MP2P migration: Add pre migration check
Before starting the migration, check for unsupported configurations that will fail the migration. Currently those include: - Tier0 with BGP disabled and BGP rules - DFW/Edge firewall sections witl 1500 rules or more Change-Id: I702417c287b629844f2b8e1adda98b137e1ee9ff
This commit is contained in:
parent
8ad6232458
commit
4955b3514e
|
@ -388,9 +388,13 @@ def get_configured_values(plugin, az_attribute):
|
||||||
return values
|
return values
|
||||||
|
|
||||||
|
|
||||||
|
def get_neurton_tier0s(plugin):
|
||||||
|
return get_configured_values(plugin, '_default_tier0_router')
|
||||||
|
|
||||||
|
|
||||||
def migrate_tier0s(nsxlib, nsxpolicy, plugin):
|
def migrate_tier0s(nsxlib, nsxpolicy, plugin):
|
||||||
# First prepare a list of neutron related tier0s from the config
|
# First prepare a list of neutron related tier0s from the config
|
||||||
neutron_t0s = get_configured_values(plugin, '_default_tier0_router')
|
neutron_t0s = get_neurton_tier0s(plugin)
|
||||||
# Add tier0s used specifically in external networks
|
# Add tier0s used specifically in external networks
|
||||||
ctx = context.get_admin_context()
|
ctx = context.get_admin_context()
|
||||||
with ctx.session.begin(subtransactions=True):
|
with ctx.session.begin(subtransactions=True):
|
||||||
|
@ -852,6 +856,16 @@ def migrate_groups(nsxlib, nsxpolicy):
|
||||||
migrate_resource(nsxlib, 'NS_GROUP', entries, MIGRATE_LIMIT_NS_GROUP)
|
migrate_resource(nsxlib, 'NS_GROUP', entries, MIGRATE_LIMIT_NS_GROUP)
|
||||||
|
|
||||||
|
|
||||||
|
def dfw_migration_cond(resource):
|
||||||
|
return (resource.get('enforced_on') == 'VIF' and
|
||||||
|
resource.get('category') == 'Default' and
|
||||||
|
resource.get('section_type') == 'LAYER3' and
|
||||||
|
not resource.get('is_default') and
|
||||||
|
# Migrate only DFW sections only and no edge FW sections
|
||||||
|
'applied_tos' in resource and
|
||||||
|
resource['applied_tos'][0].get('target_type', '') == 'NSGroup')
|
||||||
|
|
||||||
|
|
||||||
def migrate_dfw_sections(nsxlib, nsxpolicy, plugin):
|
def migrate_dfw_sections(nsxlib, nsxpolicy, plugin):
|
||||||
def get_policy_id_callback(res, policy_id):
|
def get_policy_id_callback(res, policy_id):
|
||||||
# In case of plugin init section: give it the id the policy plugin
|
# In case of plugin init section: give it the id the policy plugin
|
||||||
|
@ -862,14 +876,6 @@ def migrate_dfw_sections(nsxlib, nsxpolicy, plugin):
|
||||||
|
|
||||||
return policy_id
|
return policy_id
|
||||||
|
|
||||||
def cond(resource):
|
|
||||||
return (resource.get('enforced_on') == 'VIF' and
|
|
||||||
resource.get('category') == 'Default' and
|
|
||||||
resource.get('section_type') == 'LAYER3' and
|
|
||||||
not resource.get('is_default') and
|
|
||||||
# Migrate only DFW sections only and no edge FW sections
|
|
||||||
resource['applied_tos'][0].get('target_type', '') == 'NSGroup')
|
|
||||||
|
|
||||||
def add_metadata(entry, policy_id, resource):
|
def add_metadata(entry, policy_id, resource):
|
||||||
# Add category, sequence, domain, and rule ids
|
# Add category, sequence, domain, and rule ids
|
||||||
ctx = context.get_admin_context()
|
ctx = context.get_admin_context()
|
||||||
|
@ -913,7 +919,7 @@ def migrate_dfw_sections(nsxlib, nsxpolicy, plugin):
|
||||||
entries = get_resource_migration_data(
|
entries = get_resource_migration_data(
|
||||||
nsxlib.firewall_section,
|
nsxlib.firewall_section,
|
||||||
['os-neutron-secgr-id', 'os-neutron-id'],
|
['os-neutron-secgr-id', 'os-neutron-id'],
|
||||||
'DFW_SECTION', resource_condition=cond,
|
'DFW_SECTION', resource_condition=dfw_migration_cond,
|
||||||
policy_resource_get=get_policy_section,
|
policy_resource_get=get_policy_section,
|
||||||
policy_id_callback=get_policy_id_callback,
|
policy_id_callback=get_policy_id_callback,
|
||||||
metadata_callback=add_metadata)
|
metadata_callback=add_metadata)
|
||||||
|
@ -1041,6 +1047,13 @@ def migrate_lb_services(nsxlib, nsxpolicy):
|
||||||
MIGRATE_LIMIT_LB_SERVICE)
|
MIGRATE_LIMIT_LB_SERVICE)
|
||||||
|
|
||||||
|
|
||||||
|
def edge_firewall_migration_cond(resource):
|
||||||
|
return (resource.get('display_name') == 'Default LR Layer3 Section' and
|
||||||
|
resource.get('enforced_on') == 'LOGICALROUTER' and
|
||||||
|
resource.get('category') == 'Default' and
|
||||||
|
resource.get('section_type') == 'LAYER3')
|
||||||
|
|
||||||
|
|
||||||
def migrate_fwaas_resources(nsxlib, nsxpolicy, migrated_routers):
|
def migrate_fwaas_resources(nsxlib, nsxpolicy, migrated_routers):
|
||||||
def get_policy_id_callback(res, policy_id):
|
def get_policy_id_callback(res, policy_id):
|
||||||
# Policy id should be the Policy tier1 id (=neutron id)
|
# Policy id should be the Policy tier1 id (=neutron id)
|
||||||
|
@ -1051,10 +1064,7 @@ def migrate_fwaas_resources(nsxlib, nsxpolicy, migrated_routers):
|
||||||
|
|
||||||
def cond(resource):
|
def cond(resource):
|
||||||
# Migrate only Edge firewalls related to the migrated tier1s
|
# Migrate only Edge firewalls related to the migrated tier1s
|
||||||
return (resource.get('display_name') == 'Default LR Layer3 Section' and
|
return (edge_firewall_migration_cond(resource) and
|
||||||
resource.get('enforced_on') == 'LOGICALROUTER' and
|
|
||||||
resource.get('category') == 'Default' and
|
|
||||||
resource.get('section_type') == 'LAYER3' and
|
|
||||||
resource['applied_tos'][0].get(
|
resource['applied_tos'][0].get(
|
||||||
'target_id', '') in migrated_routers)
|
'target_id', '') in migrated_routers)
|
||||||
|
|
||||||
|
@ -1197,8 +1207,9 @@ def _delete_segment_profiles_bindings(nsxpolicy, segment_id):
|
||||||
|
|
||||||
|
|
||||||
def post_migration_actions(nsxlib, nsxpolicy, plugin):
|
def post_migration_actions(nsxlib, nsxpolicy, plugin):
|
||||||
# Update created policy resources that does not match the policy plugins'
|
"""Update created policy resources that does not match the policy plugins'
|
||||||
# expectations
|
expectations.
|
||||||
|
"""
|
||||||
LOG.info("Starting post-migration actions")
|
LOG.info("Starting post-migration actions")
|
||||||
ctx = context.get_admin_context()
|
ctx = context.get_admin_context()
|
||||||
|
|
||||||
|
@ -1329,6 +1340,39 @@ def post_migration_actions(nsxlib, nsxpolicy, plugin):
|
||||||
LOG.info("Post-migration actions done.")
|
LOG.info("Post-migration actions done.")
|
||||||
|
|
||||||
|
|
||||||
|
def pre_migration_checks(nsxlib, plugin):
|
||||||
|
"""Check for unsupported configuration that will block the migration
|
||||||
|
"""
|
||||||
|
# Tier0 with disabled BGP config
|
||||||
|
neutron_t0s = get_neurton_tier0s(plugin)
|
||||||
|
for tier0 in neutron_t0s:
|
||||||
|
bgp_conf = nsxlib.logical_router.get_bgp_config(tier0)
|
||||||
|
if not bgp_conf['enabled']:
|
||||||
|
# Verify there are no neighbors configured
|
||||||
|
if nsxlib.logical_router.get_bgp_neighbors(tier0)['result_count']:
|
||||||
|
LOG.error("Pre migration check failed: Tier0 %s has BGP "
|
||||||
|
"neighbors but BGP is disabled. Please remove the "
|
||||||
|
"neighbors or enable BGP and try again.", tier0)
|
||||||
|
return False
|
||||||
|
|
||||||
|
# Firewall section with too many rules
|
||||||
|
fw_sections = nsxlib.firewall_section.list()
|
||||||
|
for section in fw_sections:
|
||||||
|
if (dfw_migration_cond(section) or
|
||||||
|
edge_firewall_migration_cond(section)):
|
||||||
|
n_rules = nsxlib.firewall_section.get_rules(
|
||||||
|
section['id'])['result_count']
|
||||||
|
if n_rules >= MIGRATE_LIMIT_SECTION_AND_RULES:
|
||||||
|
LOG.error("Pre migration check failed: Firewall section %s "
|
||||||
|
"has %s rules and cannot be migrated. Please make "
|
||||||
|
"sure each section has less than %s rules and try "
|
||||||
|
"again.", section['id'], n_rules,
|
||||||
|
MIGRATE_LIMIT_SECTION_AND_RULES)
|
||||||
|
return False
|
||||||
|
|
||||||
|
return True
|
||||||
|
|
||||||
|
|
||||||
@admin_utils.output_header
|
@admin_utils.output_header
|
||||||
def t_2_p_migration(resource, event, trigger, **kwargs):
|
def t_2_p_migration(resource, event, trigger, **kwargs):
|
||||||
"""Migrate NSX resources and neutron DB from NSX-T (MP) to Policy"""
|
"""Migrate NSX resources and neutron DB from NSX-T (MP) to Policy"""
|
||||||
|
@ -1378,8 +1422,13 @@ def t_2_p_migration(resource, event, trigger, **kwargs):
|
||||||
conf_path=cfg.CONF.nsx_v3)
|
conf_path=cfg.CONF.nsx_v3)
|
||||||
|
|
||||||
with utils.NsxV3PluginWrapper(verbose=verbose) as plugin:
|
with utils.NsxV3PluginWrapper(verbose=verbose) as plugin:
|
||||||
res = migrate_t_resources_2_p(nsxlib, nsxpolicy, plugin)
|
if not pre_migration_checks(nsxlib, plugin):
|
||||||
if not res:
|
# Failed
|
||||||
|
LOG.error("T2P migration cannot run. Please fix the configuration "
|
||||||
|
"and try again\n\n")
|
||||||
|
return
|
||||||
|
|
||||||
|
if not migrate_t_resources_2_p(nsxlib, nsxpolicy, plugin):
|
||||||
# Failed
|
# Failed
|
||||||
LOG.error("T2P migration failed. Aborting\n\n")
|
LOG.error("T2P migration failed. Aborting\n\n")
|
||||||
return
|
return
|
||||||
|
|
Loading…
Reference in New Issue