def do_sg_rule_remote_group_id_insertion(session):
alembic_util.msg("Starting remote_group_id insertion for SG rules.")
aim = aim_manager.AimManager()
aim_ctx = aim_context.AimContext(session)
mapper = apic_mapper.APICNameMapper()
with session.begin(subtransactions=True):
sg_rule_dbs = (session.query(sg_models.SecurityGroupRule).options(
lazyload('*')).all())
for sg_rule_db in sg_rule_dbs:
if sg_rule_db.get('remote_group_id'):
tenant_aname = mapper.project(session, sg_rule_db['tenant_id'])
sg_rule_aim = aim_resource.SecurityGroupRule(
tenant_name=tenant_aname,
security_group_name=sg_rule_db['security_group_id'],
security_group_subject_name='default',
name=sg_rule_db['id'])
sg_rule_aim = aim.get(aim_ctx, sg_rule_aim)
# Validation tool will add the missing SG rules
# if there is any.
if sg_rule_aim:
aim.update(aim_ctx,
sg_rule_aim,
remote_group_id=sg_rule_db['remote_group_id'])
alembic_util.msg("Finished remote_group_id insertion for SG rules.")
def initialize(self):
LOG.info(_LI("APIC AIM MD initializing"))
self.project_name_cache = cache.ProjectNameCache()
self.db = model.DbModel()
self.name_mapper = apic_mapper.APICNameMapper(self.db, log)
self.aim = aim_manager.AimManager()
# REVISIT(rkukura): Read from config or possibly from AIM?
self.enable_dhcp_opt = True
self.enable_metadata_opt = True
self._setup_opflex_rpc_listeners()
def initialize(self):
# TODO(ivar): SFC resource mapping to APIC DNs
self._core_plugin = None
self._flowc_plugin = None
self._l3_plugin = None
self._sfc_plugin = None
self._aim_mech_driver = None
self._aim_flowc_driver = None
self.name_mapper = apic_mapper.APICNameMapper()
self.aim = aim_manager.AimManager()
# We don't care about deletion, that is managed by the database layer
# (can't delete a flowclassifier if in use).
for event in [events.PRECOMMIT_UPDATE, events.PRECOMMIT_CREATE]:
registry.subscribe(self._handle_flow_classifier,
sfc_cts.GBP_FLOW_CLASSIFIER, event)
registry.subscribe(self._handle_port_bound, sfc_cts.GBP_PORT,
events.PRECOMMIT_UPDATE)
registry.subscribe(self._handle_net_gbp_change,
sfc_cts.GBP_NETWORK_EPG, events.PRECOMMIT_UPDATE)
registry.subscribe(self._handle_net_gbp_change,
sfc_cts.GBP_NETWORK_VRF, events.PRECOMMIT_UPDATE)
def do_apic_aim_persist_migration(session):
alembic_util.msg(
"Starting data migration for apic_aim mechanism driver persistence.")
db_mixin = db.DbMixin()
aim = aim_manager.AimManager()
aim_ctx = aim_context.AimContext(session)
mapper = apic_mapper.APICNameMapper()
with session.begin(subtransactions=True):
# Migrate address scopes.
scope_dbs = (session.query(as_db.AddressScope).all())
for scope_db in scope_dbs:
alembic_util.msg("Migrating address scope: %s" % scope_db)
vrf = None
ext_db = (session.query(DefunctAddressScopeExtensionDb).filter_by(
address_scope_id=scope_db.id).one_or_none())
if ext_db:
# It has a pre-existing VRF.
vrf = aim_resource.VRF.from_dn(ext_db.vrf_dn)
# REVISIT: Get VRF to verify it exists?
vrf_owned = False
if not vrf:
# It does not have a pre-existing VRF.
aname = mapper.address_scope(session, scope_db.id)
vrfs = aim.find(aim_ctx, aim_resource.VRF, name=aname)
if vrfs:
vrf = vrfs[0]
vrf_owned = True
if vrf:
db_mixin._add_address_scope_mapping(session, scope_db.id, vrf,
vrf_owned)
else:
alembic_util.warn("No AIM VRF found for address scope: %s" %
scope_db)
# Migrate networks.
net_dbs = (session.query(models_v2.Network).all())
for net_db in net_dbs:
alembic_util.msg("Migrating network: %s" % net_db)
bd = None
epg = None
vrf = None
ext_db = (session.query(extension_db.NetworkExtensionDb).filter_by(
network_id=net_db.id).one_or_none())
if ext_db and ext_db.external_network_dn:
# Its a managed external network.
ext_net = aim_resource.ExternalNetwork.from_dn(
ext_db.external_network_dn)
# REVISIT: Get ExternalNetwork to verify it exists?
l3out = aim_resource.L3Outside(tenant_name=ext_net.tenant_name,
name=ext_net.l3out_name)
if ext_db.nat_type == '':
ns_cls = nat_strategy.NoNatStrategy
elif ext_db.nat_type == 'edge':
ns_cls = nat_strategy.EdgeNatStrategy
else:
ns_cls = nat_strategy.DistributedNatStrategy
ns = ns_cls(aim)
ns.app_profile_name = 'OpenStack'
for resource in ns.get_l3outside_resources(aim_ctx, l3out):
if isinstance(resource, aim_resource.BridgeDomain):
bd = resource
elif isinstance(resource, aim_resource.EndpointGroup):
epg = resource
elif isinstance(resource, aim_resource.VRF):
vrf = resource
if not bd:
# It must be a normal network.
aname = mapper.network(session, net_db.id)
bds = aim.find(aim_ctx, aim_resource.BridgeDomain, name=aname)
if bds:
bd = bds[0]
epgs = aim.find(aim_ctx,
aim_resource.EndpointGroup,
name=aname)
if epgs:
epg = epgs[0]
if bd:
vrfs = (aim.find(aim_ctx,
aim_resource.VRF,
tenant_name=bd.tenant_name,
name=bd.vrf_name)
or aim.find(aim_ctx,
aim_resource.VRF,
tenant_name='common',
name=bd.vrf_name))
if vrfs:
vrf = vrfs[0]
if bd and epg and vrf:
db_mixin._add_network_mapping(session, net_db.id, bd, epg, vrf)
elif not net_db.external:
alembic_util.warn(
"AIM BD, EPG or VRF not found for network: %s" % net_db)
alembic_util.msg(
"Finished data migration for apic_aim mechanism driver persistence.")
def do_apic_aim_security_group_migration(session):
alembic_util.msg("Starting data migration for SGs and its rules.")
aim = aim_manager.AimManager()
aim_ctx = aim_context.AimContext(session)
mapper = apic_mapper.APICNameMapper()
with session.begin(subtransactions=True):
# Migrate SG.
sg_dbs = (session.query(sg_models.SecurityGroup).options(
lazyload('*')).all())
for sg_db in sg_dbs:
alembic_util.msg("Migrating SG: %s" % sg_db)
tenant_aname = mapper.project(session, sg_db['tenant_id'])
sg_aim = aim_resource.SecurityGroup(
tenant_name=tenant_aname,
name=sg_db['id'],
display_name=aim_utils.sanitize_display_name(sg_db['name']))
aim.create(aim_ctx, sg_aim, overwrite=True)
# Always create this default subject
sg_subject = aim_resource.SecurityGroupSubject(
tenant_name=tenant_aname,
security_group_name=sg_db['id'],
name='default')
aim.create(aim_ctx, sg_subject, overwrite=True)
# Migrate SG rules.
sg_rule_dbs = (session.query(sg_models.SecurityGroupRule).options(
lazyload('*')).all())
for sg_rule_db in sg_rule_dbs:
tenant_aname = mapper.project(session, sg_rule_db['tenant_id'])
if sg_rule_db.get('remote_group_id'):
ip_version = 0
if sg_rule_db['ethertype'] == 'IPv4':
ip_version = 4
elif sg_rule_db['ethertype'] == 'IPv6':
ip_version = 6
remote_ips = []
sg_ports = (session.query(models_v2.Port).join(
sg_models.SecurityGroupPortBinding,
sg_models.SecurityGroupPortBinding.port_id ==
models_v2.Port.id).filter(
sg_models.SecurityGroupPortBinding.security_group_id ==
sg_rule_db['remote_group_id']).options(
lazyload('*')).all())
for sg_port in sg_ports:
for fixed_ip in sg_port['fixed_ips']:
if ip_version == netaddr.IPAddress(
fixed_ip['ip_address']).version:
remote_ips.append(fixed_ip['ip_address'])
else:
remote_ips = ([sg_rule_db['remote_ip_prefix']]
if sg_rule_db['remote_ip_prefix'] else '')
sg_rule_aim = aim_resource.SecurityGroupRule(
tenant_name=tenant_aname,
security_group_name=sg_rule_db['security_group_id'],
security_group_subject_name='default',
name=sg_rule_db['id'],
direction=sg_rule_db['direction'],
ethertype=sg_rule_db['ethertype'].lower(),
ip_protocol=(sg_rule_db['protocol']
if sg_rule_db['protocol'] else 'unspecified'),
remote_ips=remote_ips,
from_port=(sg_rule_db['port_range_min']
if sg_rule_db['port_range_min'] else 'unspecified'),
to_port=(sg_rule_db['port_range_max']
if sg_rule_db['port_range_max'] else 'unspecified'))
aim.create(aim_ctx, sg_rule_aim, overwrite=True)
alembic_util.msg("Finished data migration for SGs and its rules.")