From ac4587e04248eb53c4df9519b6f918567949bedc Mon Sep 17 00:00:00 2001 From: rexlee8776 Date: Wed, 8 Aug 2018 08:54:59 +0000 Subject: [PATCH] Make security group configurable - dovetail Make the security group configurable via the context. The format would be: context: name: demo image: yardstick-image flavor: yardstick-flavor user: ubuntu security_group: rules: - remote_ip_prefix: "0.0.0.0/0" protocol: "tcp" port_range_min: 1 port_range_max: 65535 - remote_ip_prefix: "0.0.0.0/0" protocol: "udp" port_range_min: 1 port_range_max: 65535 - remote_ip_prefix: "0.0.0.0/0" protocol: "icmp" JIRA: YARDSTICK-1360 Change-Id: I00c45767ee2d70b790590e824599d5a4c274bced Signed-off-by: rexlee8776 (cherry picked from commit cea576574ac0554c1320179bffe6965ac1333972) --- samples/ping-security-group.yaml | 74 +++++++++++++ yardstick/benchmark/contexts/heat.py | 6 +- yardstick/orchestrator/heat.py | 121 +++++++++++---------- .../tests/unit/benchmark/contexts/test_heat.py | 3 +- yardstick/tests/unit/orchestrator/test_heat.py | 19 ++++ 5 files changed, 165 insertions(+), 58 deletions(-) create mode 100644 samples/ping-security-group.yaml diff --git a/samples/ping-security-group.yaml b/samples/ping-security-group.yaml new file mode 100644 index 000000000..1545ee1cf --- /dev/null +++ b/samples/ping-security-group.yaml 
@@ -0,0 +1,74 @@
+##############################################################################
+# Copyright (c) 2018 Huawei Technologies Co.,Ltd and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+# Sample ping test case using custom security group
+# measure network latency using ping
+
+schema: "yardstick:task:0.1"
+
+{% set provider = provider or none %}
+{% set physical_network = physical_network or 'physnet1' %}
+{% set segmentation_id = segmentation_id or none %}
+scenarios:
+-
+ type: Ping
+ options:
+ packetsize: 200
+ host: athena.demo
+ target: ares.demo
+
+ runner:
+ type: Duration
+ duration: 60
+ interval: 1
+
+ sla:
+ max_rtt: 10
+ action: monitor
+
+context:
+ name: demo
+ image: yardstick-image
+ flavor: yardstick-flavor
+ user: ubuntu
+ security_group:
+ rules:
+ - remote_ip_prefix: "0.0.0.0/0"
+ protocol: "tcp"
+ port_range_min: 1
+ port_range_max: 65535
+ - remote_ip_prefix: "0.0.0.0/0"
+ protocol: "udp"
+ port_range_min: 1
+ port_range_max: 65535
+ - remote_ip_prefix: "0.0.0.0/0"
+ protocol: "icmp"
+
+ placement_groups:
+ pgrp1:
+ policy: "availability"
+
+ servers:
+ athena:
+ floating_ip: true
+ placement: "pgrp1"
+ ares:
+ placement: "pgrp1"
+
+
+ networks:
+ test:
+ cidr: '10.0.1.0/24'
+ {% if provider == "vlan" %}
+ provider: {{provider}}
+ physical_network: {{physical_network}}
+ {% if segmentation_id %}
+ segmentation_id: {{segmentation_id}}
+ {% endif %}
+ {% endif %}
diff --git a/yardstick/benchmark/contexts/heat.py b/yardstick/benchmark/contexts/heat.py
index ac85b6ffe..1be746bf3 100644
--- a/yardstick/benchmark/contexts/heat.py
+++ b/yardstick/benchmark/contexts/heat.py
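Review bot: The sample's `security_group.rules` open every TCP and UDP port to `0.0.0.0/0` while `athena` is given `floating_ip: true`, so a task file copied from this sample exposes the instance over IPv4 ingress exactly as widely as the built-in default rules do. Because this file is the reference for the new option, it would teach more if it showed a narrowed policy, for example ICMP from the test network `10.0.1.0/24` plus whatever management port Yardstick needs (presumably SSH; that is not visible in this patch). At minimum, add a comment above the rules such as `# Example only: restrict remote_ip_prefix and the port range to what the test needs`.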
@@ -58,6 +58,7 @@ class HeatContext(Context): self.server_groups = [] self.keypair_name = None self.secgroup_name = None + self.security_group = None self._server_map = {} self.attrs = {} self._image = None @@ -117,8 +118,11 @@ class HeatContext(Context): return self.keypair_name = h_join(self.name, "key") + self.secgroup_name = h_join(self.name, "secgroup") + self.security_group = attrs.get("security_group") + self._image = attrs.get("image") self._flavor = attrs.get("flavor") @@ -184,7 +188,7 @@ class HeatContext(Context): self.flavors.add(flavor) template.add_keypair(self.keypair_name, self.name) - template.add_security_group(self.secgroup_name) + template.add_security_group(self.secgroup_name, self.security_group) for network in self.networks.values(): # Using existing network diff --git a/yardstick/orchestrator/heat.py b/yardstick/orchestrator/heat.py index bfc1f7061..d2d13aaeb 100644 --- a/yardstick/orchestrator/heat.py +++ b/yardstick/orchestrator/heat.py 
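Review bot: `self.security_group = attrs.get("security_group")` in the second hunk stores whatever the task file supplies, and the third hunk hands it to `template.add_security_group` unchecked, so a value that is not a mapping (for example a bare list of rules) would only fail later at `security_group.get('rules')` in yardstick/orchestrator/heat.py. A shape check here would give the user an error that names the offending key, e.g. `if self.security_group is not None and not isinstance(self.security_group, dict): raise ValueError("security_group must be a mapping with a 'rules' list")`. The enclosing methods start and end outside these hunks, so any validation done elsewhere in them is not visible here.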
@@ -479,68 +479,77 @@ name (i.e. %s). 'value': {'get_resource': name} } - def add_security_group(self, name): + def add_security_group(self, name, security_group=None): """add to the template a Neutron SecurityGroup""" log.debug("adding Neutron::SecurityGroup '%s'", name) + description = ("Group allowing IPv4 and IPv6 for icmp and upd/tcp on" + "all ports") + rules = [ + {'remote_ip_prefix': '0.0.0.0/0', + 'protocol': 'tcp', + 'port_range_min': '1', + 'port_range_max': '65535'}, + {'remote_ip_prefix': '0.0.0.0/0', + 'protocol': 'udp', + 'port_range_min': '1', + 'port_range_max': '65535'}, + {'remote_ip_prefix': '0.0.0.0/0', + 'protocol': 'icmp'}, + {'remote_ip_prefix': '::/0', + 'ethertype': 'IPv6', + 'protocol': 'tcp', + 'port_range_min': '1', + 'port_range_max': '65535'}, + {'remote_ip_prefix': '::/0', + 'ethertype': 'IPv6', + 'protocol': 'udp', + 'port_range_min': '1', + 'port_range_max': '65535'}, + {'remote_ip_prefix': '::/0', + 'ethertype': 'IPv6', + 'protocol': 'ipv6-icmp'}, + {'remote_ip_prefix': '0.0.0.0/0', + 'direction': 'egress', + 'protocol': 'tcp', + 'port_range_min': '1', + 'port_range_max': '65535'}, + {'remote_ip_prefix': '0.0.0.0/0', + 'direction': 'egress', + 'protocol': 'udp', + 'port_range_min': '1', + 'port_range_max': '65535'}, + {'remote_ip_prefix': '0.0.0.0/0', + 'direction': 'egress', + 'protocol': 'icmp'}, + {'remote_ip_prefix': '::/0', + 'direction': 'egress', + 'ethertype': 'IPv6', + 'protocol': 'tcp', + 'port_range_min': '1', + 'port_range_max': '65535'}, + {'remote_ip_prefix': '::/0', + 'direction': 'egress', + 'ethertype': 'IPv6', + 'protocol': 'udp', + 'port_range_min': '1', + 'port_range_max': '65535'}, + {'remote_ip_prefix': '::/0', + 'direction': 'egress', + 'ethertype': 'IPv6', + 'protocol': 'ipv6-icmp'}, + ] + if security_group: + description = "Custom security group rules defined by the user" + rules = security_group.get('rules') + + log.debug("The security group rules is %s", rules) + self.resources[name] = { 'type': 
'OS::Neutron::SecurityGroup', 'properties': { 'name': name, - 'description': "Group allowing IPv4 and IPv6 for icmp and upd/tcp on all ports", - 'rules': [ - {'remote_ip_prefix': '0.0.0.0/0', - 'protocol': 'tcp', - 'port_range_min': '1', - 'port_range_max': '65535'}, - {'remote_ip_prefix': '0.0.0.0/0', - 'protocol': 'udp', - 'port_range_min': '1', - 'port_range_max': '65535'}, - {'remote_ip_prefix': '0.0.0.0/0', - 'protocol': 'icmp'}, - {'remote_ip_prefix': '::/0', - 'ethertype': 'IPv6', - 'protocol': 'tcp', - 'port_range_min': '1', - 'port_range_max': '65535'}, - {'remote_ip_prefix': '::/0', - 'ethertype': 'IPv6', - 'protocol': 'udp', - 'port_range_min': '1', - 'port_range_max': '65535'}, - {'remote_ip_prefix': '::/0', - 'ethertype': 'IPv6', - 'protocol': 'ipv6-icmp'}, - {'remote_ip_prefix': '0.0.0.0/0', - 'direction': 'egress', - 'protocol': 'tcp', - 'port_range_min': '1', - 'port_range_max': '65535'}, - {'remote_ip_prefix': '0.0.0.0/0', - 'direction': 'egress', - 'protocol': 'udp', - 'port_range_min': '1', - 'port_range_max': '65535'}, - {'remote_ip_prefix': '0.0.0.0/0', - 'direction': 'egress', - 'protocol': 'icmp'}, - {'remote_ip_prefix': '::/0', - 'direction': 'egress', - 'ethertype': 'IPv6', - 'protocol': 'tcp', - 'port_range_min': '1', - 'port_range_max': '65535'}, - {'remote_ip_prefix': '::/0', - 'direction': 'egress', - 'ethertype': 'IPv6', - 'protocol': 'udp', - 'port_range_min': '1', - 'port_range_max': '65535'}, - {'remote_ip_prefix': '::/0', - 'direction': 'egress', - 'ethertype': 'IPv6', - 'protocol': 'ipv6-icmp'}, - ] + 'description': description, + 'rules': rules } } diff --git a/yardstick/tests/unit/benchmark/contexts/test_heat.py b/yardstick/tests/unit/benchmark/contexts/test_heat.py index df57ca4b3..c72844bbe 100644 --- a/yardstick/tests/unit/benchmark/contexts/test_heat.py +++ b/yardstick/tests/unit/benchmark/contexts/test_heat.py 
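Review bot: `if security_group:` treats an empty mapping as absent, so a task that sets `security_group: {}` silently gets the built-in allow-all rule set rather than the restricted one the author asked for, and a mapping without a `rules` key puts `None` into the template because `security_group.get('rules')` has no default. Testing `if security_group is not None:` and reading `rules = security_group.get('rules') or []` would make the override explicit (whether Heat accepts an empty rule list is worth confirming). Separately, the new `description` is built from two adjacent literals with no space between them, so it renders as "...upd/tcp onall ports"; the first literal should end in `on ` (and `upd` is presumably meant to be `udp`). The docstring should also say that a supplied `security_group` replaces the default rules entirely instead of extending them, including the IPv6 and egress entries.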
@@ -72,6 +72,7 @@ class HeatContextTestCase(unittest.TestCase): self.assertEqual(self.test_context.server_groups, []) self.assertIsNone(self.test_context.keypair_name) self.assertIsNone(self.test_context.secgroup_name) + self.assertIsNone(self.test_context.security_group) self.assertEqual(self.test_context._server_map, {}) self.assertIsNone(self.test_context._image) self.assertIsNone(self.test_context._flavor) @@ -190,7 +191,7 @@ class HeatContextTestCase(unittest.TestCase): mock_template.add_keypair.assert_called_with( "ctx-key", "ctx-12345678") - mock_template.add_security_group.assert_called_with("ctx-secgroup") + mock_template.add_security_group.assert_called_with("ctx-secgroup", None) mock_template.add_network.assert_called_with( "ctx-12345678-mynet", 'physnet1', None, None, None, None) mock_template.add_router.assert_called_with( diff --git a/yardstick/tests/unit/orchestrator/test_heat.py b/yardstick/tests/unit/orchestrator/test_heat.py index 3ec59a3c2..2e60a72cb 100644 --- a/yardstick/tests/unit/orchestrator/test_heat.py +++ b/yardstick/tests/unit/orchestrator/test_heat.py 
@@ -256,6 +256,25 @@ class HeatTemplateTestCase(unittest.TestCase): self.assertEqual(self.template.resources['some-server-group'][ 'properties']['policies'], ['anti-affinity']) + def test_add_security_group(self): + security_group = { + 'rules': [ + {'remote_ip_prefix': '0.0.0.0/0', + 'port_range_max': 65535, + 'port_range_min': 1, + 'protocol': 'custom'}, + ] + } + self.template.add_security_group('some-security-group', security_group) + + secgroup_rsc = self.template.resources['some-security-group'] + + self.assertEqual(secgroup_rsc['type'], "OS::Neutron::SecurityGroup") + self.assertEqual(secgroup_rsc['properties']['description'], + "Custom security group rules defined by the user") + self.assertEqual(secgroup_rsc['properties']['rules'][0]['protocol'], + 'custom') + def test__add_resources_to_template_raw(self): test_context = node.NodeContext() self.addCleanup(test_context._delete_context) -- 2.16.6
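Review bot: `test_add_security_group` exercises only the custom-rules path, so the default branch that this commit rewrote in `add_security_group` (the new `description` and `rules` locals) has no coverage, and neither does a `security_group` mapping with no `rules` key. A second case that calls `self.template.add_security_group('default-group')` and asserts that `len(self.template.resources['default-group']['properties']['rules'])` is 12 and that the description matches the intended text would pin the fallback. Such an assertion on the description would also have caught the missing space between the two concatenated literals in the default description.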