-
Notifications
You must be signed in to change notification settings - Fork 245
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* add fortigate node * rename to fortios and use fortinet_fortios kind name * add fortinet_fortios to register.go and register the new type * modify fortinet example lab * streamline launch command * rename to fortigate * added link to download portal * added kind references * adapt lab example * added fortigate test * try running on hosted * use ghcr image * added login step --------- Co-authored-by: Roman Dodin <dodin.roman@gmail.com>
- Loading branch information
Showing
14 changed files
with
316 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
name: fortigate-test | ||
|
||
"on": | ||
workflow_call: | ||
inputs: | ||
py_ver: | ||
required: true | ||
type: string | ||
|
||
jobs: | ||
fortigate-tests: | ||
runs-on: ubuntu-22.04 | ||
strategy: | ||
matrix: | ||
runtime: | ||
- "docker" | ||
test-suite: | ||
- "01*.robot" | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- uses: actions/download-artifact@v4 | ||
with: | ||
name: containerlab | ||
|
||
- name: Move containerlab to usr/bin | ||
run: sudo mv ./containerlab /usr/bin/containerlab && sudo chmod a+x /usr/bin/containerlab | ||
|
||
- uses: actions/setup-python@v5 | ||
with: | ||
python-version: ${{ inputs.py_ver }} | ||
cache: pip | ||
cache-dependency-path: "tests/requirements.txt" | ||
|
||
- name: Install robotframework | ||
run: | | ||
pip install -r tests/requirements.txt | ||
- name: Login to GitHub Container Registry | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Sanitize test-suite name | ||
run: echo "TEST_SUITE=$(echo ${{ matrix.test-suite }} | tr -d '*')" >> $GITHUB_ENV | ||
|
||
- name: Run tests | ||
run: | | ||
bash ./tests/rf-run.sh ${{ matrix.runtime }} ./tests/09-fortigate/${{ matrix.test-suite }} | ||
# upload test reports as a zip file | ||
- uses: actions/upload-artifact@v4 | ||
if: always() | ||
with: | ||
name: 09-fortigate-log-${{ env.TEST_SUITE }}-${{ matrix.runtime }} | ||
path: ./tests/out/*.html | ||
|
||
# upload coverage report from unit tests, as they are then | ||
# merged with e2e tests coverage | ||
- name: Upload coverage report | ||
uses: actions/upload-artifact@v4 | ||
if: always() | ||
with: | ||
name: coverage-fortigate-tests-${{ env.TEST_SUITE }}-${{ matrix.runtime }} | ||
path: /tmp/clab-tests/coverage/* | ||
retention-days: 7 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
--- | ||
search: | ||
boost: 4 | ||
--- | ||
# Fortinet Fortigate | ||
|
||
Fortinet Fortigate virtualized security appliance is identified with the `fortinet_fortigate` kind in the [topology file](../topo-def-file.md). It is built using the [hellt/vrnetlab](../vrnetlab.md) project and essentially is a Qemu VM packaged in a docker container format. | ||
|
||
## Getting Fortinet Fortigate disk image | ||
|
||
Users can obtain the qcow2 disk image for Fortinet Fortigate VM from the [official support site](https://support.fortinet.com/Download/VMImages.aspx); a free account required. Download the "New deployment" variant of the FGVM64 VM for the KVM platform. | ||
|
||
Extract the downloaded zip file and rename the `fortios.qcow2` to `fortios-vX.Y.Z.qcow2` where `X.Y.Z` is the version of the Fortigate VM. Put the renamed file in the `fortigate` directory of the cloned [hellt/vrnetlab](https://github.com/hellt/vrnetlab) project and run `make` to build the container image. | ||
|
||
## Managing Fortinet Fortigate nodes | ||
|
||
/// note | ||
Containers with Fortinet Fortigate VM inside will take ~2min to fully boot. | ||
You can monitor the progress with the `docker logs -f <container-name>` command. | ||
/// | ||
|
||
Fortinet Fortigate node launched with containerlab can be managed via the following interfaces: | ||
|
||
/// tab | bash | ||
to connect to a `bash` shell of a running fortigate container: | ||
|
||
```bash | ||
docker exec -it <container-name/id> bash | ||
``` | ||
|
||
/// | ||
/// tab | CLI | ||
to connect to the Fortigate CLI | ||
|
||
```bash | ||
ssh admin@<container-name/id/IP-addr> | ||
``` | ||
|
||
/// | ||
/// tab | Web UI (HTTP) | ||
Fortigate VM comes with HTTP(S) server with a GUI manager app. You can access the Web UI using http schema. | ||
|
||
```bash | ||
http://<container-name/id/IP-addr> | ||
``` | ||
|
||
You can expose container's port 80 with the [`ports`](../nodes.md#ports) setting in containerlab and get access to the Web UI using your containerlab host IP. | ||
/// | ||
/// note | ||
Default login credentials: `admin:admin` | ||
/// | ||
|
||
## Interfaces mapping | ||
|
||
Fortinet Fortigate interfaces are named as follows in the topology file: | ||
|
||
* `eth0` - management interface connected to the containerlab management network (rendered as `port1` in the CLI) | ||
* `eth1` - first data interface, mapped to the first data port of the VM (rendered as `port2`) | ||
* `eth2+` - second and subsequent data interface | ||
|
||
When containerlab launches Fortigate node the `port1` interface of the VM gets assigned `10.0.0.15/24` address from the QEMU DHCP server. This interface is transparently stitched with container's `eth0` interface such that users can reach the management plane of the Fortigate using containerlab's assigned IP. | ||
|
||
Data interfaces `eth1+` need to be configured with IP addressing manually using CLI or other available management interfaces. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
name: fortigate | ||
topology: | ||
nodes: | ||
forti1: | ||
kind: fortinet_fortigate | ||
image: vrnetlab/vr-fortigate:7.0.14 | ||
forti2: | ||
kind: fortinet_fortigate | ||
image: vrnetlab/vr-fortigate:7.0.14 | ||
links: | ||
- endpoints: ["forti1:eth1", "forti2:eth1"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
// Copyright 2020 Nokia | ||
// Licensed under the BSD 3-Clause License. | ||
// SPDX-License-Identifier: BSD-3-Clause | ||
|
||
package fortinet_fortigate | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"path" | ||
|
||
"github.com/srl-labs/containerlab/nodes" | ||
"github.com/srl-labs/containerlab/types" | ||
"github.com/srl-labs/containerlab/utils" | ||
) | ||
|
||
var ( | ||
kindnames = []string{"fortinet_fortigate"} | ||
defaultCredentials = nodes.NewCredentials("admin", "admin") | ||
) | ||
|
||
const ( | ||
// scrapligo doesn't have a driver for fortigate, can be copied from scrapli community | ||
// scrapliPlatformName = "fortinet_fortigate" | ||
configDirName = "config" | ||
startupCfgFName = "startup-config.cfg" | ||
) | ||
|
||
// Register registers the node in the NodeRegistry. | ||
func Register(r *nodes.NodeRegistry) { | ||
r.Register(kindnames, func() nodes.Node { | ||
return new(fortigate) | ||
}, defaultCredentials) | ||
} | ||
|
||
type fortigate struct { | ||
nodes.DefaultNode | ||
} | ||
|
||
func (n *fortigate) Init(cfg *types.NodeConfig, opts ...nodes.NodeOption) error { | ||
// Init DefaultNode | ||
n.DefaultNode = *nodes.NewDefaultNode(n) | ||
// set virtualization requirement | ||
n.HostRequirements.VirtRequired = true | ||
|
||
n.Cfg = cfg | ||
for _, o := range opts { | ||
o(n) | ||
} | ||
// env vars are used to set launch.py arguments in vrnetlab container | ||
defEnv := map[string]string{ | ||
"USERNAME": defaultCredentials.GetUsername(), | ||
"PASSWORD": defaultCredentials.GetPassword(), | ||
"CONNECTION_MODE": nodes.VrDefConnMode, | ||
"VCPU": "2", | ||
"RAM": "2048", | ||
"DOCKER_NET_V4_ADDR": n.Mgmt.IPv4Subnet, | ||
"DOCKER_NET_V6_ADDR": n.Mgmt.IPv6Subnet, | ||
} | ||
|
||
n.Cfg.Env = utils.MergeStringMaps(defEnv, n.Cfg.Env) | ||
|
||
// mount config dir to support startup-config functionality | ||
n.Cfg.Binds = append(n.Cfg.Binds, fmt.Sprint(path.Join(n.Cfg.LabDir, configDirName), ":/config")) | ||
|
||
if n.Cfg.Env["CONNECTION_MODE"] == "macvtap" { | ||
// mount dev dir to enable macvtap | ||
n.Cfg.Binds = append(n.Cfg.Binds, "/dev:/dev") | ||
} | ||
|
||
n.Cfg.Cmd = fmt.Sprintf("--username %s --password %s --hostname %s --connection-mode %s --trace", | ||
defaultCredentials.GetUsername(), defaultCredentials.GetPassword(), n.Cfg.ShortName, n.Cfg.Env["CONNECTION_MODE"]) | ||
|
||
return nil | ||
} | ||
|
||
func (n *fortigate) PreDeploy(_ context.Context, params *nodes.PreDeployParams) error { | ||
utils.CreateDirectory(n.Cfg.LabDir, 0777) | ||
_, err := n.LoadOrGenerateCertificate(params.Cert, params.TopologyName) | ||
if err != nil { | ||
return nil | ||
} | ||
|
||
return nodes.LoadStartupConfigFileVr(n, configDirName, startupCfgFName) | ||
} | ||
|
||
// CheckInterfaceName checks if a name of the interface referenced in the topology file correct. | ||
func (n *fortigate) CheckInterfaceName() error { | ||
return nodes.GenericVMInterfaceCheck(n.Cfg.ShortName, n.Endpoints) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -98,7 +98,8 @@ | |
"cisco_c8000", | ||
"cvx", | ||
"cumulus_cvx", | ||
"openbsd" | ||
"openbsd", | ||
"fortinet_fortigate" | ||
] | ||
}, | ||
"license": { | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
*** Settings *** | ||
Library OperatingSystem | ||
Resource ../common.robot | ||
|
||
Suite Teardown Run Keyword Cleanup | ||
|
||
|
||
*** Variables *** | ||
${lab-name} forti | ||
${lab-file-name} fortigates.clab.yml | ||
${runtime} docker | ||
|
||
|
||
*** Test Cases *** | ||
Deploy ${lab-name} lab | ||
Log ${CURDIR} | ||
${rc} ${output} = Run And Return Rc And Output | ||
... sudo -E ${CLAB_BIN} --runtime ${runtime} deploy -t ${CURDIR}/${lab-file-name} | ||
Log ${output} | ||
Should Be Equal As Integers ${rc} 0 | ||
IF ${rc} != 0 Fatal Error Failed to deploy ${lab-name} lab | ||
|
||
Wait for VM to reach running state | ||
Sleep 30s | ||
Wait Until Keyword Succeeds 120 5s VM is healthy | ||
|
||
|
||
*** Keywords *** | ||
VM is healthy | ||
${rc} ${output} = Run And Return Rc And Output | ||
... sudo -E ${runtime} exec clab-${lab-name}-forti1 cat /health | ||
Log ${output} | ||
|
||
Should Be Equal As Integers ${rc} 0 | ||
Should Contain ${output} 0 running | ||
|
||
${rc2} ${output2} = Run And Return Rc And Output | ||
... sudo -E ${runtime} exec clab-${lab-name}-forti2 cat /health | ||
Log ${output2} | ||
|
||
Should Be Equal As Integers ${rc2} 0 | ||
Should Contain ${output2} 0 running | ||
|
||
Cleanup | ||
# dump logs from VM | ||
Run sudo -E ${runtime} logs clab-${lab-name}-forti1 &> /tmp/${lab-name}-forti1.log | ||
${contents} = OperatingSystem.Get File /tmp/${lab-name}-forti1.log | ||
Log ${contents} | ||
|
||
Run sudo -E ${CLAB_BIN} --runtime ${runtime} destroy -t ${CURDIR}/${lab-file-name} --cleanup |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
name: forti | ||
topology: | ||
nodes: | ||
forti1: | ||
kind: fortinet_fortigate | ||
image: ghcr.io/srl-labs/fortigate:7.0.14 | ||
# image: registry.srlinux.dev/pub/fortinet_fortigate:7.0.14 | ||
forti2: | ||
kind: fortinet_fortigate | ||
image: ghcr.io/srl-labs/fortigate:7.0.14 | ||
# image: registry.srlinux.dev/pub/fortinet_fortigate:7.0.14 | ||
links: | ||
- endpoints: ["forti1:eth1", "forti2:eth1"] |