def tag_default_ports(resource, event, trigger, **kwargs):
nsxlib = v3_utils.get_connected_nsxlib()
admin_cxt = neutron_context.get_admin_context()
filters = v3_utils.get_plugin_filters(admin_cxt)
# the plugin creation below will create the NS group and update the default
# OS section to have the correct applied to group
with v3_utils.NsxV3PluginWrapper() as _plugin:
neutron_ports = _plugin.get_ports(admin_cxt, filters=filters)
for port in neutron_ports:
neutron_id = port['id']
# get the network nsx id from the mapping table
nsx_id = plugin_utils.get_port_nsx_id(admin_cxt.session,
neutron_id)
if not nsx_id:
continue
device_owner = port['device_owner']
if (device_owner == l3_db.DEVICE_OWNER_ROUTER_INTF or
device_owner == const.DEVICE_OWNER_DHCP):
continue
ps = _plugin._get_port_security_binding(admin_cxt,
neutron_id)
if not ps:
continue
try:
nsx_port = nsxlib.logical_port.get(nsx_id)
except nsx_exc.ResourceNotFound:
continue
tags_update = nsx_port['tags']
tags_update += [{'scope': security.PORT_SG_SCOPE,
'tag': plugin.NSX_V3_DEFAULT_SECTION}]
nsxlib.logical_port.update(nsx_id, None,
tags_update=tags_update)
def tag_default_ports(resource, event, trigger, **kwargs):
nsxlib = v3_utils.get_connected_nsxlib()
admin_cxt = neutron_context.get_admin_context()
filters = v3_utils.get_plugin_filters(admin_cxt)
# the plugin creation below will create the NS group and update the default
# OS section to have the correct applied to group
with v3_utils.NsxV3PluginWrapper() as _plugin:
neutron_ports = _plugin.get_ports(admin_cxt, filters=filters)
for port in neutron_ports:
neutron_id = port['id']
# get the network nsx id from the mapping table
nsx_id = get_port_nsx_id(admin_cxt.session, neutron_id)
if not nsx_id:
continue
device_owner = port['device_owner']
if (device_owner == l3_db.DEVICE_OWNER_ROUTER_INTF
or device_owner == const.DEVICE_OWNER_DHCP):
continue
ps = _plugin._get_port_security_binding(admin_cxt, neutron_id)
if not ps:
continue
try:
nsx_port = nsxlib.logical_port.get(nsx_id)
except nsx_exc.ResourceNotFound:
continue
tags_update = nsx_port['tags']
tags_update += [{
'scope': security.PORT_SG_SCOPE,
'tag': plugin.NSX_V3_DEFAULT_SECTION
}]
nsxlib.logical_port.update(nsx_id, None, tags_update=tags_update)
def list_missing_networks(resource, event, trigger, **kwargs):
"""List neutron networks that are missing the NSX backend network
"""
nsxlib = utils.get_connected_nsxlib()
plugin = db_base_plugin_v2.NeutronDbPluginV2()
admin_cxt = neutron_context.get_admin_context()
filters = utils.get_plugin_filters(admin_cxt)
neutron_networks = plugin.get_networks(admin_cxt, filters=filters)
networks = []
for net in neutron_networks:
neutron_id = net['id']
# get the network nsx id from the mapping table
nsx_id = get_network_nsx_id(admin_cxt, neutron_id)
if not nsx_id:
# skip external networks
pass
else:
try:
nsxlib.logical_switch.get(nsx_id)
except nsx_exc.ResourceNotFound:
networks.append({'name': net['name'],
'neutron_id': neutron_id,
'nsx_id': nsx_id})
if len(networks) > 0:
title = ("Found %d internal networks missing from the NSX "
"manager:") % len(networks)
LOG.info(formatters.output_formatter(
title, networks,
['name', 'neutron_id', 'nsx_id']))
else:
LOG.info("All internal networks exist on the NSX manager")
def update_enable_standby_relocation(resource, event, trigger, **kwargs):
"""Enable standby relocation on all routers """
# This feature is supported only since nsx version 2.4
nsxlib = utils.get_connected_nsxlib()
version = nsxlib.get_version()
if not nsx_utils.is_nsx_version_2_4_0(version):
LOG.info("Standby relocation update is only supported from 2.4 "
"onwards")
LOG.info("Version is %s", version)
return
# Go over all neutron routers
plugin = RoutersPlugin()
admin_cxt = neutron_context.get_admin_context()
filters = utils.get_plugin_filters(admin_cxt)
neutron_routers = plugin.get_routers(admin_cxt, filters=filters)
for router in neutron_routers:
neutron_id = router['id']
# get the router nsx id from the mapping table
nsx_id = nsx_db.get_nsx_router_id(admin_cxt.session, neutron_id)
try:
nsxlib.logical_router.update(lrouter_id=nsx_id,
enable_standby_relocation=True)
except Exception as e:
# This may fail if the service router is not created
LOG.warning("Router %s cannot enable standby relocation: %s",
neutron_id, e)
else:
LOG.info("Router %s was enabled with standby relocation",
neutron_id)
LOG.info("Done")
def update_nat_rules(resource, event, trigger, **kwargs):
"""Update all routers NAT rules to not bypass the firewall"""
# This feature is supported only since nsx version 2
nsxlib = utils.get_connected_nsxlib()
version = nsxlib.get_version()
if not nsx_utils.is_nsx_version_2_0_0(version):
LOG.info("NAT rules update only supported from 2.0 onwards")
LOG.info("Version is %s", version)
return
# Go over all neutron routers
plugin = RoutersPlugin()
admin_cxt = neutron_context.get_admin_context()
filters = utils.get_plugin_filters(admin_cxt)
neutron_routers = plugin.get_routers(admin_cxt, filters=filters)
num_of_updates = 0
for router in neutron_routers:
neutron_id = router['id']
# get the router nsx id from the mapping table
nsx_id = nsx_db.get_nsx_router_id(admin_cxt.session, neutron_id)
if nsx_id:
# get all NAT rules:
rules = nsxlib.logical_router.list_nat_rules(nsx_id)['results']
for rule in rules:
if rule['action'] not in ["NO_SNAT", "NO_DNAT", "NO_NAT"]:
if 'nat_pass' not in rule or rule['nat_pass']:
nsxlib.logical_router.update_nat_rule(nsx_id,
rule['id'],
nat_pass=False)
num_of_updates = num_of_updates + 1
if num_of_updates:
LOG.info("Done updating %s NAT rules", num_of_updates)
else:
LOG.info("Did not find any NAT rule to update")
def list_missing_networks(resource, event, trigger, **kwargs):
"""List neutron networks that are missing the NSX backend network
"""
nsxlib = utils.get_connected_nsxlib()
plugin = db_base_plugin_v2.NeutronDbPluginV2()
admin_cxt = neutron_context.get_admin_context()
filters = utils.get_plugin_filters(admin_cxt)
neutron_networks = plugin.get_networks(admin_cxt, filters=filters)
networks = []
for net in neutron_networks:
neutron_id = net['id']
# get the network nsx id from the mapping table
nsx_id = get_network_nsx_id(admin_cxt, neutron_id)
if not nsx_id:
# skip external networks
pass
else:
try:
nsxlib.logical_switch.get(nsx_id)
except nsx_exc.ResourceNotFound:
networks.append({
'name': net['name'],
'neutron_id': neutron_id,
'nsx_id': nsx_id
})
if len(networks) > 0:
title = ("Found %d internal networks missing from the NSX "
"manager:") % len(networks)
LOG.info(
formatters.output_formatter(title, networks,
['name', 'neutron_id', 'nsx_id']))
else:
LOG.info("All internal networks exist on the NSX manager")
def list_missing_routers(resource, event, trigger, **kwargs):
"""List neutron routers that are missing the NSX backend router
"""
nsxlib = utils.get_connected_nsxlib()
plugin = RoutersPlugin()
admin_cxt = neutron_context.get_admin_context()
filters = utils.get_plugin_filters(admin_cxt)
neutron_routers = plugin.get_routers(admin_cxt, filters=filters)
routers = []
for router in neutron_routers:
neutron_id = router['id']
# get the router nsx id from the mapping table
nsx_id = nsx_db.get_nsx_router_id(admin_cxt.session,
neutron_id)
if not nsx_id:
routers.append({'name': router['name'],
'neutron_id': neutron_id,
'nsx_id': None})
else:
try:
nsxlib.logical_router.get(nsx_id)
except nsx_exc.ResourceNotFound:
routers.append({'name': router['name'],
'neutron_id': neutron_id,
'nsx_id': nsx_id})
if len(routers) > 0:
title = ("Found %d routers missing from the NSX "
"manager:") % len(routers)
LOG.info(formatters.output_formatter(
title, routers,
['name', 'neutron_id', 'nsx_id']))
else:
LOG.info("All routers exist on the NSX manager")
def update_dhcp_relay(resource, event, trigger, **kwargs):
"""Update all routers dhcp relay service by the current configuration"""
nsxlib = utils.get_connected_nsxlib()
if not nsxlib.feature_supported(nsx_constants.FEATURE_DHCP_RELAY):
version = nsxlib.get_version()
LOG.error("DHCP relay is not supported by NSX version %s", version)
return
admin_cxt = neutron_context.get_admin_context()
filters = utils.get_plugin_filters(admin_cxt)
with utils.NsxV3PluginWrapper() as plugin:
# Make sure FWaaS was initialized
plugin.init_fwaas_for_admin_utils()
# get all neutron routers and interfaces ports
routers = plugin.get_routers(admin_cxt, filters=filters)
for router in routers:
LOG.info("Updating router %s", router['id'])
port_filters = {
'device_owner': [l3_db.DEVICE_OWNER_ROUTER_INTF],
'device_id': [router['id']]
}
ports = plugin.get_ports(admin_cxt, filters=port_filters)
for port in ports:
# get the backend router port by the tag
nsx_port_id = nsxlib.get_id_by_resource_and_tag(
'LogicalRouterDownLinkPort', 'os-neutron-rport-id',
port['id'])
if not nsx_port_id:
LOG.warning(
"Couldn't find nsx router port for interface "
"%s", port['id'])
continue
# get the network of this port
network_id = port['network_id']
# check the relay service on the az of the network
az = plugin.get_network_az_by_net_id(admin_cxt, network_id)
nsxlib.logical_router_port.update(
nsx_port_id, relay_service_uuid=az.dhcp_relay_service)
# if FWaaS is enables, also update the firewall rules
try:
plugin.update_router_firewall(admin_cxt, router['id'])
except Exception as e:
LOG.warning(
"Updating router firewall was skipped because of "
"an error %s", e)
LOG.info("Done.")
def list_missing_ports(resource, event, trigger, **kwargs):
"""List neutron ports that are missing the NSX backend port
And ports with wrong switch profiles or bindings
"""
admin_cxt = neutron_context.get_admin_context()
filters = v3_utils.get_plugin_filters(admin_cxt)
nsxlib = v3_utils.get_connected_nsxlib()
with v3_utils.NsxV3PluginWrapper() as plugin:
problems = plugin_utils.get_mismatch_logical_ports(
admin_cxt, nsxlib, plugin, filters)
if len(problems) > 0:
title = ("Found internal ports misconfiguration on the "
"NSX manager:")
LOG.info(formatters.output_formatter(
title, problems,
['neutron_id', 'nsx_id', 'error']))
else:
LOG.info("All internal ports verified on the NSX manager")
def list_missing_ports(resource, event, trigger, **kwargs):
"""List neutron ports that are missing the NSX backend port
And ports with wrong switch profiles or bindings
"""
admin_cxt = neutron_context.get_admin_context()
filters = v3_utils.get_plugin_filters(admin_cxt)
nsxlib = v3_utils.get_connected_nsxlib()
with PortsPlugin() as plugin:
problems = plugin_utils.get_mismatch_logical_ports(
admin_cxt, nsxlib, plugin, filters)
if len(problems) > 0:
title = ("Found internal ports misconfiguration on the "
"NSX manager:")
LOG.info(
formatters.output_formatter(title, problems,
['neutron_id', 'nsx_id', 'error']))
else:
LOG.info("All internal ports verified on the NSX manager")
def list_missing_ports(resource, event, trigger, **kwargs):
"""List neutron ports that are missing the NSX backend port
And ports with wrong switch profiles
"""
admin_cxt = neutron_context.get_admin_context()
filters = v3_utils.get_plugin_filters(admin_cxt)
with PortsPlugin() as plugin:
neutron_ports = plugin.get_ports(admin_cxt, filters=filters)
port_client, profile_client = get_port_and_profile_clients()
# get pre-defined profile ids
dhcp_profile_id = get_dhcp_profile_id(profile_client)
dhcp_profile_key = resources.SwitchingProfileTypes.SWITCH_SECURITY
spoofguard_profile_id = get_spoofguard_profile_id(profile_client)
spoofguard_profile_key = resources.SwitchingProfileTypes.SPOOF_GUARD
qos_profile_key = resources.SwitchingProfileTypes.QOS
problems = []
for port in neutron_ports:
neutron_id = port['id']
# get the network nsx id from the mapping table
nsx_id = get_port_nsx_id(admin_cxt.session, neutron_id)
if not nsx_id:
# skip external ports
pass
else:
try:
nsx_port = port_client.get(nsx_id)
except nsx_exc.ResourceNotFound:
problems.append({
'neutron_id': neutron_id,
'nsx_id': nsx_id,
'error': 'Missing from backend'
})
continue
# Port found on backend!
# Check that it has all the expected switch profiles.
# create a dictionary of the current profiles:
profiles_dict = {}
for prf in nsx_port['switching_profile_ids']:
profiles_dict[prf['key']] = prf['value']
# DHCP port: neutron dhcp profile should be attached
# to logical ports created for neutron DHCP but not
# for native DHCP.
if (port.get('device_owner') == const.DEVICE_OWNER_DHCP
and not cfg.CONF.nsx_v3.native_dhcp_metadata):
prf_id = profiles_dict[dhcp_profile_key]
if prf_id != dhcp_profile_id:
add_profile_mismatch(problems, neutron_id, nsx_id,
prf_id, "DHCP security")
# Port with QoS policy: a matching profile should be attached
qos_policy_id = qos_utils.get_port_policy_id(
admin_cxt, neutron_id)
if qos_policy_id:
qos_profile_id = nsx_db.get_switch_profile_by_qos_policy(
admin_cxt.session, qos_policy_id)
prf_id = profiles_dict[qos_profile_key]
if prf_id != qos_profile_id:
add_profile_mismatch(problems, neutron_id, nsx_id,
prf_id, "QoS")
# Port with security & fixed ips/address pairs:
# neutron spoofguard profile should be attached
port_sec, has_ip = plugin._determine_port_security_and_has_ip(
admin_cxt, port)
addr_pair = port.get(addr_apidef.ADDRESS_PAIRS)
if port_sec and (has_ip or addr_pair):
prf_id = profiles_dict[spoofguard_profile_key]
if prf_id != spoofguard_profile_id:
add_profile_mismatch(problems, neutron_id, nsx_id,
prf_id, "Spoof Guard")
if len(problems) > 0:
title = ("Found internal ports misconfiguration on the "
"NSX manager:")
LOG.info(
formatters.output_formatter(title, problems,
['neutron_id', 'nsx_id', 'error']))
else:
LOG.info("All internal ports verified on the NSX manager")
def __init__(self):
super(NeutronSecurityGroupApi, self)
self.context = neutron_context.get_admin_context()
self.filters = v3_utils.get_plugin_filters(self.context)
def __init__(self):
super(NeutronSecurityGroupApi, self)
self.context = neutron_context.get_admin_context()
self.filters = v3_utils.get_plugin_filters(self.context)