def _init_mock_plugin(self, *mocks): super(TestNsxvAdminUtils, self)._init_mock_plugin() # support the dvs manager: mock.patch.object(dvs_utils, 'dvs_create_session').start() # override metadata get-object dummy_lb = { 'enabled': True, 'enableServiceInsertion': True, 'accelerationEnabled': True, 'virtualServer': [], 'applicationProfile': [], 'pool': [], 'applicationRule': [] } mock.patch( 'vmware_nsx.plugins.nsx_v.vshield.nsxv_edge_cfg_obj.' 'NsxvEdgeCfgObj.get_object', return_value=dummy_lb).start() # Tests shouldn't wait for dummy spawn jobs to finish mock.patch( 'vmware_nsx.shell.admin.plugins.nsxv.resources.utils.' 'NsxVPluginWrapper.count_spawn_jobs', return_value=0).start() self._plugin = nsxv_utils.NsxVPluginWrapper() mock_nm_get_plugin = mock.patch( "neutron_lib.plugins.directory.get_plugin") self.mock_nm_get_plugin = mock_nm_get_plugin.start() self.mock_nm_get_plugin.return_value = self._plugin # Create a router to make sure we have deployed an edge self.router = self.create_router()
def nsx_recreate_router(router_id): # init the plugin and edge manager cfg.CONF.set_override( 'core_plugin', 'vmware_nsx.shell.admin.plugins.nsxv.resources' '.utils.NsxVPluginWrapper') with utils.NsxVPluginWrapper() as plugin: context = n_context.get_admin_context() router = plugin.get_router(context, router_id) if router.get('distributed'): LOG.error("Recreating a distributed router is not supported") return router_driver = plugin._router_managers.get_tenant_router_driver( context, router['router_type']) # Check if it is already attached to an edge binding = nsxv_db.get_nsxv_router_binding(context.session, router_id) if binding: old_edge_id = binding['edge_id'] # detach the router from this edge LOG.info("Detaching the router from edge %s", old_edge_id) router_driver.detach_router(context, router_id, {'router': router}) # attach the router to a new edge appliance_size = router.get(routersize.ROUTER_SIZE) router_driver.attach_router(context, router_id, {'router': router}, appliance_size=appliance_size) # find out who is the new edge to print it new_edge_id = router_driver._get_edge_id_or_raise(context, router_id) LOG.info("Router %(router)s was attached to edge %(edge)s", { 'router': router_id, 'edge': new_edge_id })
def delete_v_resources(context, objects): """Delete a list of objects from the V plugin""" with v_utils.NsxVPluginWrapper() as plugin: LOG.info(">>>>Deleting all NSX-V objects of the project.") for resource in migrated_resources: get_object = getattr(plugin, "get_%s" % resource) del_object = getattr(plugin, "delete_%s" % resource) for obj in objects[resource]: # verify that this object still exists try: get_object(context, obj['id']) except exceptions.NotFound: # prevent logger from logging this exception sys.exc_clear() continue try: # handle special cases before delete if resource == 'router': delete_router_routes_and_interfaces( context, plugin, obj) elif resource == 'port': if obj['device_owner'] == 'network:dhcp': continue # delete the objects from the NSX-V plugin del_object(context, obj['id']) LOG.info(">>Deleted %(resource)s %(name)s", {'resource': resource, 'name': obj.get('name') or obj['id']}) except Exception as e: LOG.warning(">>Failed to delete %(resource)s %(name)s: " "%(e)s", {'resource': resource, 'name': obj.get('name') or obj['id'], 'e': e}) LOG.info(">>>>Done deleting all NSX-V objects.")
def read_v_resources_to_files(context, project_id): """Read all relevant NSX-V resources from a specific project and write them into a json file """ results = {} with v_utils.NsxVPluginWrapper() as plugin: filters = {'project_id': [project_id]} for resource in migrated_resources: filename = get_resource_file_name(project_id, resource) file = open(filename, 'w') get_objects = getattr(plugin, "get_%ss" % resource) objects = get_objects(context, filters=filters) # also add router gateway ports of the relevant routers # (don't have the project id) if resource == 'port': rtr_ids = [rtr['id'] for rtr in results['router']] gw_filters = {'device_owner': ['network:router_gateway'], 'device_id': rtr_ids} gw_ports = plugin.get_ports(context, filters=gw_filters, filter_project=False) # ignore metadata gw ports objects.extend([port for port in gw_ports if not port['tenant_id']]) file.write(jsonutils.dumps(objects, sort_keys=True, indent=4)) file.close() results[resource] = objects return results
def fix_security_groups(resource, event, trigger, **kwargs): context_ = n_context.get_admin_context() sgs_with_missing_section = _find_missing_sections() sgs_with_missing_nsx_group = _find_missing_security_groups() if not sgs_with_missing_section and not sgs_with_missing_nsx_group: # no mismatches return with utils.NsxVPluginWrapper() as plugin: # If only the fw section is missing then create it. for sg_id in (set(sgs_with_missing_section.keys()) - set(sgs_with_missing_nsx_group.keys())): neutron_sg.delete_security_group_section_mapping(sg_id) secgroup = plugin.get_security_group(context_, sg_id) plugin._create_fw_section_for_security_group( context_, secgroup, sgs_with_missing_section[sg_id]['nsx-securitygroup-id']) # If nsx security-group is missing then create both nsx security-group # and a new fw section (remove old one). for sg_id, sg in sgs_with_missing_nsx_group.items(): secgroup = plugin.get_security_group(context_, sg_id) if sg_id not in sgs_with_missing_section: plugin._delete_section(sg['section-uri']) neutron_sg.delete_security_group_section_mapping(sg_id) neutron_sg.delete_security_group_backend_mapping(sg_id) plugin._process_security_group_create_backend_resources( context_, secgroup) nsx_id = nsx_db.get_nsx_security_group_id(context_.session, sg_id) for vnic_id in neutron_sg.get_vnics_in_security_group(sg_id): plugin._add_member_to_security_group(nsx_id, vnic_id)
def get_orphaned_vnics(): orphaned_vnics = [] context = n_context.get_admin_context() vnic_binds = nsxv_db.get_edge_vnic_bindings_with_networks(context.session) with utils.NsxVPluginWrapper() as plugin: for vnic_bind in vnic_binds: edge_id = vnic_bind['edge_id'] # check if this is a router edge by the router bindings table router_bindings = nsxv_db.get_nsxv_router_bindings_by_edge( context.session, edge_id) if not router_bindings: # Only log it. this is a different type of orphaned LOG.warning("Router bindings for vnic %s not found", vnic_bind) continue router_ids = [b['router_id'] for b in router_bindings] routers = plugin.get_routers(context, filters={'id': router_ids}) if routers: interface_found = False # check if any of those routers is attached to this network for router in routers: if plugin._get_router_interface_ports_by_network( context, router['id'], vnic_bind['network_id']): interface_found = True break if not interface_found: # for later deleting the interface we need to know if this # is a distributed router. # All the routers on the same edge are of the same type, # so we can check the first one. vnic_bind['distributed'] = routers[0].get('distributed') orphaned_vnics.append(vnic_bind) return orphaned_vnics
def list_policies(resource, event, trigger, **kwargs): """List nsx service composer policies""" context = n_context.get_admin_context() with utils.NsxVPluginWrapper() as plugin: policies = plugin.get_nsx_policies(context) policies.sort(key=operator.itemgetter('id')) _log_info("NSX service composer policies:", policies, attrs=['id', 'name', 'description'])
def nsx_recreate_router_edge(old_edge_id): # init the plugin and edge manager cfg.CONF.set_override( 'core_plugin', 'vmware_nsx.shell.admin.plugins.nsxv.resources' '.utils.NsxVPluginWrapper') with utils.NsxVPluginWrapper() as plugin: nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin)) edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin) context = n_context.get_admin_context() # verify that this is a Router edge router_ids = edge_manager.get_routers_on_edge(context, old_edge_id) if not router_ids: LOG.error("Edge %(edge_id)s is not a router edge", {'edge_id': old_edge_id}) return # all the routers on the same edge have the same type, so it # is ok to check the type once example_router = plugin.get_router(context, router_ids[0]) if example_router.get('distributed'): LOG.error("Recreating a distributed router edge is not " "supported") return router_driver = plugin._router_managers.get_tenant_router_driver( context, example_router['router_type']) # load all the routers before deleting their binding routers = [] for router_id in router_ids: routers.append(plugin.get_router(context, router_id)) # delete the backend edge and all the relevant DB entries delete_old_edge(context, old_edge_id) # Go over all the relevant routers for router in routers: router_id = router['id'] az_name = _get_router_az_from_plugin_router(router) # clean up other objects related to this router if plugin.metadata_proxy_handler: md_proxy = plugin.get_metadata_proxy_handler(az_name) md_proxy.cleanup_router_edge(context, router_id) # attach the router to a new edge appliance_size = router.get(routersize.ROUTER_SIZE) router_driver.attach_router(context, router_id, {'router': router}, appliance_size=appliance_size) # find out who is the new edge to print it new_edge_id = router_driver._get_edge_id_or_raise( context, router_id) LOG.info("Router %(router)s was attached to edge %(edge)s", { 'router': router_id, 'edge': new_edge_id })
def nsx_recreate_dhcp_edge(resource, event, trigger, **kwargs): """Recreate a dhcp edge with all the networks n a new NSXv edge""" if not kwargs.get('property'): LOG.error(_LE("Need to specify edge-id parameter")) return # input validation properties = admin_utils.parse_multi_keyval_opt(kwargs['property']) old_edge_id = properties.get('edge-id') if not old_edge_id: LOG.error(_LE("Need to specify edge-id parameter")) return LOG.info(_LI("ReCreating NSXv Edge: %s"), old_edge_id) # init the plugin and edge manager cfg.CONF.set_override('core_plugin', 'vmware_nsx.shell.admin.plugins.nsxv.resources' '.utils.NsxVPluginWrapper') plugin = utils.NsxVPluginWrapper() nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin)) edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin) context = n_context.get_admin_context() # verify that this is a DHCP edge bindings = nsxv_db.get_nsxv_router_bindings_by_edge( context.session, old_edge_id) if (not bindings or not bindings[0]['router_id'].startswith( nsxv_constants.DHCP_EDGE_PREFIX)): LOG.error(_LE("Edge %(edge_id)s is not a DHCP edge"), {'edge_id': old_edge_id}) return # find the networks bound to this DHCP edge networks_binding = nsxv_db.get_edge_vnic_bindings_by_edge( context.session, old_edge_id) network_ids = [binding['network_id'] for binding in networks_binding] # Find out the vdr router, if this is a vdr DHCP edge vdr_binding = nsxv_db.get_vdr_dhcp_binding_by_edge( context.session, old_edge_id) vdr_router_id = vdr_binding['vdr_router_id'] if vdr_binding else None # Delete the old edge delete_old_dhcp_edge(context, old_edge_id, bindings) if vdr_router_id: # recreate the edge as a VDR DHCP edge recreate_vdr_dhcp_edge(context, plugin, edge_manager, old_edge_id, vdr_router_id) else: # This is a regular DHCP edge: # Move all the networks to other (new or existing) edge for net_id in network_ids: recreate_network_dhcp(context, plugin, edge_manager, old_edge_id, net_id)
def nsx_list_mismatch_addresses(resource, event, trigger, **kwargs): """List missing spoofguard policies approved addresses on NSXv. Address pairs defined on neutron compute ports that are missing from the NSX-V spoofguard policy of a specific/all networks. """ network_id = None if kwargs.get('property'): properties = admin_utils.parse_multi_keyval_opt(kwargs['property']) network_id = properties.get('network') spgapi = utils.NeutronDbClient() if network_id: policy_id = nsxv_db.get_spoofguard_policy_id(spgapi.context.session, network_id) if not policy_id: LOG.error( "Could not find spoofguard policy for neutron network " "%s", network_id) return with utils.NsxVPluginWrapper() as plugin: missing_data = nsx_list_mismatch_addresses_for_net( spgapi.context, plugin, network_id, policy_id) else: with utils.NsxVPluginWrapper() as plugin: missing_data = [] # Go over all the networks with spoofguard policies mappings = get_spoofguard_policy_network_mappings() for entry in mappings: missing_data.extend( nsx_list_mismatch_addresses_for_net( spgapi.context, plugin, entry['network_id'], entry['policy_id'])) if missing_data: LOG.info( formatters.output_formatter(constants.SPOOFGUARD_POLICY, missing_data, ['network', 'policy', 'port', 'data'])) else: LOG.info("No mismatches found.")
def validate_configuration(resource, event, trigger, **kwargs): """Validate the nsxv configuration""" try: utils.NsxVPluginWrapper() except exceptions.Forbidden: LOG.error("Configuration validation failed: wrong VSM credentials " "for %s", cfg.CONF.nsxv.manager_uri) except Exception as e: LOG.error("Configuration validation failed: %s", e) else: LOG.info("Configuration validation succeeded")
def get_vnics_in_security_group(self, security_group_id): with utils.NsxVPluginWrapper() as plugin: vnics = [] query = self.context.session.query( models_v2.Port.id, models_v2.Port.device_id).join( sg_models.SecurityGroupPortBinding).filter_by( security_group_id=security_group_id).all() for p in query: vnic_index = plugin._get_port_vnic_index(self.context, p.id) vnic_id = plugin._get_port_vnic_id(vnic_index, p.device_id) vnics.append(vnic_id) return vnics
def nsx_recreate_dhcp_edge(resource, event, trigger, **kwargs): """Recreate a dhcp edge with all the networks on a new NSXv edge""" usage_msg = ("Need to specify edge-id or net-id parameter") if not kwargs.get('property'): LOG.error(usage_msg) return # input validation properties = admin_utils.parse_multi_keyval_opt(kwargs['property']) old_edge_id = properties.get('edge-id') if not old_edge_id: # if the net-id property exist - recreate the edge for this network net_id = properties.get('net-id') if net_id: nsx_recreate_dhcp_edge_by_net_id(net_id) return LOG.error(usage_msg) return LOG.info("ReCreating NSXv Edge: %s", old_edge_id) context = n_context.get_admin_context() # verify that this is a DHCP edge bindings = nsxv_db.get_nsxv_router_bindings_by_edge( context.session, old_edge_id) if (not bindings or not bindings[0]['router_id'].startswith( nsxv_constants.DHCP_EDGE_PREFIX)): LOG.error("Edge %(edge_id)s is not a DHCP edge", {'edge_id': old_edge_id}) return # init the plugin and edge manager cfg.CONF.set_override( 'core_plugin', 'vmware_nsx.shell.admin.plugins.nsxv.resources' '.utils.NsxVPluginWrapper') with utils.NsxVPluginWrapper() as plugin: nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin)) edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin) # find the networks bound to this DHCP edge networks_binding = nsxv_db.get_edge_vnic_bindings_by_edge( context.session, old_edge_id) network_ids = [binding['network_id'] for binding in networks_binding] # Delete the old edge delete_old_dhcp_edge(context, old_edge_id, bindings) # Move all the networks to other (new or existing) edge for net_id in network_ids: recreate_network_dhcp(context, plugin, edge_manager, old_edge_id, net_id)
def redistribute_routers(resource, event, trigger, **kwargs): """If any of the shared routers are on a conflicting edge move them""" context = n_context.get_admin_context() with utils.NsxVPluginWrapper() as plugin: router_driver = plugin._router_managers.get_tenant_router_driver( context, 'shared') routers = plugin.get_routers(context) for router in routers: if (not router.get('distributed', False) and router.get('router_type') == 'shared' and is_router_conflicting_on_edge(context, router_driver, router['id'])): router_driver.detach_router(context, router['id'], router) router_driver.attach_router(context, router['id'], router)
def update_security_groups_logging(resource, event, trigger, **kwargs): """Update allowed traffic logging for all neutron security group rules""" errmsg = ("Need to specify log-allowed-traffic property. Add --property " "log-allowed-traffic=true/false") if not kwargs.get('property'): LOG.error("%s", errmsg) return properties = admin_utils.parse_multi_keyval_opt(kwargs['property']) log_allowed_str = properties.get('log-allowed-traffic') if not log_allowed_str or log_allowed_str.lower() not in ['true', 'false']: LOG.error("%s", errmsg) return log_allowed = log_allowed_str.lower() == 'true' context = n_context.get_admin_context() with utils.NsxVPluginWrapper() as plugin: vcns = plugin.nsx_v.vcns sg_utils = plugin. nsx_sg_utils # If the section/sg is already logged, then no action is # required. security_groups = plugin.get_security_groups(context) LOG.info("Going to update logging of %s sections", len(security_groups)) for sg in [sg for sg in plugin.get_security_groups(context) if sg.get(sg_logging.LOGGING) is False]: if sg.get(sg_policy.POLICY): # Logging is not relevant with a policy continue section_uri = plugin._get_section_uri(context.session, sg['id']) if section_uri is None: continue # Section/sg is not logged, update rules logging according # to the 'log_security_groups_allowed_traffic' config # option. try: h, c = vcns.get_section(section_uri) section = sg_utils.parse_section(c) section_needs_update = sg_utils.set_rules_logged_option( section, log_allowed) if section_needs_update: vcns.update_section(section_uri, sg_utils.to_xml_string(section), h) except Exception as exc: LOG.error('Unable to update security group %(sg)s ' 'section for logging. %(e)s', {'e': exc, 'sg': sg['id']})
def get_orphaned_router_bindings(): context = n_context.get_admin_context() orphaned_list = [] with utils.NsxVPluginWrapper() as plugin: networks = plugin.get_networks(context, fields=['id']) net_ids = [x['id'] for x in networks] routers = plugin.get_routers(context, fields=['id']) rtr_ids = [x['id'] for x in routers] for binding in get_router_edge_bindings(): if not router_binding_obj_exist(context, binding, net_ids, rtr_ids): orphaned_list.append(binding) return orphaned_list
def nsx_recreate_dhcp_edge_by_net_id(net_id): """Recreate a dhcp edge for a specific network without an edge""" LOG.info("ReCreating NSXv Edge for network: %s", net_id) context = n_context.get_admin_context() # init the plugin and edge manager cfg.CONF.set_override( 'core_plugin', 'vmware_nsx.shell.admin.plugins.nsxv.resources' '.utils.NsxVPluginWrapper') with utils.NsxVPluginWrapper() as plugin: nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin)) edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin) # verify that there is no DHCP edge for this network at the moment resource_id = (nsxv_constants.DHCP_EDGE_PREFIX + net_id)[:36] router_binding = nsxv_db.get_nsxv_router_binding( context.session, resource_id) if router_binding: # make sure there is no real edge if router_binding['edge_id']: edge_id = router_binding['edge_id'] try: nsxv_manager.vcns.get_edge(edge_id) except exceptions.ResourceNotFound: # No edge on backend # prevent logger from logging this exception sys.exc_clear() LOG.info("Edge %s does not exist on the NSX", edge_id) else: LOG.warning( "Network %(net_id)s already has a dhcp edge: " "%(edge_id)s", { 'edge_id': edge_id, 'net_id': net_id }) return # delete this old entry nsxv_db.delete_nsxv_router_binding(context.session, resource_id) # Verify that the network exists on neutron try: plugin.get_network(context, net_id) except nl_exc.NetworkNotFound: LOG.error("Network %s does not exist", net_id) return recreate_network_dhcp(context, plugin, edge_manager, None, net_id)
def nsx_redo_metadata_cfg(resource, event, trigger, **kwargs): properties = admin_utils.parse_multi_keyval_opt(kwargs.get('property')) edgeapi = utils.NeutronDbClient() plugin = utils.NsxVPluginWrapper() edge_id = properties.get('edge-id') if properties: if edge_id: nsx_redo_metadata_cfg_for_edge(edgeapi.context, plugin, edge_id) return else: # if the net-id property exist - recreate the edge for this network az_name = properties.get('az-name') if az_name: nsx_redo_metadata_cfg_for_az(edgeapi.context, plugin, az_name) return LOG.error('Cannot parse properties %s', properties) return nsx_redo_metadata_cfg_all(edgeapi.context, plugin)
def nsx_recreate_dhcp_edge_by_net_id(net_id): """Recreate a dhcp edge for a specific network without an edge""" LOG.info("ReCreating NSXv Edge for network: %s", net_id) context = n_context.get_admin_context() # verify that there is no DHCP edge for this network at the moment resource_id = (nsxv_constants.DHCP_EDGE_PREFIX + net_id)[:36] router_binding = nsxv_db.get_nsxv_router_binding(context.session, resource_id) if router_binding: # make sure there is no edge if router_binding['edge_id']: LOG.warning( "Network %(net_id)s already has a dhcp edge: " "%(egde_id)s", { 'edge_id': router_binding['edge_id'], 'net_id': net_id }) return # delete this old entry nsxv_db.delete_nsxv_router_binding(context.session, resource_id) # init the plugin and edge manager cfg.CONF.set_override( 'core_plugin', 'vmware_nsx.shell.admin.plugins.nsxv.resources' '.utils.NsxVPluginWrapper') with utils.NsxVPluginWrapper() as plugin: nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin)) edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin) # check if this network is attached to a distributed router vdr_router_id = _get_net_vdr_router_id(plugin, context, net_id) if vdr_router_id: # recreate the edge as a VDR DHCP edge recreate_vdr_dhcp_edge(context, plugin, edge_manager, vdr_router_id) else: # This is a regular DHCP edge: recreate_network_dhcp(context, plugin, edge_manager, None, net_id)
def nsx_redistribute_dhcp_edges(resource, event, trigger, **kwargs): """If any of the DHCP networks are on a conflicting edge move them""" context = n_context.get_admin_context() with utils.NsxVPluginWrapper() as plugin: nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin)) edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin) # go over all DHCP subnets networks = plugin.get_networks(context) for network in networks: network_id = network['id'] # Check if the network has a related DHCP edge resource_id = (nsxv_constants.DHCP_EDGE_PREFIX + network_id)[:36] dhcp_edge_binding = nsxv_db.get_nsxv_router_binding( context.session, resource_id) if not dhcp_edge_binding: continue LOG.info("Checking network %s", network_id) edge_id = dhcp_edge_binding['edge_id'] availability_zone = plugin.get_network_az_by_net_id( context, network['id']) filters = {'network_id': [network_id], 'enable_dhcp': [True]} subnets = plugin.get_subnets(context, filters=filters) for subnet in subnets: (conflict_edge_ids, available_edge_ids) = edge_manager._get_used_edges( context, subnet, availability_zone) if edge_id in conflict_edge_ids: # move the DHCP to another edge LOG.info( "Network %(net)s on DHCP edge %(edge)s is " "conflicting with another network and will be " "moved", { 'net': network_id, 'edge': edge_id }) edge_manager.remove_network_from_dhcp_edge( context, network_id, edge_id) edge_manager.create_dhcp_edge_service( context, network_id, subnet) break
def nsx_update_dhcp_edge_binding(resource, event, trigger, **kwargs): """Resync DHCP bindings on NSXv Edge""" if not kwargs.get('property'): LOG.error(_LE("Need to specify edge-id parameter")) return else: properties = admin_utils.parse_multi_keyval_opt(kwargs['property']) edge_id = properties.get('edge-id') if not edge_id: LOG.error(_LE("Need to specify edge-id parameter")) return LOG.info(_LI("Updating NSXv Edge: %s"), edge_id) # Need to create a plugin object; so that we are able to # do neutron list-ports. plugin = utils.NsxVPluginWrapper() nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin)) edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin) try: edge_manager.update_dhcp_service_config(neutron_db.context, edge_id) except exceptions.ResourceNotFound: LOG.error(_LE("Edge %s not found"), edge_id)
def migrate_distributed_routers_dhcp(resource, event, trigger, **kwargs): context = n_context.get_admin_context() nsxv = utils.get_nsxv_client() with utils.NsxVPluginWrapper() as plugin: routers = plugin.get_routers(context) for router in routers: if router.get('distributed', False): binding = nsxv_db.get_nsxv_router_binding( context.session, router['id']) if binding: edge_id = binding['edge_id'] with locking.LockManager.get_lock(edge_id): route_obj = nsxv.get_routes(edge_id)[1] routes = route_obj.get('staticRoutes', {}).get('staticRoutes', []) new_routes = [ route for route in routes if route.get('network') != '169.254.169.254/32' ] route_obj['staticRoutes']['staticRoutes'] = new_routes nsxv.update_routes(edge_id, route_obj)
def clean_orphaned_vnics(resource, event, trigger, **kwargs): """List router orphaned router vnics where the port was deleted""" orphaned_vnics = get_orphaned_vnics() if not orphaned_vnics: LOG.info("No orphaned router vnics found") return headers = ['edge_id', 'vnic_index', 'tunnel_index', 'network_id'] LOG.info( formatters.output_formatter(constants.ORPHANED_VNICS, orphaned_vnics, headers)) user_confirm = admin_utils.query_yes_no( "Do you want to delete " "orphaned vnics", default="no") if not user_confirm: LOG.info("NSXv vnics deletion aborted by user") return context = n_context.get_admin_context() with utils.NsxVPluginWrapper() as plugin: nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin)) for vnic in orphaned_vnics: if not vnic['distributed']: try: nsxv_manager.vcns.delete_interface(vnic['edge_id'], vnic['vnic_index']) except Exception as e: LOG.error("Failed to delete vnic from NSX: %s", e) nsxv_db.free_edge_vnic_by_network(context.session, vnic['edge_id'], vnic['network_id']) else: try: nsxv_manager.vcns.delete_vdr_internal_interface( vnic['edge_id'], vnic['vnic_index']) except Exception as e: LOG.error("Failed to delete vnic from NSX: %s", e) nsxv_db.delete_edge_vnic_binding_by_network( context.session, vnic['edge_id'], vnic['network_id'])
def get_orphaned_router_bindings(): context = n_context.get_admin_context() orphaned_list = [] with utils.NsxVPluginWrapper() as plugin: networks = plugin.get_networks(context, fields=['id']) net_ids = [x['id'] for x in networks] routers = plugin.get_routers(context, fields=['id']) rtr_ids = [x['id'] for x in routers] nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin)) edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin) plr_tlr_ids = {} for tlr_id in rtr_ids: plr_id = edge_manager.get_plr_by_tlr_id(context, tlr_id) if plr_id: plr_tlr_ids[plr_id] = tlr_id for binding in get_router_edge_bindings(): if not router_binding_obj_exist(context, binding, net_ids, rtr_ids, plr_tlr_ids): orphaned_list.append(binding) return orphaned_list
def nsx_fix_mismatch_addresses(resource, event, trigger, **kwargs): """Fix missing spoofguard policies approved addresses for a port.""" port_id = None if kwargs.get('property'): properties = admin_utils.parse_multi_keyval_opt(kwargs['property']) port_id = properties.get('port') if not port_id: usage_msg = ("Need to specify the id of the neutron port. " "Add --property port=<port_id>") LOG.error(usage_msg) return spgapi = utils.NeutronDbClient() with utils.NsxVPluginWrapper() as plugin: try: port = plugin.get_port(spgapi.context, port_id) except exceptions.PortNotFound: LOG.error("Could not find neutron port %s", port_id) return vnic_id = get_port_vnic_id(plugin, port) plugin._update_vnic_assigned_addresses(spgapi.context.session, port, vnic_id) LOG.info("Done.")
def firewall_update_cluster_default_fw_section(resource, event, trigger, **kwargs): with utils.NsxVPluginWrapper() as plugin: plugin._create_cluster_default_fw_section() LOG.info("Cluster default FW section updated.")
def migrate_sg_to_policy(resource, event, trigger, **kwargs): """Change the mode of a security group from rules to NSX policy""" if not kwargs.get('property'): LOG.error("Need to specify security-group-id and policy-id " "parameters") return # input validation properties = admin_utils.parse_multi_keyval_opt(kwargs['property']) sg_id = properties.get('security-group-id') if not sg_id: LOG.error("Need to specify security-group-id parameter") return policy_id = properties.get('policy-id') if not policy_id: LOG.error("Need to specify policy-id parameter") return # validate that the security group exist and contains rules and no policy context_ = n_context.get_admin_context() with utils.NsxVPluginWrapper() as plugin: try: secgroup = plugin.get_security_group(context_, sg_id) except ext_sg.SecurityGroupNotFound: LOG.error("Security group %s was not found", sg_id) return if secgroup.get('policy'): LOG.error("Security group %s already uses a policy", sg_id) return # validate that the policy exists if not plugin.nsx_v.vcns.validate_inventory(policy_id): LOG.error("NSX policy %s was not found", policy_id) return # get the nsx id from the backend nsx_sg_id = nsx_db.get_nsx_security_group_id(context_.session, sg_id, moref=True) if not nsx_sg_id: LOG.error("Did not find security groups %s neutron ID", sg_id) return # Delete the rules from the security group LOG.info("Deleting the rules of security group: %s", sg_id) for rule in secgroup.get('security_group_rules', []): try: plugin.delete_security_group_rule(context_, rule['id']) except Exception as e: LOG.warning( "Failed to delete rule %(r)s from security " "group %(sg)s: %(e)s", { 'r': rule['id'], 'sg': sg_id, 'e': e }) # continue anyway # Delete the security group FW section LOG.info("Deleting the section of security group: %s", sg_id) try: section_uri = plugin._get_section_uri(context_.session, sg_id) plugin._delete_section(section_uri) nsxv_db.delete_neutron_nsx_section_mapping(context_.session, sg_id) except Exception as e: LOG.warning( "Failed to delete firewall section of security " "group %(sg)s: %(e)s", { 'sg': sg_id, 'e': e }) # continue anyway # bind this security group to the policy in the backend and DB LOG.info("Binding the NSX security group %(nsx)s to policy " "%(pol)s", { 'nsx': nsx_sg_id, 'pol': policy_id }) plugin._update_nsx_security_group_policies(policy_id, None, nsx_sg_id) with context_.session.begin(subtransactions=True): prop = context_.session.query( extended_secgroup.NsxExtendedSecurityGroupProperties).\ filter_by(security_group_id=sg_id).one() prop[sg_policy.POLICY] = policy_id LOG.info("Done.")
def list_orphaned_networks(resource, event, trigger, **kwargs): """List the NSX networks which are missing the neutron DB """ admin_context = context.get_admin_context() missing_networks = [] # get all neutron distributed routers in advanced with utils.NsxVPluginWrapper() as plugin: neutron_routers = plugin.get_routers( admin_context, fields=['id', 'name', 'distributed']) neutron_dist_routers = [ rtr for rtr in neutron_routers if rtr['distributed'] ] # get the list of backend networks: backend_networks = get_networks() for net in backend_networks: moref = net['moref'] backend_name = net['name'] # Decide if this is a neutron network by its name (which should always # contain the net-id), and type if (backend_name.startswith('edge-') or len(backend_name) < 36 or net['type'] == 'Network'): # This is not a neutron network continue if backend_name.startswith('int-') and net['type'] == 'VirtualWire': # This is a PLR network. Check that the router exists found = False # compare the expected lswitch name by the dist router name & id for rtr in neutron_dist_routers: lswitch_name = ('int-' + rtr['name'] + rtr['id'])[:36] if lswitch_name == backend_name: found = True break # if the neutron router got renamed, this will not work. # compare ids prefixes instead (might cause false positives) for rtr in neutron_dist_routers: if rtr['id'][:5] in backend_name: LOG.info( "Logical switch %s probably matches distributed " "router %s", backend_name, rtr['id']) found = True break if not found: missing_networks.append(net) continue # get the list of neutron networks with this moref neutron_networks = nsx_db.get_nsx_network_mapping_for_nsx_id( admin_context.session, moref) if not neutron_networks: # no network found for this moref missing_networks.append(net) elif moref.startswith(PORTGROUP_PREFIX): # This is a VLAN network. Also verify that the DVS Id matches for entry in neutron_networks: if (not entry['dvs_id'] or backend_name.startswith(entry['dvs_id'])): found = True # this moref & dvs-id does not appear in the DB if not found: missing_networks.append(net) LOG.info( formatters.output_formatter(constants.ORPHANED_NETWORKS, missing_networks, ['type', 'moref', 'name']))
def nsx_recreate_router_edge(resource, event, trigger, **kwargs): """Recreate a router edge with all the data on a new NSXv edge""" if not kwargs.get('property'): LOG.error(_LE("Need to specify edge-id parameter")) return # input validation properties = admin_utils.parse_multi_keyval_opt(kwargs['property']) old_edge_id = properties.get('edge-id') if not old_edge_id: LOG.error(_LE("Need to specify edge-id parameter")) return LOG.info(_LI("ReCreating NSXv Router Edge: %s"), old_edge_id) # init the plugin and edge manager cfg.CONF.set_override( 'core_plugin', 'vmware_nsx.shell.admin.plugins.nsxv.resources' '.utils.NsxVPluginWrapper') plugin = utils.NsxVPluginWrapper() nsxv_manager = vcns_driver.VcnsDriver(edge_utils.NsxVCallbacks(plugin)) edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin) context = n_context.get_admin_context() # verify that this is a Router edge router_ids = edge_manager.get_routers_on_edge(context, old_edge_id) if not router_ids: LOG.error(_LE("Edge %(edge_id)s is not a router edge"), {'edge_id': old_edge_id}) return # all the routers on the same edge have the same type, so it # is ok to check the type once example_router = plugin.get_router(context, router_ids[0]) router_driver = plugin._router_managers.get_tenant_router_driver( context, example_router['router_type']) if router_driver.get_type() == "distributed": LOG.error( _LE("Recreating a distributed driver edge is not " "supported")) return # load all the routers before deleting their binding routers = [] for router_id in router_ids: routers.append(plugin.get_router(context, router_id)) # delete the backend edge and all the relevant DB entries delete_old_edge(context, old_edge_id) # Go over all the relevant routers for router in routers: router_id = router['id'] # clean up other objects related to this router if plugin.metadata_proxy_handler: plugin.metadata_proxy_handler.cleanup_router_edge(router_id) # attach the router to a new edge appliance_size = router.get(routersize.ROUTER_SIZE) router_driver.attach_router(context, router_id, {'router': router}, appliance_size=appliance_size) # find out who is the new edge to print it new_edge_id = router_driver._get_edge_id_or_raise(context, router_id) LOG.info(_LI("Router %(router)s was attached to edge %(edge)s"), { 'router': router_id, 'edge': new_edge_id })
h, firewall_config = self.vcns.get_dfw_config() root = et.fromstring(firewall_config) sections = [] for sec in root.iter('section'): sec_id = sec.attrib['id'] # Don't show NSX default sections, which are not relevant to OS. if sec_id in ['1001', '1002', '1003']: continue sections.append({'name': sec.attrib['name'], 'id': sec_id}) return sections neutron_sg = NeutronSecurityGroupDB() nsxv_firewall = NsxFirewallAPI() plugin = utils.NsxVPluginWrapper() def _log_info(resource, data, attrs=['name', 'id']): LOG.info(formatters.output_formatter(resource, data, attrs)) @admin_utils.list_handler(constants.SECURITY_GROUPS) @admin_utils.output_header def neutron_list_security_groups_mappings(resource, event, trigger, **kwargs): sg_mappings = neutron_sg.get_security_groups_mappings() _log_info(constants.SECURITY_GROUPS, sg_mappings, attrs=['name', 'id', 'section-uri', 'nsx-securitygroup-id']) return bool(sg_mappings)