x
/
vmware-nsx
Code Issues Proposed changes

MP2P migration: Add pre migration check 

Before starting the migration, check for unsupported configurations
that will fail the migration.
Currently those include:
- Tier0 with BGP disabled and BGP rules
- DFW/Edge firewall sections witl 1500 rules or more

Change-Id: I702417c287b629844f2b8e1adda98b137e1ee9ff
This commit is contained in:
asarfaty 2020-06-29 13:21:01 +02:00 committed by Adit Sarfaty
parent 8ad6232458
commit 4955b3514e
1 changed files with 67 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
vmware_nsx/shell/admin/plugins/nsxv3/resources/migration.py
View File

@ -388,9 +388,13 @@ def get_configured_values(plugin, az_attribute):
return values return values
def get_neurton_tier0s(plugin):
return get_configured_values(plugin, '_default_tier0_router')
def migrate_tier0s(nsxlib, nsxpolicy, plugin): def migrate_tier0s(nsxlib, nsxpolicy, plugin):
# First prepare a list of neutron related tier0s from the config # First prepare a list of neutron related tier0s from the config
neutron_t0s = get_configured_values(plugin, '_default_tier0_router') neutron_t0s = get_neurton_tier0s(plugin)
# Add tier0s used specifically in external networks # Add tier0s used specifically in external networks
ctx = context.get_admin_context() ctx = context.get_admin_context()
with ctx.session.begin(subtransactions=True): with ctx.session.begin(subtransactions=True):
@ -852,6 +856,16 @@ def migrate_groups(nsxlib, nsxpolicy):
migrate_resource(nsxlib, 'NS_GROUP', entries, MIGRATE_LIMIT_NS_GROUP) migrate_resource(nsxlib, 'NS_GROUP', entries, MIGRATE_LIMIT_NS_GROUP)
def dfw_migration_cond(resource):
return (resource.get('enforced_on') == 'VIF' and
resource.get('category') == 'Default' and
resource.get('section_type') == 'LAYER3' and
not resource.get('is_default') and
# Migrate only DFW sections only and no edge FW sections
'applied_tos' in resource and
resource['applied_tos'][0].get('target_type', '') == 'NSGroup')
def migrate_dfw_sections(nsxlib, nsxpolicy, plugin): def migrate_dfw_sections(nsxlib, nsxpolicy, plugin):
def get_policy_id_callback(res, policy_id): def get_policy_id_callback(res, policy_id):
# In case of plugin init section: give it the id the policy plugin # In case of plugin init section: give it the id the policy plugin
@ -862,14 +876,6 @@ def migrate_dfw_sections(nsxlib, nsxpolicy, plugin):
return policy_id return policy_id
def cond(resource):
return (resource.get('enforced_on') == 'VIF' and
resource.get('category') == 'Default' and
resource.get('section_type') == 'LAYER3' and
not resource.get('is_default') and
# Migrate only DFW sections only and no edge FW sections
resource['applied_tos'][0].get('target_type', '') == 'NSGroup')
def add_metadata(entry, policy_id, resource): def add_metadata(entry, policy_id, resource):
# Add category, sequence, domain, and rule ids # Add category, sequence, domain, and rule ids
ctx = context.get_admin_context() ctx = context.get_admin_context()
@ -913,7 +919,7 @@ def migrate_dfw_sections(nsxlib, nsxpolicy, plugin):
entries = get_resource_migration_data( entries = get_resource_migration_data(
nsxlib.firewall_section, nsxlib.firewall_section,
['os-neutron-secgr-id', 'os-neutron-id'], ['os-neutron-secgr-id', 'os-neutron-id'],
'DFW_SECTION', resource_condition=cond, 'DFW_SECTION', resource_condition=dfw_migration_cond,
policy_resource_get=get_policy_section, policy_resource_get=get_policy_section,
policy_id_callback=get_policy_id_callback, policy_id_callback=get_policy_id_callback,
metadata_callback=add_metadata) metadata_callback=add_metadata)
@ -1041,6 +1047,13 @@ def migrate_lb_services(nsxlib, nsxpolicy):
MIGRATE_LIMIT_LB_SERVICE) MIGRATE_LIMIT_LB_SERVICE)
def edge_firewall_migration_cond(resource):
return (resource.get('display_name') == 'Default LR Layer3 Section' and
resource.get('enforced_on') == 'LOGICALROUTER' and
resource.get('category') == 'Default' and
resource.get('section_type') == 'LAYER3')
def migrate_fwaas_resources(nsxlib, nsxpolicy, migrated_routers): def migrate_fwaas_resources(nsxlib, nsxpolicy, migrated_routers):
def get_policy_id_callback(res, policy_id): def get_policy_id_callback(res, policy_id):
# Policy id should be the Policy tier1 id (=neutron id) # Policy id should be the Policy tier1 id (=neutron id)
@ -1051,10 +1064,7 @@ def migrate_fwaas_resources(nsxlib, nsxpolicy, migrated_routers):
def cond(resource): def cond(resource):
# Migrate only Edge firewalls related to the migrated tier1s # Migrate only Edge firewalls related to the migrated tier1s
return (resource.get('display_name') == 'Default LR Layer3 Section' and return (edge_firewall_migration_cond(resource) and
resource.get('enforced_on') == 'LOGICALROUTER' and
resource.get('category') == 'Default' and
resource.get('section_type') == 'LAYER3' and
resource['applied_tos'][0].get( resource['applied_tos'][0].get(
'target_id', '') in migrated_routers) 'target_id', '') in migrated_routers)
@ -1197,8 +1207,9 @@ def _delete_segment_profiles_bindings(nsxpolicy, segment_id):
def post_migration_actions(nsxlib, nsxpolicy, plugin): def post_migration_actions(nsxlib, nsxpolicy, plugin):
# Update created policy resources that does not match the policy plugins' """Update created policy resources that does not match the policy plugins'
# expectations expectations.
"""
LOG.info("Starting post-migration actions") LOG.info("Starting post-migration actions")
ctx = context.get_admin_context() ctx = context.get_admin_context()
@ -1329,6 +1340,39 @@ def post_migration_actions(nsxlib, nsxpolicy, plugin):
LOG.info("Post-migration actions done.") LOG.info("Post-migration actions done.")
def pre_migration_checks(nsxlib, plugin):
"""Check for unsupported configuration that will block the migration
"""
# Tier0 with disabled BGP config
neutron_t0s = get_neurton_tier0s(plugin)
for tier0 in neutron_t0s:
bgp_conf = nsxlib.logical_router.get_bgp_config(tier0)
if not bgp_conf['enabled']:
# Verify there are no neighbors configured
if nsxlib.logical_router.get_bgp_neighbors(tier0)['result_count']:
LOG.error("Pre migration check failed: Tier0 %s has BGP "
"neighbors but BGP is disabled. Please remove the "
"neighbors or enable BGP and try again.", tier0)
return False
# Firewall section with too many rules
fw_sections = nsxlib.firewall_section.list()
for section in fw_sections:
if (dfw_migration_cond(section) or
edge_firewall_migration_cond(section)):
n_rules = nsxlib.firewall_section.get_rules(
section['id'])['result_count']
if n_rules >= MIGRATE_LIMIT_SECTION_AND_RULES:
LOG.error("Pre migration check failed: Firewall section %s "
"has %s rules and cannot be migrated. Please make "
"sure each section has less than %s rules and try "
"again.", section['id'], n_rules,
MIGRATE_LIMIT_SECTION_AND_RULES)
return False
return True
@admin_utils.output_header @admin_utils.output_header
def t_2_p_migration(resource, event, trigger, **kwargs): def t_2_p_migration(resource, event, trigger, **kwargs):
"""Migrate NSX resources and neutron DB from NSX-T (MP) to Policy""" """Migrate NSX resources and neutron DB from NSX-T (MP) to Policy"""
@ -1378,8 +1422,13 @@ def t_2_p_migration(resource, event, trigger, **kwargs):
conf_path=cfg.CONF.nsx_v3) conf_path=cfg.CONF.nsx_v3)
with utils.NsxV3PluginWrapper(verbose=verbose) as plugin: with utils.NsxV3PluginWrapper(verbose=verbose) as plugin:
res = migrate_t_resources_2_p(nsxlib, nsxpolicy, plugin) if not pre_migration_checks(nsxlib, plugin):
if not res: # Failed
LOG.error("T2P migration cannot run. Please fix the configuration "
"and try again\n\n")
return
if not migrate_t_resources_2_p(nsxlib, nsxpolicy, plugin):
# Failed # Failed
LOG.error("T2P migration failed. Aborting\n\n") LOG.error("T2P migration failed. Aborting\n\n")
return return