IPv4 support for Policy DHCP depending on the NSX version & on config.
Including devstack support for configuration & cleanup, and admin utility
for migration from MP implementation to Policy one.
IPv6 support will follow in a future patch.
Change-Id: I01bfb5bd530c63ca8b635bbebcac47659187077e
In case using the cleanup with a neutron_db, tier0 logical ports
were not deleted, because the tier0 routers could not be found in
the neutron DB.
Change-Id: I78e6641f2d94331a081bae218a99bbc2973f2540
The policy plugin does not use per-tenant domain any more, so
it should delete objects from the default domain instead.
Change-Id: Ia93d9e1c888105305db880e8166c98a3d2fcad9f
This patch bumps the hacking, bandit and flake8 requirements to match
suit with similar work (ex [1]). It also updates the code to fix a few
new pep8 errors as well as adds a local tox target for
requirements-check-dev.
[1] https://review.opendev.org/#/c/658245/
Change-Id: I6caeb52dc1a5842338ec989a742ae5989608e0da
The NSX backend needs each logical router to have a locale-service
entry, which should also be deleted before the router is deleted.
Change-Id: If64c1b67c19906105b07c6facedf5d07ac36176d
Adding segment profiles to the backend port, including mac learning support,
port security & spoofguard.
In addition - adding the exclude port tag for ports without port security
Change-Id: Ief4a3989316f7b7097c5be6145aae169cde87e8e
Fixing the ID of the rules remote/local NSX groups,
and adding devstack cleanup for those.
In addition, this patch adds try clauses around all cleanup actions,
to make sure the cleanup runs through even if some actions fail.
Change-Id: I9c0d70ceb174dcf8e00ac209e1eedc4afc833cc8
Additional actions will be added with nsxlib support
Depends-on: I10a3f691b33e37e1cd8ec8094f4bfa89d7a96f35
Change-Id: I92fff433646202a0245c1cef9630173fe245a296
Code to support nsx policy in devstack
Change-Id: I41a702c69d8869475e4f6dc9009fd63e88b62a9e
Signed-off-by: Michal Kelner Mishali <mkelnermishal@vmware.com>
Refactor the devstack cleanup script to use nsxlib instead of accessing
the nsxmanager directly.
This patch is needed for the XSRF support.
Change-Id: Ib2e8c4031aae22f97f5a400d9dc5e49a945f7aed
If ports are added to the exclude list directly (not using tags),
they should also be deleted when using devstack cleanup.
Change-Id: Id2bc3690bf11be41a52e6b3301995cd71da0af3b
Commit 3d24d19309f21e698b91385e39edf77e6309135a resulted in
networks not being deleted. This is due to the fact that some
ports on a network may not be stored in the DB. For example
a metadata port.
Change-Id: I192b5b85d99e08989bd68ebef73e592d398edbd4
Firewall sections were not deleted properly causing other objects not
to be deleted too.
Fixed 2 things:
- backend list results do not always have the cursor field
- delete the fw section with cascade instead of deleting each rule.
Change-Id: Ib96ab16cc49e12111e729ead716953c8114fa99c
When certificate storage is nsx-db and nsx_client_cert_pk_password
is provided in configuration, private key will be stored encrypted.
Change-Id: Id0e6f3b614da9eb2381c80d1a76043e38d2d11ee
Client certificate authentication is disabled by default.
To enable client auth, define the following in nsx.ini:
    nsx_use_client_auth = True
    nsx_client_cert_storage = nsx-db
    nsx_client_cert_file = <file to store certificate and private key>
To enable client auth in devstack, define the following in local.conf:
    NSX_USE_CLIENT_CERT_AUTH=True
This commit covers only DB type of cert storage. Barbican storage
and imported cert will be added later. Also planned for near future:
- reload cert from DB if NSX connection fails due to bad cert
- show warning when cert nears expiration
- delete cert file from file system on neutron exit
Change-Id: Ic70a949b740d9149d71187b02640d3071a3e0159
nsxv_cleanup and nsxv3_cleanup scripts are called by unstack.sh and
remove all backend resources, even resources which may have been
created by other devstack deployments using the same backend.
This patch fixes this issue: when calling 'unstack.sh' the script will
only remove backend resources that have a db record; if 'clean.sh' is
called, then the previous behavior is used and all backend resources created
by openstack are removed.
To run the scripts manually, in such a way that only backend resources
with db records are cleaned, one must specify '--db-connection' (e.g -
iniget /etc/neutron/neutron.conf database connection) option so the script can
query the DB.
When '--db-connection' option is not specified then all
backend resources are cleaned.
Change-Id: I2283bdb2758c303a46574296e0067f458a6eefcf
NSX-V3 limits get-list APIs to 1000 objects per page.
Before this commit, unstack.sh would not clean up all objects on backend
if more than 1000 objects were present.
Change-Id: I1c5354e5638ad08538477bbba2483dc67e316f38
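Added example, not part of the commit messages or the project's code: a cursor-following list helper that covers both points made above, the 1000-objects-per-page limit and list results that do not always carry the cursor field. `FakeBackend`, `list_page`, `list_all` and `list_first_page_only` are hypothetical names, and the backend is a constructed stand-in rather than the NSX API or nsxlib.

```python
# Constructed stand-in for a paged list API; not the NSX API or nsxlib.
PAGE_SIZE = 1000  # page limit stated in the commit message


class FakeBackend:
    """Serves a list in pages and omits 'cursor' on the final page."""

    def __init__(self, total):
        self.items = [{"id": "obj-%d" % i} for i in range(total)]

    def list_page(self, cursor=None):
        start = int(cursor) if cursor else 0
        end = start + PAGE_SIZE
        page = {"results": self.items[start:end]}
        if end < len(self.items):
            page["cursor"] = str(end)  # only present when more pages follow
        return page


def list_all(backend, max_pages=10000):
    """Collect every object, following cursors until none is returned."""
    results, cursor = [], None
    for _ in range(max_pages):  # bound the loop against a cursor that never ends
        page = backend.list_page(cursor)
        results.extend(page.get("results", []))
        cursor = page.get("cursor")  # .get(): the field may be absent
        if not cursor:
            return results
    raise RuntimeError("pagination did not terminate")


def list_first_page_only(backend):
    """Shows the symptom: without following the cursor, only one page is seen."""
    return backend.list_page().get("results", [])
```

A cleanup that deletes only what `list_first_page_only` returns leaves everything past the first page on the backend, which is why leftover objects matter on a backend shared between deployments.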
This code adds an extension for policy-id in a security group.
When this feature is enabled (new nsxv config: use_nsx_policies):
- Each security group will be linked to an nsx policy.
- No rules will be added to any of the security groups
- Only admin can edit security groups (depending on the policy.json)
- the default security group will be using the new nsx.ini config
  default_policy_id
Change-Id: Iad5e90245c2f70ed88f65f0c5e6ec46cb2eedbbc
Add a new function to delete backend logical DHCP servers
created via openstack plugin when running devstack cleanup script.
Change-Id: Ib98c036af2d3e065eb73e9855501262aba30641a