Replace an old tier0 (that might have been deleted) with a new one
Usage:
nsxadmin -r routers -o update-tier0 --property old-tier0=<id> --property new-tier0=<id>
Change-Id: I83200508b827586cb0a404f43ac7ec23966d1675
Admin util can set realization and purge cycle interval on
policy appliance
Depends-on: Ie60e3a04980ae9d6a747f80497168e923f119824
Change-Id: I91be76d8cd2741ec36f5f80529cd295a3ee6addb
- Add api replay support in the policy plugin
- Move some api_replay common code to the common_v3 plugin
- Add support for availability zones in the api_replay
Change-Id: Idb376e2d8c0b24f2fea5f051af2191f77831803c
This patch bumps the hacking, bandit and flake8 requirements to match
suit with similar work (ex [1]). It also updates the code to fix a few
new pep8 errors as well as adds a local tox target for
requirements-check-dev.
[1] https://review.opendev.org/#/c/658245/
Change-Id: I6caeb52dc1a5842338ec989a742ae5989608e0da
Commit Ia4f4b335295c0e6add79fe0db5dd31b4327fdb54 removed all the
neutron-lbaas code from the master (Train) branch
Change-Id: I9035f6238773aad0591436c856550b7a5e01e687
To support the case of 2 installations on the same NSX backend,
the newer installation should reuse the default OS section & NS group.
Usage:
nsxadmin -r firewall-sections -o reuse
Change-Id: I0e187cea6ffa9ca3cdb6d215530426e611c8ae20
While using nsxv_use_routers_as_lbaas_platform option, FWaaS rules do
not apply to LBaaS VIPs because of metadata's VSERule.
Change-Id: If09a3f2cc445cb6867c6dd0f389f9105471a3cde
The plugin used to create a domain per openstack project. However
nsx policy is phasing out domains as a concept. The plugin will
now place all configuration in the default domain.
Change-Id: I4b597d66a0dcd866034ec1cc5b92597d16c60f1c
nsxadmin -r orphaned-firewall-sections -o nsx-list/clean will now
also detect/delete orphaned rules inside nsx sections that belong to
neutron security groups.
Change-Id: I7f733676e29f6a2b1177b4155e5b36aee3670438
Due to a neutron bug, some metadata components in the various backend Edge
appliances are missing. This patch is supposed to address these
issues.
Admin util command can run per Edge, per AZ or for the whole cloud.
Cases handled by the utility:
- Existing metadata proxies' internal IP is different than the IPs which are
defined in the Edge's loadbalancer object.
This case can happen when the metadata proxies are recreated for some reason.
- Edge appliance is lacking the metadata network connectivity, and the
loadbalancer objects.
This case can happen while a router or a DHCP was created by the Neutron
parent process, which failed to initialize with metadata due to a bug.
- The Edge is missing the metadata firewall rules.
This case can happen while the first interface attachment to the router was
done in the Neutron parent process context due to the bug described above.
Command syntax:
Update AZ:
nsxadmin -r metadata -o nsx-update --property az-name=az123
Update single Edge appliance:
nsxadmin -r metadata -o nsx-update --property edge-id=edge-15
Update entire cloud:
nsxadmin -r metadata -o nsx-update
Change-Id: I77de9e0a0c627e43d3b1c95573d151e0414a34a9
1. List spoofguard policies with mismatching ips or mac, globally or for a specific network
nsxadmin -r spoofguard-policy -o list-mismatches (--property network=<neutron net id>)
2. Fix the spoofguard ips of a neutron port
nsxadmin -r spoofguard-policy -o fix-mismatch --property port=<neutron port id>
Change-Id: I18723007fff89ffd4a250106fed1b7ea615eb648
All plugin processes should have fwaas_callbacks initialized,
but only one should have it with the rpc listener to handle fwaas
plugin requests.
This patch initializes the fwaas callbacks with rpc only from the after_spawn
callback, and for the rest of the forked processes - without rpc.
Change-Id: I05d4982c89929344dd8a614cc46ed516721a71bb
Admin util should validate allow_passthrough config before performing
client cert operations. This is until these are implemented against
policy.
Change-Id: I1b3fa3fc502a70b0a456dda2de2eb1c9f6b99eac
The NSX backend does not support this flag without a service router
any more, so setting this flag will be done when creating the service
router, and it will be unset when removing the service router.
Change-Id: Iea4ea637359783c0d1de9b89b96135b63900ae26
Enabling Standby relocation in the plugin
and adding adminUtil to enable it on routers
that were created without it.
Change-Id: I6e8525ba06f03ac6c593922f271f10052cb3fdf7
Signed-off-by: Michal Kelner Mishali <mkelnermishal@vmware.com>
Adding devstack support for the policy plugin with certificate, and the certificate
admin utils which are needed for the devstack support.
Change-Id: I5c9d23c7f0a83cbf4cb71fed4da488bafa230be4
The user needs to configure nsx-policies using their IDs, which are hard
to find in the VC. The new admin utility will make this easier.
Change-Id: I8869272ff02389193ba546833b52734cf4b71ff2
All of the functionality of CommonDbMixin is now available in
neutron-lib and there's no need to inherit from CommonDbMixin anymore.
This patch removes usage of neutron.db.common_db.
Change-Id: I912b2c081357867c20de36b4491b429fe3c9e7d9
Adding the infrastructure for the policy plugin admin utils with one
example utility to list the security groups, networks & routers.
Depends-on: I10a3f691b33e37e1cd8ec8094f4bfa89d7a96f35
Change-Id: I8094b241255537a1668837ed4ca1dad8094dcc41
PLR distributed routers edges and logical switches were considered as orphaned.
This patch adds the logic to validate those as well.
Change-Id: I4a77e34b6b345364d074160ebec80db965068265
The LB VIP should be advertised by the Tier1 router only if it is on the
external network.
To do that, the global advertise VIP flag will not be set, and instead a rule with a
filter to advertise only the VIPs on the external network is added.
In addition, an admin utility is added to update already existing routers with
loadbalancers.
Since VPNaaS also uses the router advertisement rules, its code was also updated so
that each application will handle only its own rules.
Change-Id: Ibfac0406a8c3009c323828cc42c96012e70cb0a9
Access to neutron.db.api's context manager is already in neutron-lib
and in fact neutron is already using it as a shim. This patch switches
over context manager access to use neutron-lib's accessors.
Also see https://review.openstack.org/#/c/613122
Change-Id: I13eb3a25a5bd83bb00dfa4a7430324551fea0f2e
The admin utilities mock plugin should skip the RPC initialization.
This patch is fixing the name of the overriding method.
Change-Id: I6bad63cf642a91c25fc6aaf53d0b91daa5179ab5
While listing the neutron ports to search for mismatches, the NSX plugin
should be used so all the attributes are populated.
Change-Id: I2ffa8204d8c1c419b8c7b9066f5e7b29fb1bc71a
During plugin init the default firewall section is created.
If it already exists, it will be updated, which causes a race condition
in case of multiple controllers.
There is no need to update the default section during init, unless the
nsx.ini configuration changed, in which case admin utility should be used
to update the section: nsxadmin -r firewall-sections -o nsx-update
In addition, catch exceptions when creating the section, as there also might
be a race condition there.
Change-Id: I19b238a561af95e856d9dae32764ce4d484df767
For the fire cell anti-affinity to work as designed, there is a need to use different
groups & rules per host group, since those host groups can be different for different
availability zones.
Change-Id: I092f5c228489a3a0d73f060380f1a1a6c526fb00
On the plugin init there is a side process going over all the security
group rules in the NSX DFW checking if their logging flag should be
updated according to the global configuration flag.
Since this is relevant only in case the global config flag
log_security_groups_allowed_traffic was updated by the user, which is very rare,
this patch removed it from the code, and replaced it with an admin utility
that can be used.
This will make the plugin initialization process quicker and prevent unnecessary
load on the NSX.
Change-Id: I233915e589b53ccb4b76a3ef3d24bb56c0459e92
The housekeeper GET will run the job in readonly mode.
The PUT command will run it with readonly=False (unless it is globally
configured as readonly, which will cause a failure).
Change-Id: Ifcac0bbe6f447ae431c75f66f3c7f8682c9e9408