365 Commits

Author SHA1 Message Date
Kobi Samoray
4be41bb4b4 NSXv: Cleanup redundant FW rules from VDR
Change-Id: Ida99b5793e9537b581e562fa329d0dc880fc3621
2019-08-28 17:55:38 +03:00
Adit Sarfaty
0705f382dc NSX|P: Remove warning logs from admin utilities
Change-Id: Ieec32145af8544c87c10d24696937d72e3426cdf
2019-07-31 06:35:26 +00:00
Zuul
32484dd503 Merge "NSX|P Add admin utility usage information" 2019-07-22 09:42:24 +00:00
Adit Sarfaty
69f7c89658 TVD: Add log messages to admin utility
Change-Id: Ie7cd7449343a8c80307d3c1109aeb2ba54b4a13a
2019-07-21 11:53:59 +03:00
Adit Sarfaty
7cfcd5c97f NSX|P Add admin utility usage information
Change-Id: I115c0cef979df689c9b21a783887a7a81961a84c
2019-07-21 11:45:21 +03:00
Adit Sarfaty
e2a5007884 NSX|V3+P: Admin utility to replace tier0
Replace an old tier0 (that might have been deleted) with a new one
Usage:
nsxadmin -r routers -o  update-tier0  --property old-tier0=<id>
                                      --property new-tier0=<id>

Change-Id: I83200508b827586cb0a404f43ac7ec23966d1675
2019-07-15 14:10:35 +03:00
Anna Khmelnitsky
e7914520ba NSX|P: Add control over realization interval
Admin util can set realization and purge cycle interval on
policy appliance

Depends-on: Ie60e3a04980ae9d6a747f80497168e923f119824
Change-Id: I91be76d8cd2741ec36f5f80529cd295a3ee6addb
2019-07-15 06:04:53 +00:00
Adit Sarfaty
905310e2fc api_replay for migration into the policy plugin
- Add api replay support in the policy plugin
- Move some api_replay common code to the common_v3 plugin
- Add support for availability zones in the api_replay

Change-Id: Idb376e2d8c0b24f2fea5f051af2191f77831803c
2019-07-10 15:32:02 +00:00
Boden R
5362c65416 update bandit, hacking and flake8 requirements
This patch bumps the hacking, bandit and flake8 requirements to match
suit with similar work (ex [1]). It also updates the code to fix a few
new pep8 errors as well as adds a local tox target for
requirements-check-dev.

[1] https://review.opendev.org/#/c/658245/

Change-Id: I6caeb52dc1a5842338ec989a742ae5989608e0da
2019-05-31 08:42:37 -06:00
Adit Sarfaty
d753ec6945 Remove neutron-lbaas support & dependencies
Commit Ia4f4b335295c0e6add79fe0db5dd31b4327fdb54 removed all the
neutron-lbaas code from the master (Train) branch

Change-Id: I9035f6238773aad0591436c856550b7a5e01e687
2019-05-19 11:16:45 +03:00
Zuul
451a871b03 Merge "NSX|V: Fix metadata admin utility from missing config" 2019-05-16 11:38:14 +00:00
Adit Sarfaty
f7ad7929d3 NSX|V: Fix metadata admin utility from missing config
Change-Id: I1887f07426b26c03e4a85b45d97120ab01d35835
2019-05-13 14:43:39 +03:00
Adit Sarfaty
c479499f97 NSX|V3: Admin utility for reusing existing default section
To support the case of 2 installations on the same NSX backend,
the newer installation should reuse the default OS section & NS group.

Usage:
nsxadmin -r firewall-sections -o reuse

Change-Id: I0e187cea6ffa9ca3cdb6d215530426e611c8ae20
2019-05-13 07:52:47 +03:00
Kobi Samoray
7a39f6f524 NSXv: Resolve FWaaS-LBaaS conflict
While using nsxv_use_routers_as_lbaas_platform option, FWaaS rules do
not apply to LBaaS VIPs because of metadata's VSERule.

Change-Id: If09a3f2cc445cb6867c6dd0f389f9105471a3cde
2019-04-28 13:53:03 +00:00
Adit Sarfaty
032b6b8e46 NSX|V adminUtils: detect and clean orphaned section rules
nsxadmin -r orphaned-rules -o list/nsx-clean will detect/delete orphaned
rules inside nsx sections that belong to neutron security groups.

Change-Id: I18ee55e70b8e3a97d7d5d2453b7994bc07d2c97c
2019-04-28 10:01:46 +00:00
Zuul
df7d9da7f1 Merge "NSX|P: Always use default domain" 2019-04-21 05:36:29 +00:00
Anna Khmelnitsky
6ce6b4a77f NSX|P: Always use default domain
The plugin used to create domain per openstack project. However
nsx policy is phasing out domains as a concept. The plugin will
now place all configuration in default domain.

Change-Id: I4b597d66a0dcd866034ec1cc5b92597d16c60f1c
2019-04-17 10:51:14 -07:00
Adit Sarfaty
edac5ce48c NSX|V3 adminUtils: detect and clean orphaned section rules
nsxadmin -r orphaned-firewall-sections -o nsx-list/clean will now
also detect/delete orphaned rules inside nsx sections that belong to
neutron security groups.

Change-Id: I7f733676e29f6a2b1177b4155e5b36aee3670438
2019-04-11 14:09:59 +03:00
Kobi Samoray
0e97278c8a NSXv: admin util metadata breakage recovery
Due to a neutron bug, some metadata components in the various backend Edge
appliances are missing. The patch is supposed to address these
issues.

Admin util command can run per Edge, per AZ or for the whole cloud.

Cases handled by the utility:
- Existing metadata proxies' internal IP is different than the IPs which are
defined in the Edge's loadbalancer object.
This case can happen when the metadata proxies are recreated for some reason.

- Edge appliance is lacking the metadata network connectivity, and the
loadbalancer objects.
This case can happen while a router or a DHCP was created by the Neutron
parent process, which failed to initialize with metadata due to a bug.

- The Edge is missing the metadata firewall rules.
This case can happen while the first interface attachment to the router was
done in the Neutron parent process context due to the bug described above.

Command syntax:
Update AZ:
    nsxadmin -r metadata -o nsx-update --property az-name=az123

Update single Edge appliance:
    nsxadmin -r metadata -o nsx-update --property edge-id=edge-15

Update entire cloud:
    nsxadmin -r metadata -o nsx-update

Change-Id: I77de9e0a0c627e43d3b1c95573d151e0414a34a9
2019-03-15 12:06:50 +02:00
Adit Sarfaty
fd8500ba42 NSX|V admin utils: Find and fix spoofguard policies mismatches
1. List spoofguard policies with mismatching ips or mac, globally or for a specific network
    nsxadmin -r spoofguard-policy -o list-mismatches (--property network=<neutron net id>)
2. Fix the spoofguard ips of a neutron port
    nsxadmin -r spoofguard-policy -o fix-mismatch --property port=<neutron port id>

Change-Id: I18723007fff89ffd4a250106fed1b7ea615eb648
2019-03-04 12:05:20 +02:00
Adit Sarfaty
58525c3f98 NSX|V+V3: Fix FWaaS RPC bindings
All plugin processes should have fwaas_callbacks initialized,
but only one should have it with the rpc listener to handle fwaas
plugin requests.
This patch initializes the fwaas callbacks with rpc only from the after_spawn
callback, and for the rest of the forked processes - without rpc.

Change-Id: I05d4982c89929344dd8a614cc46ed516721a71bb
2019-02-21 14:43:21 +02:00
Zuul
78948848e6 Merge "NSX|P: Forbid cert operations without passthrough" 2019-02-07 09:31:40 +00:00
Adit Sarfaty
df47dde1cc Remove FWaaS V1 code
FWaaS is about to be removed from neutron, and should be removed from
vmware_nsx as well.

Change-Id: I6e621e63896dc6a6e6bbacc464c79319fce1f92d
2019-02-05 06:21:45 +00:00
Anna Khmelnitsky
5805c03044 NSX|P: Forbid cert operations without passthrough
Admin util should validate allow_passthrough config before performing
client cert operations. This is until these are implemented against
policy.

Change-Id: I1b3fa3fc502a70b0a456dda2de2eb1c9f6b99eac
2019-01-30 18:10:16 -08:00
Adit Sarfaty
d77a0f2565 NSX|V3+P: Set router standby relocation when creating service router
The NSX backend does not support this flag without a service router
any more, so setting this flag will be done when creating the service
router, and it will be unset when removing the service router.

Change-Id: Iea4ea637359783c0d1de9b89b96135b63900ae26
2019-01-16 13:34:59 +02:00
Michal Kelner Mishali
2ce50df04b NSX|T: Add enable standby relocation
Enabling Standby relocation in the plugin
and adding adminUtil to enable it on routers
that were created without it.

Change-Id: I6e8525ba06f03ac6c593922f271f10052cb3fdf7
Signed-off-by: Michal Kelner Mishali <mkelnermishal@vmware.com>
2019-01-07 13:13:03 +00:00
Adit Sarfaty
5b95817834 NSX|P Availability zones support
For networks & routers

Change-Id: I338147bafdf4e1950db4c2cbb8166c515404d5c1
2018-12-30 15:37:24 +02:00
Zuul
b21cb20b77 Merge "NSX|P: Initial availability zone support" 2018-12-13 20:09:09 +00:00
Anna Khmelnitsky
e9c4ca538c NSX|P: Initial availability zone support
Create a base class for V3 and P AZs.

Change-Id: Icb735a9d79e258179a2678a4db06eb401cf4cd59
2018-12-12 15:42:29 -08:00
Zuul
d7c6466204 Merge "Policy plugin: Add devstack/admin-utils for client auth" 2018-12-11 07:42:02 +00:00
Adit Sarfaty
57776776d4 Policy plugin: Add devstack/admin-utils for client auth
Adding devstack support for policy plugin with certificate and the certificate
admin utilities which are needed for the devstack support.

Change-Id: I5c9d23c7f0a83cbf4cb71fed4da488bafa230be4
2018-12-09 13:15:55 +02:00
Adit Sarfaty
460f590fd0 NSX|V Fix AdminUtils get apis to use the right context
Change-Id: I799a5e2ea5d282be7713048e080139f8343fef0d
2018-12-04 11:29:45 +02:00
Adit Sarfaty
5e5af50640 NSX|V New admin utility to list existing NSX policies
The user needs to configure nsx-policies using their IDs, which are hard
to find in the VC. The new admin utility will make this easier.

Change-Id: I8869272ff02389193ba546833b52734cf4b71ff2
2018-11-29 07:22:17 +00:00
Zuul
a78306f15f Merge "NSX|P: Initial admin utilities" 2018-11-21 06:58:05 +00:00
Boden R
38505fd6bb stop using common_db
All of the functionality of CommonDbMixin is now available in
neutron-lib and there's no need to inherit from CommonDbMixin anymore.
This patch removes usage of neutron.db.common_db.

Change-Id: I912b2c081357867c20de36b4491b429fe3c9e7d9
2018-11-16 10:55:55 -07:00
Adit Sarfaty
f7795e275d NSX|P: Initial admin utilities
Adding the infrastructure for the policy plugin admin utils with one
example utility to list the security groups, networks & routers.

Depends-on: I10a3f691b33e37e1cd8ec8094f4bfa89d7a96f35
Change-Id: I8094b241255537a1668837ed4ca1dad8094dcc41
2018-11-14 12:29:14 +00:00
Zuul
f6ba68e511 Merge "NSX|V3: Fix LB VIP advertisement" 2018-11-11 11:00:40 +00:00
Adit Sarfaty
6a851c4b50 NSX|V Fix orphaned networks and bindings
PLR distributed routers edges and logical switches were considered as orphaned.
This patch adds the logic to validate those as well.

Change-Id: I4a77e34b6b345364d074160ebec80db965068265
2018-11-11 09:00:08 +00:00
Adit Sarfaty
b263b592b9 NSX|V3: Fix LB VIP advertisement
The LB VIP should be advertised by the Tier1 router only if it is on the
external network.
To do that, the global advertise VIP flag will not be set, and instead a rule with a
filter to advertise only the VIPs on the external network is added.
In addition, an admin utility is added to update already existing routers with
loadbalancers.
Since VPNaaS also uses the router advertisement rules, its code was also updated so
that each application will handle only its own rules.

Change-Id: Ibfac0406a8c3009c323828cc42c96012e70cb0a9
2018-11-11 08:59:54 +00:00
Boden R
d29a0baa80 use context manager from neutron-lib
Access to neutron.db.api's context manager is already in neutron-lib
and in fact neutron is already using it as a shim. This patch switches
over context manager access to use neutron-lib's accessors.
Also see https://review.openstack.org/#/c/613122

Change-Id: I13eb3a25a5bd83bb00dfa4a7430324551fea0f2e
2018-10-24 11:52:05 -06:00
Adit Sarfaty
c5ab00d5b5 NSX|V admin utils: Fix rpc method override
Admin utilities mock plugin should skip the RPC initialization.
This patch is fixing the name of the overriding method.

Change-Id: I6bad63cf642a91c25fc6aaf53d0b91daa5179ab5
2018-10-16 09:57:16 +00:00
Zuul
f0a8363a4d Merge "NSX|V3 adminUtils: Use nsx plugin to get ports" 2018-08-30 11:14:12 +00:00
Adit Sarfaty
ec9c7465bc NSX|V3 Validate rate-limit value in admin utility
Change-Id: Id516e068cec06973fe670a2956d762b26ace7e6a
2018-08-30 09:14:12 +03:00
Adit Sarfaty
bad230ba26 NSX|V3 adminUtils: Use nsx plugin to get ports
While listing the neutron ports to search for mismatches, the NSX plugin
should be used so all the attributes are populated.

Change-Id: I2ffa8204d8c1c419b8c7b9066f5e7b29fb1bc71a
2018-08-28 09:33:46 +03:00
Adit Sarfaty
f9aa6bd805 NSX|V: Avoid updating the default section at init
During plugin init the default firewall section is created.
If it already exists, it will be updated, which causes race condition
in case of multiple controllers.
There is no need to update the default section during init, unless the
nsx.ini configuration changed, in which case admin utility should be used
to update the section: nsxadmin -r firewall-sections -o nsx-update

In addition, catch exceptions when creating the section, as there also might
be a race condition there.

Change-Id: I19b238a561af95e856d9dae32764ce4d484df767
2018-08-25 15:19:16 +00:00
Adit Sarfaty
cda47aa304 NSX|V: Fix host groups for DRS HA for AZ
For the fire cell anti affinity to work as designed, there is a need to use different
groups & rules per host group, since those hostgroups can be different for different
availability zones.

Change-Id: I092f5c228489a3a0d73f060380f1a1a6c526fb00
2018-08-16 13:08:39 +03:00
Adit Sarfaty
caa451920b NSX|V3: New admin utility to show MP cluster managers IPs
Usage:
nsxadmin -r cluster -o show

Output example:
NSX Cluster has 3 manager nodes:
10.192.210.183
10.192.210.184
10.192.210.185

Change-Id: I1a138c759c52e25481fdf34f1ed3d861470adf3e
2018-08-09 05:37:14 +00:00
Adit Sarfaty
dac109662e NSX|V+V3: Move FW section logging update to admin utility
On the plugin init there is a side process going over all the security
group rules in the NSX DFW checking if their logging flag should be
updated according to the global configuration flag.
Since this is relevant only in case the global config flag
log_security_groups_allowed_traffic was updated by the user, which is very rare,
this patch removed it from the code, and replaced it with an admin utility
that can be used.
This will make the plugin initialization process quicker and prevent unnecessary
load on the NSX.

Change-Id: I233915e589b53ccb4b76a3ef3d24bb56c0459e92
2018-08-01 04:32:13 +00:00
Zuul
b09de3485d Merge "Add housekeeper GET/PUT run options" 2018-07-05 12:06:10 +00:00
Adit Sarfaty
7179642aea Add housekeeper GET/PUT run options
The housekeeper GET will run the job with readonly mode.
The PUT command will run it with readonly=False (unless it is globally
configured as readonly, which will cause a failure).

Change-Id: Ifcac0bbe6f447ae431c75f66f3c7f8682c9e9408
2018-07-04 13:40:35 +00:00