def delete_policy(self, context, policy_id):
profile_id = nsx_db.get_switch_profile_by_qos_policy(
context.session, policy_id)
# delete the profile id from the backend and the DB
self._nsxlib_qos.delete(profile_id)
nsx_db.delete_qos_policy_profile_mapping(
context.session, policy_id)
def delete_policy(self, context, policy_id):
profile_id = nsx_db.get_switch_profile_by_qos_policy(
context.session, policy_id)
# delete the profile id from the backend and the DB
self._nsxlib_qos.delete(profile_id)
nsx_db.delete_qos_policy_profile_mapping(
context.session, policy_id)
def update_policy(self, context, policy_id, policy):
profile_id = nsx_db.get_switch_profile_by_qos_policy(
context.session, policy_id)
tags = self._get_tags(context, policy)
self._nsxlib_qos.update(profile_id,
tags=tags,
name=policy.name,
description=policy.description)
def update_policy(self, context, policy_id, policy):
profile_id = nsx_db.get_switch_profile_by_qos_policy(
context.session, policy_id)
tags = self._get_tags(context, policy)
nsxlib.update_qos_switching_profile(
profile_id,
tags=tags,
name=policy.name,
description=policy.description)
def update_policy_rules(self, context, policy_id, bw_rule, dscp_rule):
"""Update the QoS switch profile with the BW limitations and
DSCP marking configuration
"""
profile_id = nsx_db.get_switch_profile_by_qos_policy(
context.session, policy_id)
(shaping_enabled, burst_size, peak_bw,
average_bw) = self._get_bw_values_from_rule(bw_rule)
qos_marking, dscp = self._get_dscp_values_from_rule(dscp_rule)
self._nsxlib_qos.update_shaping(profile_id,
shaping_enabled=shaping_enabled,
burst_size=burst_size,
peak_bandwidth=peak_bw,
average_bandwidth=average_bw,
qos_marking=qos_marking,
dscp=dscp)
def update_policy_rules(self, context, policy_id, rules):
"""Update the QoS switch profile with the BW limitations and
DSCP marking configuration
"""
profile_id = nsx_db.get_switch_profile_by_qos_policy(
context.session, policy_id)
ingress_bw_rule = None
egress_bw_rule = None
dscp_rule = None
for rule in rules:
if rule.rule_type == qos_consts.RULE_TYPE_BANDWIDTH_LIMIT:
if rule.direction == n_consts.EGRESS_DIRECTION:
egress_bw_rule = rule
else:
ingress_bw_rule = rule
elif rule.rule_type == qos_consts.RULE_TYPE_DSCP_MARKING:
dscp_rule = rule
else:
LOG.warning(
"The NSX-V3 plugin does not support QoS rule of "
"type %s", rule.rule_type)
# the NSX direction is opposite to the neutron direction
(ingress_bw_enabled, ingress_burst_size, ingress_peak_bw,
ingress_average_bw) = self._get_bw_values_from_rule(egress_bw_rule)
(egress_bw_enabled, egress_burst_size, egress_peak_bw,
egress_average_bw) = self._get_bw_values_from_rule(ingress_bw_rule)
qos_marking, dscp = self._get_dscp_values_from_rule(dscp_rule)
self._nsxlib_qos.set_profile_shaping(
profile_id,
ingress_bw_enabled=ingress_bw_enabled,
ingress_burst_size=ingress_burst_size,
ingress_peak_bandwidth=ingress_peak_bw,
ingress_average_bandwidth=ingress_average_bw,
egress_bw_enabled=egress_bw_enabled,
egress_burst_size=egress_burst_size,
egress_peak_bandwidth=egress_peak_bw,
egress_average_bandwidth=egress_average_bw,
qos_marking=qos_marking,
dscp=dscp)
def update_policy_rules(self, context, policy_id, rules):
"""Update the QoS switch profile with the BW limitations and
DSCP marking configuration
"""
profile_id = nsx_db.get_switch_profile_by_qos_policy(
context.session, policy_id)
ingress_bw_rule = None
egress_bw_rule = None
dscp_rule = None
for rule in rules:
if rule.rule_type == qos_consts.RULE_TYPE_BANDWIDTH_LIMIT:
if rule.direction == n_consts.EGRESS_DIRECTION:
egress_bw_rule = rule
else:
ingress_bw_rule = rule
elif rule.rule_type == qos_consts.RULE_TYPE_DSCP_MARKING:
dscp_rule = rule
else:
LOG.warning("The NSX-V3 plugin does not support QoS rule of "
"type %s", rule.rule_type)
# the NSX direction is opposite to the neutron direction
(ingress_bw_enabled, ingress_burst_size, ingress_peak_bw,
ingress_average_bw) = self._get_bw_values_from_rule(egress_bw_rule)
(egress_bw_enabled, egress_burst_size, egress_peak_bw,
egress_average_bw) = self._get_bw_values_from_rule(ingress_bw_rule)
qos_marking, dscp = self._get_dscp_values_from_rule(dscp_rule)
self._nsxlib_qos.set_profile_shaping(
profile_id,
ingress_bw_enabled=ingress_bw_enabled,
ingress_burst_size=ingress_burst_size,
ingress_peak_bandwidth=ingress_peak_bw,
ingress_average_bandwidth=ingress_average_bw,
egress_bw_enabled=egress_bw_enabled,
egress_burst_size=egress_burst_size,
egress_peak_bandwidth=egress_peak_bw,
egress_average_bandwidth=egress_average_bw,
qos_marking=qos_marking, dscp=dscp)
def update_policy_rules(self, context, policy_id, bw_rule, dscp_rule):
"""Update the QoS switch profile with the BW limitations and
DSCP marking configuration
"""
profile_id = nsx_db.get_switch_profile_by_qos_policy(
context.session, policy_id)
(shaping_enabled, burst_size, peak_bw,
average_bw) = self._get_bw_values_from_rule(bw_rule)
qos_marking, dscp = self._get_dscp_values_from_rule(dscp_rule)
nsxlib.update_qos_switching_profile_shaping(
profile_id,
shaping_enabled=shaping_enabled,
burst_size=burst_size,
peak_bandwidth=peak_bw,
average_bandwidth=average_bw,
qos_marking=qos_marking,
dscp=dscp)
def list_missing_ports(resource, event, trigger, **kwargs):
"""List neutron ports that are missing the NSX backend port
And ports with wrong switch profiles
"""
admin_cxt = neutron_context.get_admin_context()
filters = v3_utils.get_plugin_filters(admin_cxt)
with PortsPlugin() as plugin:
neutron_ports = plugin.get_ports(admin_cxt, filters=filters)
port_client, profile_client = get_port_and_profile_clients()
# get pre-defined profile ids
dhcp_profile_id = get_dhcp_profile_id(profile_client)
dhcp_profile_key = resources.SwitchingProfileTypes.SWITCH_SECURITY
spoofguard_profile_id = get_spoofguard_profile_id(profile_client)
spoofguard_profile_key = resources.SwitchingProfileTypes.SPOOF_GUARD
qos_profile_key = resources.SwitchingProfileTypes.QOS
problems = []
for port in neutron_ports:
neutron_id = port['id']
# get the network nsx id from the mapping table
nsx_id = get_port_nsx_id(admin_cxt.session, neutron_id)
if not nsx_id:
# skip external ports
pass
else:
try:
nsx_port = port_client.get(nsx_id)
except nsx_exc.ResourceNotFound:
problems.append({
'neutron_id': neutron_id,
'nsx_id': nsx_id,
'error': 'Missing from backend'
})
continue
# Port found on backend!
# Check that it has all the expected switch profiles.
# create a dictionary of the current profiles:
profiles_dict = {}
for prf in nsx_port['switching_profile_ids']:
profiles_dict[prf['key']] = prf['value']
# DHCP port: neutron dhcp profile should be attached
# to logical ports created for neutron DHCP but not
# for native DHCP.
if (port.get('device_owner') == const.DEVICE_OWNER_DHCP
and not cfg.CONF.nsx_v3.native_dhcp_metadata):
prf_id = profiles_dict[dhcp_profile_key]
if prf_id != dhcp_profile_id:
add_profile_mismatch(problems, neutron_id, nsx_id,
prf_id, "DHCP security")
# Port with QoS policy: a matching profile should be attached
qos_policy_id = qos_utils.get_port_policy_id(
admin_cxt, neutron_id)
if qos_policy_id:
qos_profile_id = nsx_db.get_switch_profile_by_qos_policy(
admin_cxt.session, qos_policy_id)
prf_id = profiles_dict[qos_profile_key]
if prf_id != qos_profile_id:
add_profile_mismatch(problems, neutron_id, nsx_id,
prf_id, "QoS")
# Port with security & fixed ips/address pairs:
# neutron spoofguard profile should be attached
port_sec, has_ip = plugin._determine_port_security_and_has_ip(
admin_cxt, port)
addr_pair = port.get(addr_apidef.ADDRESS_PAIRS)
if port_sec and (has_ip or addr_pair):
prf_id = profiles_dict[spoofguard_profile_key]
if prf_id != spoofguard_profile_id:
add_profile_mismatch(problems, neutron_id, nsx_id,
prf_id, "Spoof Guard")
if len(problems) > 0:
title = ("Found internal ports misconfiguration on the "
"NSX manager:")
LOG.info(
formatters.output_formatter(title, problems,
['neutron_id', 'nsx_id', 'error']))
else:
LOG.info("All internal ports verified on the NSX manager")
def get_mismatch_logical_ports(context, nsxlib, plugin, get_filters=None):
neutron_ports = plugin.get_ports(context, filters=get_filters)
# get pre-defined profile ids
dhcp_profile_id = get_dhcp_profile_id(nsxlib)
dhcp_profile_key = (
core_resources.SwitchingProfileTypes.SWITCH_SECURITY)
spoofguard_profile_id = get_spoofguard_profile_id(nsxlib)
spoofguard_profile_key = (
core_resources.SwitchingProfileTypes.SPOOF_GUARD)
qos_profile_key = core_resources.SwitchingProfileTypes.QOS
problems = []
for port in neutron_ports:
neutron_id = port['id']
# get the network nsx id from the mapping table
nsx_id = get_port_nsx_id(context.session, neutron_id)
if not nsx_id:
# skip external ports
pass
else:
try:
nsx_port = nsxlib.logical_port.get(nsx_id)
except nsxlib_exc.ResourceNotFound:
problems.append({'neutron_id': neutron_id,
'nsx_id': nsx_id,
'error': 'Missing from backend',
'error_type': PORT_ERROR_TYPE_MISSING})
continue
# Port found on backend!
# Check that it has all the expected switch profiles.
# create a dictionary of the current profiles:
profiles_dict = {}
for prf in nsx_port['switching_profile_ids']:
profiles_dict[prf['key']] = prf['value']
# DHCP port: neutron dhcp profile should be attached
# to logical ports created for neutron DHCP but not
# for native DHCP.
if (port.get('device_owner') == const.DEVICE_OWNER_DHCP and
not cfg.CONF.nsx_v3.native_dhcp_metadata):
prf_id = profiles_dict[dhcp_profile_key]
if prf_id != dhcp_profile_id:
add_profile_mismatch(problems, neutron_id, nsx_id,
prf_id, "DHCP security")
# Port with QoS policy: a matching profile should be attached
qos_policy_id = qos_utils.get_port_policy_id(context,
neutron_id)
if qos_policy_id:
qos_profile_id = nsx_db.get_switch_profile_by_qos_policy(
context.session, qos_policy_id)
prf_id = profiles_dict[qos_profile_key]
if prf_id != qos_profile_id:
add_profile_mismatch(problems, neutron_id, nsx_id,
prf_id, "QoS")
# Port with security & fixed ips/address pairs:
# neutron spoofguard profile should be attached
port_sec, has_ip = plugin._determine_port_security_and_has_ip(
context, port)
addr_pair = port.get(addr_apidef.ADDRESS_PAIRS)
if port_sec and (has_ip or addr_pair):
prf_id = profiles_dict[spoofguard_profile_key]
if prf_id != spoofguard_profile_id:
add_profile_mismatch(problems, neutron_id, nsx_id,
prf_id, "Spoof Guard")
# Check the address bindings
if port_sec:
nsx_address_bindings = nsx_port.get('address_bindings', [])
nsx_ips = [x['ip_address'] for x in nsx_address_bindings]
nsx_macs = [x['mac_address'] for x in nsx_address_bindings]
neutron_ips = [x['ip_address']
for x in port.get('fixed_ips', [])]
neutron_mac = port['mac_address']
different_macs = [mac for mac in nsx_macs
if mac != neutron_mac]
if (len(nsx_ips) != len(neutron_ips) or
set(nsx_ips) != set(neutron_ips)):
problems.append({'neutron_id': neutron_id,
'nsx_id': nsx_id,
'port': port,
'error': 'Different IP address bindings',
'error_type': PORT_ERROR_TYPE_BINDINGS})
elif different_macs:
problems.append({'neutron_id': neutron_id,
'nsx_id': nsx_id,
'port': port,
'error': 'Different MAC address bindings',
'error_type': PORT_ERROR_TYPE_BINDINGS})
return problems
def delete_policy(self, context, policy_id):
profile_id = nsx_db.get_switch_profile_by_qos_policy(
context.session, policy_id)
self._nsxlib_qos.delete(profile_id)
def get_mismatch_logical_ports(context, nsxlib, plugin, get_filters=None):
neutron_ports = plugin.get_ports(context, filters=get_filters)
# get pre-defined profile ids
dhcp_profile_id = get_dhcp_profile_id(nsxlib)
dhcp_profile_key = (core_resources.SwitchingProfileTypes.SWITCH_SECURITY)
spoofguard_profile_id = get_spoofguard_profile_id(nsxlib)
spoofguard_profile_key = (core_resources.SwitchingProfileTypes.SPOOF_GUARD)
qos_profile_key = core_resources.SwitchingProfileTypes.QOS
problems = []
for port in neutron_ports:
neutron_id = port['id']
# get the network nsx id from the mapping table
nsx_id = get_port_nsx_id(context.session, neutron_id)
if not nsx_id:
# skip external ports
pass
else:
try:
nsx_port = nsxlib.logical_port.get(nsx_id)
except nsxlib_exc.ResourceNotFound:
problems.append({
'neutron_id': neutron_id,
'nsx_id': nsx_id,
'error': 'Missing from backend',
'error_type': PORT_ERROR_TYPE_MISSING
})
continue
# Port found on backend!
# Check that it has all the expected switch profiles.
# create a dictionary of the current profiles:
profiles_dict = {}
for prf in nsx_port['switching_profile_ids']:
profiles_dict[prf['key']] = prf['value']
# DHCP port: neutron dhcp profile should be attached
# to logical ports created for neutron DHCP but not
# for native DHCP.
if (port.get('device_owner') == const.DEVICE_OWNER_DHCP
and not cfg.CONF.nsx_v3.native_dhcp_metadata):
prf_id = profiles_dict[dhcp_profile_key]
if prf_id != dhcp_profile_id:
add_profile_mismatch(problems, neutron_id, nsx_id, prf_id,
"DHCP security")
# Port with QoS policy: a matching profile should be attached
qos_policy_id = qos_utils.get_port_policy_id(context, neutron_id)
if qos_policy_id:
qos_profile_id = nsx_db.get_switch_profile_by_qos_policy(
context.session, qos_policy_id)
prf_id = profiles_dict[qos_profile_key]
if prf_id != qos_profile_id:
add_profile_mismatch(problems, neutron_id, nsx_id, prf_id,
"QoS")
# Port with security & fixed ips/address pairs:
# neutron spoofguard profile should be attached
port_sec, has_ip = plugin._determine_port_security_and_has_ip(
context, port)
addr_pair = port.get(addr_apidef.ADDRESS_PAIRS)
if port_sec and (has_ip or addr_pair):
prf_id = profiles_dict[spoofguard_profile_key]
if prf_id != spoofguard_profile_id:
add_profile_mismatch(problems, neutron_id, nsx_id, prf_id,
"Spoof Guard")
# Check the address bindings
if port_sec:
nsx_address_bindings = nsx_port.get('address_bindings', [])
nsx_ips = [x['ip_address'] for x in nsx_address_bindings]
nsx_macs = [x['mac_address'] for x in nsx_address_bindings]
neutron_ips = [
x['ip_address'] for x in port.get('fixed_ips', [])
]
neutron_mac = port['mac_address']
different_macs = [
mac for mac in nsx_macs if mac != neutron_mac
]
if (len(nsx_ips) != len(neutron_ips)
or set(nsx_ips) != set(neutron_ips)):
problems.append({
'neutron_id': neutron_id,
'nsx_id': nsx_id,
'port': port,
'error': 'Different IP address bindings',
'error_type': PORT_ERROR_TYPE_BINDINGS
})
elif different_macs:
problems.append({
'neutron_id': neutron_id,
'nsx_id': nsx_id,
'port': port,
'error': 'Different MAC address bindings',
'error_type': PORT_ERROR_TYPE_BINDINGS
})
return problems
def delete_policy(self, context, policy_id):
profile_id = nsx_db.get_switch_profile_by_qos_policy(
context.session, policy_id)
nsxlib.delete_qos_switching_profile(profile_id)
