Merge "Add support for VMware NSXP"

ansible/group_vars/all.yml

@@ -259,7 +259,7 @@ tunnel_interface_address: "{{ 'tunnel' | kolla_address }}"
 octavia_network_interface_address: "{{ 'octavia_network' | kolla_address }}"
 dpdk_tunnel_interface_address: "{{ 'dpdk_tunnel' | kolla_address }}"
 
-# Valid options are [ openvswitch, ovn, linuxbridge, vmware_nsxv, vmware_nsxv3, vmware_dvs ]
+# Valid options are [ openvswitch, ovn, linuxbridge, vmware_nsxv, vmware_nsxv3, vmware_nsxp, vmware_dvs ]
 neutron_plugin_agent: "openvswitch"
 
 # Valid options are [ internal, infoblox ]

ansible/roles/neutron/defaults/main.yml

@@ -69,7 +69,7 @@ neutron_services:
     container_name: "neutron_dhcp_agent"
     image: "{{ neutron_dhcp_agent_image_full }}"
     privileged: True
-    enabled: "{{ neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3'] or neutron_ovn_dhcp_agent | bool }}"
+    enabled: "{{ neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp'] or neutron_ovn_dhcp_agent | bool }}"
     group: "neutron-dhcp-agent"
     host_in_groups: "{{ inventory_hostname in groups['neutron-dhcp-agent'] }}"
     volumes: "{{ neutron_dhcp_agent_default_volumes + neutron_dhcp_agent_extra_volumes }}"
@@ -79,7 +79,7 @@ neutron_services:
     container_name: "neutron_l3_agent"
     image: "{{ neutron_l3_agent_image_full }}"
     privileged: True
-    enabled: "{{ neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs'] }}"
+    enabled: "{{ neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] }}"
     environment:
       KOLLA_LEGACY_IPTABLES: "{{ neutron_legacy_iptables | bool | lower }}"
     host_in_groups: >-
@@ -94,7 +94,7 @@ neutron_services:
     container_name: "neutron_sriov_agent"
     image: "{{ neutron_sriov_agent_image_full }}"
     privileged: True
-    enabled: "{{ enable_neutron_sriov | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3' ] }}"
+    enabled: "{{ enable_neutron_sriov | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp' ] }}"
     host_in_groups: "{{ inventory_hostname in groups['compute'] }}"
     volumes: "{{ neutron_sriov_agent_default_volumes + neutron_sriov_agent_extra_volumes }}"
     dimensions: "{{ neutron_sriov_agent_dimensions }}"
@@ -102,7 +102,7 @@ neutron_services:
   neutron-mlnx-agent:
     container_name: "neutron_mlnx_agent"
     image: "{{ neutron_mlnx_agent_image_full }}"
-    enabled: "{{ enable_neutron_mlnx | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3' ] }}"
+    enabled: "{{ enable_neutron_mlnx | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp' ] }}"
     host_in_groups: "{{ inventory_hostname in groups['compute'] }}"
     volumes: "{{ neutron_mlnx_agent_default_volumes + neutron_mlnx_agent_extra_volumes }}"
     dimensions: "{{ neutron_mlnx_agent_dimensions }}"
@@ -110,7 +110,7 @@ neutron_services:
     container_name: "neutron_eswitchd"
     image: "{{ neutron_eswitchd_image_full }}"
     privileged: True
-    enabled: "{{ enable_neutron_mlnx | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3' ] }}"
+    enabled: "{{ enable_neutron_mlnx | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp' ] }}"
     host_in_groups: "{{ inventory_hostname in groups['compute'] }}"
     volumes: "{{ neutron_eswitchd_default_volumes + neutron_eswitchd_extra_volumes }}"
     dimensions: "{{ neutron_eswitchd_dimensions }}"
@@ -118,7 +118,7 @@ neutron_services:
     container_name: "neutron_metadata_agent"
     image: "{{ neutron_metadata_agent_image_full }}"
     privileged: True
-    enabled: "{{ neutron_plugin_agent not in [ 'ovn', 'vmware_nsxv', 'vmware_nsxv3' ] }}"
+    enabled: "{{ neutron_plugin_agent not in [ 'ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp' ] }}"
     host_in_groups: >-
       {{
       inventory_hostname in groups['neutron-metadata-agent']
@@ -140,7 +140,7 @@ neutron_services:
     container_name: "neutron_bgp_dragent"
     image: "{{ neutron_bgp_dragent_image_full }}"
     privileged: True
-    enabled: "{{ enable_neutron_bgp_dragent | bool and neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs'] }}"
+    enabled: "{{ enable_neutron_bgp_dragent | bool and neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] }}"
     group: "neutron-bgp-dragent"
     host_in_groups: "{{ inventory_hostname in groups['neutron-bgp-dragent'] }}"
     volumes: "{{ neutron_bgp_dragent_default_volumes + neutron_bgp_dragent_extra_volumes }}"
@@ -582,6 +582,8 @@ neutron_subprojects:
     enabled: "{{ enable_neutron_bgp_dragent | bool }}"
   - name: "neutron-vpnaas"
     enabled: "{{ enable_neutron_vpnaas | bool }}"
+  - name: "vmware-nsx"
+    enabled: "{{ neutron_plugin_agent in ['vmware_dvs', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp'] }}"
 
 ####################
 # Mechanism drivers
@@ -727,6 +729,19 @@ nsxv3_default_tier0_router: "tier0 router uuid"
 nsxv3_default_vlan_tz: "vlan TZ uuid"
 nsxv3_default_overlay_tz: "overlay TZ uuid"
 
+####################
+# VMware NSXP
+####################
+vmware_nsxp_metadata_proxy: "metadata proxy uuid or name"
+vmware_nsxp_dhcp_profile: "dhcp service uuid or name"
+vmware_nsxp_native_dhcp_metadata: "true"
+vmware_nsxp_api_user: "admin"
+vmware_nsxp_insecure: "True"
+vmware_nsxp_api_managers: "127.0.0.1"
+vmware_nsxp_default_tier0_router: "tier0 router uuid or name"
+vmware_nsxp_default_vlan_tz: "vlan TZ uuid or name"
+vmware_nsxp_default_overlay_tz: "overlay TZ uuid or name"
+
 ####################
 # VMware DVS
 ####################

ansible/roles/neutron/tasks/config.yml

@@ -410,7 +410,7 @@
   when:
     - neutron_server.enabled | bool
     - neutron_server.host_in_groups | bool
-    - neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs']
+    - neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs']
   notify:
     - "Restart {{ service_name }} container"
 

ansible/roles/neutron/templates/neutron-server.json.j2

@@ -1,5 +1,5 @@
 {
-    "command": "neutron-server --config-file /etc/neutron/neutron.conf {% if neutron_plugin_agent in ['openvswitch', 'linuxbridge', 'ovn'] %} --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/neutron_vpnaas.conf {% elif neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs'] %} --config-file /etc/neutron/plugins/vmware/nsx.ini {% endif %}",
+    "command": "neutron-server --config-file /etc/neutron/neutron.conf {% if neutron_plugin_agent in ['openvswitch', 'linuxbridge', 'ovn'] %} --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/neutron_vpnaas.conf {% elif neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] %} --config-file /etc/neutron/plugins/vmware/nsx.ini {% endif %}",
     "config_files": [
         {
             "source": "{{ container_config_directory }}/neutron.conf",
@@ -19,12 +19,11 @@
             "owner": "neutron",
             "perm": "0600"
         },{% endif %}
-{% if neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs'] -%}
+{% if neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] -%}
         {
             "source": "{{ container_config_directory }}/nsx.ini",
             "dest": "/etc/neutron/plugins/vmware/nsx.ini",
             "owner": "neutron",
-            "optional": {{ (neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs']) | string | lower }},
             "perm": "0600"
         },{% endif %}
 {% if check_extra_ml2_plugins is defined and check_extra_ml2_plugins.matched > 0 %}{% for plugin in check_extra_ml2_plugins.files %}

ansible/roles/neutron/templates/neutron.conf.j2

@@ -45,6 +45,9 @@ core_plugin = vmware_nsx.plugin.NsxVPlugin
 {% elif neutron_plugin_agent == 'vmware_nsxv3' %}
 core_plugin = vmware_nsx.plugin.NsxV3Plugin
 dhcp_agent_notification = False
+{% elif neutron_plugin_agent == 'vmware_nsxp' %}
+core_plugin = vmware_nsx.plugin.NsxPolicyPlugin
+dhcp_agent_notification = False
 {% elif neutron_plugin_agent == 'vmware_dvs' %}
 core_plugin = vmware_nsx.plugin.NsxDvsPlugin
 {% else %}
@@ -71,6 +74,8 @@ external_dns_driver = designate
 nsx_extension_drivers = vmware_nsxv_dns
 {% elif neutron_plugin_agent == 'vmware_nsxv3' %}
 nsx_extension_drivers = vmware_nsxv3_dns
+{% elif neutron_plugin_agent == 'vmware_nsxp' %}
+nsx_extension_drivers = vmware_nsxp_dns
 {% elif neutron_plugin_agent == 'vmware_dvs' %}
 nsx_extension_drivers = vmware_dvs_dns
 {% endif %}

ansible/roles/neutron/templates/nsx.ini.j2

@@ -26,6 +26,17 @@ nsx_api_managers = {{ nsxv3_api_managers }}
 default_tier0_router = {{ nsxv3_default_tier0_router }}
 default_vlan_tz = {{ nsxv3_default_vlan_tz }}
 default_overlay_tz = {{ nsxv3_default_overlay_tz }}
+{% elif neutron_plugin_agent == 'vmware_nsxp' %}
+[nsx_p]
+metadata_proxy = {{ vmware_nsxp_metadata_proxy }}
+dhcp_profile = {{ vmware_nsxp_dhcp_profile }}
+native_dhcp_metadata = {{ vmware_nsxp_native_dhcp_metadata }}
+nsx_api_password = {{ vmware_nsxp_api_password }}
+nsx_api_user = {{ vmware_nsxp_api_user }}
+nsx_api_managers = {{ vmware_nsxp_api_managers }}
+default_tier0_router = {{ vmware_nsxp_default_tier0_router }}
+default_vlan_tz = {{ vmware_nsxp_default_vlan_tz }}
+default_overlay_tz = {{ vmware_nsxp_default_overlay_tz }}
 {% elif neutron_plugin_agent == 'vmware_dvs' %}
 [dvs]
 host_ip = {{ vmware_dvs_host_ip }}

ansible/roles/nova-cell/templates/nova.conf.j2

@@ -120,7 +120,7 @@ cafile = {{ openstack_cacert }}
 [neutron]
 metadata_proxy_shared_secret = {{ metadata_secret }}
 service_metadata_proxy = true
-{% if neutron_plugin_agent == 'vmware_nsxv3' %}
+{% if neutron_plugin_agent in ['vmware_nsxv3', 'vmware_nsxp'] %}
 ovs_bridge = {{ ovs_bridge }}
 {% endif %}
 auth_url = {{ keystone_admin_url }}

ansible/roles/nova/templates/nova.conf.j2

@@ -79,9 +79,6 @@ cafile = {{ openstack_cacert }}
 [neutron]
 metadata_proxy_shared_secret = {{ metadata_secret }}
 service_metadata_proxy = true
-{% if neutron_plugin_agent == 'vmware_nsxv3' %}
-ovs_bridge = {{ ovs_bridge }}
-{% endif %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_name }}

doc/source/reference/compute/vmware-guide.rst

@@ -8,8 +8,13 @@ Overview
 ~~~~~~~~
 
 Kolla can deploy the Nova and Neutron Service(s) for VMware vSphere.
-Depending on the network architecture (NsxV or DVS) you choose, Kolla deploys
+Depending on the network architecture (NsxT, NsxV or DVS) you choose,
-the following OpenStack services for VMware vSphere:
+Kolla deploys the following OpenStack services for VMware vSphere:
+
+For VMware NsxT:
+
+* nova-compute
+* neutron-server
 
 For VMware NsxV:
 
@@ -35,6 +40,12 @@ into what vSphere/NSX Manager API can understand. Neutron does
 not directly takes control of the Open vSwitch inside the VMware
 environment but through the API exposed by vSphere/NSX Manager.
 
+.. note::
+
+   VMware NSX plugin is not in the kolla image by default.
+   VMware NSX plugin has to be added in the neutron image and
+   if you are using vmware_dvs also in neutron-dhcp-agent image.
+
 For VMware DVS, the Neutron DHCP agent does not attaches to Open vSwitch inside
 VMware environment, but attach to the Open vSwitch bridge called ``br-dvs`` on
 the OpenStack side and replies to/receives DHCP packets through VLAN. Similar
@@ -46,22 +57,34 @@ bridge and works through VLAN.
    VMware NSX-DVS plugin does not support tenant networks, so all VMs should
    attach to Provider VLAN/Flat networks.
 
-VMware NSX-V
+VMware NSX-T
 ~~~~~~~~~~~~
 
 Preparation
 -----------
 
-You should have a working NSX-V environment, this part is out of scope
+You should have a working NSX-T environment, this part is out of scope
-of Kolla.
+of Kolla. For more information, please see
-For more information, please see `VMware NSX-V documentation <https://docs.vmware.com/en/VMware-NSX-for-vSphere/>`__.
+`VMware NSX-T documentation <https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html/>`__.
+The NSX Manager provides a web-based user interface where you can manage
+your NSX-T environment.
+It also hosts the API server that processes API calls.
+The NSX Manager interface provides two modes for configuring resources:
 
-.. note::
+- Policy mode
+- Manager mode
 
-   In addition, it is important to modify the firewall rule of vSphere to make
+In Kolla you will have the choice between both with neutron plugin
-   sure that VNC is accessible from outside VMware environment.
+vmware_nsxv3 for Manager mode and vmware_nsxp for Policy Mode.
+For more information, please see
+`documentation <https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/installation/GUID-BB26CDC8-2A90-4C7E-9331-643D13FEEC4A.html/>`__.
 
-   On every VMware host, edit ``/etc/vmware/firewall/vnc.xml`` as below:
+------------------------------------------------------------------------------
+
+In addition, it is important to modify the firewall rule of vSphere to make
+sure that VNC is accessible from outside VMware environment.
+
+On every VMware host, edit ``/etc/vmware/firewall/vnc.xml`` as below:
 
 .. code-block:: xml
 
@@ -104,6 +127,155 @@ Verify that the firewall config is applied:
 
    # esxcli network firewall ruleset list
 
+------------------------------------------------------------------------------
+
+Deployment
+----------
+
+The deployment below covers the Policy mode (vmware_nsxp)
+
+Enable VMware nova-compute plugin and NSX-T neutron-server plugin in
+``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+   enable_openvswitch: no
+   nova_compute_virt_type: "vmware"
+   neutron_plugin_agent: "vmware_nsxp"
+
+If you want to set VMware datastore as cinder backend, enable it in
+``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+   enable_cinder: "yes"
+   cinder_backend_vmwarevc_vmdk: "yes"
+   vmware_datastore_name: "TestDatastore"
+
+If you want to set VMware datastore as glance backend, enable it in
+``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+   glance_backend_vmware: "yes"
+   vmware_vcenter_name: "TestDatacenter"
+   vmware_datastore_name: "TestDatastore"
+
+VMware options are required in ``/etc/kolla/globals.yml``, these options should
+be configured correctly according to your NSX-T environment.
+
+Options for ``nova-compute`` and ``ceilometer``:
+
+.. code-block:: yaml
+
+   vmware_vcenter_host_ip: "127.0.0.1"
+   vmware_vcenter_host_username: "admin"
+   vmware_vcenter_cluster_name: "cluster-1"
+   vmware_vcenter_insecure: "True"
+   vmware_vcenter_datastore_regex: ".*"
+
+.. note::
+
+   The VMware vCenter password has to be set in ``/etc/kolla/passwords.yml``.
+
+   .. code-block:: yaml
+
+      vmware_vcenter_host_password: "admin"
+
+Options for Neutron NSX-T support:
+
+.. code-block:: yaml
+
+   vmware_nsxp_api_user: "admin"
+   vmware_nsxp_insecure: true
+   vmware_nsxp_default_tier0_router: "T0-Example"
+   vmware_nsxp_dhcp_profile: "dhcp-profile-example"
+   vmware_nsxp_metadata_proxy: "metadata_proxy-example"
+   vmware_nsxp_api_managers: "nsx-manager.local"
+   vmware_nsxp_default_vlan_tz: "vlan-tz-example"
+   vmware_nsxp_default_overlay_tz: "overlay-tz-example"
+
+.. yaml
+
+.. note::
+
+   If you want to set secure connections to VMware, set ``vmware_vcenter_insecure``
+   to false.
+   Secure connections to vCenter requires a CA file, copy the vCenter CA file to
+   ``/etc/kolla/config/vmware_ca``.
+
+.. note::
+
+   The VMware NSX-T password has to be set in ``/etc/kolla/passwords.yml``.
+
+   .. code-block:: yaml
+
+      vmware_nsxp_api_password: "xxxxx"
+      vmware_nsxp_metadata_proxy_shared_secret: "xxxxx"
+
+Then you should start :command:`kolla-ansible` deployment normally as
+KVM/QEMU deployment.
+
+VMware NSX-V
+~~~~~~~~~~~~
+
+Preparation
+-----------
+
+You should have a working NSX-V environment, this part is out of scope
+of Kolla.
+For more information, please see
+`VMware NSX-V documentation <https://docs.vmware.com/en/VMware-NSX-for-vSphere/>`__.
+
+------------------------------------------------------------------------------
+
+In addition, it is important to modify the firewall rule of vSphere to make
+sure that VNC is accessible from outside VMware environment.
+
+On every VMware host, edit ``/etc/vmware/firewall/vnc.xml`` as below:
+
+.. code-block:: xml
+
+   <!-- FirewallRule for VNC Console -->
+   <ConfigRoot>
+   <service>
+   <id>VNC</id>
+   <rule id = '0000'>
+   <direction>inbound</direction>
+   <protocol>tcp</protocol>
+   <porttype>dst</porttype>
+   <port>
+   <begin>5900</begin>
+   <end>5999</end>
+   </port>
+   </rule>
+   <rule id = '0001'>
+   <direction>outbound</direction>
+   <protocol>tcp</protocol>
+   <porttype>dst</porttype>
+   <port>
+   <begin>0</begin>
+   <end>65535</end>
+   </port>
+   </rule>
+   <enabled>true</enabled>   <required>false</required>
+   </service>
+   </ConfigRoot>
+
+Then refresh the firewall config by:
+
+.. code-block:: console
+
+   # esxcli network firewall refresh
+
+Verify that the firewall config is applied:
+
+.. code-block:: console
+
+   # esxcli network firewall ruleset list
+
+------------------------------------------------------------------------------
+
 Deployment
 ----------
 
@@ -211,7 +383,8 @@ Before deployment, you should have a working VMware vSphere environment.
 Create a cluster and a vSphere Distributed Switch with all the host in the
 cluster attached to it.
 
-For more information, please see `Setting Up Networking with vSphere Distributed Switches <http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.networking.doc/GUID-375B45C7-684C-4C51-BA3C-70E48DFABF04.html>`__.
+For more information, please see
+`Setting Up Networking with vSphere Distributed Switches <http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.networking.doc/GUID-375B45C7-684C-4C51-BA3C-70E48DFABF04.html>`__.
 
 Deployment
 ----------

etc/kolla/globals.yml

@@ -154,8 +154,8 @@
 # addresses for that reason.
 #neutron_external_interface: "eth1"
 
-# Valid options are [ openvswitch, ovn, linuxbridge, vmware_nsxv, vmware_nsxv3, vmware_dvs ]
+# Valid options are [ openvswitch, ovn, linuxbridge, vmware_nsxv, vmware_nsxv3, vmware_nsxp, vmware_dvs ]
-# if vmware_nsxv3 is selected, enable_openvswitch MUST be set to "no" (default is yes)
+# if vmware_nsxv3 or vmware_nsxp is selected, enable_openvswitch MUST be set to "no" (default is yes)
 #neutron_plugin_agent: "openvswitch"
 
 # Valid options are [ internal, infoblox ]

etc/kolla/passwords.yml

@@ -29,6 +29,8 @@ vmware_dvs_host_password:
 vmware_nsxv_password:
 vmware_vcenter_host_password:
 nsxv3_api_password:
+vmware_nsxp_api_password:
+vmware_nsxp_metadata_proxy_shared_secret:
 
 #####################
 # Hitachi NAS support

releasenotes/notes/add-nsxp-support-10a750d077d51ac6.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Add support for the VMware NSX Policy plugin