diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 2bc744b2ee..f5e4ea3a74 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -259,7 +259,7 @@ tunnel_interface_address: "{{ 'tunnel' | kolla_address }}"
octavia_network_interface_address: "{{ 'octavia_network' | kolla_address }}"
dpdk_tunnel_interface_address: "{{ 'dpdk_tunnel' | kolla_address }}"
-# Valid options are [ openvswitch, ovn, linuxbridge, vmware_nsxv, vmware_nsxv3, vmware_dvs ]
+# Valid options are [ openvswitch, ovn, linuxbridge, vmware_nsxv, vmware_nsxv3, vmware_nsxp, vmware_dvs ]
neutron_plugin_agent: "openvswitch"
# Valid options are [ internal, infoblox ]
diff --git a/ansible/roles/neutron/defaults/main.yml b/ansible/roles/neutron/defaults/main.yml
index 387fbef6fc..87bc023a27 100644
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@@ -69,7 +69,7 @@ neutron_services:
container_name: "neutron_dhcp_agent"
image: "{{ neutron_dhcp_agent_image_full }}"
privileged: True
- enabled: "{{ neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3'] or neutron_ovn_dhcp_agent | bool }}"
+ enabled: "{{ neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp'] or neutron_ovn_dhcp_agent | bool }}"
group: "neutron-dhcp-agent"
host_in_groups: "{{ inventory_hostname in groups['neutron-dhcp-agent'] }}"
volumes: "{{ neutron_dhcp_agent_default_volumes + neutron_dhcp_agent_extra_volumes }}"
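Review bot: The list of agentless VMware plugins is now hand-edited in seven `enabled:` expressions in this file (this hunk and the ones at -79, -94, -102, -110, -118 and -140), and most of the services they gate run with `privileged: True`. A plugin name missed in one of those lists would start a privileged agent container that an NSX deployment has no use for. Consider a shared list variable for the common `['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp']` part, or at least a comment above `neutron_services` such as `# Plugins that run without Neutron agents must be excluded in every agent's "enabled" expression below`. The `neutron_services` mapping starts and ends outside these hunks.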
@@ -79,7 +79,7 @@ neutron_services:
container_name: "neutron_l3_agent"
image: "{{ neutron_l3_agent_image_full }}"
privileged: True
- enabled: "{{ neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs'] }}"
+ enabled: "{{ neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] }}"
environment:
KOLLA_LEGACY_IPTABLES: "{{ neutron_legacy_iptables | bool | lower }}"
host_in_groups: >-
@@ -94,7 +94,7 @@ neutron_services:
container_name: "neutron_sriov_agent"
image: "{{ neutron_sriov_agent_image_full }}"
privileged: True
- enabled: "{{ enable_neutron_sriov | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3' ] }}"
+ enabled: "{{ enable_neutron_sriov | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp' ] }}"
host_in_groups: "{{ inventory_hostname in groups['compute'] }}"
volumes: "{{ neutron_sriov_agent_default_volumes + neutron_sriov_agent_extra_volumes }}"
dimensions: "{{ neutron_sriov_agent_dimensions }}"
@@ -102,7 +102,7 @@ neutron_services:
neutron-mlnx-agent:
container_name: "neutron_mlnx_agent"
image: "{{ neutron_mlnx_agent_image_full }}"
- enabled: "{{ enable_neutron_mlnx | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3' ] }}"
+ enabled: "{{ enable_neutron_mlnx | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp' ] }}"
host_in_groups: "{{ inventory_hostname in groups['compute'] }}"
volumes: "{{ neutron_mlnx_agent_default_volumes + neutron_mlnx_agent_extra_volumes }}"
dimensions: "{{ neutron_mlnx_agent_dimensions }}"
@@ -110,7 +110,7 @@ neutron_services:
container_name: "neutron_eswitchd"
image: "{{ neutron_eswitchd_image_full }}"
privileged: True
- enabled: "{{ enable_neutron_mlnx | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3' ] }}"
+ enabled: "{{ enable_neutron_mlnx | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp' ] }}"
host_in_groups: "{{ inventory_hostname in groups['compute'] }}"
volumes: "{{ neutron_eswitchd_default_volumes + neutron_eswitchd_extra_volumes }}"
dimensions: "{{ neutron_eswitchd_dimensions }}"
@@ -118,7 +118,7 @@ neutron_services:
container_name: "neutron_metadata_agent"
image: "{{ neutron_metadata_agent_image_full }}"
privileged: True
- enabled: "{{ neutron_plugin_agent not in [ 'ovn', 'vmware_nsxv', 'vmware_nsxv3' ] }}"
+ enabled: "{{ neutron_plugin_agent not in [ 'ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp' ] }}"
host_in_groups: >-
{{
inventory_hostname in groups['neutron-metadata-agent']
@@ -140,7 +140,7 @@ neutron_services:
container_name: "neutron_bgp_dragent"
image: "{{ neutron_bgp_dragent_image_full }}"
privileged: True
- enabled: "{{ enable_neutron_bgp_dragent | bool and neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs'] }}"
+ enabled: "{{ enable_neutron_bgp_dragent | bool and neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] }}"
group: "neutron-bgp-dragent"
host_in_groups: "{{ inventory_hostname in groups['neutron-bgp-dragent'] }}"
volumes: "{{ neutron_bgp_dragent_default_volumes + neutron_bgp_dragent_extra_volumes }}"
@@ -582,6 +582,8 @@ neutron_subprojects:
enabled: "{{ enable_neutron_bgp_dragent | bool }}"
- name: "neutron-vpnaas"
enabled: "{{ enable_neutron_vpnaas | bool }}"
+ - name: "vmware-nsx"
+ enabled: "{{ neutron_plugin_agent in ['vmware_dvs', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp'] }}"
####################
# Mechanism drivers
@@ -727,6 +729,19 @@ nsxv3_default_tier0_router: "tier0 router uuid"
nsxv3_default_vlan_tz: "vlan TZ uuid"
nsxv3_default_overlay_tz: "overlay TZ uuid"
+####################
+# VMware NSXP
+####################
+vmware_nsxp_metadata_proxy: "metadata proxy uuid or name"
+vmware_nsxp_dhcp_profile: "dhcp service uuid or name"
+vmware_nsxp_native_dhcp_metadata: "true"
+vmware_nsxp_api_user: "admin"
+vmware_nsxp_insecure: "True"
+vmware_nsxp_api_managers: "127.0.0.1"
+vmware_nsxp_default_tier0_router: "tier0 router uuid or name"
+vmware_nsxp_default_vlan_tz: "vlan TZ uuid or name"
+vmware_nsxp_default_overlay_tz: "overlay TZ uuid or name"
+
####################
# VMware DVS
####################
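Review bot: `vmware_nsxp_insecure: "True"` ships with certificate verification switched off for the NSX manager connection, which is the connection that carries `nsx_api_password`. I would default it to `"False"` and let operators opt out, with a comment above it such as `# Set to "True" only when the NSX manager certificate cannot be verified (lab setups)`. The value is also a quoted string here while the guide in this same change shows `vmware_nsxp_insecure: true`, so one form should be chosen. The remaining defaults are descriptive placeholders (`"tier0 router uuid or name"`) that would be rendered literally into nsx.ini if an operator forgets to override them; a precheck or a comment saying they must be overridden would help.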
diff --git a/ansible/roles/neutron/tasks/config.yml b/ansible/roles/neutron/tasks/config.yml
index 115402242f..cfc4e74fc5 100644
--- a/ansible/roles/neutron/tasks/config.yml
+++ b/ansible/roles/neutron/tasks/config.yml
@@ -410,7 +410,7 @@
when:
- neutron_server.enabled | bool
- neutron_server.host_in_groups | bool
- - neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs']
+ - neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs']
notify:
- "Restart {{ service_name }} container"
diff --git a/ansible/roles/neutron/templates/neutron-server.json.j2 b/ansible/roles/neutron/templates/neutron-server.json.j2
index 30bb11f49c..f8f9e4a94b 100644
--- a/ansible/roles/neutron/templates/neutron-server.json.j2
+++ b/ansible/roles/neutron/templates/neutron-server.json.j2
@@ -1,5 +1,5 @@
{
- "command": "neutron-server --config-file /etc/neutron/neutron.conf {% if neutron_plugin_agent in ['openvswitch', 'linuxbridge', 'ovn'] %} --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/neutron_vpnaas.conf {% elif neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs'] %} --config-file /etc/neutron/plugins/vmware/nsx.ini {% endif %}",
+ "command": "neutron-server --config-file /etc/neutron/neutron.conf {% if neutron_plugin_agent in ['openvswitch', 'linuxbridge', 'ovn'] %} --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/neutron_vpnaas.conf {% elif neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] %} --config-file /etc/neutron/plugins/vmware/nsx.ini {% endif %}",
"config_files": [
{
"source": "{{ container_config_directory }}/neutron.conf",
@@ -19,12 +19,11 @@
"owner": "neutron",
"perm": "0600"
},{% endif %}
-{% if neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs'] -%}
+{% if neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] -%}
{
"source": "{{ container_config_directory }}/nsx.ini",
"dest": "/etc/neutron/plugins/vmware/nsx.ini",
"owner": "neutron",
- "optional": {{ (neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs']) | string | lower }},
"perm": "0600"
},{% endif %}
{% if check_extra_ml2_plugins is defined and check_extra_ml2_plugins.matched > 0 %}{% for plugin in check_extra_ml2_plugins.files %}
diff --git a/ansible/roles/neutron/templates/neutron.conf.j2 b/ansible/roles/neutron/templates/neutron.conf.j2
index 04e74854a5..443a53ad76 100644
--- a/ansible/roles/neutron/templates/neutron.conf.j2
+++ b/ansible/roles/neutron/templates/neutron.conf.j2
@@ -45,6 +45,9 @@ core_plugin = vmware_nsx.plugin.NsxVPlugin
{% elif neutron_plugin_agent == 'vmware_nsxv3' %}
core_plugin = vmware_nsx.plugin.NsxV3Plugin
dhcp_agent_notification = False
+{% elif neutron_plugin_agent == 'vmware_nsxp' %}
+core_plugin = vmware_nsx.plugin.NsxPolicyPlugin
+dhcp_agent_notification = False
{% elif neutron_plugin_agent == 'vmware_dvs' %}
core_plugin = vmware_nsx.plugin.NsxDvsPlugin
{% else %}
@@ -71,6 +74,8 @@ external_dns_driver = designate
nsx_extension_drivers = vmware_nsxv_dns
{% elif neutron_plugin_agent == 'vmware_nsxv3' %}
nsx_extension_drivers = vmware_nsxv3_dns
+{% elif neutron_plugin_agent == 'vmware_nsxp' %}
+nsx_extension_drivers = vmware_nsxp_dns
{% elif neutron_plugin_agent == 'vmware_dvs' %}
nsx_extension_drivers = vmware_dvs_dns
{% endif %}
diff --git a/ansible/roles/neutron/templates/nsx.ini.j2 b/ansible/roles/neutron/templates/nsx.ini.j2
index 1129de424b..5c62c4d4ac 100644
--- a/ansible/roles/neutron/templates/nsx.ini.j2
+++ b/ansible/roles/neutron/templates/nsx.ini.j2
@@ -26,6 +26,17 @@ nsx_api_managers = {{ nsxv3_api_managers }}
default_tier0_router = {{ nsxv3_default_tier0_router }}
default_vlan_tz = {{ nsxv3_default_vlan_tz }}
default_overlay_tz = {{ nsxv3_default_overlay_tz }}
+{% elif neutron_plugin_agent == 'vmware_nsxp' %}
+[nsx_p]
+metadata_proxy = {{ vmware_nsxp_metadata_proxy }}
+dhcp_profile = {{ vmware_nsxp_dhcp_profile }}
+native_dhcp_metadata = {{ vmware_nsxp_native_dhcp_metadata }}
+nsx_api_password = {{ vmware_nsxp_api_password }}
+nsx_api_user = {{ vmware_nsxp_api_user }}
+nsx_api_managers = {{ vmware_nsxp_api_managers }}
+default_tier0_router = {{ vmware_nsxp_default_tier0_router }}
+default_vlan_tz = {{ vmware_nsxp_default_vlan_tz }}
+default_overlay_tz = {{ vmware_nsxp_default_overlay_tz }}
{% elif neutron_plugin_agent == 'vmware_dvs' %}
[dvs]
host_ip = {{ vmware_dvs_host_ip }}
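Review bot: The new `[nsx_p]` section writes `nsx_api_password` but never renders `vmware_nsxp_insecure`, so the variable added in defaults/main.yml has no effect on the generated nsx.ini and certificate verification falls back to the plugin's built-in default. Add `insecure = {{ vmware_nsxp_insecure }}` to the section, and a `ca_file` line for the NSX manager CA when verification is enabled. The nsxv3 section above is only partly inside the hunk, so I cannot tell from here whether it has the same gap.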
diff --git a/ansible/roles/nova-cell/templates/nova.conf.j2 b/ansible/roles/nova-cell/templates/nova.conf.j2
index 5adb22c263..9baa712f25 100644
--- a/ansible/roles/nova-cell/templates/nova.conf.j2
+++ b/ansible/roles/nova-cell/templates/nova.conf.j2
@@ -120,7 +120,7 @@ cafile = {{ openstack_cacert }}
[neutron]
metadata_proxy_shared_secret = {{ metadata_secret }}
service_metadata_proxy = true
-{% if neutron_plugin_agent == 'vmware_nsxv3' %}
+{% if neutron_plugin_agent in ['vmware_nsxv3', 'vmware_nsxp'] %}
ovs_bridge = {{ ovs_bridge }}
{% endif %}
auth_url = {{ keystone_admin_url }}
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
index 1032aaec43..93913c065d 100644
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -79,9 +79,6 @@ cafile = {{ openstack_cacert }}
[neutron]
metadata_proxy_shared_secret = {{ metadata_secret }}
service_metadata_proxy = true
-{% if neutron_plugin_agent == 'vmware_nsxv3' %}
-ovs_bridge = {{ ovs_bridge }}
-{% endif %}
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_name = {{ default_project_domain_name }}
diff --git a/doc/source/reference/compute/vmware-guide.rst b/doc/source/reference/compute/vmware-guide.rst
index a205593b11..b03fd8f286 100644
--- a/doc/source/reference/compute/vmware-guide.rst
+++ b/doc/source/reference/compute/vmware-guide.rst
@@ -8,8 +8,13 @@ Overview
~~~~~~~~
Kolla can deploy the Nova and Neutron Service(s) for VMware vSphere.
-Depending on the network architecture (NsxV or DVS) you choose, Kolla deploys
-the following OpenStack services for VMware vSphere:
+Depending on the network architecture (NsxT, NsxV or DVS) you choose,
+Kolla deploys the following OpenStack services for VMware vSphere:
+
+For VMware NsxT:
+
+* nova-compute
+* neutron-server
For VMware NsxV:
@@ -35,6 +40,12 @@ into what vSphere/NSX Manager API can understand. Neutron does
not directly takes control of the Open vSwitch inside the VMware
environment but through the API exposed by vSphere/NSX Manager.
+.. note::
+
+ VMware NSX plugin is not in the kolla image by default.
+ VMware NSX plugin has to be added in the neutron image and
+ if you are using vmware_dvs also in neutron-dhcp-agent image.
+
For VMware DVS, the Neutron DHCP agent does not attaches to Open vSwitch inside
VMware environment, but attach to the Open vSwitch bridge called ``br-dvs`` on
the OpenStack side and replies to/receives DHCP packets through VLAN. Similar
@@ -46,22 +57,34 @@ bridge and works through VLAN.
VMware NSX-DVS plugin does not support tenant networks, so all VMs should
attach to Provider VLAN/Flat networks.
-VMware NSX-V
+VMware NSX-T
~~~~~~~~~~~~
Preparation
-----------
-You should have a working NSX-V environment, this part is out of scope
-of Kolla.
-For more information, please see `VMware NSX-V documentation `__.
+You should have a working NSX-T environment, this part is out of scope
+of Kolla. For more information, please see
+`VMware NSX-T documentation `__.
+The NSX Manager provides a web-based user interface where you can manage
+your NSX-T environment.
+It also hosts the API server that processes API calls.
+The NSX Manager interface provides two modes for configuring resources:
-.. note::
+- Policy mode
+- Manager mode
- In addition, it is important to modify the firewall rule of vSphere to make
- sure that VNC is accessible from outside VMware environment.
+In Kolla you will have the choice between both with neutron plugin
+vmware_nsxv3 for Manager mode and vmware_nsxp for Policy Mode.
+For more information, please see
+`documentation `__.
- On every VMware host, edit ``/etc/vmware/firewall/vnc.xml`` as below:
+------------------------------------------------------------------------------
+
+In addition, it is important to modify the firewall rule of vSphere to make
+sure that VNC is accessible from outside VMware environment.
+
+On every VMware host, edit ``/etc/vmware/firewall/vnc.xml`` as below:
.. code-block:: xml
@@ -104,6 +127,155 @@ Verify that the firewall config is applied:
# esxcli network firewall ruleset list
+------------------------------------------------------------------------------
+
+Deployment
+----------
+
+The deployment below covers the Policy mode (vmware_nsxp)
+
+Enable VMware nova-compute plugin and NSX-T neutron-server plugin in
+``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+ enable_openvswitch: no
+ nova_compute_virt_type: "vmware"
+ neutron_plugin_agent: "vmware_nsxp"
+
+If you want to set VMware datastore as cinder backend, enable it in
+``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+ enable_cinder: "yes"
+ cinder_backend_vmwarevc_vmdk: "yes"
+ vmware_datastore_name: "TestDatastore"
+
+If you want to set VMware datastore as glance backend, enable it in
+``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+ glance_backend_vmware: "yes"
+ vmware_vcenter_name: "TestDatacenter"
+ vmware_datastore_name: "TestDatastore"
+
+VMware options are required in ``/etc/kolla/globals.yml``, these options should
+be configured correctly according to your NSX-T environment.
+
+Options for ``nova-compute`` and ``ceilometer``:
+
+.. code-block:: yaml
+
+ vmware_vcenter_host_ip: "127.0.0.1"
+ vmware_vcenter_host_username: "admin"
+ vmware_vcenter_cluster_name: "cluster-1"
+ vmware_vcenter_insecure: "True"
+ vmware_vcenter_datastore_regex: ".*"
+
+.. note::
+
+ The VMware vCenter password has to be set in ``/etc/kolla/passwords.yml``.
+
+ .. code-block:: yaml
+
+ vmware_vcenter_host_password: "admin"
+
+Options for Neutron NSX-T support:
+
+.. code-block:: yaml
+
+ vmware_nsxp_api_user: "admin"
+ vmware_nsxp_insecure: true
+ vmware_nsxp_default_tier0_router: "T0-Example"
+ vmware_nsxp_dhcp_profile: "dhcp-profile-example"
+ vmware_nsxp_metadata_proxy: "metadata_proxy-example"
+ vmware_nsxp_api_managers: "nsx-manager.local"
+ vmware_nsxp_default_vlan_tz: "vlan-tz-example"
+ vmware_nsxp_default_overlay_tz: "overlay-tz-example"
+
+.. yaml
+
+.. note::
+
+ If you want to set secure connections to VMware, set ``vmware_vcenter_insecure``
+ to false.
+ Secure connections to vCenter requires a CA file, copy the vCenter CA file to
+ ``/etc/kolla/config/vmware_ca``.
+
+.. note::
+
+ The VMware NSX-T password has to be set in ``/etc/kolla/passwords.yml``.
+
+ .. code-block:: yaml
+
+ vmware_nsxp_api_password: "xxxxx"
+ vmware_nsxp_metadata_proxy_shared_secret: "xxxxx"
+
+Then you should start :command:`kolla-ansible` deployment normally as
+KVM/QEMU deployment.
+
+VMware NSX-V
+~~~~~~~~~~~~
+
+Preparation
+-----------
+
+You should have a working NSX-V environment, this part is out of scope
+of Kolla.
+For more information, please see
+`VMware NSX-V documentation `__.
+
+------------------------------------------------------------------------------
+
+In addition, it is important to modify the firewall rule of vSphere to make
+sure that VNC is accessible from outside VMware environment.
+
+On every VMware host, edit ``/etc/vmware/firewall/vnc.xml`` as below:
+
+.. code-block:: xml
+
+
+
+
+ VNC
+
+ inbound
+ tcp
+ dst
+
+ 5900
+ 5999
+
+
+
+ outbound
+ tcp
+ dst
+
+ 0
+ 65535
+
+
+ true false
+
+
+
+Then refresh the firewall config by:
+
+.. code-block:: console
+
+ # esxcli network firewall refresh
+
+Verify that the firewall config is applied:
+
+.. code-block:: console
+
+ # esxcli network firewall ruleset list
+
+------------------------------------------------------------------------------
+
Deployment
----------
@@ -211,7 +383,8 @@ Before deployment, you should have a working VMware vSphere environment.
Create a cluster and a vSphere Distributed Switch with all the host in the
cluster attached to it.
-For more information, please see `Setting Up Networking with vSphere Distributed Switches `__.
+For more information, please see
+`Setting Up Networking with vSphere Distributed Switches `__.
Deployment
----------
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index d9038cb6eb..de0389ac24 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -154,8 +154,8 @@
# addresses for that reason.
#neutron_external_interface: "eth1"
-# Valid options are [ openvswitch, ovn, linuxbridge, vmware_nsxv, vmware_nsxv3, vmware_dvs ]
-# if vmware_nsxv3 is selected, enable_openvswitch MUST be set to "no" (default is yes)
+# Valid options are [ openvswitch, ovn, linuxbridge, vmware_nsxv, vmware_nsxv3, vmware_nsxp, vmware_dvs ]
+# if vmware_nsxv3 or vmware_nsxp is selected, enable_openvswitch MUST be set to "no" (default is yes)
#neutron_plugin_agent: "openvswitch"
# Valid options are [ internal, infoblox ]
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index 9b0dd99257..b343496b9e 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@@ -29,6 +29,8 @@ vmware_dvs_host_password:
vmware_nsxv_password:
vmware_vcenter_host_password:
nsxv3_api_password:
+vmware_nsxp_api_password:
+vmware_nsxp_metadata_proxy_shared_secret:
#####################
# Hitachi NAS support
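Review bot: `vmware_nsxp_metadata_proxy_shared_secret` is added here and in the guide, but none of the template hunks in this change reference it; the `[nsx_p]` block in nsx.ini.j2 renders only `vmware_nsxp_api_password`. Unless it is consumed somewhere outside this diff, either wire it into the template that needs it or drop it, so operators are not generating and storing a secret that nothing reads. A short comment above the two new keys, for example `# VMware NSX Policy (vmware_nsxp) credentials`, would also match how they are grouped in the docs.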
diff --git a/releasenotes/notes/add-nsxp-support-10a750d077d51ac6.yaml b/releasenotes/notes/add-nsxp-support-10a750d077d51ac6.yaml
new file mode 100644
index 0000000000..65d1f29138
--- /dev/null
+++ b/releasenotes/notes/add-nsxp-support-10a750d077d51ac6.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Add support for the VMware NSX Policy plugin