When there are several availability zones using the same metadata
configuration, the DB vnic allocation failed to find the correct
internal network because it belongs to the default AZ and not the
specific one.
Change-Id: If35c814b55fd5632995cbace0689e4506563059d
fwaas backend rules don't have to be in the DB, since they are never
retrieved from there.
Also the Tag of the allow-external rule should be the last one, as it
originally was, before the FWaaS feature.
Change-Id: I6acfeef780ffd6d4aecb97e4b49e7907f7eee154
Many of the constants from neutron.plugins.common.constants are now in
neutron-lib. This patch switches over to those in neutron-lib.
Change-Id: Ic266440aae034783e5371842ab293da70deeae04
This change implements a new BGP plugin which allows BGP support in OpenStack,
using NSXv service edges (ESG).
When a BGP speaker is associated with an external network, service edges which
accommodate tenant routers that have their GW port on this network would be
configured to enable BGP/Dynamic-routing.
The specific BGP configuration (e.g. localAS, neighbours) for the edge is
retrieved from the BGP speaker object and its peers.
This change also adds an extension to the BGP peer object; this
extension allows the cloud operator to associate a BGP peer with a specific
service edge that will serve as GW edge for the network. Multiple GW
edges are supported by enabling ECMP on tenant service edges.
Co-Authored: yuyangbj <yangyu@vmware.com>
Change-Id: Ife69b97f3232bee378a48d91dc53bdc8837de7f5
The NSX|V will support a direct vnic type iff this port meets the
following criteria:
1. no security groups
2. no port security
3. is on a VLAN/FLAT network
The reason for this is that direct is only supported via the DVS
and there is no support for security groups and port security.
Change-Id: Iff4cc72e724d40feff2b26fc4f24596cae3a749a
The db/api get_session is deprecated.
We should use get_reader_session or get_writer_session instead.
Change-Id: I5f04bd0cfd43ae5b9c31b9ece3cf77fcef56cd3f
The next global configurations are now added also per AZ:
- mgt_net_moid
- mgt_net_proxy_ips
- mgt_net_proxy_netmask
- mgt_net_default_gateway
- external_network
- vdn_scope_id
- dvs_id
In case any of them is not defined in the AZ section, the global value will be used.
Change-Id: I5fca433fb86163cee84e3b9fc54182017a5f266b
Supporting L7 policies and rules in LBAAS-v2
Including a new db table nsxv_lbaas_l7policy_bindings
for mapping between the lbaas policy ID and the nsx application rules.
Depends-on: I3b14d107dbe0a72a6e24239f06bd6c3ac597cfbb
Change-Id: Ic760be8956cea00b972b5f11f6acff294630892d
get_subnets requires a huge number of backend calls to gather the
networks advanced_service_providers field.
This change should gather the data from DB with a single call and
process it locally at the controller.
Change-Id: Ic7c7fac46c983c1c750108d86a1adefb4c11508c
The NSX-V3 plugin will use the NSX-V3 backend IPAM.
An IP pool will be created for each subnet, and port IPs will be allocated
from this pool.
The current backend limitation is that we cannot allocate a specific IP,
so port create/update with fixed_ips will fail, unless the requested ip
is the subnet gateway ip.
To enable this option set 'ipam_driver = vmware_nsxv3_ipam' in the
neutron.conf
Change-Id: I5263555cbb776018a5d01f19d0997fd2adf6483d
New admin utility that can be used when the user changes the configuration to use
policies in security groups (use_nsx_policies=True)
This utility deletes the current rules and section of the security group,
and adds it to the policy.
usage:
nsxadmin -r security-groups -o migrate-to-policy --property policy-id=<> --property security-group-id=<>
Output example:
==== [MIGRATE] Sg To Policy ====
Successfully established new session; session ID is 28c3f.
Deleting the rules of security group: 415ff93e-cbd4-4f49-a06d-44885eba7c88
Deleting the section of security group: 415ff93e-cbd4-4f49-a06d-44885eba7c88
Binding the NSX security group securitygroup-143 to policy policy-9
Done.
Change-Id: I7041c33b86a0ebc965e2cfcfe1c9ac9261a0318a
- separate nsxlib/v3 constants and utils from the common ones
- separate the nsxlib/v3 tests
- update the nsxlib tests to cover create_firewall_rules
- remove all of the DB calls from the nsxlib/v3
- merge security & dfw_api classes
To be done in future patches:
- Avoid using the nsx configuration values directly
- Improve nsxlib interface (as Aaron suggested in If2fe1e014b78703ff0a9cdff1e4e8d45f3a4a16d)
Change-Id: I43257f557ce1e98b4f64b8157d723cc84ea58c2b
There are edge cases with race conditions where a binding may already
exist in the DB. In this case we overwrite the existing one.
Change-Id: Ie80c57fa8d2626e984bc8a5778a25db756e95e5d
For IPv4 external networks and provider networks, NSX-V plugin will use
the NSX-V backend IPAM.
To enable this option set 'ipam_driver = vmware_nsxv_ipam' in the
neutron.conf
Change-Id: Icdc3e7d24dac08a29f045f10fcea9ec4496b8446
Add subnet extension dhcp-mtu and configure it in option26 of the dhcp binding.
Also add this column to the nsxv_subnet_ext_attributes DB table.
This option will be available only from NSX version 6.2.3
DocImpact: Added dhcp-mtu extension to subnets
Change-Id: Id2a74a3c089beb61fde6b7c0fd02b207e444c3b7
Delete a backend router edge, and move its router/s to other edges.
Currently this utility does not support distributed routers
usage:
nsxadmin -r routers -o nsx-recreate --property edge-id=edge-307
Change-Id: Ib1ab84120aaae42dba884d4ba964a3bdd82df2fb
The availability zones support will now include also data-store ids.
The configuration will include a name for each availability zone, resource pool
ID, datastore ID and optionally also HA datastore ID.
The user can choose a hint from this list when creating a router or a network.
The relevant edge appliances will be created using this data.
DocImpact: New format for the configuration parameter availability_zones under nsxv
Should include a list of availability zones. For each of them name, resource pool id,
datastore id and optionally also HA datastore id.
Change-Id: Icb72f6f674b8610687a6be730161a206d4c76257
As bug 1568706 uncovered, we were using zuul-cloner
in our gate jobs; this was preventing our translation from
syncing.
After digging into this issue a number of changes in this
associated logic were found to not be in sync with neutron.
This patch updates our tox/tools logic to follow that of neutron.
In addition this patch fixes any pylint checks that were failing to
make pep8 pass.
IMPORTANT:
Please review closely, not only to the tools/tox updates but also
to the ignored pylint checks in the code. We only want to disable
checks where appropriate.
Change-Id: I6c5fee3ca3073ad079eac1636cc3b9ec45926a68
Closes-Bug: #1568706
This utility can be used to move all the networks from a specific
DHCP edge, to another (new or existing) edge.
This should work also for VDR router DHCP edge.
Usage:
nsxadmin -r dhcp-binding -o nsx-recreate --property edge-id=<edge-Id>
Output example:
==== [NSX] Recreate Dhcp Edge ====
ReCreating NSXv Edge: edge-222
Deleting the old DHCP edge: edge-222
Moving network a7fd0856-923e-43a6-97c7-9980e7fabd08 to a new edge
Moving subnet ae9efc04-a685-497e-aab1-1dff9abacf9c to a new edge
Creating network a7fd0856-923e-43a6-97c7-9980e7fabd08 DHCP address group
Network a7fd0856-923e-43a6-97c7-9980e7fabd08 was moved to edge edge-228
Moving network 7a484242-0261-4888-ba77-41bb7bbd4f9d to a new edge
Moving subnet 412e89ce-7c69-494d-b525-c08c8828cdfd to a new edge
Moving subnet 139f7375-afb9-41dd-bdb7-c25af772a805 to a new edge
Creating network 7a484242-0261-4888-ba77-41bb7bbd4f9d DHCP address group
Network 7a484242-0261-4888-ba77-41bb7bbd4f9d was moved to edge edge-228
Change-Id: I97ba4abfe50d634f5ba5b137a64e021575db1ead
When running tempest tests we hit this. After analysis the reason
seemed to be that the DB session was aged as a result of waiting for
subnets in parallel tests to be created.
Here we just create a new DB session prior to updating the VNIC IDs.
The patch also does the following:
1. Addresses the case where the edge_bindings are not found
2. Ensure locking for the VNIC allocations
Change-Id: I0f921417e7b333575c0e99838e88a23c61f67423
Add support for availability zones hints on routers creation
- The router will be created on an edge that belongs to the requested resource pool
- The nsxv_router_binding db table has a new column for the edge resource pool
- New nsxv configuration: availability_zones which should contain a list
of resource pools ids, that can be used as hints
DocImpact: New configuration parameter availability_zones under nsxv
Change-Id: Ib34689d554dafe25f62a045feebe9eed68d2174d
Add a wrapper to the different getters of the nsxv_router_bindings table,
to log warnings in case the retrieved entries had an erroneous status.
Change-Id: If4671d2fb4a3555de3e0f27b8da44e94f4dd6981
When the load balancer is created, it will create a default firewall
rule on edge. But when the fip is created or deleted, the driver will
also update the firewall rule on this edge, at this time, the lb
firewall rule will be flushed.
Change-Id: I84bb2cf5ddcc1bb448f138e024bb361a1b4eee82
Allows admin to control security-groups rule logging
NSXv distributed firewall exposes an API to control rule logging,
as for the moment, admin user can use this feature only from inside of
the distributed firewall.
This patch makes use of this API to provide the cloud admin with three ways
to control security-group logging:
- log whenever security-group rule is matched
- log when a packet doesn't match any security-group rule
- log whenever security-group rule is matched for selected
security-groups
Change-Id: I2a4dbff2ecba4c6041b4aaad1f20941440a5f6b6
This patch adds support for dns search domains in the nsx-v plugin.
DNS search domain is implemented as a string attribute extension to the
Subnet object.
Usage:
subnet-create net-name 10.0.0.0/24 --name subnet-name \
--dns-search-domain eng.vmware.com
subnet-update subnet-name --dns-search-domain new-domain.com
This commit adds a new table to store bindings for subnet attributes with
the necessary migration script.
Change-Id: I3f41a123f42e5b784de3ad090cecb7d712a36542
When a VIP is configured for L4 LB only, we can use LVS to improve
performance. To achieve that, we should enable acceleration on the Edge
appliance.
Depends-On: I7f3b95b43f87b35d641f0c7535d648ee178eda41
Change-Id: I027cb1e4b5cd82006a80e17f3fd2b0feca1278a4
Implement LBaaSv2 driver for NSXv Edge appliance load balancer.
Includes TLS support for Edge appliance, and certificate management
for SSL termination.
Change-Id: I60093c0186cce3e99fb26e1fc6bd5175cbd1a560
dhcp_router_id column is useless in nsxv_vdr_dhcp_bindings and would
lead to DB integration error. So the patch removes this column.
Change-Id: I882c46e07f588d0106503075bc2de3116256cd73
This patch will create:
vmware_nsx/plugins/dvs for DVS specific files
vmware_nsx/plugins/nsx_mh for MH specific files
vmware_nsx/plugins/nsx_v for nsx_v specific files
vmware_nsx/plugins/nsx_v3 for nsx_v3 specific files
also move vmware_nsx/vsphere/ to vmware_nsx/plugins/nsx_v/vsphere/.
This is part of new vmware_nsx directory structure proposed in
https://goo.gl/GdWXyH.
Change-Id: I00ee12da2eea0add988bae3d4f3e12940ea829bb