEqual(test_network.gateway_ip, 'null') + + def test_construct_gateway_ip_is_absent(self): + + attrs = {} + test_network = model.Network('foo', self.mock_context, attrs) + self.assertIsNone(test_network.gateway_ip) class ServerTestCase(unittest.TestCase): 
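Review bot: The three new Network tests pin only `gateway_ip`; nothing in this hunk checks the defaults of the two security-relevant attributes the commit adds in model.py. A further test with empty attrs, asserting `self.assertTrue(test_network.port_security_enabled)` and `self.assertEqual(test_network.allowed_address_pairs, [])`, would keep a later edit from silently turning port filtering off by default. The empty-string form of `gateway_ip`, which the comment in model.py names as accepted, is also untested. NetworkTestCase begins outside the hunk.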
@@ -214,11 +231,12 @@ class ServerTestCase(unittest.TestCase): attrs = {'image': 'some-image', 'flavor': 'some-flavor', 'floating_ip': '192.168.1.10', 'floating_ip_assoc': 'some-vm'} test_server = model.Server('foo', self.mock_context, attrs) - self.mock_context.flavors = ['flavor1', 'flavor2', 'some-flavor'] + self.mock_context.flavors = ['flavor1', 'flavor2', 'some-flavor'] mock_network = mock.Mock() mock_network.name = 'some-network' mock_network.stack_name = 'some-network-stack' + mock_network.allowed_address_pairs = ["1", "2"] mock_network.subnet_stack_name = 'some-network-stack-subnet' mock_network.provider = 'sriov' mock_network.external_network = 'ext_net' @@ -232,7 +250,8 @@ class ServerTestCase(unittest.TestCase): mock_network.stack_name, mock_network.subnet_stack_name, sec_group_id=self.mock_context.secgroup_name, - provider=mock_network.provider) + provider=mock_network.provider, + allowed_address_pairs=mock_network.allowed_address_pairs) mock_template.add_floating_ip.assert_called_with( 'some-server-fip', @@ -290,11 +309,12 @@ class ServerTestCase(unittest.TestCase): } test_server = model.Server('ServerFlavor-2', self.mock_context, attrs) - self.mock_context.flavors = ['flavor2'] + self.mock_context.flavors = ['flavor2'] mock_network = mock.Mock() - mock_network.configure_mock(name='some-network', stack_name= 'some-network-stack', - subnet_stack_name = 'some-network-stack-subnet', - provider = 'some-provider') + mock_network.allowed_address_pairs = ["1", "2"] + mock_network.configure_mock(name='some-network', stack_name='some-network-stack', + subnet_stack_name='some-network-stack-subnet', + provider='some-provider') test_server._add_instance(mock_template, 'ServerFlavor-2', [mock_network], 'hints') 
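Review bot: `mock_network = mock.Mock()` (in the @@ -214 and @@ -290 hunks) leaves `port_security_enabled` as an auto-created Mock attribute, which is truthy, so both `_add_instance` tests only exercise the branch that attaches the security group. The assertions in the @@ -232 and @@ -304 hunks therefore never see the new path where the group is dropped. Setting `mock_network.port_security_enabled = True` explicitly, and adding a sibling test with `False` that asserts `sec_group_id=None` in the `add_port` call, would cover both branches. The test methods start outside these hunks.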
@@ -304,7 +324,8 @@ class ServerTestCase(unittest.TestCase): mock_network.stack_name, mock_network.subnet_stack_name, provider=mock_network.provider, - sec_group_id=self.mock_context.secgroup_name) + sec_group_id=self.mock_context.secgroup_name, + allowed_address_pairs=mock_network.allowed_address_pairs) mock_template.add_server.assert_called_with( 'ServerFlavor-2', 'some-image', diff --git a/yardstick/benchmark/contexts/heat.py b/yardstick/benchmark/contexts/heat.py index 0a94dd976..d5349eab5 100644 --- a/yardstick/benchmark/contexts/heat.py +++ b/yardstick/benchmark/contexts/heat.py @@ -152,9 +152,12 @@ class HeatContext(Context): template.add_network(network.stack_name, network.physical_network, network.provider, - network.segmentation_id) + network.segmentation_id, + network.port_security_enabled) template.add_subnet(network.subnet_stack_name, network.stack_name, - network.subnet_cidr) + network.subnet_cidr, + network.enable_dhcp, + network.gateway_ip) if network.router: template.add_router(network.router.stack_name, diff --git a/yardstick/benchmark/contexts/model.py b/yardstick/benchmark/contexts/model.py index 06538d8a9..6601ecf3b 100644 --- a/yardstick/benchmark/contexts/model.py +++ b/yardstick/benchmark/contexts/model.py 
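Review bot: In the yardstick/benchmark/contexts/heat.py hunk, `network.port_security_enabled` is passed to `add_network` as the fifth positional argument, and `network.enable_dhcp` and `network.gateway_ip` as the fourth and fifth of `add_subnet`. All three target parameters have defaults, so a later reordering of either signature would silently shift a security switch into another slot. Passing them by name, `port_security_enabled=network.port_security_enabled` and `enable_dhcp=network.enable_dhcp, gateway_ip=network.gateway_ip`, makes the call sites self-describing, as `_add_instance` already does for `add_port`. The enclosing HeatContext method starts and ends outside the hunk.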
@@ -104,11 +104,24 @@ class Network(Object): self.stack_name = context.name + "-" + self.name self.subnet_stack_name = self.stack_name + "-subnet" self.subnet_cidr = attrs.get('cidr', '10.0.1.0/24') + self.enable_dhcp = attrs.get('enable_dhcp', 'true') self.router = None self.physical_network = attrs.get('physical_network', 'physnet1') self.provider = attrs.get('provider') self.segmentation_id = attrs.get('segmentation_id') self.network_type = attrs.get('network_type') + self.port_security_enabled = attrs.get('port_security_enabled', True) + self.allowed_address_pairs = attrs.get('allowed_address_pairs', []) + try: + # we require 'null' or '' to disable setting gateway_ip + self.gateway_ip = attrs['gateway_ip'] + except KeyError: + # default to explicit None + self.gateway_ip = None + else: + # null is None in YAML, so we have to convert back to string + if self.gateway_ip is None: + self.gateway_ip = "null" if "external_network" in attrs: self.router = Router("router", self.name, @@ -234,10 +247,16 @@ class Server(Object): # pragma: no cover for network in networks: port_name = server_name + "-" + network.name + "-port" self.ports[network.name] = {"stack_name": port_name} - template.add_port(port_name, network.stack_name, - network.subnet_stack_name, - sec_group_id=self.secgroup_name, - provider=network.provider) + # we can't use secgroups if port_security_enabled is False + if network.port_security_enabled: + sec_group_id = self.secgroup_name + else: + sec_group_id = None + # don't refactor to pass in network object, that causes JSON + # circular ref encode errors + template.add_port(port_name, network.stack_name, network.subnet_stack_name, + sec_group_id=sec_group_id, provider=network.provider, + allowed_address_pairs=network.allowed_address_pairs) port_name_list.append(port_name) if self.floating_ip: 
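Review bot: `port_security_enabled` is stored exactly as it appears in the context file, and `_add_instance` in the next hunk tests it with a plain `if`, so a quoted `'false'` would be truthy. The model already uses the string `'true'` as the `enable_dhcp` default, so string booleans are plausible here. In that case the port would still request a security group on a network that Heat will most likely create with port security off. Rejecting anything that is not a real boolean, e.g. `if not isinstance(self.port_security_enabled, bool): raise ValueError("port_security_enabled must be true or false")`, keeps the model and the template in agreement. Whether existing context files quote this value cannot be seen from the diff, and `Network.__init__` starts outside the hunk.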
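Review bot: In `_add_instance` the security group is dropped when `network.port_security_enabled` is false, but `allowed_address_pairs` is still forwarded to `add_port` unconditionally. As far as I know Neutron refuses address pairs on a port whose port security is disabled, so a context file that sets both would only fail at stack creation. Checking the combination in the model and raising a clear error there would surface it earlier. A short comment on the `else` branch would also help, stating that such ports get no security-group or anti-spoofing filtering and belong on isolated data-plane networks only. The loop body continues outside the hunk.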
@@ -248,7 +267,7 @@ class Server(Object): # pragma: no cover external_network, port_name, network.router.stack_if_name, - self.secgroup_name) + sec_group_id) self.floating_ip_assoc["stack_name"] = \ server_name + "-fip-assoc" template.add_floating_ip_association( diff --git a/yardstick/orchestrator/heat.py b/yardstick/orchestrator/heat.py index 2a907d124..57b23d393 100644 --- a/yardstick/orchestrator/heat.py +++ b/yardstick/orchestrator/heat.py @@ -231,13 +231,16 @@ name (i.e. %s).\ } def add_network(self, name, physical_network='physnet1', provider=None, - segmentation_id=None): + segmentation_id=None, port_security_enabled=True): """add to the template a Neutron Net""" log.debug("adding Neutron::Net '%s'", name) if provider is None: self.resources[name] = { 'type': 'OS::Neutron::Net', - 'properties': {'name': name} + 'properties': { + 'name': name, + 'port_security_enabled': port_security_enabled, + } } else: self.resources[name] = { @@ -245,12 +248,12 @@ name (i.e. %s).\ 'properties': { 'name': name, 'network_type': 'vlan', - 'physical_network': physical_network - } + 'physical_network': physical_network, + 'port_security_enabled': port_security_enabled, + }, } if segmentation_id: - seg_id_dit = {'segmentation_id': segmentation_id} - self.resources[name]["properties"].update(seg_id_dit) + self.resources[name]['properties']['segmentation_id'] = segmentation_id def add_server_group(self, name, policies): # pragma: no cover """add to the template a ServerGroup""" @@ -262,8 +265,9 @@ name (i.e. %s).\ 'policies': policies} } - def add_subnet(self, name, network, cidr): - """add to the template a Neutron Subnet""" + def add_subnet(self, name, network, cidr, enable_dhcp='true', gateway_ip=None): + """add to the template a Neutron Subnet + """ log.debug("adding Neutron::Subnet '%s' in network '%s', cidr '%s'", name, network, cidr) self.resources[name] = { 
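Review bot: The `add_network` docstring still reads only "add to the template a Neutron Net", although the new `port_security_enabled` parameter changes the filtering of every port on the network. I would extend it along the lines of `port_security_enabled: when False, ports on this network are created without security groups or address anti-spoofing; defaults to True`. The property is now written in both the plain and the provider branch even at its default. If that is deliberate, to make the secure value explicit in the template, a one-line comment saying so would stop someone from simplifying it away later.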
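Review bot: `add_subnet` takes `enable_dhcp='true'` as a string while `add_network` in the same file takes `port_security_enabled=True` as a boolean; using `True` here and in `Network.__init__` would keep the two switches the same type. The reflowed docstring also says nothing about `gateway_ip`, whose handling in the following hunk is non-obvious: `None` leaves the property out, while any other value, including the `'null'` and `''` sentinels, is written to the template as-is. A docstring line such as `gateway_ip: None omits the property; 'null' or '' requests a subnet without a gateway` would record that. Whether Heat reads the string `'null'` as a null depends on how the template is serialized, which is not visible here.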
@@ -272,9 +276,12 @@ name (i.e. %s).\ 'properties': { 'name': name, 'cidr': cidr, - 'network_id': {'get_resource': network} + 'network_id': {'get_resource': network}, + 'enable_dhcp': enable_dhcp, } } + if gateway_ip is not None: + self.resources[name]['properties']['gateway_ip'] = gateway_ip self._template['outputs'][name] = { 'description': 'subnet %s ID' % name, @@ -316,9 +323,10 @@ name (i.e. %s).\ } } - def add_port(self, name, network_name, subnet_name, sec_group_id=None, - provider=None): - """add to the template a named Neutron Port""" + def add_port(self, name, network_name, subnet_name, sec_group_id=None, provider=None, + allowed_address_pairs=None): + """add to the template a named Neutron Port + """ log.debug("adding Neutron::Port '%s', network:'%s', subnet:'%s', " "secgroup:%s", name, network_name, subnet_name, sec_group_id) self.resources[name] = { @@ -341,6 +349,10 @@ name (i.e. %s).\ self.resources[name]['properties']['security_groups'] = \ [sec_group_id] + if allowed_address_pairs: + self.resources[name]['properties'][ + 'allowed_address_pairs'] = allowed_address_pairs + self._template['outputs'][name] = { 'description': 'Address for interface %s' % name, 'value': {'get_attr': [name, 'fixed_ips', 0, 'ip_address']} -- cgit 1.2.3-korg
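Review bot: `allowed_address_pairs` is copied into the port properties without any check, in the last hunk of `add_port`. The commit message's own example uses `ip_address: '0.0.0.0/0'`, which effectively switches off source-address filtering on that port. The docstring should say what the list contains and what it implies, for example `allowed_address_pairs: list of dicts with 'ip_address' (and optionally 'mac_address'); a wide CIDR removes anti-spoofing protection for the port`. The `log.debug` call at the top of the method could include the pairs as well, so that a deployment log shows which ports were opened up. `add_port`'s body is split across two hunks and is not fully visible.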