Add per-node libvirt port forwarding (#2592)

* Move the clab-specific port forwarding functions into the common
  provider module
* Use the same functions to build clab- and libvirt ports list
* Use the node libvirt.ports list when building forwarding ports in
  the Vagrantfile
* Update libvirt documentation, adding the fun fact that vagrant-libvirt
  module sets up SSH port forwarding (not a NAT rule)
* Add platform integration tests. The 'clab' test can be tested with
  a host script, I'm clueless about testing the SSH port forwarding

Also:
* Fix libvirt import into virtualbox provider module (the imported
  class name must start with an underscore)
* Update the libvirt port forwarding transformation test

Author: ipspace

docs/labs/libvirt.md

@@ -211,9 +211,18 @@ You can change the IPv4 address of a device's management interface with the **mg
 (libvirt-port-forwarding)=
 ### Port Forwarding
 
-*netlab* supports *vagrant-libvirt* port forwarding -- mapping of TCP ports on VM management IP address to ports on the host. You can use port forwarding to access the lab devices via the host's external IP address without exposing the management network to the outside world.
+*netlab* supports *vagrant-libvirt* port forwarding -- SSH forwarding of TCP ports on the VM management IP address to ports on the host (see *vagrant-libvirt documentation* for more details). Thus, you can access the lab devices via the host's external IP address without exposing the management network to the outside world.
 
-Port forwarding is turned off by default and can be enabled by configuring the **defaults.providers.libvirt.forwarded** dictionary. Dictionary keys are TCP port names (`ssh`, `http`, `https`, or `netconf`), and dictionary values are the start values of host ports. *netlab* assigns a unique host port to every VM's forwarded port based on the start value and VM node ID.
+Port forwarding is turned off by default. It can be configured for a single node with the **libvirt.ports** node parameter -- a list of port mappings in the `host_port:vm_port` format. For example, the following topology maps the SSH port on node R1 to the host port 2001:
+
+```
+nodes:
+  r1:
+    libvirt.ports:
+    - 2001:22
+```
+
+Port forwarding can also be enabled for all libvirt nodes with the **defaults.providers.libvirt.forwarded** dictionary. Dictionary keys are TCP port names (`ssh`, `http`, `https`, or `netconf`), and dictionary values are the start values of host ports. *netlab* assigns a unique host port to every VM's forwarded port based on the start value and VM node ID, and adds the port mapping to the node **libvirt.ports** list.
 
 For example, when given the following topology...
 

netsim/providers/__init__.py

@@ -17,7 +17,7 @@
 
 from ..utils.callback import Callback
 from ..augment import devices,links
-from ..data import get_box,get_empty_box,filemaps
+from ..data import get_box,get_empty_box,append_to_list,filemaps
 from ..utils import files as _files
 from ..utils import templates,log,strings
 from ..outputs.ansible import get_host_addresses
@@ -364,9 +364,9 @@ def select_topology(topology: Box, provider: str) -> Box:
   return topology
 
 """
-get_forwarded_ports -- build a list of forwarded ports for the specified node
+get_forwarded_ports -- build a list of default provider forwarded ports for the specified node
 """
-def get_forwarded_ports(node: Box, topology: Box) -> list:
+def get_provider_forwarded_ports(node: Box, topology: Box) -> list:
   p = devices.get_provider(node,topology.defaults)
   fmap = topology.defaults.providers[p].get('forwarded',{})     # Provider-specific forwarded ports
   if not fmap:                                                  # No forwarded ports?
@@ -382,6 +382,15 @@ def get_forwarded_ports(node: Box, topology: Box) -> list:
 
   return node_fp
 
+def node_add_forwarded_ports(node: Box, fplist: list, topology: Box) -> None:
+  if not fplist:
+    return
+
+  p = devices.get_provider(node,topology.defaults)
+  for port_map in fplist:                                       # Iterate over forwarded port mappings
+    port_map_string = f'{port_map[0]}:{port_map[1]}'            # Build the provider-compatible map entry
+    append_to_list(node[p],'ports',port_map_string)             # ... and add it to the list of forwarded ports
+
 """
 validate_images -- check the images used by individual nodes against provider image repo
 """

netsim/providers/clab.py

@@ -7,7 +7,7 @@
 import pathlib
 import argparse
 
-from . import _Provider,get_forwarded_ports,validate_mgmt_ip
+from . import _Provider,get_provider_forwarded_ports,node_add_forwarded_ports,validate_mgmt_ip
 from ..utils import log, strings, linuxbridge
 from ..data import filemaps, get_empty_box, append_to_list
 from ..data.types import must_be_dict
@@ -87,16 +87,6 @@ def destroy_ovs_bridge( brname: str ) -> bool:
 
 GENERATED_CONFIG_PATH = "clab_files"
 
-def add_forwarded_ports(node: Box, fplist: list) -> None:
-  if not fplist:
-    return
-  
-  node.clab.ports = node.clab.ports or []                       # Make sure the list of forwarded ports is a list
-  for port_map in fplist:                                       # Iterate over forwarded port mappings
-    port_map_string = f'{port_map[0]}:{port_map[1]}'            # Build the containerlab-compatible map entry
-    if not port_map_string in node.clab.ports:                  # ... and add it to the list of forwarded ports
-      node.clab.ports.append(port_map_string)                   # ... if the user didn't do it manually
-
 '''
 normalize_clab_filemaps: convert clab templates and file binds into host:target lists
 '''
@@ -176,9 +166,9 @@ class Containerlab(_Provider):
 
   def augment_node_data(self, node: Box, topology: Box) -> None:
     node.hostname = self.get_node_name(node.name,topology)
-    node_fp = get_forwarded_ports(node,topology)
+    node_fp = get_provider_forwarded_ports(node,topology)
     if node_fp:
-      add_forwarded_ports(node,node_fp)
+      node_add_forwarded_ports(node,node_fp,topology)
 
   def node_post_transform(self, node: Box, topology: Box) -> None:
     add_daemon_filemaps(node,topology)

netsim/providers/libvirt.py

@@ -16,7 +16,7 @@
 from ..data import types,get_empty_box,get_box
 from ..utils import log,strings,linuxbridge
 from ..utils import files as _files
-from . import _Provider,validate_mgmt_ip
+from . import _Provider,validate_mgmt_ip,node_add_forwarded_ports,get_provider_forwarded_ports
 from ..augment import devices
 from ..augment.links import get_link_by_index
 from ..cli import is_dry_run,external_commands
@@ -292,6 +292,14 @@ def pre_transform(self, topology: Box) -> None:
         if not 'bridge' in l:
           l.bridge = "%s_%d" % (topology.name[0:10],l.linkindex)
 
+  """
+  Add default provider forwarded ports to node data
+  """
+  def augment_node_data(self, node: Box, topology: Box) -> None:
+    node_fp = get_provider_forwarded_ports(node,topology)
+    if node_fp:
+      node_add_forwarded_ports(node,node_fp,topology)
+
   def node_post_transform(self, node: Box, topology: Box) -> None:
     if node.get('_set_ifindex'):
       pad_node_interfaces(node,topology)

netsim/providers/libvirt.yml

@@ -34,6 +34,7 @@ attributes:
     nic_adapter_count: int
     image: str
     uuid: str
+    ports: list
   link:
     permanent: bool
     public: { type: str, valid_values: [ bridge, vepa, passthrough, private ], true_value: bridge }

netsim/providers/virtualbox.py

@@ -5,7 +5,7 @@
 import typing
 
 from . import _Provider
-from .libvirt import Libvirt
+from .libvirt import Libvirt as _Libvirt
 from box import Box
 
 class Virtualbox(_Provider):

netsim/templates/provider/libvirt/define-domain.j2

@@ -39,6 +39,7 @@
 {%   if 'uuid' in n.libvirt %}
       domain.uuid = '{{ n.libvirt.uuid }}'
 {%   endif %}
+{%   include 'forwarded-ports.j2' %}
 {% endif %}
     end
 
@@ -50,5 +51,4 @@
 {%   endif %}
 
 {% endfor %}
-{% include 'forwarded-ports.j2' %}  
   end

netsim/templates/provider/libvirt/forwarded-ports.j2

@@ -2,12 +2,10 @@
   Forwarded Libvirt Ports
 #}
 
-{% if defaults.providers.libvirt.forwarded is defined %}
-    {{ name }}.vm.provider :libvirt do |libvirt|
-      libvirt.forward_ssh_port = true
-    end
-{%   for port,base in defaults.providers.libvirt.forwarded.items() %}
+{% if n.libvirt.ports is defined %}
+{%   for p_fwd in n.libvirt.ports %}
+{%     set p_list = p_fwd.split(':') %}
     {{ name }}.vm.network "forwarded_port",
-      guest: {{ defaults.ports[port] }}, host: {{ base + n.id }}, id: "{{ port }}"
+      guest: {{ p_list[1] }}, host: {{ p_list[0] }}, host_ip: "0.0.0.0", gateway_ports: true
 {%   endfor %}
 {% endif %}

tests/platform-integration/clab/03-port-fwd-validate.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+status=0
+for port in 2001 2002; do
+  echo "Checking SSH port forwarding on port $port"
+  if ! (sshpass -p admin \
+    ssh -p $port \
+      -o UserKnownHostsFile=/dev/null \
+      -o StrictHostKeyChecking=no \
+      -o LogLevel=ERROR \
+      admin@127.0.0.1 show ver | grep EOS >/dev/null && echo "Forwarding on port $port works"); then
+    echo "Forwarding on port $port failed"
+    status=1
+  fi
+done
+
+echo "Checking HTTP port forwarding on 8080"
+if ! (curl -s http://localhost:8080 >/dev/null && echo "HTTP port forwarding works"); then
+  echo "HTTP forwarding to R1 failed"
+  status=1
+fi
+
+exit $status

tests/platform-integration/clab/03-port-fwd.yml

@@ -0,0 +1,21 @@
+message: |
+  This lab sets up forwarded SSH and HTTP ports for two EOS devices. It
+  tests the container port forwarding functionality
+
+defaults.device: eos
+provider: clab
+plugin: [ files ]
+
+defaults.providers.clab.forwarded:
+  ssh: 2000
+
+nodes:
+  r1:
+    clab.ports:
+    - 8080:80
+    config.inline: |
+      management http-server
+        protocol http
+  r2:
+
+links: [ r1-r2 ]