Use nsxlib to check if a feature is available at the current
backend version.
Change-Id: Iabe06f23a6d78c202f2854521565c1f4063cc174
Depends-on: I947d40fbfa574295982744ba06918894b2459fd9
In NSX 2.0.0 onwards we are able to make use of the tags
for the exclude list. Prior to this we need to make use of the
exclude list directly.
Co-Authored-By: Shih-Hao Li <shihli@vmware.com>
Change-Id: I31fec57ec7db7db5066c446251917720a043339e
Leverage the NSX VXLAN support for transparent VLANS. NOTE that the
feature needs the configuration variable cfg.CONF.vlan_transparent
to be set to True (this is in the neutron configuration file)
This is currently only supported with VXLAN backing networks.
This is supported from NSX 6.3 onwards.
Change-Id: I1fe9724b0618e4cc2565d500ea2eb6198e1945ed
We are replacing all usages of the retrying package with
tenacity with an end goal of removing the retrying package
from our requirements.
This patch also demonstrates how to use the new api to retry only for some
of the exception error codes.
Change-Id: Ie1b082848ac6153d29af7779de914071dc8c1ba5
- separate nsxlib/v3 constants and utils from the common ones
- separate the nsxlib/v3 tests
- update the nsxlib tests to cover create_firewall_rules
- remove all of the DB calls from the nsxlib/v3
- merge security & dfw_api classes
To be done in future patches:
- Avoid using the nsx configuration values directly
- Improve nsxlib interface (as Aaron suggested in If2fe1e014b78703ff0a9cdff1e4e8d45f3a4a16d)
Change-Id: I43257f557ce1e98b4f64b8157d723cc84ea58c2b
This patch implements the provider security-groups extension for NsxV
Neutron plugin.
For more details, please refer to the feature
change: I57b130437327b0bbe5cc0068695f226b76b4e2ba.
Change-Id: I0efa29893eff7d76ee69496210cda33f79742cfd
As bug 1568706 uncovered, we were using zuul-cloner
in our gate jobs; this was preventing our translation from
syncing.
After digging into this issue a number of changes in this
associated logic were found to not be in sync with neutron.
This patch updates our tox/tools logic to follow that of neutron.
In addition this patch fixes any pylint checks that were failing to
make pep8 pass.
IMPORTANT:
Please review closely, not only to the tools/tox updates but also
to the ignored pylint checks in the code. We only want to disable
checks where appropriate.
Change-Id: I6c5fee3ca3073ad079eac1636cc3b9ec45926a68
Closes-Bug: #1568706
CH release adds new way to associate resources with nsgroups by
creating specific tags on the resources.
We would like to support this feature in the plugin for better performance.
This patch makes use of this feature to associate logical-ports with nsgroups
(Neutron ports with security-groups), for every LP-NSGroup association,
a special tag will be added to the LP.
The plugin will use this NSX feature only when supported by the NSX
version, and given that the designated boolean config option is set to True.
Change-Id: I2a802bc314d98dba9ecc54191fcbd7330f183e12
NSX-v plugin has support for provider network type 'portgroup'.
This patch adds support for portgroup type binding in DVS plugin.
Creating a portgroup type network refers to an existing dvportgroup
in vSphere. Deleting this network would not delete the dvportgroup
similar to NSX-v plugin.
This functionality is required to import VMs on vSphere
connected to an existing dvportgroup.
Change-Id: I6fd1f3efdd258b5d4d5042d0f76d0a4b52cd69ee
Commit Ib56ee8bfd182c031e468c503acb0cd75daea8c40 refactored code
in L2 gateway base plugin. This patch makes appropriate changes
in NSX plugin and v3 driver.
Change-Id: I45d546e59e99d49d2a9b18258af94d90e91333ca
Partial-Bug: #1591413
neutron_lib should be used instead of the attributes and constants
imports. This patch moves to using neutron_lib. This removes all of
the deprecated warnings (there are still some from neutron and
l2gw - those are addressed in other patches).
Change-Id: I796d749c46a69107a1a484e8774c5d501fc4704f
Commit 87a79256c494c36f2d9597313f430b24c0110161 added neutron_lib
for shared exceptions. This patch moves us to make use of the
aforementioned library.
Change-Id: I9fe014c5da85faca87bf88a80c4ee19f7f123123
NSX v3 does not support CIDR notated IP addresses for
port IP address bindings; thus something like
9.10.11.12/24 is an invalid IP address to use for an address
pair. This patch adds a check to ensure IP addresses are
of the proper format.
Additionally this patch adds logic to the port update
flow in the case where a backend error occurs on port
update. The logic contained herein now reverts the
address pairs to ensure they are in sync with neutron.
Unit tests are also included.
Change-Id: Ia0c9187b1f6e304690e1a56e94c47fe069179645
Closes-Bug: #1531558
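An added example, not part of the commit or the vmware-nsx code base: a sketch of the two behaviours the message above describes, rejecting CIDR-notated address-pair IPs and restoring the previous address pairs when the backend update fails. The function names, the `BackendError` class and the dict-shaped port are assumptions made for illustration.

```python
import ipaddress


class BackendError(Exception):
    """Stands in for an NSX backend failure (hypothetical name)."""


def validate_address_pairs(pairs):
    """Reject any address pair whose IP is not a single host address."""
    for pair in pairs:
        ip = pair["ip_address"]
        try:
            # ip_address() accepts only a bare host address, so a
            # CIDR-notated value such as '9.10.11.12/24' raises ValueError.
            ipaddress.ip_address(ip)
        except ValueError:
            raise ValueError(
                "address pair %r must be a plain IP address, not CIDR" % ip)


def update_port(db_port, new_pairs, backend_update):
    """Apply new address pairs; restore the old ones if the backend fails.

    db_port is a dict standing in for the stored port (assumption);
    backend_update is a callable that pushes the port to the backend.
    """
    validate_address_pairs(new_pairs)            # fail before any change
    old_pairs = list(db_port["allowed_address_pairs"])
    db_port["allowed_address_pairs"] = list(new_pairs)
    try:
        backend_update(db_port)
    except BackendError:
        # Keep the stored state in sync with what the backend still has.
        db_port["allowed_address_pairs"] = old_pairs
        raise
    return db_port


def is_valid(pairs):
    """Convenience wrapper: True when every pair passes validation."""
    try:
        validate_address_pairs(pairs)
    except ValueError:
        return False
    return True
```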
Ensure that the instance UUID and router UUID are
correctly used.
In addition this also changes the router port name to have only
one separating _ and not 2.
Closes-bug: #1531507
Change-Id: I73f76b3a86865b99deb8f7b26fce42983bcb7293
When a port is created, for example via nova, the port will contain
the device id. In this case let's add a tag that will help identify
the instance.
Closes-bug: #1530629
Change-Id: I75bd24d4cb3a42e0d4fad00fc9bec05c08b2ccbf
The NSX plugin adds "tags" for each NS-Group it creates and should
ignore such NS-Groups which don't contain tags at all.
Change-Id: I749b0c28a13c771e8778353cbf63ead567b68f1b
Closes-Bug: #1529463
Rename logical port with router attachment from <NSX-UUID> to
<OS-Router-Name>_Port_<short-OS-Router-Port-UUID>.
Change-Id: I5f700e008afb9135a052937e6b29329032f34c15
For Neutron security-group integration we need to be able to configure some
default FW rules which will be enforced on all logical-ports (which are
associated with at least one SG), to achieve that, we place all security-group
objects in a nested NSGroup and apply the default rules on it.
The problem with this strategy is that the nested NSGroup has a
limited capacity and can't contain the expected number of security-groups which
exist simultaneously.
To address this issue, we create multiple nested NSGroups (instead of one only)
and evenly distribute security-groups between them, rules in
the default section are applied on these nested groups.
Closes-Bug: #1522021
Change-Id: I78c59a0b58bce14e04f7517e0d0db32cd105ff74
Add resource type and project name tags to qos switching profile.
Make maximum length of resource type name a constant. Fix some typos.
Change-Id: Ibd793894ca65320fa5fcf49e5dfa1872f534b7fe
Add in a resource type to the tags. This will enable the
admin to know what the corresponding neutron resource is.
The length of the scope is also validated to not exceed 20.
That is the maximum length on the backend.
Closes-bug: #1527208
Change-Id: I3a9a8cac6e7e42a424717d58380b56d32ce5b4f6
On the backend we would like the name to be:
name_<5bytesuuid>...<last5byttesuuid>
Problem is that the backend currently does not support ','.
So we will use '_' as a stop gap. This will enable us to be
able to differentiate between networks that have the same name.
Closes-bug: #1527155
Change-Id: I355801ffc2a1d94c2865f5990a74d5e41d7a69fb
Ensure that internal resources created on the NSX do not have data
that is not relevant, for example tenant_id.
Change-Id: Ib5f32f55d87fe1a41e7aba4550294fbfb6e4d367
Closes-bug: #1527084
Metadata service in the NSX-V plugin is handled by an Edge DHCP or
router VM. Currently the traffic between nova and the metadata service
is insecure. This patch adds the SSL support for metadata service
which will make the connection secure.
The certificate used for secure communication will be created on the
VC under the edge scope. If user does not supply the certificate and
private key for secure communication, a self-signed certificate will be
generated in the backend. This self-signed certificate will last for a
period of 10yrs.
A certificate with the given details will be created in the backend if
such a configuration exists in nsx.ini.
Appropriate config is pushed for the loadbalancer with the protocol set
to HTTPS if SSL is enabled for metadata service.
DocImpact
Change-Id: I5582cc1186ef4b8451f999b46e55bc2c684b1be3