V2T migration: Fix validation

- Verify that security groups do not have policy - Verify that vlan networks are not attached to routers without gateways. - Do not allow non-dhcp overlay routed subnets if there is a dhcp subnet on the same network. In addition, remove the unexpected quota for sg policy in api-replay. Change-Id: I5ed510a4c1eb8482be6049cf6fabec80a10a8448
2021-02-18 10:51:05 +02:00 · 2021-02-18 10:51:05 +02:00 · 015b426e2c
parent a3ef5afb84
commit 015b426e2c
2 changed files with 47 additions and 7 deletions
--- a/vmware_nsx/api_replay/utils.py
+++ b/vmware_nsx/api_replay/utils.py
@ -64,6 +64,7 @@ class PrepareObjectForMigration(object):
        'tenant_id',
        'project_id',
        'housekeeper',
+        'nsx_policy',
        'l2-gateway-connection']
    drop_router_fields = basic_ignore_fields + [
        'status',
--- a/vmware_nsx/shell/admin/plugins/nsxv/resources/migration.py
+++ b/vmware_nsx/shell/admin/plugins/nsxv/resources/migration.py
@ -129,6 +129,7 @@ def validate_config_for_migration(resource, event, trigger, **kwargs):

            # VXLAN or portgroup provider networks
            net_type = net.get(pnet.NETWORK_TYPE)
+            overlay_net = bool(net_type != c_utils.NsxVNetworkTypes.VLAN)
            if (net_type == c_utils.NsxVNetworkTypes.VXLAN or
                net_type == c_utils.NsxVNetworkTypes.PORTGROUP):
                n_errors = n_errors + 1
@ -147,6 +148,14 @@ def validate_config_for_migration(resource, event, trigger, **kwargs):
                LOG.error("ERROR: Network %s has %s dhcp subnets. Only 1 is "
                          "allowed.", net['id'], n_dhcp_subnets)

+            # Network attached to multiple routers
+            intf_ports = plugin._get_network_interface_ports(
+                admin_context, net['id'])
+            if len(intf_ports) > 1:
+                n_errors = n_errors + 1
+                LOG.error("ERROR: Network %s has interfaces on multiple "
+                          "routers. Only 1 is allowed.", net['id'])
+
            # Subnets overlapping with the transit network
            for subnet in subnets:
                # get the subnet IPs
@ -170,13 +179,20 @@ def validate_config_for_migration(resource, event, trigger, **kwargs):
                                  "network ips: %s.",
                                  subnet['id'], transit_networks)

-            # Network attached to multiple routers
-            intf_ports = plugin._get_network_interface_ports(
-                admin_context, net['id'])
-            if len(intf_ports) > 1:
-                n_errors = n_errors + 1
-                LOG.error("ERROR: Network %s has interfaces on multiple "
-                          "routers. Only 1 is allowed.", net['id'])
+                # Cannot support non-dhcp overlay subnet attached to a router
+                # if there is also a dhcp subnet on the same network
+                if (overlay_net and n_dhcp_subnets > 0 and
+                    not subnet['enable_dhcp']):
+                    # look for a router interface for this subnet
+                    for if_port in intf_ports:
+                        if if_port['fixed_ips']:
+                            if_sub = if_port['fixed_ips'][0]['subnet_id']
+                            if subnet['id'] == if_sub:
+                                n_errors = n_errors + 1
+                                LOG.error("ERROR: Network %s has non-dhcp "
+                                          "subnet attached to a router, and "
+                                          "another dhcp subnet. This is not "
+                                          "allowed.", net['id'])

        # Routers validations:
        routers = plugin.get_routers(admin_context)
@ -195,6 +211,21 @@ def validate_config_for_migration(resource, event, trigger, **kwargs):
                LOG.error("ERROR: Interface network of router %s cannot "
                          "overlap with router GW network", router['id'])

+            # router without external gw cannot be attached to a vlan subnet
+            router_db = plugin._get_router(admin_context, router['id'])
+            if not router_db.gw_port:
+                router_subnets = plugin._load_router_subnet_cidrs_from_db(
+                    admin_context, router['id'])
+                for subnet in router_subnets:
+                    net_id = subnet['network_id']
+                    net = plugin.get_network(admin_context, net_id)
+                    net_type = net.get(pnet.NETWORK_TYPE)
+                    if net_type == c_utils.NsxVNetworkTypes.VLAN:
+                        n_errors = n_errors + 1
+                        LOG.error("ERROR: Vlan network %s cannot be attached "
+                                  "to router %s without a gateway", net_id,
+                                router['id'])
+
        # Octavia loadbalancers validation:
        filters = {'device_owner': [nl_constants.DEVICE_OWNER_LOADBALANCERV2,
                                    oct_const.DEVICE_OWNER_OCTAVIA]}
@ -276,6 +307,14 @@ def validate_config_for_migration(resource, event, trigger, **kwargs):
                    n_errors = n_errors + 1
                    break

+    # Security groups without policies
+    sgs = plugin.get_security_groups(admin_context)
+    for sg in sgs:
+        if plugin._is_policy_security_group(admin_context, sg['id']):
+            LOG.error("ERROR: Security group %s has NSX policy. This is not "
+                      "supported.", sg['id'])
+            n_errors = n_errors + 1
+
    # L2GW is not supported with the policy plugin
    l2gws = admin_context.session.query(l2gateway_models.L2Gateway).all()
    if len(l2gws):