Commit Ia4f4b335295c0e6add79fe0db5dd31b4327fdb54 removed all the
neutron-lbaas code from the master (Train) branch
Change-Id: I9035f6238773aad0591436c856550b7a5e01e687
To support the case of 2 installations on the same NSX backend,
the newer installation should reuse the default Os section & NS group.
Usage:
nsxadmin -r firewall-sections -o reuse
Change-Id: I0e187cea6ffa9ca3cdb6d215530426e611c8ae20
This patch:
- Updates git.openstack based URLs to use opendev.
- Cleans up the lower-constraints.txt file to only include what we
really need.
Change-Id: I3eecd97c313c33c820ca2be8f01f6848244cd52a
nsxadmin -r orphaned-firewall-sections -o nsx-list/clean will now
also detect/delete orphaned rules inside nsx sections that belong to
neutron security groups.
Change-Id: I7f733676e29f6a2b1177b4155e5b36aee3670438
Due to a neutron bug, some metadata components in the various backend Edge
appliances are missing. The patch is supposed to address these
issues.
Admin util command can run per Edge, per AZ or for the whole cloud.
Cases handled by the utility:
- Existing metadata proxies' internal IP is different than the IPs which are
defined in the Edge's loadbalancer object.
This case can happen when the metadata proxies are recreated for some reason.
- Edge appliance is lacking the metadata network connectivity, and the
loadbalancer objects.
This case can happen while a router or a DHCP was created by the Neutron
parent process, which failed to initialize with metadata due to a bug.
- The Edge is missing the metadata firewall rules.
This case can happen while the first interface attachment to the router was
done in the Neutron parent process context due to the bug described above.
Command syntax:
Update AZ:
nsxadmin -r metadata -o nsx-update --property az-name=az123
Update single Edge appliance:
nsxadmin -r metadata -o nsx-update --property edge-id=edge-15
Update entire cloud:
nsxadmin -r metadata -o nsx-update
Change-Id: I77de9e0a0c627e43d3b1c95573d151e0414a34a9
1. List spoofguard policies with mismatching ips or mac, globally or for a specific network
nsxadmin -r spoofguard-policy -o list-mismatches (--property network=<neutron net id>)
2. Fix the spoofguard ips of a neutron port
nsxadmin -r spoofguard-policy -o fix-mismatch --property port=<neutron port id>
Change-Id: I18723007fff89ffd4a250106fed1b7ea615eb648
Implement the loadbalancer delete cascade for NSX-V3, and NSX-V
The NSX-V implementation is the naive one, and should be improved in
the future.
Change-Id: Ia055d06790fc841fa41ab13d08334424a560b940
This patch adds a driver for FWaaS V2 support in the NSX-V plugin.
It supports setting firewall rules per router interface port on the router
edge firewall.
In addition, the FWaaS TVD driver will now support NSX-V as well.
The driver code is a combination of the NSX-V3 FWaas-V2 code, and the old
NSX-V FWaaS-V1 code that is being deleted.
Change-Id: Iacc7eaff0c70b68156516008cf0277c154edd76b
- Fix devstack doc to enable the python client for octavia
- Support health monitor expected codes
- fix error handling on failure to create loadbalancer
- add logging for status updates
- remove extra logging for statistics updates (which overload the logs)
- Fix error handling in case lb service creation failed
- Fix driver pool translation to include the loadbalancer in the listener
Change-Id: If7d554a92d9df62ffb55e882a575da63221ee8ec
Enabling Standby relocation in the plugin
and adding adminUtil to enable it on routers
that were created without it.
Change-Id: I6e8525ba06f03ac6c593922f271f10052cb3fdf7
Signed-off-by: Michal Kelner Mishali <mkelnermishal@vmware.com>
Adding devstack support for policy plugin with certificate and the certificate
admin utils which are needed for the devstack support.
Change-Id: I5c9d23c7f0a83cbf4cb71fed4da488bafa230be4
The user needs to configure nsx-policies using their IDs, which are hard
to find in the VC. The new admin utility will make this easier.
Change-Id: I8869272ff02389193ba546833b52734cf4b71ff2
Adding the infrastructure for the policy plugin admin utils with one
example utility to list the security groups, networks & routers.
Depend-on: I10a3f691b33e37e1cd8ec8094f4bfa89d7a96f35
Change-Id: I8094b241255537a1668837ed4ca1dad8094dcc41
The LB VIP should be advertised by the Tier1 router only if it is on the
external network.
To do that, the global advertise vp flag will not be set, and instead a rule with a
filter to advertise only the VIPs on the external network is added.
In addition, an admin utility is added to update already existing routers with
loadbalancers.
Since VPNaaS also uses the router advertisement rules, its code was also updated so
that each application will handle only its own rules.
Change-Id: Ibfac0406a8c3009c323828cc42c96012e70cb0a9
Implementing the Octavia support for NSX-V & NSX-T.
Follow up patches will handle the TVD plugin, Status updates,
and migration.
Since Octavia is not (yet?) in the requirements, using a hack to allow unittests
to be skipped.
Co-Authored-by: Adit Sarfaty <asarfaty@vmware.com>
Change-Id: Iadb24e7eadcab658faf3e646cc528c2a8a6976e5
The VPNaaS plugin expects the driver to update the connection status
from a separate process/thread/agent.
When the user requests a connection/list, the status is retrieved from the VPNaaS DB,
without calling the driver.
To avoid adding a process to actively query and update all connections statuses, this
patch creates a new VPNaaS plugin, to be used instead of the default one.
This plugin (vmware_nsx_vpnaas) will issue a get-statuses call to the driver,
update the current statuses in the DB, and call the original plugin.
Change-Id: Ib750bfb8f0c8ad12265fa71506182ff5d7e8030a
The LBaaS V2 plugin expects the driver to update the LB objects operating
status from a separate process/thread.
When the user requests the LB status (or just the LB object itself with GET),
the operating status is retrieved from the LBaaS DB, without calling the driver.
To avoid adding a process to actively query and update all objects statuses,
this patch creates a new LBaaSV2 plugin, to be used instead of the default one.
This plugin (vmware_nsx_lbaasv2) will issue a get-statuses call to the driver,
update the current statuses in the DB, and call the original plugin.
Depends-on: I71a56b87144aad743795ad1295ec636b17429035
Change-Id: I3c4e75d92a1bacdb14292a8db727deb4923a85d9
On the plugin init there is a side process going over all the security
group rules in the NSX DFW checking if their logging flag should be
updated according to the global configuration flag.
Since this is relevant only in case the global config flag
log_security_groups_allowed_traffic was updated by the user, which is very rare,
this patch removed it from the code, and replaced it with an admin utility
that can be used.
This will make the plugin initialization process quicker and prevent unnecessary
load on the NSX.
Change-Id: I233915e589b53ccb4b76a3ef3d24bb56c0459e92
NSX-T is the common name, not "Transformers" or "v3". This makes that
change throughout the docs and conf help. It also fixes a broken link
to the NSX-T pubs.
This change does not rename conf groups and options that use "v3".
That should be considered for a follow-on effort (with appropriate
deprecation).
Change-Id: I466f60e4476cedc439e17cba39a333a3853a32d9
The housekeeper GET will run the job with readonly mode
The PUT command will run it with readonly=False (unless it is globally
configured as readonly, which will cause a failure)
Change-Id: Ifcac0bbe6f447ae431c75f66f3c7f8682c9e9408
- Refactor nsx-v3 admin utilities by moving some of the code to a different
file which will later be consumed by the housekeeper code as well
- Adding orphaned firewall sections list/clean utilities
- Adding a capability to detect problems in logical port address bindings
- Update the documentation
Change-Id: If6aba167c2dd1234d1bb10a8a115fcdfe13cf2f0
2 new admin utilities added to help manage the NSX leftover
portgroups at cleanup
- List all NSX portgroups on the configured dvs
nsxadmin -r nsx-portgroups -o list
- Delete all NSX portgroups on the configured dvs
nsxadmin -r nsx-portgroups -o nsx-cleanup <--force>
Change-Id: I04359b984474dc5215658783bdab7039149a855d
When Neutron server is deleted, we need to clean up all backup
edges created by neutron server. The current clean-all cannot address
the scenario that many neutron servers are using the same NSXv backend.
Change-Id: I4f4d19adf7293c2c91c2cd8b52359bb1eb338b84