NSXv3: Introduce config param to add dhcp switching profile

A new config parameter is introduced in nsx.ini to add the UUID
of the switching profile which will enable DHCP traffic. This profile
will be applied on DHCP ports only, overriding any switch profiles
applied on the backend. This profile must be configured in nsx.ini
if Neutron's DHCP service is to be used.
This profile must be created, out of band, on the NSX backend with
DHCP Server and Client Block disabled.

DocImpact

Change-Id: Iffeead83cbf58e106a284e1b1b142a360eb6dd40
(cherry picked from commit 63a22d0bf3)
Abhishek Raut 2015-08-26 16:08:11 -07:00
parent b8aaf13aef
commit 0c56a0b3b7
5 changed files with 63 additions and 3 deletions


@ -114,6 +114,7 @@ function neutron_plugin_configure_service {
_nsxv3_ini_set insecure $NSX_INSECURE
_nsxv3_ini_set ca_file $NSX_CA_FILE
_nsxv3_ini_set default_bridge_cluster_uuid $DEFAULT_BRIDGE_CLUSTER_UUID
_nsxv3_ini_set default_switching_profile_dhcp_uuid $DEFAULT_SWITCHING_PROFILE_DHCP_UUID
}
function neutron_plugin_setup_interface_driver {


@ -346,3 +346,12 @@
# L2 gateway APIs.
# This field must be specified on one of the active neutron servers only.
# default_bridge_cluster_uuid =
# UUID of the default NSX switching profile to allow DHCP traffic. This will be
# applied on the DHCP ports, if neutron's DHCP service is enabled.
# In order to create the DHCP switching profile, go the NSX manager and perform
# the following steps:
# Create a new Switching Profile of type 'Switch Security'.
# Disable DHCP Client Block and DHCP Server Block options for this profile.
# Save the profile and copy the Switching Profile's UUID below.
# default_switching_profile_dhcp_uuid =
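Review bot: The new comment block does not say what happens when the option is left unset, and it has a typo in "go the NSX manager" (should read "go to the NSX manager"). Going by the warning text added in the plugin, an unset value leaves DHCP ports on the backend's default profile, so the sample could say so: `# If unset, DHCP ports keep the backend default switching profile.` Because the profile is created with DHCP Server Block disabled, it would also help to add `# Use a dedicated profile for this; do not attach it to other ports.`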


@ -203,7 +203,13 @@ nsx_v3_opts = [
'used for verification. This option is ignored if '
'"ca_file" is set.')),
cfg.StrOpt('default_tier0_router_uuid',
help=_("Default tier0 router identifier"))
help=_("Default tier0 router identifier")),
cfg.StrOpt('default_switching_profile_dhcp_uuid',
help=_("UUID of the default NSX switching profile to allow "
"DHCP traffic. This will be applied on the DHCP ports, "
"if neutron's DHCP service is enabled. This profile "
"must be created on the backend, out of band, with DHCP "
"Server/Client Block disabled.")),
]
DEFAULT_STATUS_CHECK_INTERVAL = 2000


@ -71,6 +71,7 @@ class SwitchingProfileTypes(object):
PORT_MIRRORING = 'PortMirroringSwitchingProfile'
QOS = 'QosSwitchingProfile'
SPOOF_GUARD = 'SpoofGuardSwitchingProfile'
SWITCH_SECURITY = 'SwitchSecuritySwitchingProfile'
class WhiteListAddressTypes(object):


@ -125,8 +125,10 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
self._psec_profile = self._init_port_security_profile()
if not self._psec_profile:
msg = (_("Unable to initialize NSX v3 port spoofguard "
"switching profile: %s") % NSX_V3_PSEC_PROFILE_NAME)
"switching profile: %s") % NSX_V3_PSEC_PROFILE_NAME)
raise nsx_exc.NsxPluginException(msg)
LOG.debug("Initializing NSX v3 DHCP switching profile")
self._dhcp_profile = self._init_dhcp_switching_profile()
self._unsubscribe_callback_events()
def _unsubscribe_callback_events(self):
@ -138,6 +140,39 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
resources.PORT,
events.BEFORE_DELETE)
def _validate_dhcp_profile(self, dhcp_profile_uuid):
dhcp_profile = self._switching_profiles.get(dhcp_profile_uuid)
if (dhcp_profile.get('resource_type') !=
nsx_resources.SwitchingProfileTypes.SWITCH_SECURITY):
msg = _("Invalid configuration on the backend for DHCP "
"switching profile %s. Switching Profile must be of type "
"'Switch Security'") % dhcp_profile_uuid
raise n_exc.InvalidInput(error_message=msg)
dhcp_filter = dhcp_profile.get('dhcp_filter')
if (not dhcp_filter or dhcp_filter.get('client_block_enabled') or
dhcp_filter.get('server_block_enabled')):
msg = _("Invalid configuration on the backend for DHCP "
"switching profile %s. DHCP Server Block and Client Block "
"must be disabled") % dhcp_profile_uuid
raise n_exc.InvalidInput(error_message=msg)
def _init_dhcp_switching_profile(self):
dhcp_profile_uuid = cfg.CONF.nsx_v3.default_switching_profile_dhcp_uuid
if not dhcp_profile_uuid:
LOG.warning(_LW("Switching profile for DHCP ports not configured "
"in the config file."))
return
if not uuidutils.is_uuid_like(dhcp_profile_uuid):
LOG.warning(_LW("default_switching_profile_dhcp_uuid: %s. DHCP "
"profile must be configured with a UUID"),
dhcp_profile_uuid)
return
self._validate_dhcp_profile(dhcp_profile_uuid)
return nsx_resources.SwitchingProfileTypeId(
profile_type=(nsx_resources.SwitchingProfileTypes.
SWITCH_SECURITY),
profile_id=dhcp_profile_uuid)
def _get_port_security_profile_id(self):
return nsx_resources.SwitchingProfile.build_switch_profile_ids(
self._switching_profiles, self._get_port_security_profile())[0]
@ -503,9 +538,17 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
vif_uuid = port_data.get('device_id')
attachment_type = port_data.get('device_owner')
profiles = None
profiles = []
if psec_is_on:
profiles = [self._get_port_security_profile_id()]
if port_data.get('device_owner') == const.DEVICE_OWNER_DHCP:
if self._dhcp_profile:
profiles.append(self._dhcp_profile)
else:
LOG.warning(_LW("No DHCP switching profile configured in the "
"config file. DHCP port: %s configured with "
"default profile on the backend"),
port_data['id'])
result = self._port_client.create(
port_data['network_id'], vif_uuid,
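Review bot: In `_init_dhcp_switching_profile`, a value that fails `uuidutils.is_uuid_like` is only logged and the method returns None, whereas a well-formed UUID that points at the wrong kind of profile raises `InvalidInput` from `_validate_dhcp_profile`. A typo in nsx.ini therefore starts the plugin with no DHCP profile, and every DHCP port falls back to the backend default. Consider failing in that branch as well, e.g. `raise n_exc.InvalidInput(error_message=msg)`, and keeping the warning only for the unset case. Separately, the port-creation hunk attaches the profile with DHCP Server/Client Block disabled whenever `port_data.get('device_owner') == const.DEVICE_OWNER_DHCP`; if `device_owner` can be supplied by the API caller, this relaxation depends on API policy restricting who may set that value, which deserves a comment at that check. The enclosing port-creation method starts and ends outside the hunk.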