40 Commits

Author SHA1 Message Date
Roey Chen
d996c63b9f NSXv BGP: Adding IP address check for ESG BGP peer
This patch adds a check that the specified BGP peer IP address matches one
of the corresponding ESG interfaces.

Change-Id: Id106e7560cf314d5a24559581d5586183c862a5f
2017-05-25 04:43:47 -07:00
Roey Chen
064b72d342 NSXv: Fix validation for bgp peer 'esg_id' attr and peer removal
Not every BGP peer object is required to have a valid 'esg_id'; it could be
left blank if the BGP peer doesn't correspond with any NSX ESG.

Change-Id: I33b655b047a0f2b1cb22f5625a90fda180bcfeec
2017-04-27 08:44:03 +00:00
Roey Chen
81f9380765 NSXv BGP support
This change implements a new BGP plugin which allows BGP support in Openstack,
using NSXv service edges (ESG).
When a BGP speaker is associated with an external network, service edges which
accommodate tenant routers that have their GW port on this network would be
configured to enable BGP/Dynamic-routing.
The specific BGP configuration (e.g. localAS, neighbours) for the edge is
retrieved from the BGP speaker object and its peers.

This change also adds an extension to the BGP peer object. This
extension allows the cloud operator to associate a BGP peer with a specific
service edge that will serve as the GW edge for the network; multiple GW
edges are supported by enabling ECMP on tenant service edges.

Co-Authored: yuyangbj <yangyu@vmware.com>
Change-Id: Ife69b97f3232bee378a48d91dc53bdc8837de7f5
2017-04-13 06:09:53 -07:00
Gary Kotton
b8d98a5764 Use new enginefacade for networks, subnets.
Need this as commit cf34df857273d3be289e00590d80498cc11149ee broke
the plugin.

Changes from the above:
1. The delete network is removed from within a transaction
2. dynamic extensions are treated outside of the port create
   transaction

In addition to this, commit 4f4d9ad3d33da85df2530347617b9dbc33543e54
broke us.

Change-Id: I8444aa09dc80dc44ce5dd9561e94989f9780f9cb
2017-04-03 01:47:09 -07:00
Eric Brown
0294eaed7d Use https for *.openstack.org references
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.

Change-Id: I0448c7bc0294db867bc1766da7aaf07912575dbe
2017-02-06 15:45:18 -08:00
Henry Gessau
37487161bd Use ExtensionDescriptor from neutron-lib
ExtensionDescriptor has been rehomed to neutron-lib and is being
removed from neutron core.

See https://review.openstack.org/398113

Depends-On: I5a111e0033e518e39b3042f047ee9eebba77a0d5

Change-Id: I0f8b11bebed9bbb06273c0f9257ec1916e0201ea
2016-11-28 01:30:38 -08:00
Adit Sarfaty
c9d44f5031 NSX-V add nsx-policies extension
This extension will list/show NSX security policies that can be used
in the security groups for the Admin policy feature.

In addition, we are using this new API for policy validation in the
security group create/update.

Change-Id: I66f75ae24c814c0d644f1fc4c6b9c52b24ddc77c
2016-11-27 10:43:04 +02:00
Henry Gessau
22b6a3f0a0 Use DB field sizes instead of _MAX_LEN constants
The following _MAX_LEN constants are being removed from
neutron/api/v2/attributes.py in [1]. The corresponding DB field size
constants from neutron_lib.db.constants should be used instead.

 NAME_MAX_LEN              -->  NAME_FIELD_SIZE
 TENANT_ID_MAX_LEN         -->  PROJECT_ID_FIELD_SIZE
 DESCRIPTION_MAX_LEN       -->  DESCRIPTION_FIELD_SIZE
 LONG_DESCRIPTION_MAX_LEN  -->  LONG_DESCRIPTION_FIELD_SIZE
 DEVICE_ID_MAX_LEN         -->  DEVICE_ID_FIELD_SIZE
 DEVICE_OWNER_MAX_LEN      -->  DEVICE_NAME_FIELD_SIZE

In alembic migration scripts, the raw numerical value shall be used.

For more information, see [2].

[1] https://review.openstack.org/399891
[2] http://lists.openstack.org/pipermail/openstack-dev/2016-October/105789.html

Change-Id: I7e53de4ceecfe37edc0cb0041c23ce131f5eeca1
2016-11-26 01:05:21 -05:00
Adit Sarfaty
3009f37757 Integration with neutron-lib plugin directory
Co-authored-by: Armando Migliaccio <armamig@gmail.com>
Change-Id: I7c7efbaa7a53f8d244f1b19ea3a7c8a8900602be
Depends-on: I7331e914234c5f0b7abe836604fdd7e4067551cf
Depends-on: Ia91dfbf9d93e19b43c0dd0b58b95fc0080b0ad7c
Depends-on: I48cd9257f419ad949ba0cecc9aca98a624ca4dcc
2016-11-23 20:18:17 +00:00
Jenkins
d02ad81b52 Merge "NSX|V - initial support for NSX policy"
2016-11-10 13:35:54 +00:00
Adit Sarfaty
93d2d2077e Use neutron_lib converters instead of neutron
The converters moved to neutron_lib which broke our code

Change-Id: If0a49f966d7dda73327b7cbbe6a44b0ace2d2ee2
2016-11-09 08:16:02 +02:00
Adit Sarfaty
5c1f2f5b30 NSX|V - initial support for NSX policy
This code adds an extension for policy-id in a security group.
When this feature is enabled (new nsxv config: use_nsx_policies):
- Each security group will be linked to an nsx policy.
- No rules will be added to any of the security groups
- Only admin can edit security groups (depending on the policy.json)
- the default security group will be using the new nsx.ini config
  default_policy_id

Change-Id: Iad5e90245c2f70ed88f65f0c5e6ec46cb2eedbbc
2016-11-07 15:27:57 +02:00
Adit Sarfaty
62e5881010 OCS plugin + initial extensions support
Create an openstack client plugin for vmware nsx, and add support for some
of the extensions: router-type, router-size, subnet dhcp-mtu and
dns-search-domain, and port provider security groups and vnic index.

Work for future patches:
- More unit tests (provider-security-groups)
- Add the rest of the extensions

Change-Id: I5b335de000b310cbcbb9a2f81483fd28f8d9afea
2016-10-30 12:33:03 +02:00
Aaron Rosen
bc26f40491 Fix provider sg delete by non admin and non admin rule change
This patch restricts the deletion of a provider security group only
to the admin, thus preventing the tenant from deleting it.

It also prevents a non admin user from adding or deleting rules from
this group.

NOTE: we are using the following policy.json entry to prevent the
creation of a provider security group by a normal tenant:

    "create_security_group:provider": "rule:admin_only"

Change-Id: Ie195225654b0c7cd8cfb715691c5a3bb4c8ee13d
2016-08-31 20:06:36 -07:00
Adit Sarfaty
1e2ba282ce api_reply support for QoS migration
Copy QoS policies and rules from source setup to destination (NSX-V3) client
And also copy network/port policy-id.

Change-Id: I76ec0ceefe618e9bf6ea7cf61bcdb07c4edbdddb
2016-08-22 08:14:38 +03:00
Adit Sarfaty
f7ae964935 api_reply: NSX-v support + activate tests
Integrate this feature for nsxv->nsxv3 migration:
Some NSX-v fields are not supported for NSX-V3.
Also, api-replay tests were inactive until now.

Change-Id: If38b4f0000405b12a9116fa126701cee7e8601bf
2016-08-22 08:13:46 +03:00
Jenkins
208cbd4a89 Merge "Provider Security groups"
2016-08-05 22:53:53 +00:00
Gary Kotton
bf72494d00 Use neutron-lib add_validator for registration
As per [1], neutron-lib 0.3.0 provides a public add/get API for
local validator registration/access. This API is preferred over
directly accessing the validators dict module-level attribute
that's done today when adding a new validator and in fact
direct access to the validators dict is deprecated.

This patch changes all vmware-nsx's usage of the validators dict
to use the public API.

Related-Bug: #1584237

[1] https://review.openstack.org/#/c/324090/

Change-Id: Ifc403d41133eefb1dfbcd31952c7a88c436e9724
2016-08-04 12:17:36 +00:00
Roey Chen
2cfc1231dc Provider Security groups
This patch set introduces a new feature called provider-security-groups.
Provider security groups allow the provider to create a security group
that is automatically attached to a specific tenant's ports. The one
important thing to note is that rules inside of a provider security
group are set to DENY, whereas in a normal security group they are set
to ALLOW. Provider security groups allow the admin tenant to block specific
traffic for any tenant they like by creating a provider group. To use this
feature the admin tenant must first create a provider security group
on behalf of the other tenant (i.e.):

$ neutron security-group-create no-pokemon-go-access --provider=True \
	--tenant-id=<shall remain nameless>

Then, whenever the above tenant id creates a port they will see an
additional field on the port "provider-security-groups" which will
contain the uuid of the provider security group. This user can then
query neutron to see which rules are in it that are blocking them.

NOTE: one needs to use the correct policy.json file from this repo
for neutron in order to prevent the tenant from removing the group.

Co-Authored-By: Aaron Rosen <aaronorosen@gmail.com>

Change-Id: I57b130437327b0bbe5cc0068695f226b76b4e2ba
2016-08-02 13:34:37 +00:00
Adit Sarfaty
d4fa95168c NSX|V add dhcp-mtu extension to subnet
Add subnet extension dhcp-mtu and configure it in option26 of the dhcp binding.
Also add this column to the nsxv_subnet_ext_attributes DB table.
This option will be available only from NSX version 6.2.3.

DocImpact: Added dhcp-mtu extension to subnets

Change-Id: Id2a74a3c089beb61fde6b7c0fd02b207e444c3b7
2016-07-31 09:10:32 +03:00
Aaron Rosen
c7ac488a5f python3: make unit tests pass
Now all tests pass with tox -epy34.

Depends-On: I5894485e55c04a8ca69825128798227714550c9d

Change-Id: I719a6cddcbe7f2b7a15bcd35375075affc2513b8
2016-07-07 14:42:35 -07:00
Kobi Samoray
5ea7727516 Make exclusive router size updatable
Router size attribute of exclusive router should be updatable.

Change-Id: I6ac08f7f6e46cb5728634482d30063994cbc9495
2016-06-20 16:48:40 +03:00
Aaron Rosen
b004985c24 NSX-v3: Initial framework for api-replay-mode
This patch includes the initial framework to allow existing
neutron deployments running different backends to be migrated
over to the nsx-v3 plugin. The main logic that is required to
do this is to allow the ability of an id to be specified for
a given resource. This patch makes this possible with the addition
of a new extension api-replay.

The reason why a new extension is needed is because the RESOURCE_MAP
is loaded after the plugin is loaded. Therefore, there is no way
for me to change the mapping directly in the plugin without creating
an extension to do so.

This patch also adds support for migrating the router-uplink and
floatingips which was missing in the previous patchset.

Here's an example output of the migration tool
running: http://codepad.org/I7x6Rq3u

Change-Id: I2ee9778374a8d137e06125f2732524c7c662c002
2016-06-01 09:41:44 -07:00
Gary Kotton
0613e7773f Remove deprecated warnings for neutron_lib
neutron_lib should be used instead of the attributes and constants
imports. This patch moves to using neutron_lib. This removes all of
the deprecated warnings (there are still some from neutron and
l2gw - those are addressed in other patches).

Change-Id: I796d749c46a69107a1a484e8774c5d501fc4704f
2016-05-11 19:26:04 -07:00
Roey Chen
1ac25e8896 NsxV3: Fine grained logging for security-groups
Also migrates security group logging for NSXv to the new model.

Change-Id: I0d6a90e0d8531156e06817cba431c72db0c81bde
2016-03-29 18:27:36 +00:00
Roey Chen
1f9d16fe8d NSXv: Fine grained control for logging security-group rules
Allows the admin to control security-group rule logging.

The NSXv distributed firewall exposes an API to control rule logging;
for the moment, the admin user can use this feature only from inside
the distributed firewall.
This patch makes use of this API to provide the cloud admin with three ways
to control security-group logging:

    - log whenever security-group rule is matched
    - log when a packet doesn't match any security-group rule
    - log whenever security-group rule is matched for selected
      security-groups

Change-Id: I2a4dbff2ecba4c6041b4aaad1f20941440a5f6b6
2016-03-29 04:54:58 -07:00
Jenkins
afab3eb774 Merge "NSX|MH: rename qos extension to qos_queue"
2016-03-04 02:18:02 +00:00
Jenkins
ed3b06c606 Merge "Extending security-group ingress rule"
2016-03-04 02:17:45 +00:00
Gary Kotton
3cb0bbace8 NSX|MH: rename qos extension to qos_queue
We need to rename the Qos extension as this causes issues
when using the Neutron Qos extension (which is the end
goal).

In addition to this the patch deletes the nvp_qos extension.
That was marked for deprecation in Kilo.

Change-Id: I4d9d3cf40a83f579b76bf5f0642d045785a271bd
2016-03-03 07:31:11 -08:00
Roey Chen
c60f22384c Extending security-group ingress rule
This adds an extension to the security-group API. Using this extension
allows a user to define rules with the notation of local-prefix-ip, which
matches on the destination address of packets going into the port.
One may use this extended API in order to specify a specific set of
multicast group addresses from which a port (or group of ports) should
be allowed to accept packets.

Change-Id: I9756cb27395b7b936dbfa94f403d98ac43c2e872
2016-03-03 07:22:48 -08:00
Abhishek Raut
8c61877187 NSX: make use of neutron_lib exceptions
Commit 87a79256c494c36f2d9597313f430b24c0110161 added neutron_lib
for shared exceptions. This patch moves us to make use of the
aforementioned library.

Change-Id: I9fe014c5da85faca87bf88a80c4ee19f7f123123
2016-02-21 22:30:41 -08:00
Jenkins
deef820935 Merge "Remove deprecated warnings"
2016-02-16 03:08:28 +00:00
Gary Kotton
3046089feb Remove deprecated warnings
vmware_nsx/extensions/dns_search_domain.py:40: DeprecationWarning:
Using function/method 'instance.ugettext()' is deprecated: Builtin _
translation function is deprecated in OpenStack; use the function
from _i18n module for your project.

      _("Name '%s' must be 1-63 characters long, each of "

TrivialFix

Change-Id: If4540986497903eb2d8a841903f568526225bf51
2016-02-15 00:39:48 -08:00
asarfaty
1a1e021149 NSXv - allow changing the router type exclusive <-> shared. APIImpact
Change-Id: I5b91498365ab4bd50b7b1deff8b5397d95eeb1ee
2016-02-14 15:19:03 +02:00
Abhishek Raut
4c00489dbb [NSX-v]: Validate DNS search domain values at API level
Currently the DNS search domain value is validated in the backend.
But this validation takes place at the time of instance creation,
since that is when the static edge bindings are created and pushed
to the backend. This allows the subnet create/update operations to
succeed even if an invalid DNS search domain value is specified.

This patch adds validation to the DNS search domain extension.

Change-Id: Ib392e8695f40023219df93b6889366ce0a305423
2015-12-29 17:32:36 -08:00
Abhishek Raut
d9f3ee826a [NSXv]: Add support for dns search domains in NSXv plugin
This patch adds support for dns search domains in the nsx-v plugin.
DNS search domain is implemented as a string attribute extension to the
Subnet object.
Usage:
subnet-create net-name 10.0.0.0/24 --name subnet-name \
    --dns-search-domain eng.vmware.com
subnet-update subnet-name --dns-search-domain new-domain.com

This commit adds a new table to store bindings for subnet attributes with
the necessary migration script.

Change-Id: I3f41a123f42e5b784de3ad090cecb7d712a36542
2016-02-03 14:22:25 -08:00
Gary Kotton
a67d0ad9bd Use the correct _ from vmware_nsx._i18n file
Ensure that the correct _ method is used.

Change-Id: I7ff4cb24bbde47e480dc6dd410b122693bd63ad3
2015-12-06 07:04:17 -08:00
Amey Bhide
b538ece323 [NSXv]: Add conf param for exclusive router edge size
Allows the user to specify a default exclusive_router_appliance_size in
the nsx.ini file. If --router-size isn't specified in the neutron router-create
CLI command, exclusive_router_appliance_size will be picked up.

DocImpact

Change-Id: I010bfdb8c5807bb933085f049326082c8b5782dc
2015-09-25 11:44:44 -07:00
Amey Bhide
9329762d3e Add router-size when creating an exclusive router
Enables a user to specify router-size while creating an exclusive router for
creating a load-balancer service.

Change-Id: If03b51ce0bc61a8e2aa46de4f1b5869306e1bd7e
2015-09-23 13:08:58 -07:00
Shih-Hao Li
d8eeda9baf Move vmware_nsx/neutron/plugins/vmware to vmware_nsx
This is part of new vmware_nsx directory structure proposed in
https://goo.gl/GdWXyH.

Change-Id: I60d6ef62eb724df71dfda90137e00f107e220971
2015-09-14 18:51:57 -07:00