Browse Source

MP2P migration: Add pre migration check

Before starting the migration, check for unsupported configurations
that will fail the migration.
Currently those include:
- Tier0 with BGP disabled and BGP rules
- DFW/Edge firewall sections witl 1500 rules or more

Change-Id: I702417c287b629844f2b8e1adda98b137e1ee9ff
changes/58/738558/1
asarfaty 1 week ago
committed by Adit Sarfaty
parent
commit
cac5816740
1 changed files with 67 additions and 18 deletions
  1. +67
    -18
      vmware_nsx/shell/admin/plugins/nsxv3/resources/migration.py

+ 67
- 18
vmware_nsx/shell/admin/plugins/nsxv3/resources/migration.py View File

@@ -388,9 +388,13 @@ def get_configured_values(plugin, az_attribute):
return values


def get_neurton_tier0s(plugin):
return get_configured_values(plugin, '_default_tier0_router')


def migrate_tier0s(nsxlib, nsxpolicy, plugin):
# First prepare a list of neutron related tier0s from the config
neutron_t0s = get_configured_values(plugin, '_default_tier0_router')
neutron_t0s = get_neurton_tier0s(plugin)
# Add tier0s used specifically in external networks
ctx = context.get_admin_context()
with ctx.session.begin(subtransactions=True):
@@ -852,6 +856,16 @@ def migrate_groups(nsxlib, nsxpolicy):
migrate_resource(nsxlib, 'NS_GROUP', entries, MIGRATE_LIMIT_NS_GROUP)


def dfw_migration_cond(resource):
return (resource.get('enforced_on') == 'VIF' and
resource.get('category') == 'Default' and
resource.get('section_type') == 'LAYER3' and
not resource.get('is_default') and
# Migrate only DFW sections only and no edge FW sections
'applied_tos' in resource and
resource['applied_tos'][0].get('target_type', '') == 'NSGroup')


def migrate_dfw_sections(nsxlib, nsxpolicy, plugin):
def get_policy_id_callback(res, policy_id):
# In case of plugin init section: give it the id the policy plugin
@@ -862,14 +876,6 @@ def migrate_dfw_sections(nsxlib, nsxpolicy, plugin):

return policy_id

def cond(resource):
return (resource.get('enforced_on') == 'VIF' and
resource.get('category') == 'Default' and
resource.get('section_type') == 'LAYER3' and
not resource.get('is_default') and
# Migrate only DFW sections only and no edge FW sections
resource['applied_tos'][0].get('target_type', '') == 'NSGroup')

def add_metadata(entry, policy_id, resource):
# Add category, sequence, domain, and rule ids
ctx = context.get_admin_context()
@@ -913,7 +919,7 @@ def migrate_dfw_sections(nsxlib, nsxpolicy, plugin):
entries = get_resource_migration_data(
nsxlib.firewall_section,
['os-neutron-secgr-id', 'os-neutron-id'],
'DFW_SECTION', resource_condition=cond,
'DFW_SECTION', resource_condition=dfw_migration_cond,
policy_resource_get=get_policy_section,
policy_id_callback=get_policy_id_callback,
metadata_callback=add_metadata)
@@ -1041,6 +1047,13 @@ def migrate_lb_services(nsxlib, nsxpolicy):
MIGRATE_LIMIT_LB_SERVICE)


def edge_firewall_migration_cond(resource):
return (resource.get('display_name') == 'Default LR Layer3 Section' and
resource.get('enforced_on') == 'LOGICALROUTER' and
resource.get('category') == 'Default' and
resource.get('section_type') == 'LAYER3')


def migrate_fwaas_resources(nsxlib, nsxpolicy, migrated_routers):
def get_policy_id_callback(res, policy_id):
# Policy id should be the Policy tier1 id (=neutron id)
@@ -1051,10 +1064,7 @@ def migrate_fwaas_resources(nsxlib, nsxpolicy, migrated_routers):

def cond(resource):
# Migrate only Edge firewalls related to the migrated tier1s
return (resource.get('display_name') == 'Default LR Layer3 Section' and
resource.get('enforced_on') == 'LOGICALROUTER' and
resource.get('category') == 'Default' and
resource.get('section_type') == 'LAYER3' and
return (edge_firewall_migration_cond(resource) and
resource['applied_tos'][0].get(
'target_id', '') in migrated_routers)

@@ -1197,8 +1207,9 @@ def _delete_segment_profiles_bindings(nsxpolicy, segment_id):


def post_migration_actions(nsxlib, nsxpolicy, plugin):
# Update created policy resources that does not match the policy plugins'
# expectations
"""Update created policy resources that does not match the policy plugins'
expectations.
"""
LOG.info("Starting post-migration actions")
ctx = context.get_admin_context()

@@ -1329,6 +1340,39 @@ def post_migration_actions(nsxlib, nsxpolicy, plugin):
LOG.info("Post-migration actions done.")


def pre_migration_checks(nsxlib, plugin):
"""Check for unsupported configuration that will block the migration
"""
# Tier0 with disabled BGP config
neutron_t0s = get_neurton_tier0s(plugin)
for tier0 in neutron_t0s:
bgp_conf = nsxlib.logical_router.get_bgp_config(tier0)
if not bgp_conf['enabled']:
# Verify there are no neighbors configured
if nsxlib.logical_router.get_bgp_neighbors(tier0)['result_count']:
LOG.error("Pre migration check failed: Tier0 %s has BGP "
"neighbors but BGP is disabled. Please remove the "
"neighbors or enable BGP and try again.", tier0)
return False

# Firewall section with too many rules
fw_sections = nsxlib.firewall_section.list()
for section in fw_sections:
if (dfw_migration_cond(section) or
edge_firewall_migration_cond(section)):
n_rules = nsxlib.firewall_section.get_rules(
section['id'])['result_count']
if n_rules >= MIGRATE_LIMIT_SECTION_AND_RULES:
LOG.error("Pre migration check failed: Firewall section %s "
"has %s rules and cannot be migrated. Please make "
"sure each section has less than %s rules and try "
"again.", section['id'], n_rules,
MIGRATE_LIMIT_SECTION_AND_RULES)
return False

return True


@admin_utils.output_header
def t_2_p_migration(resource, event, trigger, **kwargs):
"""Migrate NSX resources and neutron DB from NSX-T (MP) to Policy"""
@@ -1378,8 +1422,13 @@ def t_2_p_migration(resource, event, trigger, **kwargs):
conf_path=cfg.CONF.nsx_v3)

with utils.NsxV3PluginWrapper(verbose=verbose) as plugin:
res = migrate_t_resources_2_p(nsxlib, nsxpolicy, plugin)
if not res:
if not pre_migration_checks(nsxlib, plugin):
# Failed
LOG.error("T2P migration cannot run. Please fix the configuration "
"and try again\n\n")
return

if not migrate_t_resources_2_p(nsxlib, nsxpolicy, plugin):
# Failed
LOG.error("T2P migration failed. Aborting\n\n")
return


Loading…
Cancel
Save