193 Commits

Author SHA1 Message Date
Adit Sarfaty
d753ec6945 Remove neutron-lbaas support & dependencies
Commit Ia4f4b335295c0e6add79fe0db5dd31b4327fdb54 removed all the
neutron-lbaas code from the master (Train) branch

Change-Id: I9035f6238773aad0591436c856550b7a5e01e687
2019-05-19 11:16:45 +03:00
Adit Sarfaty
c479499f97 NSX|V3: Admin utility for reusing existing default section
To support the case of 2 installations on the same NSX backend,
the newer installation should reuse the default OS section & NS group.

Usage:
nsxadmin -r firewall-sections -o reuse

Change-Id: I0e187cea6ffa9ca3cdb6d215530426e611c8ae20
2019-05-13 07:52:47 +03:00
Boden R
4dfb2ecd50 cleanup openstack git refs and lower constraints
This patch:
- Updates git.openstack based URLs to use opendev.
- Cleans up the lower-constraints.txt file to only include what we
really need.

Change-Id: I3eecd97c313c33c820ca2be8f01f6848244cd52a
2019-04-30 07:16:41 -06:00
Adit Sarfaty
032b6b8e46 NSX|V adminUtils: detect and clean orphaned section rules
nsxadmin -r orphaned-rules -o list/nsx-clean will detect/delete orphaned
rules inside nsx sections that belong to neutron security groups.

Change-Id: I18ee55e70b8e3a97d7d5d2453b7994bc07d2c97c
2019-04-28 10:01:46 +00:00
Zuul
e730b80738 Merge "Fix devstack documentation for Octavia" 2019-04-22 12:03:46 +00:00
Adit Sarfaty
7550c3098d Fix devstack doc FWaaS v2 sections
Change-Id: Ie8106b971e72d4d328a0c59414c0b55bf0541a58
2019-04-22 08:44:52 +03:00
Kobi Samoray
5a4ef0f69b Fix devstack documentation for Octavia
Devstack documentation suggests using noop driver for Octavia
networking.

Change-Id: I6531a4fd2a38013194fd083dca3bfb60505707ab
2019-04-21 15:59:07 +03:00
Adit Sarfaty
edac5ce48c NSX|V3 adminUtils: detect and clean orphaned section rules
nsxadmin -r orphaned-firewall-sections -o nsx-list/clean will now
also detect/delete orphaned rules inside nsx sections that belong to
neutron security groups.

Change-Id: I7f733676e29f6a2b1177b4155e5b36aee3670438
2019-04-11 14:09:59 +03:00
Kobi Samoray
4f413ab2a9 Octavia: add o-da to required service list
Update documentation as Octavia now requires the driver agent to
operate.

Change-Id: I1a798fdf1478bf808bffc39e7b0e389f7ec7db15
2019-04-08 11:53:42 +03:00
Adit Sarfaty
8b48578f69 Retire oslosphinx
Change-Id: I83f84d0b9feccbe042d9119564744e955bc0b54b
2019-04-03 11:12:40 +03:00
Kobi Samoray
e98a41d8d2 NSXP: LBaaS/Octavia support
Change-Id: I2bd7b01f921243d65f68ec328173e949607e7842
2019-04-01 14:41:02 +03:00
Zuul
d951d25526 Merge "NSXv: admin util metadata breakage recovery" 2019-03-24 13:49:14 +00:00
Kobi Samoray
0e97278c8a NSXv: admin util metadata breakage recovery
Due to a neutron bug, some metadata components in the various backend Edge
appliances are missing. The patch is supposed to address these
issues.

Admin util command can run per Edge, per AZ or for the whole cloud.

Cases handled by the utility:
- Existing metadata proxies' internal IP is different than the IPs which are
defined in the Edge's loadbalancer object.
This case can happen when the metadata proxies are recreated for some reason.

- Edge appliance is lacking the metadata network connectivity, and the
loadbalancer objects.
This case can happen while a router or a DHCP was created by the Neutron
parent process, which failed to initialize with metadata due to a bug.

- The Edge is missing the metadata firewall rules.
This case can happen while the first interface attachment to the router was
done in the Neutron parent process context due to the bug described above.

Command syntax:
Update AZ:
    nsxadmin -r metadata -o nsx-update --property az-name=az123

Update single Edge appliance:
    nsxadmin -r metadata -o nsx-update --property edge-id=edge-15

Update entire cloud:
    nsxadmin -r metadata -o nsx-update

Change-Id: I77de9e0a0c627e43d3b1c95573d151e0414a34a9
2019-03-15 12:06:50 +02:00
Adit Sarfaty
d55e6c3503 NSX|P FWaaS V2 support
Adding FWaaS support for the Policy plugin, implementing the NSX gateway policy

Depends-on: I97bcbd99fcced02592a6e5f10d0d43a3e99efbe6
Change-Id: I486a6f4ab766233942008b5677722fb14b8553d7
2019-03-13 11:59:15 +02:00
Adit Sarfaty
fd8500ba42 NSX|V admin utils: Find and fix spoofguard policies mismatches
1. List spoofguard policies with mismatching ips or mac, globally or for a specific network
    nsxadmin -r spoofguard-policy -o list-mismatches (--property network=<neutron net id>)
2. Fix the spoofguard ips of a neutron port
    nsxadmin -r spoofguard-policy -o fix-mismatch --property port=<neutron port id>

Change-Id: I18723007fff89ffd4a250106fed1b7ea615eb648
2019-03-04 12:05:20 +02:00
Adit Sarfaty
f36d7ce7b4 NSX|V+V3: support octavia delete cascade
Implement the loadbalancer delete cascade for NSX-V3, and NSX-V
The NSX-V implementation is the naive one, and should be improved in
the future.

Change-Id: Ia055d06790fc841fa41ab13d08334424a560b940
2019-02-14 10:56:54 +02:00
Zuul
90dda43b04 Merge "Octavia driver: various fixes" 2019-02-13 06:27:09 +00:00
Adit Sarfaty
a36a1dba74 NSX|V: FWaaS-V2 driver
This patch adds a driver for FWaaS V2 support in the NSX-V plugin.
It supports setting firewall rules per router interface port on the router
edge firewall.

In addition, the FWaaS TVD driver will now support NSX-V as well.

The driver code is a combination of the NSX-V3 FWaas-V2 code, and the old
NSX-V FWaaS-V1 code that is being deleted.

Change-Id: Iacc7eaff0c70b68156516008cf0277c154edd76b
2019-02-11 09:09:44 +00:00
Adit Sarfaty
abc6a9450d Octavia driver: various fixes
- Fix devstack doc to enable the python client for octavia
- Support health monitor expected codes
- fix error handling on failure to create loadbalancer
- add logging for status updates
- remove extra logging for statistics updates (which overload the logs)
- Fix error handling in case lb service creation failed
- Fix driver pool translation to include the loadbalancer in the listener

Change-Id: If7d554a92d9df62ffb55e882a575da63221ee8ec
2019-02-11 07:05:54 +00:00
Adit Sarfaty
df47dde1cc Remove FWaaS V1 code
FWaaS is about to be removed from neutron, and should be removed from
vmware_nsx as well.

Change-Id: I6e621e63896dc6a6e6bbacc464c79319fce1f92d
2019-02-05 06:21:45 +00:00
Adit Sarfaty
e8306c813c Update Octavia doc to use noop network driver
Change-Id: Ic5034717f7d1f0506b410625ccc0490aca06c3f8
2019-01-13 10:38:27 +02:00
Zuul
2f61af4101 Merge "NSX|T: Add enable standby relocation" 2019-01-08 13:51:37 +00:00
Michal Kelner Mishali
2ce50df04b NSX|T: Add enable standby relocation
Enabling Standby relocation in the plugin
and adding adminUtil to enable it on routers
that were created without it.

Change-Id: I6e8525ba06f03ac6c593922f271f10052cb3fdf7
Signed-off-by: Michal Kelner Mishali <mkelnermishal@vmware.com>
2019-01-07 13:13:03 +00:00
Adit Sarfaty
74f3831027 NSX|P: QoS support
Change-Id: I719c1adfa94676b5e8b3a7b60f8d9d034d54eeb3
2019-01-07 13:07:23 +02:00
Adit Sarfaty
ed7f735d9c Fix Octavia devstack instructions
Change-Id: I06cf1246a7573ff7f23fdb8df21bca732d1d8fa8
2019-01-02 08:43:54 +02:00
Adit Sarfaty
57776776d4 Policy plugin: Add devstack/admin-utils for client auth
Adding devstack support for policy plugin with certificate and the certificate
admin utils which are needed for the devstack support.

Change-Id: I5c9d23c7f0a83cbf4cb71fed4da488bafa230be4
2018-12-09 13:15:55 +02:00
Adit Sarfaty
5e5af50640 NSX|V New admin utility to list existing NSX policies
The user needs to configure nsx-policies using their IDs, which are hard
to find in the VC. The new admin utility will make this easier.

Change-Id: I8869272ff02389193ba546833b52734cf4b71ff2
2018-11-29 07:22:17 +00:00
Adit Sarfaty
30f3d4a31d Fix devstack docs for advanced services
Change-Id: Icce27bcfda465f95c9a4bca16ea3e69e4bf0def0
2018-11-22 15:00:15 +02:00
Zuul
a78306f15f Merge "NSX|P: Initial admin utilities" 2018-11-21 06:58:05 +00:00
Adit Sarfaty
f7795e275d NSX|P: Initial admin utilities
Adding the infrastructure for the policy plugin admin utils with one
example utility to list the security groups, networks & routers.

Depend-on: I10a3f691b33e37e1cd8ec8094f4bfa89d7a96f35
Change-Id: I8094b241255537a1668837ed4ca1dad8094dcc41
2018-11-14 12:29:14 +00:00
Adit Sarfaty
b263b592b9 NSX|V3: Fix LB VIP advertisement
The LB VIP should be advertised by the Tier1 router only if it is on the
external network.
To do that, the global advertise vp flag will not be set, and instead a rule with a
filter to advertise only the VIPs on the external network is added.
In addition, an admin utility is added to update already existing routers with
loadbalancers.
Since VPNaaS also uses the router advertisement rules, its code was also updated so
that each application will handle only its own rules.

Change-Id: Ibfac0406a8c3009c323828cc42c96012e70cb0a9
2018-11-11 08:59:54 +00:00
Adit Sarfaty
563ed756bc Fix admin utils doc formatting
Change-Id: If6ca0f94cee81f6e01f98fae9d56a33a1575a576
2018-10-15 09:57:11 +03:00
Kobi Samoray
83d9b3abdd NSX|V+V3: Octavia driver
Implementing the Octavia support for NSX-V & NSX-T.
Follow up patches will handle the TVD plugin, Status updates,
and migration.

Since Octavia is not (yet?) in the requirements, using a hack to allow unittests
to be skipped.

Co-Authored-by: Adit Sarfaty <asarfaty@vmware.com>
Change-Id: Iadb24e7eadcab658faf3e646cc528c2a8a6976e5
2018-10-02 11:19:55 +03:00
Zuul
9d99f0f06d Merge "NSX|V3: VPN connection status update" 2018-08-27 08:43:00 +00:00
Zuul
18fac22e9f Merge "NSX|V3: LBaaS operating status support" 2018-08-26 08:34:46 +00:00
Adit Sarfaty
e3f103f269 NSX|V3: VPN connection status update
The VPNaaS plugin expects the driver to update the connection status
from a separate process/thread/agent.
When the user requests a connection/list, the status is retrieved from the VPNaaS DB,
without calling the driver.

To avoid adding a process to actively query and update all connections statuses, this
patch creates a new VPNaaS plugin, to be used instead of the default one.
This plugin (vmware_nsx_vpnaas) will issue a get-statuses call to the driver,
update the current statuses in the DB, and call the original plugin.

Change-Id: Ib750bfb8f0c8ad12265fa71506182ff5d7e8030a
2018-08-20 14:21:24 +03:00
Adit Sarfaty
bb0ea37a57 NSX|V3: LBaaS operating status support
The LBaaS V2 plugin expects the driver to update the LB objects operating
status from a separate process/thread.
When the user requests the LB status (or just the LB object itself with GET),
the operating status is retrieved from the LBaaS DB, without calling the driver.

To avoid adding a process to actively query and update all objects statuses,
this patch creates a new LBaaSV2 plugin, to be used instead of the default one.
This plugin (vmware_nsx_lbaasv2) will issue a get-statuses call to the driver,
update the current statuses in the DB, and call the original plugin.

Depends-on: I71a56b87144aad743795ad1295ec636b17429035
Change-Id: I3c4e75d92a1bacdb14292a8db727deb4923a85d9
2018-08-20 11:13:30 +00:00
Adit Sarfaty
caa451920b NSX|V3: New admin utility to show MP cluster managers IPs
Usage:
nsxadmin -r cluster -o show

Output example:
NSX Cluster has 3 manager nodes:
10.192.210.183
10.192.210.184
10.192.210.185

Change-Id: I1a138c759c52e25481fdf34f1ed3d861470adf3e
2018-08-09 05:37:14 +00:00
Adit Sarfaty
dac109662e NSX|V+V3: Move FW section logging update to admin utility
On the plugin init there is a side process going over all the security
group rules in the NSX DFW checking if their logging flag should be
updated according to the global configuration flag.
Since this is relevant only in case the global config flag
log_security_groups_allowed_traffic was updated by the user, which is very rare,
this patch removed it from the code, and replaced it with an admin utility
that can be used.
This will make the plugin initialization process quicker and prevent unnecessary
load on the NSX.

Change-Id: I233915e589b53ccb4b76a3ef3d24bb56c0459e92
2018-08-01 04:32:13 +00:00
Adit Sarfaty
f2589aefb2 NSX|V3: Add housekeeping jobs
Adding housekeeper for NSX V3 including handling orphaned DHCP server,
logical switches, firewall sections & logical routers, and handling
mismatched logical ports.

Change-Id: Id5e038a5c713796a83e485343cdc1672d0c1fd24
2018-07-20 12:30:17 +03:00
Matthew Edmonds
042b6a6600 Clarify NSX-V vs. NSX-T
NSX-T is the common name, not "Transformers" or "v3". This makes that
change throughout the docs and conf help. It also fixes a broken link
to the NSX-T pubs.

This change does not rename conf groups and options that use "v3".
That should be considered for a follow-on effort (with appropriate
deprecation).

Change-Id: I466f60e4476cedc439e17cba39a333a3853a32d9
2018-07-10 09:41:33 -04:00
Adit Sarfaty
7179642aea Add housekeeper GET/PUT run options
The housekeeper GET will run the job with readonly mode
The PUT command will run it with readonly=False (unless it is globally
configured as readonly, which will cause a failure)

Change-Id: Ifcac0bbe6f447ae431c75f66f3c7f8682c9e9408
2018-07-04 13:40:35 +00:00
Zuul
6aa96a83d7 Merge "NSX|V3 add lbass_pending housekeeping job to doc" 2018-07-03 08:56:36 +00:00
Adit Sarfaty
7cbffc011a NSX|V3 add lbass_pending housekeeping job to doc
Change-Id: Ia136ef1457a4866a7bab9161e9872684aee1d576
2018-07-03 08:59:42 +03:00
Adit Sarfaty
c0f3149c40 NSX|v3 Admin utils refactor + additions
- Refactor nsx-v3 admin utilities by moving some of the code to a different
file which will later be consumed by the housekeeper code as well
- Adding orphaned firewall sections list/clean utilities
- Adding a capability to detect problems in logical port address bindings
- Update the documentation

Change-Id: If6aba167c2dd1234d1bb10a8a115fcdfe13cf2f0
2018-06-28 08:35:54 +00:00
Adit Sarfaty
28700a0117 Integrate with FWaaS pluggable driver
FWaaS-v2 configuration & paths changed.
This patch updates the import actions and devstack instructions.

Change-Id: Ib3d216c818d0477b3cb6cbe6c4fae10bec94fad9
Depends-On: I4ebd24f1b13eb823c4d63452fd37cace5bcf5481
2018-05-21 07:27:44 +00:00
Adit Sarfaty
0f9fa16c4d NSX|V adminUtils: List & clean NSX portgroups
2 new admin utilities added to help manage the NSX leftover
portgroups at cleanup

- List all NSX portgroups on the configured dvs

    nsxadmin -r nsx-portgroups -o list

- Delete all NSX portgroups on the configured dvs

    nsxadmin -r nsx-portgroups -o nsx-cleanup <--force>

Change-Id: I04359b984474dc5215658783bdab7039149a855d
2018-05-10 14:06:11 +03:00
yuyangbj
998a245512 Add script to clean up all backup edges owned by Neutron
When Neutron server is deleted, we need to clean up all backup
edges created by neutron server. The current clean-all cannot address
the scenario that many neutron servers are using same NSXv backend.

Change-Id: I4f4d19adf7293c2c91c2cd8b52359bb1eb338b84
2018-04-20 10:18:59 +08:00
Adit Sarfaty
ea43183892 Fix vmware_nsx documentation
Fix documentation warnings

Change-Id: Icf2c01c6b4814b69221de4ad432d092164205b28
2018-04-18 05:04:46 +00:00
yuyangbj
2ffa65f5b9 Adding --force support for nsxadmin backup-edges resources
Change-Id: Ic4d55c734230460225091c8e002cc68dbb785efb
2018-04-10 11:03:49 +08:00