179 Commits

Author SHA1 Message Date
Adit Sarfaty
fd8500ba42 NSX|V admin utils: Find and fix spoofguard policies mismatches
1. List spoofguard policies with mismatching ips or mac, globally or for a specific network
    nsxadmin -r spoofguard-policy -o list-mismatches (--property network=<neutron net id>)
2. Fix the spoofguard ips of a neutron port
    nsxadmin -r spoofguard-policy -o fix-mismatch --property port=<neutron port id>

Change-Id: I18723007fff89ffd4a250106fed1b7ea615eb648
2019-03-04 12:05:20 +02:00
Adit Sarfaty
f36d7ce7b4 NSX|V+V3: support octavia delete cascade
Implement the loadbalancer delete cascade for NSX-V3, and NSX-V
The NSX-V implementation is the naive one, and should be improved in
the future.

Change-Id: Ia055d06790fc841fa41ab13d08334424a560b940
2019-02-14 10:56:54 +02:00
Zuul
90dda43b04 Merge "Octavia driver: various fixes" 2019-02-13 06:27:09 +00:00
Adit Sarfaty
a36a1dba74 NSX|V: FWaaS-V2 driver
This patch adds a driver for FWaaS V2 support in the NSX-V plugin.
It supports setting firewall rules per router interface port on the router
edge firewall.

In addition, the FWaaS TVD driver will now support NSX-V as well.

The driver code is a combination of the NSX-V3 FWaaS-V2 code, and the old
NSX-V FWaaS-V1 code that is being deleted.

Change-Id: Iacc7eaff0c70b68156516008cf0277c154edd76b
2019-02-11 09:09:44 +00:00
Adit Sarfaty
abc6a9450d Octavia driver: various fixes
- Fix devstack doc to enable the python client for octavia
- Support health monitor expected codes
- fix error handling on failure to create loadbalancer
- add logging for status updates
- remove extra logging for statistics updates (which overload the logs)
- Fix error handling in case lb service creation failed
- Fix driver pool translation to include the loadbalancer in the listener

Change-Id: If7d554a92d9df62ffb55e882a575da63221ee8ec
2019-02-11 07:05:54 +00:00
Adit Sarfaty
df47dde1cc Remove FWaaS V1 code
FWaaS is about to be removed from neutron, and should be removed from
vmware_nsx as well.

Change-Id: I6e621e63896dc6a6e6bbacc464c79319fce1f92d
2019-02-05 06:21:45 +00:00
Adit Sarfaty
e8306c813c Update Octavia doc to use noop network driver
Change-Id: Ic5034717f7d1f0506b410625ccc0490aca06c3f8
2019-01-13 10:38:27 +02:00
Zuul
2f61af4101 Merge "NSX|T: Add enable standby relocation" 2019-01-08 13:51:37 +00:00
Michal Kelner Mishali
2ce50df04b NSX|T: Add enable standby relocation
Enabling Standby relocation in the plugin
and adding adminUtil to enable it on routers
that were created without it.

Change-Id: I6e8525ba06f03ac6c593922f271f10052cb3fdf7
Signed-off-by: Michal Kelner Mishali <mkelnermishal@vmware.com>
2019-01-07 13:13:03 +00:00
Adit Sarfaty
74f3831027 NSX|P: QoS support
Change-Id: I719c1adfa94676b5e8b3a7b60f8d9d034d54eeb3
2019-01-07 13:07:23 +02:00
Adit Sarfaty
ed7f735d9c Fix Octavia devstack instructions
Change-Id: I06cf1246a7573ff7f23fdb8df21bca732d1d8fa8
2019-01-02 08:43:54 +02:00
Adit Sarfaty
57776776d4 Policy plugin: Add devstack/admin-utils for client auth
Adding devstack support for policy plugin with certificate and the certificate
admin utils which are needed for the devstack support.

Change-Id: I5c9d23c7f0a83cbf4cb71fed4da488bafa230be4
2018-12-09 13:15:55 +02:00
Adit Sarfaty
5e5af50640 NSX|V New admin utility to list existing NSX policies
The user needs to configure nsx-policies using their IDs, which are hard
to find in the VC. The new admin utility will make this easier.

Change-Id: I8869272ff02389193ba546833b52734cf4b71ff2
2018-11-29 07:22:17 +00:00
Adit Sarfaty
30f3d4a31d Fix devstack docs for advanced services
Change-Id: Icce27bcfda465f95c9a4bca16ea3e69e4bf0def0
2018-11-22 15:00:15 +02:00
Zuul
a78306f15f Merge "NSX|P: Initial admin utilities" 2018-11-21 06:58:05 +00:00
Adit Sarfaty
f7795e275d NSX|P: Initial admin utilities
Adding the infrastructure for the policy plugin admin utils with one
example utility to list the security groups, networks & routers.

Depend-on: I10a3f691b33e37e1cd8ec8094f4bfa89d7a96f35
Change-Id: I8094b241255537a1668837ed4ca1dad8094dcc41
2018-11-14 12:29:14 +00:00
Adit Sarfaty
b263b592b9 NSX|V3: Fix LB VIP advertisement
The LB VIP should be advertised by the Tier1 router only if it is on the
external network.
To do that, the global advertise vp flag will not be set, and instead a rule with a
filter to advertise only the VIPs on the external network is added.
In addition, an admin utility is added to update already existing routers with
loadbalancers.
Since VPNaaS also uses the router advertisement rules, its code was also updated so
that each application will handle only its own rules.

Change-Id: Ibfac0406a8c3009c323828cc42c96012e70cb0a9
2018-11-11 08:59:54 +00:00
Adit Sarfaty
563ed756bc Fix admin utils doc formatting
Change-Id: If6ca0f94cee81f6e01f98fae9d56a33a1575a576
2018-10-15 09:57:11 +03:00
Kobi Samoray
83d9b3abdd NSX|V+V3: Octavia driver
Implementing the Octavia support for NSX-V & NSX-T.
Follow up patches will handle the TVD plugin, Status updates,
and migration.

Since Octavia is not (yet?) in the requirements, using a hack to allow unittests
to be skipped.

Co-Authored-by: Adit Sarfaty <asarfaty@vmware.com>
Change-Id: Iadb24e7eadcab658faf3e646cc528c2a8a6976e5
2018-10-02 11:19:55 +03:00
Zuul
9d99f0f06d Merge "NSX|V3: VPN connection status update" 2018-08-27 08:43:00 +00:00
Zuul
18fac22e9f Merge "NSX|V3: LBaaS operating status support" 2018-08-26 08:34:46 +00:00
Adit Sarfaty
e3f103f269 NSX|V3: VPN connection status update
The VPNaaS plugin expects the driver to update the connection status
from a separate process/thread/agent.
When the user requests a connection/list, the status is retrieved from the VPNaaS DB,
without calling the driver.

To avoid adding a process to actively query and update all connections statuses, this
patch creates a new VPNaaS plugin, to be used instead of the default one.
This plugin (vmware_nsx_vpnaas) will issue a get-statuses call to the driver,
update the current statuses in the DB, and call the original plugin.

Change-Id: Ib750bfb8f0c8ad12265fa71506182ff5d7e8030a
2018-08-20 14:21:24 +03:00
Adit Sarfaty
bb0ea37a57 NSX|V3: LBaaS operating status support
The LBaaS V2 plugin expects the driver to update the LB objects operating
status from a separate process/thread.
When the user requests the LB status (or just the LB object itself with GET),
the operating status is retrieved from the LBaaS DB, without calling the driver.

To avoid adding a process to actively query and update all objects statuses,
this patch creates a new LBaaSV2 plugin, to be used instead of the default one.
This plugin (vmware_nsx_lbaasv2) will issue a get-statuses call to the driver,
update the current statuses in the DB, and call the original plugin.

Depends-on: I71a56b87144aad743795ad1295ec636b17429035
Change-Id: I3c4e75d92a1bacdb14292a8db727deb4923a85d9
2018-08-20 11:13:30 +00:00
Adit Sarfaty
caa451920b NSX|V3: New admin utility to show MP cluster managers IPs
Usage:
nsxadmin -r cluster -o show

Output example:
NSX Cluster has 3 manager nodes:
10.192.210.183
10.192.210.184
10.192.210.185

Change-Id: I1a138c759c52e25481fdf34f1ed3d861470adf3e
2018-08-09 05:37:14 +00:00
Adit Sarfaty
dac109662e NSX|V+V3: Move FW section logging update to admin utility
On the plugin init there is a side process going over all the security
group rules in the NSX DFW checking if their logging flag should be
updated according to the global configuration flag.
Since this is relevant only in case the global config flag
log_security_groups_allowed_traffic was updated by the user, which is very rare,
this patch removed it from the code, and replaced it with an admin utility
that can be used.
This will make the plugin initialization process quicker and prevent unnecessary
load on the NSX.

Change-Id: I233915e589b53ccb4b76a3ef3d24bb56c0459e92
2018-08-01 04:32:13 +00:00
Adit Sarfaty
f2589aefb2 NSX|V3: Add housekeeping jobs
Adding housekeeper for NSX V3 including handling orphaned DHCP server,
logical switches, firewall sections & logical routers, and handling
mismatched logical ports.

Change-Id: Id5e038a5c713796a83e485343cdc1672d0c1fd24
2018-07-20 12:30:17 +03:00
Matthew Edmonds
042b6a6600 Clarify NSX-V vs. NSX-T
NSX-T is the common name, not "Transformers" or "v3". This makes that
change throughout the docs and conf help. It also fixes a broken link
to the NSX-T pubs.

This change does not rename conf groups and options that use "v3".
That should be considered for a follow-on effort (with appropriate
deprecation).

Change-Id: I466f60e4476cedc439e17cba39a333a3853a32d9
2018-07-10 09:41:33 -04:00
Adit Sarfaty
7179642aea Add housekeeper GET/PUT run options
The housekeeper GET will run the job with readonly mode
The PUT command will run it with readonly=False (unless it is globally
configured as readonly, which will cause a failure)

Change-Id: Ifcac0bbe6f447ae431c75f66f3c7f8682c9e9408
2018-07-04 13:40:35 +00:00
Zuul
6aa96a83d7 Merge "NSX|V3 add lbass_pending housekeeping job to doc" 2018-07-03 08:56:36 +00:00
Adit Sarfaty
7cbffc011a NSX|V3 add lbass_pending housekeeping job to doc
Change-Id: Ia136ef1457a4866a7bab9161e9872684aee1d576
2018-07-03 08:59:42 +03:00
Adit Sarfaty
c0f3149c40 NSX|v3 Admin utils refactor + additions
- Refactor nsx-v3 admin utilities by moving some of the code to a different
file which will later be consumed by the housekeeper code as well
- Adding orphaned firewall sections list/clean utilities
- Adding a capability to detect problems in logical port address bindings
- Update the documentation

Change-Id: If6aba167c2dd1234d1bb10a8a115fcdfe13cf2f0
2018-06-28 08:35:54 +00:00
Adit Sarfaty
28700a0117 Integrate with FWaaS pluggable driver
FWaaS-v2 configuration & paths changed.
This patch updates the import actions and devstack instructions.

Change-Id: Ib3d216c818d0477b3cb6cbe6c4fae10bec94fad9
Depends-On: I4ebd24f1b13eb823c4d63452fd37cace5bcf5481
2018-05-21 07:27:44 +00:00
Adit Sarfaty
0f9fa16c4d NSX|V adminUtils: List & clean NSX portgroups
2 new admin utilities added to help manage the NSX leftover
portgroups at cleanup

- List all NSX portgroups on the configured dvs

    nsxadmin -r nsx-portgroups -o list

- Delete all NSX portgroups on the configured dvs

    nsxadmin -r nsx-portgroups -o nsx-cleanup <--force>

Change-Id: I04359b984474dc5215658783bdab7039149a855d
2018-05-10 14:06:11 +03:00
yuyangbj
998a245512 Add script to clean up all backup edges owned by Neutron
When Neutron server is deleted, we need to clean up all backup
edges created by neutron server. The current clean-all cannot address
the scenario that many neutron servers are using same NSXv backend.

Change-Id: I4f4d19adf7293c2c91c2cd8b52359bb1eb338b84
2018-04-20 10:18:59 +08:00
Adit Sarfaty
ea43183892 Fix vmware_nsx documentation
Fix documentation warnings

Change-Id: Icf2c01c6b4814b69221de4ad432d092164205b28
2018-04-18 05:04:46 +00:00
yuyangbj
2ffa65f5b9 Adding --force support for nsxadmin backup-edges resources
Change-Id: Ic4d55c734230460225091c8e002cc68dbb785efb
2018-04-10 11:03:49 +08:00
OpenStack Proposal Bot
8bb8b5a7b9 Updated from global requirements
Change-Id: I1e890f5e1e4bf5f76fb30db84327c2ca6a4f03a0
2018-03-16 03:55:37 +00:00
OpenStack Proposal Bot
59509abbb0 Updated from global requirements
Change-Id: I1c2a9f3a0413d01e8cd21a9162f5fadda157b814
2018-03-13 07:38:00 +00:00
OpenStack Proposal Bot
ae9a922faa Updated from global requirements
Change-Id: I0ea4819a924912d4c89c33b75f8e90f9a6c4e081
2018-03-10 14:00:04 +00:00
Gary Kotton
f634145a1e TVD: update port migration for V -> T instances
The patch does the following:
1. set instance vNIC to a common network interface
2. Live migrates to T cluster
3. Updates the instance vNIC to opaque network

Example:
nsxadmin -r ports -o nsx-migrate-v-v3 \
    --property project-id=01dd52ff4c7047f79f6259f916c83790 \
    --property host-moref=host-11 --property respool-moref=resgroup-9 \
    --property datastore-moref=datastore-22 \
     --plugin nsxv3

There is also an option to use net-name. The default here is 'VM Network'

Change-Id: I24d9df3f7a3dbd11dffb86427367b809e2b49409
2018-03-06 06:06:24 +00:00
Adit Sarfaty
2825e30777 AdminUtils: Improve NSXv security admin utils
1. Better explain the security groups / nsx security groups / firewall sections
admin utilities.
2. Also remove the unrelated firewall sections reorder from the fix-mismatch utility
3. fix some warnings that appeared when running the utilities
4. Add new utilities to list/clean unused NSX sections:
- List NSX firewall sections that do not have a matching neutron security group::

    nsxadmin -r firewall-section -o list-unused

- Delete NSX firewall sections that do not have a matching neutron security group::

    nsxadmin -r firewall-section -o nsx-clean

Change-Id: Ie9868d1fb196964ce479bca2c42d4a6eea7ef427
2018-03-01 14:11:38 +00:00
Zuul
f9e3bf72a2 Merge "TVD IPAM support" 2018-02-22 13:08:00 +00:00
Zuul
36bb519b93 Merge "TVD: Admin utility for migrating a project" 2018-02-21 11:31:49 +00:00
Adit Sarfaty
db005d3221 TVD IPAM support
Adding an IPAM driver for the TVD plugin which will redirect the
requests to the V/T driver.

Change-Id: Iea48c7de053b0e7545fdae2a8e38c7b489d61409
2018-02-21 12:38:56 +02:00
Adit Sarfaty
863daeafef TVD: Admin utility for migrating a project
Initial version for an admin utility for migration of a project
from V to T
This code will first dump all the objects to a file, so the data
will not be lost.
Then it will delete each object using the V plugin,
move the project to the T plugin and recreate each object.

Usage:
nsxadmin -r projects -o nsx-migrate-v-v3 --property project-id=<V project to be migrated>
--property external-net=<T external network to be used>

Change-Id: I816b63f40ada945d321db4566224f8a964a39a8f
2018-02-21 10:58:14 +02:00
Zuul
d62cacf2d7 Merge "TVD: Add service plugins to separate list results" 2018-02-21 08:29:54 +00:00
Adit Sarfaty
db7ec67010 NSX-V Admin Utils: List BGP GW edges
Usage:
nsxadmin -r bgp-gw-edge -o list

Change-Id: Icc82895e6c981ec35b2dbb31c32ceaa05d9e9f11
2018-02-20 14:26:03 +02:00
Adit Sarfaty
c6c155c1aa TVD: Add service plugins to separate list results
Adding service plugins for QoS, VPNaaS and L2Gateway
and updating the BGP plugin
to prevent users from getting objects belonging to a different
plugin

Change-Id: I3545c3acefaf50ca6937a0b7a65c131c569317cd
2018-02-20 10:34:18 +02:00
Gary Kotton
5ffb1de1e6 admin utility enabled nsx-update for security groups (V and T)
Provide ability to update security groups on NSX

Change-Id: Ia16dfcd5618a3584bc9d0acfbf8a0de155997e58
2018-02-12 08:18:55 -08:00
Adit Sarfaty
d6fbcb9134 Fix admin utils doc
The config resource belongs to the V3 plugin + make the plugins headers
more noticeable

Change-Id: If35fb4d7d01810de81bda813838ab37d0ba837c7
2018-02-12 09:51:11 +02:00