This patch adds a check that the specified BGP peer IP address matches one
of the corresponding ESG interfaces.
Change-Id: Id106e7560cf314d5a24559581d5586183c862a5f
Not every BGP peer object is required to have a valid 'esg_id'; it could be
left blank if the BGP peer doesn't correspond with any NSX ESG.
Change-Id: I33b655b047a0f2b1cb22f5625a90fda180bcfeec
This change implements a new BGP plugin which allows BGP support in OpenStack,
using NSXv service edges (ESG).
When a BGP speaker is associated with an external network, service edges which
accommodate tenant routers that have their GW port on this network would be
configured to enable BGP/Dynamic-routing.
The specific BGP configuration (e.g. localAS, neighbours) for the edge is
retrieved from the BGP speaker object and its peers.
This change also adds an extension to the BGP peer object. This
extension allows the cloud operator to associate a BGP peer with a specific
service edge that will serve as the GW edge for the network; multiple GW
edges are supported by enabling ECMP on tenant service edges.
Co-Authored: yuyangbj <yangyu@vmware.com>
Change-Id: Ife69b97f3232bee378a48d91dc53bdc8837de7f5
Need this as commit cf34df857273d3be289e00590d80498cc11149ee broke
the plugin.
Changes from the above:
1. The delete network is removed from within a transaction
2. dynamic extensions are treated outside of the port create
transaction
In addition to this, commit 4f4d9ad3d33da85df2530347617b9dbc33543e54
broke us.
Change-Id: I8444aa09dc80dc44ce5dd9561e94989f9780f9cb
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.
Change-Id: I0448c7bc0294db867bc1766da7aaf07912575dbe
ExtensionDescriptor has been rehomed to neutron-lib and is being
removed from neutron core.
See https://review.openstack.org/398113
Depends-On: I5a111e0033e518e39b3042f047ee9eebba77a0d5
Change-Id: I0f8b11bebed9bbb06273c0f9257ec1916e0201ea
This extension will list/show NSX security policies that can be used
in the security groups for the Admin policy feature.
In addition, we are using this new API for policy validation in the
security group create/update.
Change-Id: I66f75ae24c814c0d644f1fc4c6b9c52b24ddc77c
The following _MAX_LEN constants are being removed from
neutron/api/v2/attributes.py in [1]. The corresponding DB field size
constants from neutron_lib.db.constants should be used instead.
NAME_MAX_LEN --> NAME_FIELD_SIZE
TENANT_ID_MAX_LEN --> PROJECT_ID_FIELD_SIZE
DESCRIPTION_MAX_LEN --> DESCRIPTION_FIELD_SIZE
LONG_DESCRIPTION_MAX_LEN --> LONG_DESCRIPTION_FIELD_SIZE
DEVICE_ID_MAX_LEN --> DEVICE_ID_FIELD_SIZE
DEVICE_OWNER_MAX_LEN --> DEVICE_NAME_FIELD_SIZE
In alembic migration scripts, the raw numerical value shall be used.
For more information, see [2].
[1] https://review.openstack.org/399891
[2] http://lists.openstack.org/pipermail/openstack-dev/2016-October/105789.html
Change-Id: I7e53de4ceecfe37edc0cb0041c23ce131f5eeca1
This code adds an extension for policy-id in a security group.
When this feature is enabled (new nsxv config: use_nsx_policies):
- Each security group will be linked to an nsx policy.
- No rules will be added to any of the security groups
- Only admin can edit security groups (depending on the policy.json)
- the default security group will be using the new nsx.ini config
default_policy_id
Change-Id: Iad5e90245c2f70ed88f65f0c5e6ec46cb2eedbbc
Create an OpenStack client plugin for VMware NSX, and add support for some of
the extensions: router-type, router-size, subnet dhcp-mtu and
dns-search-domain, and port provider security groups and vnic index.
Work for future patches:
- More unit tests (provider-security-groups)
- Add the rest of the extensions
Change-Id: I5b335de000b310cbcbb9a2f81483fd28f8d9afea
This patch restricts the deleting of a provider security group only
to the admin, thus preventing the tenant from deleting it.
It also prevents a non-admin user from adding or deleting rules from
this group.
NOTE: we are using the following policy.json entry to prevent the
creation of a provider security group by a normal tenant:
"create_security_group:provider": "rule:admin_only"
Change-Id: Ie195225654b0c7cd8cfb715691c5a3bb4c8ee13d
Copy QoS policies and rules from the source setup to the destination (NSX-V3) client,
and also copy the network/port policy-id.
Change-Id: I76ec0ceefe618e9bf6ea7cf61bcdb07c4edbdddb
Integrate this feature for nsxv->nsxv3 migration:
Some NSX-v fields are not supported for NSX-V3.
Also, api-replay tests were inactive until now.
Change-Id: If38b4f0000405b12a9116fa126701cee7e8601bf
As per [1], neutron-lib 0.3.0 provides a public add/get API for
local validator registration/access. This API is preferred over
directly accessing the validators dict module-level attribute,
which is what's done today when adding a new validator; in fact,
direct access to the validators dict is deprecated.
This patch changes all of vmware-nsx's usage of the validators dict
to use the public API.
Related-Bug: #1584237
[1] https://review.openstack.org/#/c/324090/
Change-Id: Ifc403d41133eefb1dfbcd31952c7a88c436e9724
This patch set introduces a new feature called provider-security-groups.
Provider security groups allow the provider to create a security group
that is automatically attached to a specific tenant's ports. The one
important thing to note is that rules inside of a provider security
group are set to DENY, whereas in a normal security group they are set
to ALLOW. Provider security groups allow the admin tenant to block specific
traffic for any tenant they like by creating a provider group. To use this
feature the admin tenant must first create a provider security group
on behalf of the other tenant (i.e.):
$ neutron security-group-create no-pokemon-go-access --provider=True \
--tenant-id=<shall remain nameless>
Then, whenever the above tenant id creates a port they will see an
additional field on the port "provider-security-groups" which will
contain the uuid of the provider security group. This user can then
query neutron to see which rules are in it that are blocking them.
NOTE: one needs to use the correct policy.json file from this repo
for neutron in order to prevent the tenant from removing the group.
Co-Authored-By: Aaron Rosen <aaronorosen@gmail.com>
Change-Id: I57b130437327b0bbe5cc0068695f226b76b4e2ba
Add subnet extension dhcp-mtu and configure it in option26 of the dhcp binding.
Also add this column to the nsxv_subnet_ext_attributes DB table.
This option will be available only from NSX version 6.2.3
DocImpact: Added dhcp-mtu extension to subnets
Change-Id: Id2a74a3c089beb61fde6b7c0fd02b207e444c3b7
This patch includes the initial framework to allow existing
neutron deployments running different backends to be migrated
over to the nsx-v3 plugin. The main logic that is required to
do this is to allow an id to be specified for
a given resource. This patch makes this possible with the addition
of a new extension, api-replay.
The reason why a new extension is needed is because the RESOURCE_MAP
is loaded after the plugin is loaded. Therefore, there is no way
for me to change the mapping directly in the plugin without creating
an extension to do so.
This patch also adds support for migrating the router-uplink and
floatingips which was missing in the previous patchset.
Here's an example output of the migration tool
running: http://codepad.org/I7x6Rq3u
Change-Id: I2ee9778374a8d137e06125f2732524c7c662c002
neutron_lib should be used instead of the attributes and constants
imports. This patch moves to using neutron_lib. This removes all of
the deprecated warnings (there are still some from neutron and
l2gw - those are addressed in other patches).
Change-Id: I796d749c46a69107a1a484e8774c5d501fc4704f
Allows admin to control security-group rule logging.
The NSXv distributed firewall exposes an API to control rule logging;
for the moment, the admin user can use this feature only from inside
the distributed firewall.
This patch makes use of this API to provide the cloud admin with three ways
to control security-group logging:
- log whenever security-group rule is matched
- log when a packet doesn't match any security-group rule
- log whenever security-group rule is matched for selected
security-groups
Change-Id: I2a4dbff2ecba4c6041b4aaad1f20941440a5f6b6
We need to rename the Qos extension as this causes issues
when using the Neutron Qos extension (which is the end
goal).
In addition to this, the patch deletes the nvp_qos extension,
which was marked for deprecation in Kilo.
Change-Id: I4d9d3cf40a83f579b76bf5f0642d045785a271bd
This adds an extension to the security-group API. Using this extension
allows a user to define rules with the local-prefix-ip notation, which
matches on the destination address of packets going into the port.
One may use this extended API in order to specify a specific set of
multicast group addresses from which a port (or group of ports) should
be allowed to accept packets.
Change-Id: I9756cb27395b7b936dbfa94f403d98ac43c2e872
Commit 87a79256c494c36f2d9597313f430b24c0110161 added neutron_lib
for shared exceptions. This patch moves us to make use of the
aforementioned library.
Change-Id: I9fe014c5da85faca87bf88a80c4ee19f7f123123
vmware_nsx/extensions/dns_search_domain.py:40: DeprecationWarning:
Using function/method 'instance.ugettext()' is deprecated: Builtin _
translation function is deprecated in OpenStack; use the function
from _i18n module for your project.
_("Name '%s' must be 1-63 characters long, each of "
TrivialFix
Change-Id: If4540986497903eb2d8a841903f568526225bf51
Currently the DNS search domain value is validated in the backend.
But this validation takes place at the time of instance creation,
since that is when the static edge bindings are created and pushed
to the backend. This allows the subnet create/update operations to
succeed even if an invalid DNS search domain value is specified.
This patch adds validation to the DNS search domain extension.
Change-Id: Ib392e8695f40023219df93b6889366ce0a305423
This patch adds support for dns search domains in the nsx-v plugin.
DNS search domain is implemented as a string attribute extension to the
Subnet object.
Usage:
subnet-create net-name 10.0.0.0/24 --name subnet-name \
--dns-search-domain eng.vmware.com
subnet-update subnet-name --dns-search-domain new-domain.com
This commit adds a new table to store bindings for subnet attributes with
the necessary migration script.
Change-Id: I3f41a123f42e5b784de3ad090cecb7d712a36542
Allows the user to specify a default exclusive_router_appliance_size in the
nsx.ini file. If --router-size isn't specified in the neutron router-create CLI
command, exclusive_router_appliance_size will be picked up.
DocImpact
Change-Id: I010bfdb8c5807bb933085f049326082c8b5782dc
Enables a user to specify router-size while creating an exclusive router for
creating a load-balancer service.
Change-Id: If03b51ce0bc61a8e2aa46de4f1b5869306e1bd7e