def _init_mock_plugin(self, *mocks):
super(TestNsxvAdminUtils, self)._init_mock_plugin()
# support the dvs manager:
mock.patch.object(dvs_utils, 'dvs_create_session').start()
# override metadata get-object
dummy_lb = {
'enabled': True,
'enableServiceInsertion': True,
'accelerationEnabled': True,
'virtualServer': [],
'applicationProfile': [],
'pool': [],
'applicationRule': []
}
mock.patch(
'vmware_nsx.plugins.nsx_v.vshield.nsxv_edge_cfg_obj.'
'NsxvEdgeCfgObj.get_object',
return_value=dummy_lb).start()
# Tests shouldn't wait for dummy spawn jobs to finish
mock.patch(
'vmware_nsx.shell.admin.plugins.nsxv.resources.utils.'
'NsxVPluginWrapper.count_spawn_jobs',
return_value=0).start()
self._plugin = nsxv_utils.NsxVPluginWrapper()
mock_nm_get_plugin = mock.patch(
"neutron_lib.plugins.directory.get_plugin")
self.mock_nm_get_plugin = mock_nm_get_plugin.start()
self.mock_nm_get_plugin.return_value = self._plugin
# Create a router to make sure we have deployed an edge
self.router = self.create_router()
def nsx_recreate_router(router_id):
# init the plugin and edge manager
cfg.CONF.set_override(
'core_plugin', 'vmware_nsx.shell.admin.plugins.nsxv.resources'
'.utils.NsxVPluginWrapper')
with utils.NsxVPluginWrapper() as plugin:
context = n_context.get_admin_context()
router = plugin.get_router(context, router_id)
if router.get('distributed'):
LOG.error("Recreating a distributed router is not supported")
return
router_driver = plugin._router_managers.get_tenant_router_driver(
context, router['router_type'])
# Check if it is already attached to an edge
binding = nsxv_db.get_nsxv_router_binding(context.session, router_id)
if binding:
old_edge_id = binding['edge_id']
# detach the router from this edge
LOG.info("Detaching the router from edge %s", old_edge_id)
router_driver.detach_router(context, router_id, {'router': router})
# attach the router to a new edge
appliance_size = router.get(routersize.ROUTER_SIZE)
router_driver.attach_router(context,
router_id, {'router': router},
appliance_size=appliance_size)
# find out who is the new edge to print it
new_edge_id = router_driver._get_edge_id_or_raise(context, router_id)
LOG.info("Router %(router)s was attached to edge %(edge)s", {
'router': router_id,
'edge': new_edge_id
})
def delete_v_resources(context, objects):
"""Delete a list of objects from the V plugin"""
with v_utils.NsxVPluginWrapper() as plugin:
LOG.info(">>>>Deleting all NSX-V objects of the project.")
for resource in migrated_resources:
get_object = getattr(plugin, "get_%s" % resource)
del_object = getattr(plugin, "delete_%s" % resource)
for obj in objects[resource]:
# verify that this object still exists
try:
get_object(context, obj['id'])
except exceptions.NotFound:
# prevent logger from logging this exception
sys.exc_clear()
continue
try:
# handle special cases before delete
if resource == 'router':
delete_router_routes_and_interfaces(
context, plugin, obj)
elif resource == 'port':
if obj['device_owner'] == 'network:dhcp':
continue
# delete the objects from the NSX-V plugin
del_object(context, obj['id'])
LOG.info(">>Deleted %(resource)s %(name)s",
{'resource': resource,
'name': obj.get('name') or obj['id']})
except Exception as e:
LOG.warning(">>Failed to delete %(resource)s %(name)s: "
"%(e)s",
{'resource': resource,
'name': obj.get('name') or obj['id'], 'e': e})
LOG.info(">>>>Done deleting all NSX-V objects.")
def read_v_resources_to_files(context, project_id):
"""Read all relevant NSX-V resources from a specific project
and write them into a json file
"""
results = {}
with v_utils.NsxVPluginWrapper() as plugin:
filters = {'project_id': [project_id]}
for resource in migrated_resources:
filename = get_resource_file_name(project_id, resource)
file = open(filename, 'w')
get_objects = getattr(plugin, "get_%ss" % resource)
objects = get_objects(context, filters=filters)
# also add router gateway ports of the relevant routers
# (don't have the project id)
if resource == 'port':
rtr_ids = [rtr['id'] for rtr in results['router']]
gw_filters = {'device_owner': ['network:router_gateway'],
'device_id': rtr_ids}
gw_ports = plugin.get_ports(context, filters=gw_filters,
filter_project=False)
# ignore metadata gw ports
objects.extend([port for port in gw_ports
if not port['tenant_id']])
file.write(jsonutils.dumps(objects, sort_keys=True, indent=4))
file.close()
results[resource] = objects
return results
def fix_security_groups(resource, event, trigger, **kwargs):
context_ = n_context.get_admin_context()
sgs_with_missing_section = _find_missing_sections()
sgs_with_missing_nsx_group = _find_missing_security_groups()
if not sgs_with_missing_section and not sgs_with_missing_nsx_group:
# no mismatches
return
with utils.NsxVPluginWrapper() as plugin:
# If only the fw section is missing then create it.
for sg_id in (set(sgs_with_missing_section.keys()) -
set(sgs_with_missing_nsx_group.keys())):
neutron_sg.delete_security_group_section_mapping(sg_id)
secgroup = plugin.get_security_group(context_, sg_id)
plugin._create_fw_section_for_security_group(
context_, secgroup,
sgs_with_missing_section[sg_id]['nsx-securitygroup-id'])
# If nsx security-group is missing then create both nsx security-group
# and a new fw section (remove old one).
for sg_id, sg in sgs_with_missing_nsx_group.items():
secgroup = plugin.get_security_group(context_, sg_id)
if sg_id not in sgs_with_missing_section:
plugin._delete_section(sg['section-uri'])
neutron_sg.delete_security_group_section_mapping(sg_id)
neutron_sg.delete_security_group_backend_mapping(sg_id)
plugin._process_security_group_create_backend_resources(
context_, secgroup)
nsx_id = nsx_db.get_nsx_security_group_id(context_.session, sg_id)
for vnic_id in neutron_sg.get_vnics_in_security_group(sg_id):
plugin._add_member_to_security_group(nsx_id, vnic_id)
def get_orphaned_vnics():
orphaned_vnics = []
context = n_context.get_admin_context()
vnic_binds = nsxv_db.get_edge_vnic_bindings_with_networks(context.session)
with utils.NsxVPluginWrapper() as plugin:
for vnic_bind in vnic_binds:
edge_id = vnic_bind['edge_id']
# check if this is a router edge by the router bindings table
router_bindings = nsxv_db.get_nsxv_router_bindings_by_edge(
context.session, edge_id)
if not router_bindings:
# Only log it. this is a different type of orphaned
LOG.warning("Router bindings for vnic %s not found", vnic_bind)
continue
router_ids = [b['router_id'] for b in router_bindings]
routers = plugin.get_routers(context, filters={'id': router_ids})
if routers:
interface_found = False
# check if any of those routers is attached to this network
for router in routers:
if plugin._get_router_interface_ports_by_network(
context, router['id'], vnic_bind['network_id']):
interface_found = True
break
if not interface_found:
# for later deleting the interface we need to know if this
# is a distributed router.
# All the routers on the same edge are of the same type,
# so we can check the first one.
vnic_bind['distributed'] = routers[0].get('distributed')
orphaned_vnics.append(vnic_bind)
return orphaned_vnics
def list_policies(resource, event, trigger, **kwargs):
"""List nsx service composer policies"""
context = n_context.get_admin_context()
with utils.NsxVPluginWrapper() as plugin:
policies = plugin.get_nsx_policies(context)
policies.sort(key=operator.itemgetter('id'))
_log_info("NSX service composer policies:", policies,
attrs=['id', 'name', 'description'])
def nsx_recreate_router_edge(old_edge_id):
# init the plugin and edge manager
cfg.CONF.set_override(
'core_plugin', 'vmware_nsx.shell.admin.plugins.nsxv.resources'
'.utils.NsxVPluginWrapper')
with utils.NsxVPluginWrapper() as plugin:
nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin))
edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin)
context = n_context.get_admin_context()
# verify that this is a Router edge
router_ids = edge_manager.get_routers_on_edge(context, old_edge_id)
if not router_ids:
LOG.error("Edge %(edge_id)s is not a router edge",
{'edge_id': old_edge_id})
return
# all the routers on the same edge have the same type, so it
# is ok to check the type once
example_router = plugin.get_router(context, router_ids[0])
if example_router.get('distributed'):
LOG.error("Recreating a distributed router edge is not "
"supported")
return
router_driver = plugin._router_managers.get_tenant_router_driver(
context, example_router['router_type'])
# load all the routers before deleting their binding
routers = []
for router_id in router_ids:
routers.append(plugin.get_router(context, router_id))
# delete the backend edge and all the relevant DB entries
delete_old_edge(context, old_edge_id)
# Go over all the relevant routers
for router in routers:
router_id = router['id']
az_name = _get_router_az_from_plugin_router(router)
# clean up other objects related to this router
if plugin.metadata_proxy_handler:
md_proxy = plugin.get_metadata_proxy_handler(az_name)
md_proxy.cleanup_router_edge(context, router_id)
# attach the router to a new edge
appliance_size = router.get(routersize.ROUTER_SIZE)
router_driver.attach_router(context,
router_id, {'router': router},
appliance_size=appliance_size)
# find out who is the new edge to print it
new_edge_id = router_driver._get_edge_id_or_raise(
context, router_id)
LOG.info("Router %(router)s was attached to edge %(edge)s", {
'router': router_id,
'edge': new_edge_id
})
def nsx_recreate_dhcp_edge(resource, event, trigger, **kwargs):
"""Recreate a dhcp edge with all the networks n a new NSXv edge"""
if not kwargs.get('property'):
LOG.error(_LE("Need to specify edge-id parameter"))
return
# input validation
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
old_edge_id = properties.get('edge-id')
if not old_edge_id:
LOG.error(_LE("Need to specify edge-id parameter"))
return
LOG.info(_LI("ReCreating NSXv Edge: %s"), old_edge_id)
# init the plugin and edge manager
cfg.CONF.set_override('core_plugin',
'vmware_nsx.shell.admin.plugins.nsxv.resources'
'.utils.NsxVPluginWrapper')
plugin = utils.NsxVPluginWrapper()
nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin))
edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin)
context = n_context.get_admin_context()
# verify that this is a DHCP edge
bindings = nsxv_db.get_nsxv_router_bindings_by_edge(
context.session, old_edge_id)
if (not bindings or
not bindings[0]['router_id'].startswith(
nsxv_constants.DHCP_EDGE_PREFIX)):
LOG.error(_LE("Edge %(edge_id)s is not a DHCP edge"),
{'edge_id': old_edge_id})
return
# find the networks bound to this DHCP edge
networks_binding = nsxv_db.get_edge_vnic_bindings_by_edge(
context.session, old_edge_id)
network_ids = [binding['network_id'] for binding in networks_binding]
# Find out the vdr router, if this is a vdr DHCP edge
vdr_binding = nsxv_db.get_vdr_dhcp_binding_by_edge(
context.session, old_edge_id)
vdr_router_id = vdr_binding['vdr_router_id'] if vdr_binding else None
# Delete the old edge
delete_old_dhcp_edge(context, old_edge_id, bindings)
if vdr_router_id:
# recreate the edge as a VDR DHCP edge
recreate_vdr_dhcp_edge(context, plugin, edge_manager,
old_edge_id, vdr_router_id)
else:
# This is a regular DHCP edge:
# Move all the networks to other (new or existing) edge
for net_id in network_ids:
recreate_network_dhcp(context, plugin, edge_manager,
old_edge_id, net_id)
def nsx_list_mismatch_addresses(resource, event, trigger, **kwargs):
"""List missing spoofguard policies approved addresses on NSXv.
Address pairs defined on neutron compute ports that are missing from the
NSX-V spoofguard policy of a specific/all networks.
"""
network_id = None
if kwargs.get('property'):
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
network_id = properties.get('network')
spgapi = utils.NeutronDbClient()
if network_id:
policy_id = nsxv_db.get_spoofguard_policy_id(spgapi.context.session,
network_id)
if not policy_id:
LOG.error(
"Could not find spoofguard policy for neutron network "
"%s", network_id)
return
with utils.NsxVPluginWrapper() as plugin:
missing_data = nsx_list_mismatch_addresses_for_net(
spgapi.context, plugin, network_id, policy_id)
else:
with utils.NsxVPluginWrapper() as plugin:
missing_data = []
# Go over all the networks with spoofguard policies
mappings = get_spoofguard_policy_network_mappings()
for entry in mappings:
missing_data.extend(
nsx_list_mismatch_addresses_for_net(
spgapi.context, plugin, entry['network_id'],
entry['policy_id']))
if missing_data:
LOG.info(
formatters.output_formatter(constants.SPOOFGUARD_POLICY,
missing_data,
['network', 'policy', 'port', 'data']))
else:
LOG.info("No mismatches found.")
def validate_configuration(resource, event, trigger, **kwargs):
"""Validate the nsxv configuration"""
try:
utils.NsxVPluginWrapper()
except exceptions.Forbidden:
LOG.error("Configuration validation failed: wrong VSM credentials "
"for %s", cfg.CONF.nsxv.manager_uri)
except Exception as e:
LOG.error("Configuration validation failed: %s", e)
else:
LOG.info("Configuration validation succeeded")
def get_vnics_in_security_group(self, security_group_id):
with utils.NsxVPluginWrapper() as plugin:
vnics = []
query = self.context.session.query(
models_v2.Port.id, models_v2.Port.device_id).join(
sg_models.SecurityGroupPortBinding).filter_by(
security_group_id=security_group_id).all()
for p in query:
vnic_index = plugin._get_port_vnic_index(self.context, p.id)
vnic_id = plugin._get_port_vnic_id(vnic_index, p.device_id)
vnics.append(vnic_id)
return vnics
def nsx_recreate_dhcp_edge(resource, event, trigger, **kwargs):
"""Recreate a dhcp edge with all the networks on a new NSXv edge"""
usage_msg = ("Need to specify edge-id or net-id parameter")
if not kwargs.get('property'):
LOG.error(usage_msg)
return
# input validation
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
old_edge_id = properties.get('edge-id')
if not old_edge_id:
# if the net-id property exist - recreate the edge for this network
net_id = properties.get('net-id')
if net_id:
nsx_recreate_dhcp_edge_by_net_id(net_id)
return
LOG.error(usage_msg)
return
LOG.info("ReCreating NSXv Edge: %s", old_edge_id)
context = n_context.get_admin_context()
# verify that this is a DHCP edge
bindings = nsxv_db.get_nsxv_router_bindings_by_edge(
context.session, old_edge_id)
if (not bindings or not bindings[0]['router_id'].startswith(
nsxv_constants.DHCP_EDGE_PREFIX)):
LOG.error("Edge %(edge_id)s is not a DHCP edge",
{'edge_id': old_edge_id})
return
# init the plugin and edge manager
cfg.CONF.set_override(
'core_plugin', 'vmware_nsx.shell.admin.plugins.nsxv.resources'
'.utils.NsxVPluginWrapper')
with utils.NsxVPluginWrapper() as plugin:
nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin))
edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin)
# find the networks bound to this DHCP edge
networks_binding = nsxv_db.get_edge_vnic_bindings_by_edge(
context.session, old_edge_id)
network_ids = [binding['network_id'] for binding in networks_binding]
# Delete the old edge
delete_old_dhcp_edge(context, old_edge_id, bindings)
# Move all the networks to other (new or existing) edge
for net_id in network_ids:
recreate_network_dhcp(context, plugin, edge_manager, old_edge_id,
net_id)
def redistribute_routers(resource, event, trigger, **kwargs):
"""If any of the shared routers are on a conflicting edge move them"""
context = n_context.get_admin_context()
with utils.NsxVPluginWrapper() as plugin:
router_driver = plugin._router_managers.get_tenant_router_driver(
context, 'shared')
routers = plugin.get_routers(context)
for router in routers:
if (not router.get('distributed', False)
and router.get('router_type') == 'shared'
and is_router_conflicting_on_edge(context, router_driver,
router['id'])):
router_driver.detach_router(context, router['id'], router)
router_driver.attach_router(context, router['id'], router)
def update_security_groups_logging(resource, event, trigger, **kwargs):
"""Update allowed traffic logging for all neutron security group rules"""
errmsg = ("Need to specify log-allowed-traffic property. Add --property "
"log-allowed-traffic=true/false")
if not kwargs.get('property'):
LOG.error("%s", errmsg)
return
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
log_allowed_str = properties.get('log-allowed-traffic')
if not log_allowed_str or log_allowed_str.lower() not in ['true', 'false']:
LOG.error("%s", errmsg)
return
log_allowed = log_allowed_str.lower() == 'true'
context = n_context.get_admin_context()
with utils.NsxVPluginWrapper() as plugin:
vcns = plugin.nsx_v.vcns
sg_utils = plugin. nsx_sg_utils
# If the section/sg is already logged, then no action is
# required.
security_groups = plugin.get_security_groups(context)
LOG.info("Going to update logging of %s sections",
len(security_groups))
for sg in [sg for sg in plugin.get_security_groups(context)
if sg.get(sg_logging.LOGGING) is False]:
if sg.get(sg_policy.POLICY):
# Logging is not relevant with a policy
continue
section_uri = plugin._get_section_uri(context.session,
sg['id'])
if section_uri is None:
continue
# Section/sg is not logged, update rules logging according
# to the 'log_security_groups_allowed_traffic' config
# option.
try:
h, c = vcns.get_section(section_uri)
section = sg_utils.parse_section(c)
section_needs_update = sg_utils.set_rules_logged_option(
section, log_allowed)
if section_needs_update:
vcns.update_section(section_uri,
sg_utils.to_xml_string(section), h)
except Exception as exc:
LOG.error('Unable to update security group %(sg)s '
'section for logging. %(e)s',
{'e': exc, 'sg': sg['id']})
def get_orphaned_router_bindings():
context = n_context.get_admin_context()
orphaned_list = []
with utils.NsxVPluginWrapper() as plugin:
networks = plugin.get_networks(context, fields=['id'])
net_ids = [x['id'] for x in networks]
routers = plugin.get_routers(context, fields=['id'])
rtr_ids = [x['id'] for x in routers]
for binding in get_router_edge_bindings():
if not router_binding_obj_exist(context, binding, net_ids,
rtr_ids):
orphaned_list.append(binding)
return orphaned_list
def nsx_recreate_dhcp_edge_by_net_id(net_id):
"""Recreate a dhcp edge for a specific network without an edge"""
LOG.info("ReCreating NSXv Edge for network: %s", net_id)
context = n_context.get_admin_context()
# init the plugin and edge manager
cfg.CONF.set_override(
'core_plugin', 'vmware_nsx.shell.admin.plugins.nsxv.resources'
'.utils.NsxVPluginWrapper')
with utils.NsxVPluginWrapper() as plugin:
nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin))
edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin)
# verify that there is no DHCP edge for this network at the moment
resource_id = (nsxv_constants.DHCP_EDGE_PREFIX + net_id)[:36]
router_binding = nsxv_db.get_nsxv_router_binding(
context.session, resource_id)
if router_binding:
# make sure there is no real edge
if router_binding['edge_id']:
edge_id = router_binding['edge_id']
try:
nsxv_manager.vcns.get_edge(edge_id)
except exceptions.ResourceNotFound:
# No edge on backend
# prevent logger from logging this exception
sys.exc_clear()
LOG.info("Edge %s does not exist on the NSX", edge_id)
else:
LOG.warning(
"Network %(net_id)s already has a dhcp edge: "
"%(edge_id)s", {
'edge_id': edge_id,
'net_id': net_id
})
return
# delete this old entry
nsxv_db.delete_nsxv_router_binding(context.session, resource_id)
# Verify that the network exists on neutron
try:
plugin.get_network(context, net_id)
except nl_exc.NetworkNotFound:
LOG.error("Network %s does not exist", net_id)
return
recreate_network_dhcp(context, plugin, edge_manager, None, net_id)
def nsx_redo_metadata_cfg(resource, event, trigger, **kwargs):
properties = admin_utils.parse_multi_keyval_opt(kwargs.get('property'))
edgeapi = utils.NeutronDbClient()
plugin = utils.NsxVPluginWrapper()
edge_id = properties.get('edge-id')
if properties:
if edge_id:
nsx_redo_metadata_cfg_for_edge(edgeapi.context, plugin, edge_id)
return
else:
# if the net-id property exist - recreate the edge for this network
az_name = properties.get('az-name')
if az_name:
nsx_redo_metadata_cfg_for_az(edgeapi.context, plugin, az_name)
return
LOG.error('Cannot parse properties %s', properties)
return
nsx_redo_metadata_cfg_all(edgeapi.context, plugin)
def nsx_recreate_dhcp_edge_by_net_id(net_id):
"""Recreate a dhcp edge for a specific network without an edge"""
LOG.info("ReCreating NSXv Edge for network: %s", net_id)
context = n_context.get_admin_context()
# verify that there is no DHCP edge for this network at the moment
resource_id = (nsxv_constants.DHCP_EDGE_PREFIX + net_id)[:36]
router_binding = nsxv_db.get_nsxv_router_binding(context.session,
resource_id)
if router_binding:
# make sure there is no edge
if router_binding['edge_id']:
LOG.warning(
"Network %(net_id)s already has a dhcp edge: "
"%(egde_id)s", {
'edge_id': router_binding['edge_id'],
'net_id': net_id
})
return
# delete this old entry
nsxv_db.delete_nsxv_router_binding(context.session, resource_id)
# init the plugin and edge manager
cfg.CONF.set_override(
'core_plugin', 'vmware_nsx.shell.admin.plugins.nsxv.resources'
'.utils.NsxVPluginWrapper')
with utils.NsxVPluginWrapper() as plugin:
nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin))
edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin)
# check if this network is attached to a distributed router
vdr_router_id = _get_net_vdr_router_id(plugin, context, net_id)
if vdr_router_id:
# recreate the edge as a VDR DHCP edge
recreate_vdr_dhcp_edge(context, plugin, edge_manager,
vdr_router_id)
else:
# This is a regular DHCP edge:
recreate_network_dhcp(context, plugin, edge_manager, None, net_id)
def nsx_redistribute_dhcp_edges(resource, event, trigger, **kwargs):
"""If any of the DHCP networks are on a conflicting edge move them"""
context = n_context.get_admin_context()
with utils.NsxVPluginWrapper() as plugin:
nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin))
edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin)
# go over all DHCP subnets
networks = plugin.get_networks(context)
for network in networks:
network_id = network['id']
# Check if the network has a related DHCP edge
resource_id = (nsxv_constants.DHCP_EDGE_PREFIX + network_id)[:36]
dhcp_edge_binding = nsxv_db.get_nsxv_router_binding(
context.session, resource_id)
if not dhcp_edge_binding:
continue
LOG.info("Checking network %s", network_id)
edge_id = dhcp_edge_binding['edge_id']
availability_zone = plugin.get_network_az_by_net_id(
context, network['id'])
filters = {'network_id': [network_id], 'enable_dhcp': [True]}
subnets = plugin.get_subnets(context, filters=filters)
for subnet in subnets:
(conflict_edge_ids,
available_edge_ids) = edge_manager._get_used_edges(
context, subnet, availability_zone)
if edge_id in conflict_edge_ids:
# move the DHCP to another edge
LOG.info(
"Network %(net)s on DHCP edge %(edge)s is "
"conflicting with another network and will be "
"moved", {
'net': network_id,
'edge': edge_id
})
edge_manager.remove_network_from_dhcp_edge(
context, network_id, edge_id)
edge_manager.create_dhcp_edge_service(
context, network_id, subnet)
break
def nsx_update_dhcp_edge_binding(resource, event, trigger, **kwargs):
"""Resync DHCP bindings on NSXv Edge"""
if not kwargs.get('property'):
LOG.error(_LE("Need to specify edge-id parameter"))
return
else:
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
edge_id = properties.get('edge-id')
if not edge_id:
LOG.error(_LE("Need to specify edge-id parameter"))
return
LOG.info(_LI("Updating NSXv Edge: %s"), edge_id)
# Need to create a plugin object; so that we are able to
# do neutron list-ports.
plugin = utils.NsxVPluginWrapper()
nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin))
edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin)
try:
edge_manager.update_dhcp_service_config(neutron_db.context,
edge_id)
except exceptions.ResourceNotFound:
LOG.error(_LE("Edge %s not found"), edge_id)
def migrate_distributed_routers_dhcp(resource, event, trigger, **kwargs):
context = n_context.get_admin_context()
nsxv = utils.get_nsxv_client()
with utils.NsxVPluginWrapper() as plugin:
routers = plugin.get_routers(context)
for router in routers:
if router.get('distributed', False):
binding = nsxv_db.get_nsxv_router_binding(
context.session, router['id'])
if binding:
edge_id = binding['edge_id']
with locking.LockManager.get_lock(edge_id):
route_obj = nsxv.get_routes(edge_id)[1]
routes = route_obj.get('staticRoutes',
{}).get('staticRoutes', [])
new_routes = [
route for route in routes
if route.get('network') != '169.254.169.254/32'
]
route_obj['staticRoutes']['staticRoutes'] = new_routes
nsxv.update_routes(edge_id, route_obj)
def clean_orphaned_vnics(resource, event, trigger, **kwargs):
"""List router orphaned router vnics where the port was deleted"""
orphaned_vnics = get_orphaned_vnics()
if not orphaned_vnics:
LOG.info("No orphaned router vnics found")
return
headers = ['edge_id', 'vnic_index', 'tunnel_index', 'network_id']
LOG.info(
formatters.output_formatter(constants.ORPHANED_VNICS, orphaned_vnics,
headers))
user_confirm = admin_utils.query_yes_no(
"Do you want to delete "
"orphaned vnics", default="no")
if not user_confirm:
LOG.info("NSXv vnics deletion aborted by user")
return
context = n_context.get_admin_context()
with utils.NsxVPluginWrapper() as plugin:
nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin))
for vnic in orphaned_vnics:
if not vnic['distributed']:
try:
nsxv_manager.vcns.delete_interface(vnic['edge_id'],
vnic['vnic_index'])
except Exception as e:
LOG.error("Failed to delete vnic from NSX: %s", e)
nsxv_db.free_edge_vnic_by_network(context.session,
vnic['edge_id'],
vnic['network_id'])
else:
try:
nsxv_manager.vcns.delete_vdr_internal_interface(
vnic['edge_id'], vnic['vnic_index'])
except Exception as e:
LOG.error("Failed to delete vnic from NSX: %s", e)
nsxv_db.delete_edge_vnic_binding_by_network(
context.session, vnic['edge_id'], vnic['network_id'])
def get_orphaned_router_bindings():
context = n_context.get_admin_context()
orphaned_list = []
with utils.NsxVPluginWrapper() as plugin:
networks = plugin.get_networks(context, fields=['id'])
net_ids = [x['id'] for x in networks]
routers = plugin.get_routers(context, fields=['id'])
rtr_ids = [x['id'] for x in routers]
nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin))
edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin)
plr_tlr_ids = {}
for tlr_id in rtr_ids:
plr_id = edge_manager.get_plr_by_tlr_id(context, tlr_id)
if plr_id:
plr_tlr_ids[plr_id] = tlr_id
for binding in get_router_edge_bindings():
if not router_binding_obj_exist(context, binding, net_ids, rtr_ids,
plr_tlr_ids):
orphaned_list.append(binding)
return orphaned_list
def nsx_fix_mismatch_addresses(resource, event, trigger, **kwargs):
"""Fix missing spoofguard policies approved addresses for a port."""
port_id = None
if kwargs.get('property'):
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
port_id = properties.get('port')
if not port_id:
usage_msg = ("Need to specify the id of the neutron port. "
"Add --property port=<port_id>")
LOG.error(usage_msg)
return
spgapi = utils.NeutronDbClient()
with utils.NsxVPluginWrapper() as plugin:
try:
port = plugin.get_port(spgapi.context, port_id)
except exceptions.PortNotFound:
LOG.error("Could not find neutron port %s", port_id)
return
vnic_id = get_port_vnic_id(plugin, port)
plugin._update_vnic_assigned_addresses(spgapi.context.session, port,
vnic_id)
LOG.info("Done.")
def firewall_update_cluster_default_fw_section(resource, event, trigger,
**kwargs):
with utils.NsxVPluginWrapper() as plugin:
plugin._create_cluster_default_fw_section()
LOG.info("Cluster default FW section updated.")
def migrate_sg_to_policy(resource, event, trigger, **kwargs):
"""Change the mode of a security group from rules to NSX policy"""
if not kwargs.get('property'):
LOG.error("Need to specify security-group-id and policy-id "
"parameters")
return
# input validation
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
sg_id = properties.get('security-group-id')
if not sg_id:
LOG.error("Need to specify security-group-id parameter")
return
policy_id = properties.get('policy-id')
if not policy_id:
LOG.error("Need to specify policy-id parameter")
return
# validate that the security group exist and contains rules and no policy
context_ = n_context.get_admin_context()
with utils.NsxVPluginWrapper() as plugin:
try:
secgroup = plugin.get_security_group(context_, sg_id)
except ext_sg.SecurityGroupNotFound:
LOG.error("Security group %s was not found", sg_id)
return
if secgroup.get('policy'):
LOG.error("Security group %s already uses a policy", sg_id)
return
# validate that the policy exists
if not plugin.nsx_v.vcns.validate_inventory(policy_id):
LOG.error("NSX policy %s was not found", policy_id)
return
# get the nsx id from the backend
nsx_sg_id = nsx_db.get_nsx_security_group_id(context_.session,
sg_id,
moref=True)
if not nsx_sg_id:
LOG.error("Did not find security groups %s neutron ID", sg_id)
return
# Delete the rules from the security group
LOG.info("Deleting the rules of security group: %s", sg_id)
for rule in secgroup.get('security_group_rules', []):
try:
plugin.delete_security_group_rule(context_, rule['id'])
except Exception as e:
LOG.warning(
"Failed to delete rule %(r)s from security "
"group %(sg)s: %(e)s", {
'r': rule['id'],
'sg': sg_id,
'e': e
})
# continue anyway
# Delete the security group FW section
LOG.info("Deleting the section of security group: %s", sg_id)
try:
section_uri = plugin._get_section_uri(context_.session, sg_id)
plugin._delete_section(section_uri)
nsxv_db.delete_neutron_nsx_section_mapping(context_.session, sg_id)
except Exception as e:
LOG.warning(
"Failed to delete firewall section of security "
"group %(sg)s: %(e)s", {
'sg': sg_id,
'e': e
})
# continue anyway
# bind this security group to the policy in the backend and DB
LOG.info("Binding the NSX security group %(nsx)s to policy "
"%(pol)s", {
'nsx': nsx_sg_id,
'pol': policy_id
})
plugin._update_nsx_security_group_policies(policy_id, None, nsx_sg_id)
with context_.session.begin(subtransactions=True):
prop = context_.session.query(
extended_secgroup.NsxExtendedSecurityGroupProperties).\
filter_by(security_group_id=sg_id).one()
prop[sg_policy.POLICY] = policy_id
LOG.info("Done.")
def list_orphaned_networks(resource, event, trigger, **kwargs):
"""List the NSX networks which are missing the neutron DB
"""
admin_context = context.get_admin_context()
missing_networks = []
# get all neutron distributed routers in advanced
with utils.NsxVPluginWrapper() as plugin:
neutron_routers = plugin.get_routers(
admin_context, fields=['id', 'name', 'distributed'])
neutron_dist_routers = [
rtr for rtr in neutron_routers if rtr['distributed']
]
# get the list of backend networks:
backend_networks = get_networks()
for net in backend_networks:
moref = net['moref']
backend_name = net['name']
# Decide if this is a neutron network by its name (which should always
# contain the net-id), and type
if (backend_name.startswith('edge-') or len(backend_name) < 36
or net['type'] == 'Network'):
# This is not a neutron network
continue
if backend_name.startswith('int-') and net['type'] == 'VirtualWire':
# This is a PLR network. Check that the router exists
found = False
# compare the expected lswitch name by the dist router name & id
for rtr in neutron_dist_routers:
lswitch_name = ('int-' + rtr['name'] + rtr['id'])[:36]
if lswitch_name == backend_name:
found = True
break
# if the neutron router got renamed, this will not work.
# compare ids prefixes instead (might cause false positives)
for rtr in neutron_dist_routers:
if rtr['id'][:5] in backend_name:
LOG.info(
"Logical switch %s probably matches distributed "
"router %s", backend_name, rtr['id'])
found = True
break
if not found:
missing_networks.append(net)
continue
# get the list of neutron networks with this moref
neutron_networks = nsx_db.get_nsx_network_mapping_for_nsx_id(
admin_context.session, moref)
if not neutron_networks:
# no network found for this moref
missing_networks.append(net)
elif moref.startswith(PORTGROUP_PREFIX):
# This is a VLAN network. Also verify that the DVS Id matches
for entry in neutron_networks:
if (not entry['dvs_id']
or backend_name.startswith(entry['dvs_id'])):
found = True
# this moref & dvs-id does not appear in the DB
if not found:
missing_networks.append(net)
LOG.info(
formatters.output_formatter(constants.ORPHANED_NETWORKS,
missing_networks,
['type', 'moref', 'name']))
def nsx_recreate_router_edge(resource, event, trigger, **kwargs):
"""Recreate a router edge with all the data on a new NSXv edge"""
if not kwargs.get('property'):
LOG.error(_LE("Need to specify edge-id parameter"))
return
# input validation
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
old_edge_id = properties.get('edge-id')
if not old_edge_id:
LOG.error(_LE("Need to specify edge-id parameter"))
return
LOG.info(_LI("ReCreating NSXv Router Edge: %s"), old_edge_id)
# init the plugin and edge manager
cfg.CONF.set_override(
'core_plugin', 'vmware_nsx.shell.admin.plugins.nsxv.resources'
'.utils.NsxVPluginWrapper')
plugin = utils.NsxVPluginWrapper()
nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin))
edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin)
context = n_context.get_admin_context()
# verify that this is a Router edge
router_ids = edge_manager.get_routers_on_edge(context, old_edge_id)
if not router_ids:
LOG.error(_LE("Edge %(edge_id)s is not a router edge"),
{'edge_id': old_edge_id})
return
# all the routers on the same edge have the same type, so it
# is ok to check the type once
example_router = plugin.get_router(context, router_ids[0])
router_driver = plugin._router_managers.get_tenant_router_driver(
context, example_router['router_type'])
if router_driver.get_type() == "distributed":
LOG.error(
_LE("Recreating a distributed driver edge is not "
"supported"))
return
# load all the routers before deleting their binding
routers = []
for router_id in router_ids:
routers.append(plugin.get_router(context, router_id))
# delete the backend edge and all the relevant DB entries
delete_old_edge(context, old_edge_id)
# Go over all the relevant routers
for router in routers:
router_id = router['id']
# clean up other objects related to this router
if plugin.metadata_proxy_handler:
plugin.metadata_proxy_handler.cleanup_router_edge(router_id)
# attach the router to a new edge
appliance_size = router.get(routersize.ROUTER_SIZE)
router_driver.attach_router(context,
router_id, {'router': router},
appliance_size=appliance_size)
# find out who is the new edge to print it
new_edge_id = router_driver._get_edge_id_or_raise(context, router_id)
LOG.info(_LI("Router %(router)s was attached to edge %(edge)s"), {
'router': router_id,
'edge': new_edge_id
})
h, firewall_config = self.vcns.get_dfw_config()
root = et.fromstring(firewall_config)
sections = []
for sec in root.iter('section'):
sec_id = sec.attrib['id']
# Don't show NSX default sections, which are not relevant to OS.
if sec_id in ['1001', '1002', '1003']:
continue
sections.append({'name': sec.attrib['name'],
'id': sec_id})
return sections
neutron_sg = NeutronSecurityGroupDB()
nsxv_firewall = NsxFirewallAPI()
plugin = utils.NsxVPluginWrapper()
def _log_info(resource, data, attrs=['name', 'id']):
LOG.info(formatters.output_formatter(resource, data, attrs))
@admin_utils.list_handler(constants.SECURITY_GROUPS)
@admin_utils.output_header
def neutron_list_security_groups_mappings(resource, event, trigger, **kwargs):
sg_mappings = neutron_sg.get_security_groups_mappings()
_log_info(constants.SECURITY_GROUPS,
sg_mappings,
attrs=['name', 'id', 'section-uri', 'nsx-securitygroup-id'])
return bool(sg_mappings)
