Commit Graph

59 Commits

Author SHA1 Message Date
asarfaty b6bd7e49d1 Remove some pylint exclusions
Change-Id: I6909c10471039f1e68224679ceeb2867ab5a3a47
2020-09-30 10:32:46 +02:00
asarfaty 00f43c2b63 Remove six package usage
Since py2 is no longer supported, built in methods can replace the
six package usage, as has been done in the neutron project

Change-Id: I922963fbbcc0ab263e1f6e56907b73b007015a75
2020-07-19 17:19:31 +02:00
Kobi Samoray 32930d0440 Handle edges with different number of tunnels
Edge appliances with different number of tunnels per vnic might exist
within the system.
That could happen due to a change in the config file after the system
has been running for a while and edge appliances already exist.
The router interface allocation logic should support this edge case.

Change-Id: I47b72072a44ad40225714295aabcc5b7198eb71f
2020-02-02 10:22:24 +00:00
Michal Kelner Mishali 8f852c60f3 NSX|V: Bug fixing for allowed address_pairs
Remove spoofguard mappings along with spoofguard on backend
when network is set without port security.

Change-Id: I03eac35ae0dfae1c716c54d972a2441c1d98f50a
Signed-off-by: Michal Kelner Mishali <mkelnermishal@vmware.com>
2019-07-03 10:45:14 +03:00
Adit Sarfaty fd8500ba42 NSX|V admin utils: Find and fix spoofguard policies mismatches
1. List spoofguard policies with mismatching ips or mac, globally or for a specific network
    nsxadmin -r spoofguard-policy -o list-mismatches (--property network=<neutron net id>)
2. Fix the spoofguard ips of a neutron port
    nsxadmin -r spoofguard-policy -o fix-mismatch --property port=<neutron port id>

Change-Id: I18723007fff89ffd4a250106fed1b7ea615eb648
2019-03-04 12:05:20 +02:00
Kobi Samoray 83d9b3abdd NSX|V+V3: Octavia driver
Implementing the Octavia support for NSX-V & NSX-T.
Follow up patches will handle the TVD plugin, Status updates,
and migration.

Since Octavia is not (yet?) in the requirements, using a hack to allow unittests
to be skipped.

Co-Authored-by: Adit Sarfaty <asarfaty@vmware.com>
Change-Id: Iadb24e7eadcab658faf3e646cc528c2a8a6976e5
2018-10-02 11:19:55 +03:00
Boden R 9816bb576b use get reader/writer session from neutron-lib
The get_reader_session and get_writer_session functions are available
in neutron-lib. This patch consumes them by removing the functions
from neutron and using lib's instead in prep for
https://review.openstack.org/#/c/570603

Change-Id: Ibe2195d5c5556f5b2e97e14d12b6716f9fb6736b
2018-05-25 14:25:28 -06:00
Adit Sarfaty 75bf6bdef0 NSX|V prevent deleting md proxy neutron objects
It is not allowed to delete metadata network / subnet / port or router.

Change-Id: I7d99c9c1f51ffa076bda63ec3e59aea2a977f2d6
2017-12-11 17:17:47 +00:00
Adit Sarfaty 3e886eeaea NSX|v validate PG provider networks
Prevent the creation of several portgroup provider networks
with the same physical network.
Already existing networks will not be affected.

In addition, fix the vcns spoofguard mocks as they fail the new test

Change-Id: I5f03117ca0231536df5c43ec1a5169612b4b2364
2017-11-15 16:05:14 +02:00
Roey Chen 065ec89b91 NSXv port-binding support
The current implementation doesn't correctly process some port-binding
attributes such as 'portbinding:profile' and 'portbinding:vif_details'.
This patch adds the required support to process and persist the missing
port-binding information.
The new fields are modified and queried by nova, and will allow us to
support SR-IOV passthrough networking.

In order to avoid DB migrations, this implementation will utilize the
existing 'ml2_port_bindings' table to hold the extra port binding information,
current tables that contain partial information (e.g - 'portbindingports'
for port's 'binding:host_id') will be kept and maintained by the plugin to
preserve backward compatibility.

Change-Id: I779b577737565860a53461114c9822d7b3908cb3
2017-09-05 07:44:33 -07:00
Adit Sarfaty 8304b2a28a NSX|v: get internal net by az fix
getting the internal network per availability zone has a fallback to the
default az which should not always be used.
This patch creates a version of this db api without a fallback and uses
it when we shouldn't use the default az.

Change-Id: I2ec37e431fa08c80c19c32a50ed4e5a71222b0c2
2017-08-16 11:07:27 +03:00
Gary Kotton 8a3364c49f NSX|V: enable plugin to decide on VLAN tag
Enable an option where the plugin would decide on the VLAN tag for
a provider network. This is done as follows:

1. In the configuration file the admin will need to add the supported
   DVS's and their respective VLAN ranges. For example:
   network_vlan_ranges = dvs-22,dvs-70:100:102,dvs-70:110:120
   This means that dvs-22 can allocate any VLAN tag. On dvs-70
   tags can be selected between and including 100 and 102 and
   110 and 120.
2. When the admin created the provider network she/he need only state
   the provider:physical_network (must be one defined above). If they
   select a VLAN id then the selected one will be used. If not one from
   the ranges above will be used.

Change-Id: Ieeebc790fa5a4e9480308dcd11f495662e4c48c2
2017-07-17 13:19:34 +00:00
Kobi Samoray df8f34c66d NSXv: use regular DHCP edges for VDR metadata
VDR-connected networks were using designated DHCP Edge appliances
to provide metadata.
That was necessary before we introduced option 121 - which can be
used for route injection, which directs metadata traffic towards the
DHCP Edge.
This change removes some redundant code which is supporting metadata
in the old manner.
The patch deprecates support of older versions of NSX which do not
support insertion of host routes which is required for the change.
Therefore dhcp_force_metadata config parameter has been deprecated.

Change-Id: I6b5e2acf09ce61c87d8ae97471955599cddf320b
2017-06-28 07:03:25 +00:00
Gary Kotton 74a7a230fb NSX|V: LOG.exception only when there is an exception
Change-Id: Ic2e926f622288f5ae1c213142f0191a419ea427d
2017-06-13 02:43:50 -07:00
Adit Sarfaty bc0ca46f8e NSX|V: fix vnic allocation for AZ and metadata
When there are several availability zones using the same metadata
configuration, the DB vnic allocation failed to find the correct
internal network because it belongs to the default AZ and not the
specific one.

Change-Id: If35c814b55fd5632995cbace0689e4506563059d
2017-06-08 08:32:41 +00:00
Adit Sarfaty 6b6e9c7721 NSX-v| Fix FWAAS rules in DB
fwaas backend rules don't have to be in the DB, since they are never
retrieved from there.
Also the Tag of the allow-external rule should be the last one, as it
originally was, before the FWaaS feature.

Change-Id: I6acfeef780ffd6d4aecb97e4b49e7907f7eee154
2017-05-07 11:06:15 +03:00
Boden R b87406fb6e use neutron-lib constants rather than plugin constants
Many of the constants from neutron.plugins.common.constants are now in
neutron-lib. This patch switches over to those in neutron-lib.

Change-Id: Ic266440aae034783e5371842ab293da70deeae04
2017-05-04 06:56:51 -06:00
Roey Chen 81f9380765 NSXv BGP support
This change implements a new BGP plugin which allows BGP support in Openstack,
using NSXv service edges (ESG).
When a BGP speaker is associated with an external network, service edges which
accommodates tenant routers that have their GW port on this network would be
configured to enable BGP/Dynamic-routing.
The specific BGP configuration (e.g - localAS, neighbours) for the edge is
retrieved from the BGP speaker object and its peers.

This change also adds an extension to the BGP peer object, this
extension allows the cloud operator to associate a BGP peer with a specific
service edge that will serve as GW edge for the network, multiple GW
edges are supported by enabling ECMP on tenant service edges.

Co-Authored: yuyangbj <yangyu@vmware.com>
Change-Id: Ife69b97f3232bee378a48d91dc53bdc8837de7f5
2017-04-13 06:09:53 -07:00
Gary Kotton 6228a06399 Drop log translations
Log messages are no longer being translated. This removes all use of
the _LE, _LI, and _LW translation markers to simplify logging and to
avoid confusion with new contributions.

See:
http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html

Change-Id: I9d37ae28a3fecbe910e60dc7f22e229a7b65940c
2017-03-26 05:09:02 -07:00
Gary Kotton c615e8ce0e NSX|V: Add support for 'direct' vnic types
The NSX|V will support a direct vnic type iff this port meets the
following criteria:
1. no security groups
2. no port security
3. is on a VLAN/FLAT network

The reason for this is that the direct is only supported via the DVS
and there is no support for security groups and port security.

Change-Id: Iff4cc72e724d40feff2b26fc4f24596cae3a749a
2017-02-22 06:48:11 -08:00
Adit Sarfaty 20c55bcac4 Replace db get_session with get_reader/writer_session
The db/api get_session is deprecated.
We should use get_reader_session or get_writer_session instead.

Change-Id: I5f04bd0cfd43ae5b9c31b9ece3cf77fcef56cd3f
2017-02-15 13:44:15 +02:00
Adit Sarfaty 2808ededb7 NSXv: Add metadata configuration to the availability zones
The next global configurations are now added also per AZ:
- mgt_net_moid
- mgt_net_proxy_ips
- mgt_net_proxy_netmask
- mgt_net_default_gateway
- external_network
- vdn_scope_id
- dvs_id

In case any of them is not defined in the AZ section, the global value will be used.

Change-Id: I5fca433fb86163cee84e3b9fc54182017a5f266b
2017-02-12 08:44:33 +02:00
Jenkins b732473565 Merge "NSXv: Support update dvs list for VLAN provider networks" 2017-02-09 07:26:00 +00:00
Jenkins 464f4fdc0d Merge "NSX-v| LBAAS L7 support" 2017-02-08 07:46:10 +00:00
Adit Sarfaty 2256459aa1 NSX-v| LBAAS L7 support
Supporting L7 policies and rules in LBAAS-v2
Including a new db table nsxv_lbaas_l7policy_bindings
for mapping between the lbaas policy ID and the nsx application rules.

Depends-on: I3b14d107dbe0a72a6e24239f06bd6c3ac597cfbb
Change-Id: Ic760be8956cea00b972b5f11f6acff294630892d
2017-02-07 11:33:17 +02:00
Gary Kotton ef0eda4076 NSX|V: ensure that static bindings are consistent
Ensure that the bindings in the DB are consistent with those
configured on the edge.

Change-Id: I53d819d1e9f873971802ba96e5264c390385610a
2017-02-06 06:42:20 +02:00
Adit Sarfaty 15bd7fad2d NSXv: Support update dvs list for VLAN provider networks
Change-Id: I8b1e2dee482504c9a27ab369d158beb3589fb005
2017-01-31 08:32:41 +00:00
Kobi Samoray 52c88252de NSXv: Reduce DB calls while gathering network edges
get_subnets requires a huge number of backend calls to gather the
networks advanced_service_providers field.
This change should gather the data from DB with a single call and
process it locally at the controller.

Change-Id: Ic7c7fac46c983c1c750108d86a1adefb4c11508c
2017-01-17 12:30:29 +02:00
Adit Sarfaty 1266099049 NSX|V3 IPAM support
The NSX-V3 plugin will use the NSX-V3 backend IPAM.
An IP pool will be created for each subnet, and port IPs will be allocated
from this pool.
The current backend limitation is that we cannot allocate a specific IP,
so port create/update with fixed_ips will fail, unless the requested ip
is the subnet gateway ip.

To enable this option set 'ipam_driver = vmware_nsxv3_ipam' in the
neutron.conf

Change-Id: I5263555cbb776018a5d01f19d0997fd2adf6483d
2017-01-15 12:49:00 +00:00
Adit Sarfaty 9d0e903139 [Admin-util] NSX|V admin util to use a policy in a security group
New admin utility that can be used when the user changes the configuration to use
policies in security groups (use_nsx_policies=True)
This utility deletes the current rules and section of the security group,
and adds it to the policy.

usage:
nsxadmin -r security-groups -o migrate-to-policy --property policy-id=<> --property
         security-group-id=<>

Output example:
==== [MIGRATE] Sg To Policy ====
Successfully established new session; session ID is 28c3f.
Deleting the rules of security group: 415ff93e-cbd4-4f49-a06d-44885eba7c88
Deleting the section of security group: 415ff93e-cbd4-4f49-a06d-44885eba7c88
Binding the NSX security group securitygroup-143 to policy policy-9
Done.

Change-Id: I7041c33b86a0ebc965e2cfcfe1c9ac9261a0318a
2016-11-14 16:39:15 +02:00
Adit Sarfaty a7b5bfafcc nsxlib refactor continue
- separate nsxlib/v3 constants and utils from the common ones
- separate the nsxlib/v3 tests
- update the nsxlib tests to cover create_firewall_rules
- remove all of the DB calls from the nsxlib/v3
- merge security & dfw_api classes

To be done in future patches:
- Avoid using the nsx configuration values directly
- Improve nsxlib interface (as Aaron suggested in If2fe1e014b78703ff0a9cdff1e4e8d45f3a4a16d)

Change-Id: I43257f557ce1e98b4f64b8157d723cc84ea58c2b
2016-09-29 15:59:13 +03:00
Gary Kotton 7d1ff0e5b7 NSX|V: make DHCP DB binding creation more robust
There are edge cases with race conditions where a binding may already
exist in the DB. In this case we overwrite the existing one.

Change-Id: Ie80c57fa8d2626e984bc8a5778a25db756e95e5d
2016-09-08 10:32:58 +00:00
Adit Sarfaty d2e50bdfb7 NSX|v IPAM support for external & provider networks
For IPv4 external networks and provider networks, NSX-V plugin will use
the NSX-V backend IPAM.
To enable this option set 'ipam_driver = vmware_nsxv_ipam' in the
neutron.conf

Change-Id: Icdc3e7d24dac08a29f045f10fcea9ec4496b8446
2016-09-06 12:32:57 +03:00
Kobi Samoray 4383b9d391 NSXv: LBaaSv2 shared pools
Support shared pool functionality of LBaaSv2 for NSXv driver.

Change-Id: If3368b341658fe0f6073d19e6d2ca2eadb2222d3
2016-08-22 10:09:30 +03:00
Adit Sarfaty d4fa95168c NSX|V add dhcp-mtu extension to subnet
Add subnet extension dhcp-mtu and configure it in option26 of the dhcp binding.
Also add this column to the nsxv_subnet_ext_attributes DB table.
This option will be available only from NSX version 6.2.3

DocImpact: Added dhcp-mtu extension to subnets

Change-Id: Id2a74a3c089beb61fde6b7c0fd02b207e444c3b7
2016-07-31 09:10:32 +03:00
Adit Sarfaty aba3ade22f [Admin-Util] recreate NSX|v router edge
Delete a backend router edge, and move its router/s to other edges.
Currently this utility does not support distributed routers

usage:
nsxadmin -r routers -o nsx-recreate --property edge-id=edge-307

Change-Id: Ib1ab84120aaae42dba884d4ba964a3bdd82df2fb
2016-07-19 08:24:01 +03:00
Jenkins 10297ef88b Merge "[Admin-utils] NSXv recreate DHCP edge" 2016-07-18 14:44:51 +00:00
Adit Sarfaty 654b12fd55 NSX|V Extend Availability Zones to support data stores
The availability zones support will now include also data-store ids.
The configuration will include a name for each availability zone, resource pool
ID, datastore ID and optionally also HA datastore ID.
The user can choose a hint from this list when creating a router or a network.
The relevant edge appliances will be created using this data.

DocImpact: New format for the configuration parameter availability_zones under nsxv
Should include a list of availability zones. For each of them name, resource pool id,
datastore id and optionally also HA datastore id.

Change-Id: Icb72f6f674b8610687a6be730161a206d4c76257
2016-07-13 11:33:12 +03:00
Boden R 28c14f567e Update gate logic
As bug 1568706 uncovered, we were using zuul-cloner
in our gate jobs; this was preventing our translation from
syncing.

After digging into this issue a number of changes in this
associated logic were found to not be in sync with neutron.
This patch updates our tox/tools logic to follow that of neutron.
In addition this patch fixes any pylint checks that were failing to
make pep8 pass.

IMPORTANT:
Please review closely, not only to the tools/tox updates but also
to the ignored pylint checks in the code. We only want to disable
checks where appropriate.

Change-Id: I6c5fee3ca3073ad079eac1636cc3b9ec45926a68
Closes-Bug: #1568706
2016-07-12 09:05:22 -06:00
Adit Sarfaty 37660fce9c [Admin-utils] NSXv recreate DHCP edge
This utility can be used to move all the networks from a specific
DHCP edge, to another (new or existing) edge.
This should work also for VDR router DHCP edge.

Usage:
nsxadmin -r dhcp-binding -o nsx-recreate --property edge-id=<edge-Id>

Output example:
==== [NSX] Recreate Dhcp Edge ====
ReCreating NSXv Edge: edge-222
Deleting the old DHCP edge: edge-222
Moving network a7fd0856-923e-43a6-97c7-9980e7fabd08 to a new edge
Moving subnet ae9efc04-a685-497e-aab1-1dff9abacf9c to a new edge
Creating network a7fd0856-923e-43a6-97c7-9980e7fabd08 DHCP address group
Network a7fd0856-923e-43a6-97c7-9980e7fabd08 was moved to edge edge-228
Moving network 7a484242-0261-4888-ba77-41bb7bbd4f9d to a new edge
Moving subnet 412e89ce-7c69-494d-b525-c08c8828cdfd to a new edge
Moving subnet 139f7375-afb9-41dd-bdb7-c25af772a805 to a new edge
Creating network 7a484242-0261-4888-ba77-41bb7bbd4f9d DHCP address group
Network 7a484242-0261-4888-ba77-41bb7bbd4f9d was moved to edge edge-228

Change-Id: I97ba4abfe50d634f5ba5b137a64e021575db1ead
2016-07-12 08:22:09 +03:00
Gary Kotton 9b1f596324 NSX|V: address DB lock wait timeouts in the plugin
When running tempest tests we hit this. After analysis the reason
seemed to be that the DB session was aged as a result of waiting for
subnets in parallel tests to be created.

Here we just create a new DB session prior to updating the VNIC ID's

The patch also does the following:
1. Addresses the case where the edge_bindings are not found
2. Ensure locking for the VNIC allocations

Change-Id: I0f921417e7b333575c0e99838e88a23c61f67423
2016-06-28 23:31:44 -07:00
Adit Sarfaty b2858f8719 NSX|V router create with availability zones hints
Add support for availability zones hints on routers creation
- The router will be created on an edge that belongs to the requested resource pool
- The nsxv_router_binding db table has a new column for the edge resource pool
- New nsxv configuration: availability_zones which should contain a list
of resource pools ids, that can be used as hints

DocImpact: New configuration parameter availability_zones under nsxv

Change-Id: Ib34689d554dafe25f62a045feebe9eed68d2174d
2016-05-24 08:38:26 +03:00
Adit Sarfaty b20c3180b4 NSX|V log warning when getting a router-binding entry with bad status
Add a wrapper to the different getters of the nsxv_router_bindings table,
to log warnings in case the retrieved entries had an erroneous status.

Change-Id: If4671d2fb4a3555de3e0f27b8da44e94f4dd6981
2016-04-12 09:05:45 +03:00
yuyangbj f072b73781 Keeping the load balancer firewall on edge
When the load balancer is created, it will create a default firewall
rule on edge. But when the fip is created or deleted, the driver will
also update the firewall rule on this edge, at this time, the lb
firewall rule will be flushed.

Change-Id: I84bb2cf5ddcc1bb448f138e024bb361a1b4eee82
2016-04-06 01:49:46 +00:00
Roey Chen 1ac25e8896 NsxV3: Fine grained logging for security-groups
Also migrates security group logging for NSXv to new model

Change-Id: I0d6a90e0d8531156e06817cba431c72db0c81bde
2016-03-29 18:27:36 +00:00
Roey Chen 1f9d16fe8d NSXv: Fine grained control for logging security-group rules
Allows admin to control security-groups rule logging

NSXv distributed firewall exposes an API to control rule logging,
as for the moment, admin user can use this feature only from inside of
the distributed firewall.
This patch makes use of this API to provide the cloud admin with three ways
to control security-group logging:

    - log whenever security-group rule is matched
    - log when a packet doesn't match any security-group rule
    - log whenever security-group rule is matched for selected
      security-groups

Change-Id: I2a4dbff2ecba4c6041b4aaad1f20941440a5f6b6
2016-03-29 04:54:58 -07:00
Abhishek Raut d9f3ee826a [NSXv]: Add support for dns search domains in NSXv plugin
This patch adds support for dns search domains in the nsx-v plugin.
DNS search domain is implemented as a string attribute extension to the
Subnet object.
Usage:
subnet-create net-name 10.0.0.0/24 --name subnet-name \
    --dns-search-domain eng.vmware.com
subnet-update subnet-name --dns-search-domain new-domain.com

This commit adds a new table to store bindings for subnet attributes with
the necessary migration script.

Change-Id: I3f41a123f42e5b784de3ad090cecb7d712a36542
2016-02-03 14:22:25 -08:00
Kobi Samoray feb2dc9d04 LBaaS Layer4 TCP VIP should use LVS
When a VIP is configured for L4 LB only, we can use LVS to improve
performance. To achieve that, we should enable acceleration on the Edge
appliance.

Depends-On: I7f3b95b43f87b35d641f0c7535d648ee178eda41
Change-Id: I027cb1e4b5cd82006a80e17f3fd2b0feca1278a4
2016-01-12 21:56:00 +00:00
Gary Kotton 4afa13c3c4 Switch to internal _i18n pattern, as per oslo_i18n guidelines
- Guidelines referenced from:
  http://docs.openstack.org/developer/oslo.i18n/usage.html

Change-Id: I938919958525b2db0c8a517b951a23f974a7762e
2015-12-02 06:59:23 -08:00
Aaron Rosen 97eef172cf Fix typos with topy
$ topy -a vmware-nsx

Change-Id: I681a842b4d9309d499052f33cf756228ad850113
2015-11-19 12:53:12 -08:00