def delete_policy(self, context, policy_id): profile_id = nsx_db.get_switch_profile_by_qos_policy( context.session, policy_id) # delete the profile id from the backend and the DB self._nsxlib_qos.delete(profile_id) nsx_db.delete_qos_policy_profile_mapping( context.session, policy_id)
def update_policy(self, context, policy_id, policy): profile_id = nsx_db.get_switch_profile_by_qos_policy( context.session, policy_id) tags = self._get_tags(context, policy) self._nsxlib_qos.update(profile_id, tags=tags, name=policy.name, description=policy.description)
def update_policy(self, context, policy_id, policy): profile_id = nsx_db.get_switch_profile_by_qos_policy( context.session, policy_id) tags = self._get_tags(context, policy) nsxlib.update_qos_switching_profile( profile_id, tags=tags, name=policy.name, description=policy.description)
def update_policy_rules(self, context, policy_id, bw_rule, dscp_rule): """Update the QoS switch profile with the BW limitations and DSCP marking configuration """ profile_id = nsx_db.get_switch_profile_by_qos_policy( context.session, policy_id) (shaping_enabled, burst_size, peak_bw, average_bw) = self._get_bw_values_from_rule(bw_rule) qos_marking, dscp = self._get_dscp_values_from_rule(dscp_rule) self._nsxlib_qos.update_shaping(profile_id, shaping_enabled=shaping_enabled, burst_size=burst_size, peak_bandwidth=peak_bw, average_bandwidth=average_bw, qos_marking=qos_marking, dscp=dscp)
def update_policy_rules(self, context, policy_id, rules): """Update the QoS switch profile with the BW limitations and DSCP marking configuration """ profile_id = nsx_db.get_switch_profile_by_qos_policy( context.session, policy_id) ingress_bw_rule = None egress_bw_rule = None dscp_rule = None for rule in rules: if rule.rule_type == qos_consts.RULE_TYPE_BANDWIDTH_LIMIT: if rule.direction == n_consts.EGRESS_DIRECTION: egress_bw_rule = rule else: ingress_bw_rule = rule elif rule.rule_type == qos_consts.RULE_TYPE_DSCP_MARKING: dscp_rule = rule else: LOG.warning( "The NSX-V3 plugin does not support QoS rule of " "type %s", rule.rule_type) # the NSX direction is opposite to the neutron direction (ingress_bw_enabled, ingress_burst_size, ingress_peak_bw, ingress_average_bw) = self._get_bw_values_from_rule(egress_bw_rule) (egress_bw_enabled, egress_burst_size, egress_peak_bw, egress_average_bw) = self._get_bw_values_from_rule(ingress_bw_rule) qos_marking, dscp = self._get_dscp_values_from_rule(dscp_rule) self._nsxlib_qos.set_profile_shaping( profile_id, ingress_bw_enabled=ingress_bw_enabled, ingress_burst_size=ingress_burst_size, ingress_peak_bandwidth=ingress_peak_bw, ingress_average_bandwidth=ingress_average_bw, egress_bw_enabled=egress_bw_enabled, egress_burst_size=egress_burst_size, egress_peak_bandwidth=egress_peak_bw, egress_average_bandwidth=egress_average_bw, qos_marking=qos_marking, dscp=dscp)
def update_policy_rules(self, context, policy_id, rules): """Update the QoS switch profile with the BW limitations and DSCP marking configuration """ profile_id = nsx_db.get_switch_profile_by_qos_policy( context.session, policy_id) ingress_bw_rule = None egress_bw_rule = None dscp_rule = None for rule in rules: if rule.rule_type == qos_consts.RULE_TYPE_BANDWIDTH_LIMIT: if rule.direction == n_consts.EGRESS_DIRECTION: egress_bw_rule = rule else: ingress_bw_rule = rule elif rule.rule_type == qos_consts.RULE_TYPE_DSCP_MARKING: dscp_rule = rule else: LOG.warning("The NSX-V3 plugin does not support QoS rule of " "type %s", rule.rule_type) # the NSX direction is opposite to the neutron direction (ingress_bw_enabled, ingress_burst_size, ingress_peak_bw, ingress_average_bw) = self._get_bw_values_from_rule(egress_bw_rule) (egress_bw_enabled, egress_burst_size, egress_peak_bw, egress_average_bw) = self._get_bw_values_from_rule(ingress_bw_rule) qos_marking, dscp = self._get_dscp_values_from_rule(dscp_rule) self._nsxlib_qos.set_profile_shaping( profile_id, ingress_bw_enabled=ingress_bw_enabled, ingress_burst_size=ingress_burst_size, ingress_peak_bandwidth=ingress_peak_bw, ingress_average_bandwidth=ingress_average_bw, egress_bw_enabled=egress_bw_enabled, egress_burst_size=egress_burst_size, egress_peak_bandwidth=egress_peak_bw, egress_average_bandwidth=egress_average_bw, qos_marking=qos_marking, dscp=dscp)
def update_policy_rules(self, context, policy_id, bw_rule, dscp_rule): """Update the QoS switch profile with the BW limitations and DSCP marking configuration """ profile_id = nsx_db.get_switch_profile_by_qos_policy( context.session, policy_id) (shaping_enabled, burst_size, peak_bw, average_bw) = self._get_bw_values_from_rule(bw_rule) qos_marking, dscp = self._get_dscp_values_from_rule(dscp_rule) nsxlib.update_qos_switching_profile_shaping( profile_id, shaping_enabled=shaping_enabled, burst_size=burst_size, peak_bandwidth=peak_bw, average_bandwidth=average_bw, qos_marking=qos_marking, dscp=dscp)
def list_missing_ports(resource, event, trigger, **kwargs): """List neutron ports that are missing the NSX backend port And ports with wrong switch profiles """ admin_cxt = neutron_context.get_admin_context() filters = v3_utils.get_plugin_filters(admin_cxt) with PortsPlugin() as plugin: neutron_ports = plugin.get_ports(admin_cxt, filters=filters) port_client, profile_client = get_port_and_profile_clients() # get pre-defined profile ids dhcp_profile_id = get_dhcp_profile_id(profile_client) dhcp_profile_key = resources.SwitchingProfileTypes.SWITCH_SECURITY spoofguard_profile_id = get_spoofguard_profile_id(profile_client) spoofguard_profile_key = resources.SwitchingProfileTypes.SPOOF_GUARD qos_profile_key = resources.SwitchingProfileTypes.QOS problems = [] for port in neutron_ports: neutron_id = port['id'] # get the network nsx id from the mapping table nsx_id = get_port_nsx_id(admin_cxt.session, neutron_id) if not nsx_id: # skip external ports pass else: try: nsx_port = port_client.get(nsx_id) except nsx_exc.ResourceNotFound: problems.append({ 'neutron_id': neutron_id, 'nsx_id': nsx_id, 'error': 'Missing from backend' }) continue # Port found on backend! # Check that it has all the expected switch profiles. # create a dictionary of the current profiles: profiles_dict = {} for prf in nsx_port['switching_profile_ids']: profiles_dict[prf['key']] = prf['value'] # DHCP port: neutron dhcp profile should be attached # to logical ports created for neutron DHCP but not # for native DHCP. if (port.get('device_owner') == const.DEVICE_OWNER_DHCP and not cfg.CONF.nsx_v3.native_dhcp_metadata): prf_id = profiles_dict[dhcp_profile_key] if prf_id != dhcp_profile_id: add_profile_mismatch(problems, neutron_id, nsx_id, prf_id, "DHCP security") # Port with QoS policy: a matching profile should be attached qos_policy_id = qos_utils.get_port_policy_id( admin_cxt, neutron_id) if qos_policy_id: qos_profile_id = nsx_db.get_switch_profile_by_qos_policy( admin_cxt.session, qos_policy_id) prf_id = profiles_dict[qos_profile_key] if prf_id != qos_profile_id: add_profile_mismatch(problems, neutron_id, nsx_id, prf_id, "QoS") # Port with security & fixed ips/address pairs: # neutron spoofguard profile should be attached port_sec, has_ip = plugin._determine_port_security_and_has_ip( admin_cxt, port) addr_pair = port.get(addr_apidef.ADDRESS_PAIRS) if port_sec and (has_ip or addr_pair): prf_id = profiles_dict[spoofguard_profile_key] if prf_id != spoofguard_profile_id: add_profile_mismatch(problems, neutron_id, nsx_id, prf_id, "Spoof Guard") if len(problems) > 0: title = ("Found internal ports misconfiguration on the " "NSX manager:") LOG.info( formatters.output_formatter(title, problems, ['neutron_id', 'nsx_id', 'error'])) else: LOG.info("All internal ports verified on the NSX manager")
def get_mismatch_logical_ports(context, nsxlib, plugin, get_filters=None): neutron_ports = plugin.get_ports(context, filters=get_filters) # get pre-defined profile ids dhcp_profile_id = get_dhcp_profile_id(nsxlib) dhcp_profile_key = ( core_resources.SwitchingProfileTypes.SWITCH_SECURITY) spoofguard_profile_id = get_spoofguard_profile_id(nsxlib) spoofguard_profile_key = ( core_resources.SwitchingProfileTypes.SPOOF_GUARD) qos_profile_key = core_resources.SwitchingProfileTypes.QOS problems = [] for port in neutron_ports: neutron_id = port['id'] # get the network nsx id from the mapping table nsx_id = get_port_nsx_id(context.session, neutron_id) if not nsx_id: # skip external ports pass else: try: nsx_port = nsxlib.logical_port.get(nsx_id) except nsxlib_exc.ResourceNotFound: problems.append({'neutron_id': neutron_id, 'nsx_id': nsx_id, 'error': 'Missing from backend', 'error_type': PORT_ERROR_TYPE_MISSING}) continue # Port found on backend! # Check that it has all the expected switch profiles. # create a dictionary of the current profiles: profiles_dict = {} for prf in nsx_port['switching_profile_ids']: profiles_dict[prf['key']] = prf['value'] # DHCP port: neutron dhcp profile should be attached # to logical ports created for neutron DHCP but not # for native DHCP. if (port.get('device_owner') == const.DEVICE_OWNER_DHCP and not cfg.CONF.nsx_v3.native_dhcp_metadata): prf_id = profiles_dict[dhcp_profile_key] if prf_id != dhcp_profile_id: add_profile_mismatch(problems, neutron_id, nsx_id, prf_id, "DHCP security") # Port with QoS policy: a matching profile should be attached qos_policy_id = qos_utils.get_port_policy_id(context, neutron_id) if qos_policy_id: qos_profile_id = nsx_db.get_switch_profile_by_qos_policy( context.session, qos_policy_id) prf_id = profiles_dict[qos_profile_key] if prf_id != qos_profile_id: add_profile_mismatch(problems, neutron_id, nsx_id, prf_id, "QoS") # Port with security & fixed ips/address pairs: # neutron spoofguard profile should be attached port_sec, has_ip = plugin._determine_port_security_and_has_ip( context, port) addr_pair = port.get(addr_apidef.ADDRESS_PAIRS) if port_sec and (has_ip or addr_pair): prf_id = profiles_dict[spoofguard_profile_key] if prf_id != spoofguard_profile_id: add_profile_mismatch(problems, neutron_id, nsx_id, prf_id, "Spoof Guard") # Check the address bindings if port_sec: nsx_address_bindings = nsx_port.get('address_bindings', []) nsx_ips = [x['ip_address'] for x in nsx_address_bindings] nsx_macs = [x['mac_address'] for x in nsx_address_bindings] neutron_ips = [x['ip_address'] for x in port.get('fixed_ips', [])] neutron_mac = port['mac_address'] different_macs = [mac for mac in nsx_macs if mac != neutron_mac] if (len(nsx_ips) != len(neutron_ips) or set(nsx_ips) != set(neutron_ips)): problems.append({'neutron_id': neutron_id, 'nsx_id': nsx_id, 'port': port, 'error': 'Different IP address bindings', 'error_type': PORT_ERROR_TYPE_BINDINGS}) elif different_macs: problems.append({'neutron_id': neutron_id, 'nsx_id': nsx_id, 'port': port, 'error': 'Different MAC address bindings', 'error_type': PORT_ERROR_TYPE_BINDINGS}) return problems
def delete_policy(self, context, policy_id): profile_id = nsx_db.get_switch_profile_by_qos_policy( context.session, policy_id) self._nsxlib_qos.delete(profile_id)
def get_mismatch_logical_ports(context, nsxlib, plugin, get_filters=None): neutron_ports = plugin.get_ports(context, filters=get_filters) # get pre-defined profile ids dhcp_profile_id = get_dhcp_profile_id(nsxlib) dhcp_profile_key = (core_resources.SwitchingProfileTypes.SWITCH_SECURITY) spoofguard_profile_id = get_spoofguard_profile_id(nsxlib) spoofguard_profile_key = (core_resources.SwitchingProfileTypes.SPOOF_GUARD) qos_profile_key = core_resources.SwitchingProfileTypes.QOS problems = [] for port in neutron_ports: neutron_id = port['id'] # get the network nsx id from the mapping table nsx_id = get_port_nsx_id(context.session, neutron_id) if not nsx_id: # skip external ports pass else: try: nsx_port = nsxlib.logical_port.get(nsx_id) except nsxlib_exc.ResourceNotFound: problems.append({ 'neutron_id': neutron_id, 'nsx_id': nsx_id, 'error': 'Missing from backend', 'error_type': PORT_ERROR_TYPE_MISSING }) continue # Port found on backend! # Check that it has all the expected switch profiles. # create a dictionary of the current profiles: profiles_dict = {} for prf in nsx_port['switching_profile_ids']: profiles_dict[prf['key']] = prf['value'] # DHCP port: neutron dhcp profile should be attached # to logical ports created for neutron DHCP but not # for native DHCP. if (port.get('device_owner') == const.DEVICE_OWNER_DHCP and not cfg.CONF.nsx_v3.native_dhcp_metadata): prf_id = profiles_dict[dhcp_profile_key] if prf_id != dhcp_profile_id: add_profile_mismatch(problems, neutron_id, nsx_id, prf_id, "DHCP security") # Port with QoS policy: a matching profile should be attached qos_policy_id = qos_utils.get_port_policy_id(context, neutron_id) if qos_policy_id: qos_profile_id = nsx_db.get_switch_profile_by_qos_policy( context.session, qos_policy_id) prf_id = profiles_dict[qos_profile_key] if prf_id != qos_profile_id: add_profile_mismatch(problems, neutron_id, nsx_id, prf_id, "QoS") # Port with security & fixed ips/address pairs: # neutron spoofguard profile should be attached port_sec, has_ip = plugin._determine_port_security_and_has_ip( context, port) addr_pair = port.get(addr_apidef.ADDRESS_PAIRS) if port_sec and (has_ip or addr_pair): prf_id = profiles_dict[spoofguard_profile_key] if prf_id != spoofguard_profile_id: add_profile_mismatch(problems, neutron_id, nsx_id, prf_id, "Spoof Guard") # Check the address bindings if port_sec: nsx_address_bindings = nsx_port.get('address_bindings', []) nsx_ips = [x['ip_address'] for x in nsx_address_bindings] nsx_macs = [x['mac_address'] for x in nsx_address_bindings] neutron_ips = [ x['ip_address'] for x in port.get('fixed_ips', []) ] neutron_mac = port['mac_address'] different_macs = [ mac for mac in nsx_macs if mac != neutron_mac ] if (len(nsx_ips) != len(neutron_ips) or set(nsx_ips) != set(neutron_ips)): problems.append({ 'neutron_id': neutron_id, 'nsx_id': nsx_id, 'port': port, 'error': 'Different IP address bindings', 'error_type': PORT_ERROR_TYPE_BINDINGS }) elif different_macs: problems.append({ 'neutron_id': neutron_id, 'nsx_id': nsx_id, 'port': port, 'error': 'Different MAC address bindings', 'error_type': PORT_ERROR_TYPE_BINDINGS }) return problems
def delete_policy(self, context, policy_id): profile_id = nsx_db.get_switch_profile_by_qos_policy( context.session, policy_id) nsxlib.delete_qos_switching_profile(profile_id)