45 Commits

Author SHA1 Message Date
Adit Sarfaty
bc0ca46f8e NSX|V: fix vnic allocation for AZ and metadata
When there are several availability zones using the same metadata
configuration, the DB vnic allocation failed to find the correct
internal network because it belongs to the default AZ and not the
specific one.

Change-Id: If35c814b55fd5632995cbace0689e4506563059d
2017-06-08 08:32:41 +00:00
Adit Sarfaty
6b6e9c7721 NSX-v| Fix FWAAS rules in DB
fwaas backend rules don't have to be in the DB, since they are never
retrieved from there.
Also the Tag of the allow-external rule should be the last one, as it
originally was, before the FWaaS feature.

Change-Id: I6acfeef780ffd6d4aecb97e4b49e7907f7eee154
2017-05-07 11:06:15 +03:00
Boden R
b87406fb6e use neutron-lib constants rather than plugin constants
Many of the constants from neutron.plugins.common.constants are now in
neutron-lib. This patch switches over to those in neutron-lib.

Change-Id: Ic266440aae034783e5371842ab293da70deeae04
2017-05-04 06:56:51 -06:00
Roey Chen
81f9380765 NSXv BGP support
This change implements a new BGP plugin which allows BGP support in OpenStack,
using NSXv service edges (ESG).
When a BGP speaker is associated with an external network, service edges which
accommodate tenant routers that have their GW port on this network would be
configured to enable BGP/Dynamic-routing.
The specific BGP configuration (e.g - localAS, neighbours) for the edge is
retrieved from the BGP speaker object and its peers.

This change also adds an extension to the BGP peer object, this
extension allows the cloud operator to associate a BGP peer with a specific
service edge that will serve as GW edge for the network, multiple GW
edges are supported by enabling ECMP on tenant service edges.

Co-Authored: yuyangbj <yangyu@vmware.com>
Change-Id: Ife69b97f3232bee378a48d91dc53bdc8837de7f5
2017-04-13 06:09:53 -07:00
Gary Kotton
6228a06399 Drop log translations
Log messages are no longer being translated. This removes all use of
the _LE, _LI, and _LW translation markers to simplify logging and to
avoid confusion with new contributions.

See:
http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html

Change-Id: I9d37ae28a3fecbe910e60dc7f22e229a7b65940c
2017-03-26 05:09:02 -07:00
Gary Kotton
c615e8ce0e NSX|V: Add support for 'direct' vnic types
The NSX|V will support a direct vnic type iff this port meets the
following criteria:
1. no security groups
2. no port security
3. is on a VLAN/FLAT network

The reason for this is that the direct is only supported via the DVS
and there is no support for security groups and port security.

Change-Id: Iff4cc72e724d40feff2b26fc4f24596cae3a749a
2017-02-22 06:48:11 -08:00
Adit Sarfaty
20c55bcac4 Replace db get_session with get_reader/writer_session
The db/api get_session is deprecated.
We should use get_reader_session or get_writer_session instead.

Change-Id: I5f04bd0cfd43ae5b9c31b9ece3cf77fcef56cd3f
2017-02-15 13:44:15 +02:00
Adit Sarfaty
2808ededb7 NSXv: Add metadata configuration to the availability zones
The next global configurations are now added also per AZ:
- mgt_net_moid
- mgt_net_proxy_ips
- mgt_net_proxy_netmask
- mgt_net_default_gateway
- external_network
- vdn_scope_id
- dvs_id

In case any of them is not defined in the AZ section, the global value will be used.

Change-Id: I5fca433fb86163cee84e3b9fc54182017a5f266b
2017-02-12 08:44:33 +02:00
Jenkins
b732473565 Merge "NSXv: Support update dvs list for VLAN provider networks" 2017-02-09 07:26:00 +00:00
Jenkins
464f4fdc0d Merge "NSX-v| LBAAS L7 support" 2017-02-08 07:46:10 +00:00
Adit Sarfaty
2256459aa1 NSX-v| LBAAS L7 support
Supporting L7 policies and rules in LBAAS-v2
Including a new db table nsxv_lbaas_l7policy_bindings
for mapping between the lbaas policy ID and the nsx application rules.

Depends-on: I3b14d107dbe0a72a6e24239f06bd6c3ac597cfbb
Change-Id: Ic760be8956cea00b972b5f11f6acff294630892d
2017-02-07 11:33:17 +02:00
Gary Kotton
ef0eda4076 NSX|V: ensure that static bindings are consistent
Ensure that the bindings in the DB are consistent with those
configured on the edge.

Change-Id: I53d819d1e9f873971802ba96e5264c390385610a
2017-02-06 06:42:20 +02:00
Adit Sarfaty
15bd7fad2d NSXv: Support update dvs list for VLAN provider networks
Change-Id: I8b1e2dee482504c9a27ab369d158beb3589fb005
2017-01-31 08:32:41 +00:00
Kobi Samoray
52c88252de NSXv: Reduce DB calls while gathering network edges
get_subnets requires a huge number of backend calls to gather the
networks advanced_service_providers field.
This change should gather the data from DB with a single call and
process it locally at the controller.

Change-Id: Ic7c7fac46c983c1c750108d86a1adefb4c11508c
2017-01-17 12:30:29 +02:00
Adit Sarfaty
1266099049 NSX|V3 IPAM support
The NSX-V3 plugin will use the NSX-V3 backend IPAM.
An IP pool will be created for each subnet, and port IPs will be allocated
from this pool.
The current backend limitation is that we cannot allocate a specific IP,
so port create/update with fixed_ips will fail, unless the requested ip
is the subnet gateway ip.

To enable this option set 'ipam_driver = vmware_nsxv3_ipam' in the
neutron.conf

Change-Id: I5263555cbb776018a5d01f19d0997fd2adf6483d
2017-01-15 12:49:00 +00:00
Adit Sarfaty
9d0e903139 [Admin-util] NSX|V admin util to use a policy in a security group
New admin utility that can be used when the user changes the configuration to use
policies in security groups (use_nsx_policies=True)
This utility deletes the current rules and section of the security group,
and adds it to the policy.

usage:
nsxadmin -r security-groups -o migrate-to-policy --property policy-id=<> --property
         security-group-id=<>

Output example:
==== [MIGRATE] Sg To Policy ====
Successfully established new session; session ID is 28c3f.
Deleting the rules of security group: 415ff93e-cbd4-4f49-a06d-44885eba7c88
Deleting the section of security group: 415ff93e-cbd4-4f49-a06d-44885eba7c88
Binding the NSX security group securitygroup-143 to policy policy-9
Done.

Change-Id: I7041c33b86a0ebc965e2cfcfe1c9ac9261a0318a
2016-11-14 16:39:15 +02:00
Adit Sarfaty
a7b5bfafcc nsxlib refactor continue
- separate nsxlib/v3 constants and utils from the common ones
- separate the nsxlib/v3 tests
- update the nsxlib tests to cover create_firewall_rules
- remove all of the DB calls from the nsxlib/v3
- merge security & dfw_api classes

To be done in future patches:
- Avoid using the nsx configuration values directly
- Improve nsxlib interface (as Aaron suggested in If2fe1e014b78703ff0a9cdff1e4e8d45f3a4a16d)

Change-Id: I43257f557ce1e98b4f64b8157d723cc84ea58c2b
2016-09-29 15:59:13 +03:00
Gary Kotton
7d1ff0e5b7 NSX|V: make DHCP DB binding creation more robust
There are edge cases with race conditions where a binding may already
exist in the DB. In this case we overwrite the existing one.

Change-Id: Ie80c57fa8d2626e984bc8a5778a25db756e95e5d
2016-09-08 10:32:58 +00:00
Adit Sarfaty
d2e50bdfb7 NSX|v IPAM support for external & provider networks
For IPv4 external networks and provider networks, NSX-V plugin will use
the NSX-V backend IPAM.
To enable this option set 'ipam_driver = vmware_nsxv_ipam' in the
neutron.conf

Change-Id: Icdc3e7d24dac08a29f045f10fcea9ec4496b8446
2016-09-06 12:32:57 +03:00
Kobi Samoray
4383b9d391 NSXv: LBaaSv2 shared pools
Support shared pool functionality of LBaaSv2 for NSXv driver.

Change-Id: If3368b341658fe0f6073d19e6d2ca2eadb2222d3
2016-08-22 10:09:30 +03:00
Adit Sarfaty
d4fa95168c NSX|V add dhcp-mtu extension to subnet
Add subnet extension dhcp-mtu and configure it in option26 of the dhcp binding.
Also add this column to the nsxv_subnet_ext_attributes DB table.
This option will be available only from NSX version 6.2.3

DocImpact: Added dhcp-mtu extension to subnets

Change-Id: Id2a74a3c089beb61fde6b7c0fd02b207e444c3b7
2016-07-31 09:10:32 +03:00
Adit Sarfaty
aba3ade22f [Admin-Util] recreate NSX|v router edge
Delete a backend router edge, and move its router/s to other edges.
Currently this utility does not support distributed routers

usage:
nsxadmin -r routers -o nsx-recreate --property edge-id=edge-307

Change-Id: Ib1ab84120aaae42dba884d4ba964a3bdd82df2fb
2016-07-19 08:24:01 +03:00
Jenkins
10297ef88b Merge "[Admin-utils] NSXv recreate DHCP edge" 2016-07-18 14:44:51 +00:00
Adit Sarfaty
654b12fd55 NSX|V Extend Availability Zones to support data stores
The availability zones support will now include also data-store ids.
The configuration will include a name for each availability zone, resource pool
ID, datastore ID and optionally also HA datastore ID.
The user can choose a hint from this list when creating a router or a network.
The relevant edge appliances will be created using this data.

DocImpact: New format for the configuration parameter availability_zones under nsxv
Should include a list of availability zones. For each of them name, resource pool id,
datastore id and optionally also HA datastore id.

Change-Id: Icb72f6f674b8610687a6be730161a206d4c76257
2016-07-13 11:33:12 +03:00
Boden R
28c14f567e Update gate logic
As bug 1568706 uncovered, we were using zuul-cloner
in our gate jobs; this was preventing our translation from
syncing.

After digging into this issue a number of changes in this
associated logic were found to not be in sync with neutron.
This patch updates our tox/tools logic to follow that of neutron.
In addition this patch fixes any pylint checks that were failing to
make pep8 pass.

IMPORTANT:
Please review closely, not only to the tools/tox updates but also
to the ignored pylint checks in the code. We only want to disable
checks where appropriate.

Change-Id: I6c5fee3ca3073ad079eac1636cc3b9ec45926a68
Closes-Bug: #1568706
2016-07-12 09:05:22 -06:00
Adit Sarfaty
37660fce9c [Admin-utils] NSXv recreate DHCP edge
This utility can be used to move all the networks from a specific
DHCP edge, to another (new or existing) edge.
This should work also for VDR router DHCP edge.

Usage:
nsxadmin -r dhcp-binding -o nsx-recreate --property edge-id=<edge-Id>

Output example:
==== [NSX] Recreate Dhcp Edge ====
ReCreating NSXv Edge: edge-222
Deleting the old DHCP edge: edge-222
Moving network a7fd0856-923e-43a6-97c7-9980e7fabd08 to a new edge
Moving subnet ae9efc04-a685-497e-aab1-1dff9abacf9c to a new edge
Creating network a7fd0856-923e-43a6-97c7-9980e7fabd08 DHCP address group
Network a7fd0856-923e-43a6-97c7-9980e7fabd08 was moved to edge edge-228
Moving network 7a484242-0261-4888-ba77-41bb7bbd4f9d to a new edge
Moving subnet 412e89ce-7c69-494d-b525-c08c8828cdfd to a new edge
Moving subnet 139f7375-afb9-41dd-bdb7-c25af772a805 to a new edge
Creating network 7a484242-0261-4888-ba77-41bb7bbd4f9d DHCP address group
Network 7a484242-0261-4888-ba77-41bb7bbd4f9d was moved to edge edge-228

Change-Id: I97ba4abfe50d634f5ba5b137a64e021575db1ead
2016-07-12 08:22:09 +03:00
Gary Kotton
9b1f596324 NSX|V: address DB lock wait timeouts in the plugin
When running tempest tests we hit this. After analysis the reason
seemed to be that the DB session was aged as a result of waiting for
subnets in parallel tests to be created.

Here we just create a new DB session prior to updating the VNIC IDs.

The patch also does the following:
1. Addresses the case where the edge_bindings are not found
2. Ensure locking for the VNIC allocations

Change-Id: I0f921417e7b333575c0e99838e88a23c61f67423
2016-06-28 23:31:44 -07:00
Adit Sarfaty
b2858f8719 NSX|V router create with availability zones hints
Add support for availability zones hints on routers creation
- The router will be created on an edge that belongs to the requested resource pool
- The nsxv_router_binding db table has a new column for the edge resource pool
- New nsxv configuration: availability_zones which should contain a list
of resource pools ids, that can be used as hints

DocImpact: New configuration parameter availability_zones under nsxv

Change-Id: Ib34689d554dafe25f62a045feebe9eed68d2174d
2016-05-24 08:38:26 +03:00
Adit Sarfaty
b20c3180b4 NSX|V log warning when getting a router-binding entry with bad status
Add a wrapper to the different getters of the nsxv_router_bindings table,
to log warnings in case the retrieved entries had an erroneous status.

Change-Id: If4671d2fb4a3555de3e0f27b8da44e94f4dd6981
2016-04-12 09:05:45 +03:00
yuyangbj
f072b73781 Keeping the load balancer firewall on edge
When the load balancer is created, it will create a default firewall
rule on edge. But when the fip is created or deleted, the driver will
also update the firewall rule on this edge, at this time, the lb
firewall rule will be flushed.

Change-Id: I84bb2cf5ddcc1bb448f138e024bb361a1b4eee82
2016-04-06 01:49:46 +00:00
Roey Chen
1ac25e8896 NsxV3: Fine grained logging for security-groups
Also migrates security group logging for NSXv to new model

Change-Id: I0d6a90e0d8531156e06817cba431c72db0c81bde
2016-03-29 18:27:36 +00:00
Roey Chen
1f9d16fe8d NSXv: Fine grained control for logging security-group rules
Allows admin to control security-groups rule logging

NSXv distributed firewall exposes an API to control rule logging,
as for the moment, admin user can use this feature only from inside of
the distributed firewall.
This patch makes use of this API to provide the cloud admin with three ways
to control security-group logging:

    - log whenever security-group rule is matched
    - log when a packet doesn't match any security-group rule
    - log whenever security-group rule is matched for selected
      security-groups

Change-Id: I2a4dbff2ecba4c6041b4aaad1f20941440a5f6b6
2016-03-29 04:54:58 -07:00
Abhishek Raut
d9f3ee826a [NSXv]: Add support for dns search domains in NSXv plugin
This patch adds support for dns search domains in the nsx-v plugin.
DNS search domain is implemented as a string attribute extension to the
Subnet object.
Usage:
subnet-create net-name 10.0.0.0/24 --name subnet-name \
    --dns-search-domain eng.vmware.com
subnet-update subnet-name --dns-search-domain new-domain.com

This commit adds a new table to store bindings for subnet attributes with
the necessary migration script.

Change-Id: I3f41a123f42e5b784de3ad090cecb7d712a36542
2016-02-03 14:22:25 -08:00
Kobi Samoray
feb2dc9d04 LBaaS Layer4 TCP VIP should use LVS
When a VIP is configured for L4 LB only, we can use LVS to improve
performance. To achieve that, we should enable acceleration on the Edge
appliance.

Depends-On: I7f3b95b43f87b35d641f0c7535d648ee178eda41
Change-Id: I027cb1e4b5cd82006a80e17f3fd2b0feca1278a4
2016-01-12 21:56:00 +00:00
Gary Kotton
4afa13c3c4 Switch to internal _i18n pattern, as per oslo_i18n guidelines
- Guidelines referenced from:
  http://docs.openstack.org/developer/oslo.i18n/usage.html

Change-Id: I938919958525b2db0c8a517b951a23f974a7762e
2015-12-02 06:59:23 -08:00
Aaron Rosen
97eef172cf Fix typos with topy
$ topy -a vmware-nsx

Change-Id: I681a842b4d9309d499052f33cf756228ad850113
2015-11-19 12:53:12 -08:00
Amey Bhide
58e4471372 Admin utility: List missing DHCP bindings on NSXv
Sample Output:
NSX Plugin in use: nsxv
==== [LIST] Missing Dhcp Bindings ====
============================================================
For edge: edge-61
Missing DHCP bindings:
set([])
============================================================
For edge: edge-63
Missing DHCP bindings:
set([(u'edge-63', u'fa:16:3e:ee:ce:4d', u'binding-1')])

Change-Id: I659f43428260ca08e72a7de6555b3e6e32b23163
2015-11-02 16:42:26 -08:00
Amey Bhide
12af89ab3d NSXv: Add method to get dhcp bindings count per edge
This method will be used by admin_utility

Change-Id: Ic3fea8302c8a750cfacaf422f5ed38afd5beda84
2015-11-02 10:55:19 -08:00
Jenkins
0b4fd956e0 Merge "LBaaSv2 driver" 2015-10-29 01:48:33 +00:00
Kobi Samoray
9b6d3b1b47 LBaaSv2 driver
Implement LBaaSv2 driver for NSXv Edge appliance load balancer.
Includes TLS support for Edge appliance, and certificate management
for SSL termination.

Change-Id: I60093c0186cce3e99fb26e1fc6bd5175cbd1a560
2015-10-27 07:42:47 +02:00
Amey Bhide
fe66930442 [NSXv]: Adds method to get all spoofguard policy mappings
Change-Id: I684b9fb369c944b21bd09588d0d3c9a7c05dc1b0
2015-10-21 15:39:57 -07:00
linb
b189f2719c Fix dhcp_router_id DB integration error
dhcp_router_id column is useless in nsxv_vdr_dhcp_bindings and would
lead to DB integration error. So the patch removes this column.

Change-Id: I882c46e07f588d0106503075bc2de3116256cd73
2015-10-01 17:06:00 -07:00
Bo Lin
668a581682 Revert "Fix subnet use vdr dhcp edge for dhcp service"
This reverts commit cacf38b3d183223daafc1ef095bd2bf8d9c86a08.

Change-Id: I8de0bbfed4237197ae9a55f6676728474cca1fd8
2015-09-25 13:52:56 +08:00
Shih-Hao Li
09d19bb138 Divide vmware_nsx/plugins into plugin-specific subdirectories
This patch will create:
vmware_nsx/plugins/dvs for DVS specific files
vmware_nsx/plugins/nsx_mh for MH specific files
vmware_nsx/plugins/nsx_v for nsx_v specific files
vmware_nsx/plugins/nsx_v3 for nsx_v3 specific files

also move vmware_nsx/vsphere/ to vmware_nsx/plugins/nsx_v/vsphere/.

This is part of new vmware_nsx directory structure proposed in
https://goo.gl/GdWXyH.

Change-Id: I00ee12da2eea0add988bae3d4f3e12940ea829bb
2015-09-16 16:14:47 -07:00
Shih-Hao Li
d8eeda9baf Move vmware_nsx/neutron/plugins/vmware to vmware_nsx
This is part of new vmware_nsx directory structure proposed in
https://goo.gl/GdWXyH.

Change-Id: I60d6ef62eb724df71dfda90137e00f107e220971
2015-09-14 18:51:57 -07:00