Admin Utility ============= NSX-V and NSX-T support the nsxadmin utility. This enables and administrator to determine and rectify inconsistencies between the Neutron DB and NSX. usage: nsxadmin -r -o NSX-V Plugin ------------ The following resources are supported: 'security-groups', 'edges', 'networks', 'firewall-sections', 'orphaned-edges', 'spoofguard-policy', 'missing-edges', 'backup-edges', 'nsx-security-groups', 'dhcp-binding' and 'metadata' Edges ~~~~~ - List backend NSX edges with their id, name and some more information:: nsxadmin -r edges -o nsx-list - List backend NSX edges with more details:: nsxadmin -r edges -o nsx-list --verbose - Neutron list:: nsxadmin -r edges -o neutron-list - Update Resource pool / Datastore on all edges in the backend. This utility can update resource pool and datastore ID of all edges to the nsx.ini configuration:: nsxadmin -r edges -o nsx-update-all --property appliances=True - Update Resource pool / Datastore / edge HA of an edge: This utility can be used on upgrade after the customer added ha_datastore_id to the nsx.ini configuration or after changing the resource pool / data store globally or per availability zone. This Utility can update the deployment of existing edges:: nsxadmin -r edges -o nsx-update --property edge-id= --property appliances=True - Update the size of an edge:: nsxadmin -r edges -o nsx-update --property edge-id=edge-55 --property size=compact - Update the high availability of an edge: enable/disable high availability of an edge:: nsxadmin -r edges -o nsx-update --property edge-id=edge-55 --property highavailability= - Update syslog config on edge (syslog-proto and syslog-server2 are optional):: nsxadmin -o nsx-update -r edges -p edge-id=edge-55 --property syslog-server= --property syslog-server2= --property syslog-proto= - Delete syslog config on edge:: nsxadmin -o nsx-update -r edges -p edge-id=edge-55 --property syslog-server=none - Enable logging with specified log level for specific module (routing, dns, dhcp, highavailability, loadbalancer) on edge:: nsxadmin -o nsx-update -r edges -p edge-id=edge-55 --property routing-log-level=debug - Enable logging with specified log level for all supported modules on edge:: nsxadmin -o nsx-update -r edges -p edge-id=edge-55 --property log-level=debug - Disable logging on edge:: nsxadmin -o nsx-update -r edges -p edge-id=edge-55 --property log-level=none - Update reservations of an edge:: nsxadmin -o nsx-update -r edges -p edge-id=edge-55 --property resource= --property limit= --property reservation= --property shares= - Update DRS hostgroups for an edge:: nsxadmin -o nsx-update -r edges -p edge-id=edge-55 --property hostgroup=update|all - Update DRS hostgroups for all edges:: nsxadmin -o nsx-update -r edges --property hostgroup=all - Clean all DRS hostgroups for all edges:: nsxadmin -o nsx-update -r edges --property hostgroup=clean Orphaned Edges ~~~~~~~~~~~~~~ - List orphaned edges (exist on NSXv backend but don't have a corresponding binding in Neutron DB):: nsxadmin -r orphaned-edges -o list - Clean orphaned edges (delete edges from NSXv backend):: nsxadmin -r orphaned-edges -o clean Orphaned Router bindings ~~~~~~~~~~~~~~~~~~~~~~~~ - List orphaned router bindings entries (exist on the router bindings DB table, but the neutron object behind them (router, network, or loadbalancer) is missing):: nsxadmin -r orphaned-bindings -o list - Clean orphaned router bindings entries (delete DB entry):: nsxadmin -r orphaned-bindings -o clean Orphaned Router VNICs ~~~~~~~~~~~~~~~~~~~~~ - List orphaned router vnic entries (exist on the edge vnics bindings DB table, but the neutron interface port behind them is missing):: nsxadmin -r orphaned-vnics -o list - Clean orphaned router vnics (delete DB entry, and NSX router interface):: nsxadmin -r orphaned-vnics -o clean Missing Edges ~~~~~~~~~~~~~ - List missing edges on NSX. This includes missing networks on those edges:: nsxadmin -r missing-edges -o list Backup Edges ~~~~~~~~~~~~ - List backend backup edges with their id, name and some more information:: nsxadmin -r backup-edges -o list - Delete backup edge:: nsxadmin -r backup-edges -o clean --property edge-id=edge-9 [--force] - Delete all backup edges existing in both neutron and backend when scope is neutron, else backend only:: nsxadmin -r backup-edges -o clean-all --property scope=[neutron/all] [--force] - List Edge name mismatches between DB and backend, and backup edges that are missing from the backend:: nsxadmin -r backup-edges -o list-mismatches - Fix Edge name mismatch between DB and backend by updating the name on the backend:: nsxadmin -r backup-edges -o fix-mismatch --property edge-id=edge-9 [--force] - Delete a backup edge from the DB and NSX by it's router ID:: nsxadmin -r backup-edges -o neutron-clean --property router-id=backup-26ab1a3a-d73d DHCP Bindings ~~~~~~~~~~~~~ - List missing DHCP bindings: list dhcp edges that are missing from the NSXv backend:: nsxadmin -r dhcp-binding -o list - Update DHCP bindings on an edge:: nsxadmin -r dhcp-binding -o nsx-update --property edge-id=edge-15 - Recreate DHCP edge by moving all the networks to other edges:: nsxadmin -r dhcp-binding -o nsx-recreate --property edge-id=edge-222 - Recreate DHCP edge for a specific network (when the edge does not exist):: nsxadmin -r dhcp-binding -o nsx-recreate --property net-id=5253ae45-75b4-4489-8aa1-6a9e1cfa80a6 - Redistribute networks on dhcp edges (for example when configuration of share_edges_between_tenants changes):: nsxadmin -r dhcp-binding -o nsx-redistribute Routers ~~~~~~~ - Recreate a router edge by moving the router/s to other edge/s:: nsxadmin -r routers -o nsx-recreate --property edge-id=edge-308 - Recreate a router on the NSX backend by removing it from the current edge (if any), and attaching to a new one:: nsxadmin -r routers -o nsx-recreate --property router-id=8cdd6d06-b457-4cbb-a0b1-41e08ccce287 - Redistribute shared routers on edges (for example when configuration of share_edges_between_tenants changes):: nsxadmin -r routers -o nsx-redistribute - Migrate NSXv metadata infrastructure for VDRs - use regular DHCP edges for VDR:: nsxadmin -r routers -o migrate-vdr-dhcp Networks ~~~~~~~~ - Ability to update or get the teaming policy for a DVS:: nsxadmin -r networks -o nsx-update --property dvs-id= --property teamingpolicy= - List backend networks and their network morefs:: nsxadmin -r networks -o list Missing Networks ~~~~~~~~~~~~~~~~ - List networks which are missing from the backend:: nsxadmin -r missing-networks -o list Orphaned Networks ~~~~~~~~~~~~~~~~~ - List networks which are missing from the neutron DB:: nsxadmin -r orphaned-networks -o list - Delete a backend network by it's moref:: nsxadmin -r orphaned-networks -o nsx-clean --property moref= Portgroups ~~~~~~~~~~ - List all NSX portgroups on the configured dvs:: nsxadmin -r nsx-portgroups -o list - Delete all NSX portgroups on the configured dvs:: nsxadmin -r nsx-portgroups -o nsx-cleanup <--force> Security Groups, Firewall and Spoofguard ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - List NSX firewall sections:: nsxadmin -r firewall-section -o list - List neutron security groups that does not have a matching NSX firewall section:: nsxadmin -r firewall-section -o list-mismatches - List NSX firewall sections that does not have a matching neutron security group:: nsxadmin -r firewall-section -o list-unused - Delete NSX firewall sections that does not have a matching neutron security group:: nsxadmin -r firewall-section -o nsx-clean - Reorder the NSX L3 firewall sections to correctly support the policy security groups:: nsxadmin -r firewall-sections -o nsx-reorder - List NSX service composer policies, that can be used in security groups:: nsxadmin -r firewall-sections -o list-policies - Update the default cluster section:: nsxadmin -r firewall-sections -o nsx-update - List NSX security groups:: nsxadmin -r nsx-security-groups -o list - List neutron security groups that does not have a matching NSX security group:: nsxadmin -r nsx-security-groups -o list-mismatches - List all the neutron security groups together with their NSX security groups and firewall sections:: nsxadmin -r security-groups -o list - Recreate missing NSX security groups ans firewall sections:: nsxadmin -r security-groups -o fix-mismatch - Migrate a security group from using rules to using a policy:: nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-10 --property security-group-id=733f0741-fa2c-4b32-811c-b78e4dc8ec39 - Update logging flag of the security groups on the NSX DFW:: nsxadmin -r security-groups -o update-logging --property log-allowed-traffic=true - Spoofguard support:: nsxadmin -r spoofguard-policy -o clean --property policy-id=spoofguardpolicy-10 nsxadmin -r spoofguard-policy -o list --property reverse (entries defined on NSXv and not in Neutron) nsxadmin -r spoofguard-policy -o list-mismatches (--property network=) - List spoofguard policies with mismatching ips or mac, globally or for a specific network nsxadmin -r spoofguard-policy -o fix-mismatch --property port= - Fix the spoofgurad ips of a neutron port - Orphaned rules in NSX section:: nsxadmin -r orphaned-rules -o list nsxadmin -r orphaned-rules -o nsx-clean Metadata ~~~~~~~~ - Update metadata infrastructure on all router and DHCP edges:: nsxadmin -r metadata -o nsx-update - Update metadata infrastructure on availability zone's router and DHCP edges:: nsxadmin -r metadata -o nsx-update --property az-name=az123 - Update metadata infrastructure on specific router or DHCP edge:: nsxadmin -r metadata -o nsx-update --property edge-id=edge-15 - Update shared secret on router and DHCP edges:: nsxadmin -r metadata -o nsx-update-secret - Retrieve metadata connectivity - optionally for a specific network:: nsxadmin -r metadata -o status [--property network_id=] Config ~~~~~~ - Validate the configuration in the nsx.ini and backend connectivity:: nsxadmin -r config -o validate NSX-T Plugin ------------ The following resources are supported: 'security-groups', 'routers', 'networks', 'nsx-security-groups', 'dhcp-binding', 'metadata-proxy', 'orphaned-dhcp-servers', 'firewall-sections', 'certificate', 'orphaned-networks', 'orphaned-routers', and 'ports'. Networks ~~~~~~~~ - List missing networks:: nsxadmin -r networks -o list-mismatches Orphaned Networks ~~~~~~~~~~~~~~~~~ - List networks (logical switches) which are missing from the neutron DB:: nsxadmin -r orphaned-networks -o list - Delete a backend network (logical switch) by it's nsx-id:: nsxadmin -r orphaned-networks -o nsx-clean --property nsx-id= Routers ~~~~~~~ - List missing routers:: nsxadmin -r routers -o list-mismatches - Update NAT rules on all routers to stop bypassing the FW rules. This is useful for NSX version 2.0 & up, before starting to use FWaaS:: nsxadmin -r routers -o nsx-update-rules - Update DHCP relay service on NSX router ports according to the current configuration:: nsxadmin -r routers -o nsx-update-dhcp-relay - Enable standby relocation on NSX routers that were created without it:: nsxadmin -r routers -o nsx-enable-standby-relocation Orphaned Routers ~~~~~~~~~~~~~~~~~ - List logical routers which are missing from the neutron DB:: nsxadmin -r orphaned-routers -o list - Delete a backend logical router by it's nsx-id:: nsxadmin -r orphaned-routers -o nsx-clean --property nsx-id= Ports ~~~~~ - List missing ports, and ports that exist on backend but without the expected switch profiles or address bindings:: nsxadmin -r ports -o list-mismatches - Update the VMs ports (all or of a specific project) on the backend after migrating NSX-V -> NSX-T:: nsxadmin -r ports -o nsx-migrate-v-v3 (--property project-id=<> --property host-moref=<> --property respool-moref=<> --property net-name=<> --property datastore-moref=<>)) --plugin nsxv3 - Migrate exclude ports to use tags:: nsxadmin -r ports -o migrate-exclude-ports - Tag ports to be part of the default OS security group:: nsxadmin -r ports -o nsx-tag-default Security Groups & NSX Security Groups ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - List NSX backend security groups:: nsxadmin -r nsx-security-groups -o list - List neutron security groups:: nsxadmin -r security-groups -o list - List security groups with sections missing on the NSX backend:: nsxadmin -r nsx-security-groups -o list-mismatches - Fix mismatch security groups by recreating missing sections & NS groups on the NSX backend:: nsxadmin -r security-groups -o fix-mismatch - Update NSX security groups dynamic criteria for NSX-T CrossHairs:: nsxadmin -r nsx-security-groups -o migrate-to-dynamic-criteria - Update logging flag of the security groups on the NSX DFW:: nsxadmin -r security-groups -o update-logging --property log-allowed-traffic=true Firewall Sections ~~~~~~~~~~~~~~~~~ - List NSX backend firewall sections:: nsxadmin -r firewall-sections -o list - List security groups with missing sections on the NSX backend:: nsxadmin -r firewall-sections -o list-mismatches - Reuse default NSX section ans NS group from a previous installation:: nsxadmin -r firewall-sections -o reuse Orphaned Firewall Sections ~~~~~~~~~~~~~~~~~~~~~~~~~~ - List orphaned firewall sections & rules (exist on NSXv3 backend but don't have a corresponding binding in Neutron DB):: nsxadmin -r orphaned-firewall-sections -o nsx-list - Delete orphaned firewall sections & rules (exist on NSXv3 backend but don't have a corresponding binding in Neutron DB):: nsxadmin -r orphaned-firewall-sections -o nsx-clean Metadata Proxy ~~~~~~~~~~~~~~ - List version 1.0.0 metadata networks in Neutron:: nsxadmin -r metadata-proxy -o list - Resync metadata proxies for NSX-T version 1.1.0 and above (enable md proxy, or update the uuid). This is only for migrating to native metadata support:: nsxadmin -r metadata-proxy -o nsx-update --property metadata_proxy_uuid= - update the ip of the Nova server in the metadata proxy server on the NSX:: nsxadmin -r metadata-proxy -o nsx-update-ip --property server-ip= --property availability-zone= DHCP Bindings ~~~~~~~~~~~~~ - List DHCP bindings in Neutron:: nsxadmin -r dhcp-binding -o list - Resync DHCP bindings for NSX-T version 1.1.0 and above. This is only for migrating to native DHCP support:: nsxadmin -r dhcp-binding -o nsx-update --property dhcp_profile_uuid= - Recreate dhcp server for a neutron network:: nsxadmin -r dhcp-binding -o nsx-recreate --property net-id= Orphaned DHCP Servers ~~~~~~~~~~~~~~~~~~~~~ - List orphaned DHCP servers (exist on NSX-T backend but don't have a corresponding binding in Neutron DB):: nsxadmin -r orphaned-dhcp-servers -o nsx-list - Clean orphaned DHCP servers (delete logical DHCP servers from NSX-T backend):: nsxadmin -r orphaned-dhcp-servers -o nsx-clean Client Certificate ~~~~~~~~~~~~~~~~~~ - Generate new client certificate (this command will delete previous certificate if exists):: nsxadmin -r certificate -o generate [--property username= --property password= --property key-size= --property sig-alg= --property valid-days= --property country= --property state= --property org= --property unit= --property host=] - Delete client certificate:: nsxadmin -r certificate -o clean - Show client certificate details:: nsxadmin -r certificate -o show - Import external certificate to NSX:: nsxadmin -r certificate -o import [--property username= --property password= --property filename=] - List certificates associated with openstack principal identity in NSX:: nsxadmin -r certificate -o nsx-list BGP GW edges ~~~~~~~~~~~~ - Create new BGP GW edge:: nsxadmin -r bgp-gw-edge -o create --property name= --property local-as= --property external-iface=: --property internal-iface=: - Delete BGP GW edge:: nsxadmin -r bgp-gw-edge -o delete --property gw-edge-id= - List BGP GW edges:: nsxadmin -r bgp-gw-edge -o list - Add a redistribution rule to a BGP GW edges:: nsxadmin -r routing-redistribution-rule -o create --property edge-ids=[,...] [--property prefix=] --property learner-protocol= --property learn-from=ospf,bgp,connected,static --property action= - Remove a redistribution rule from BGP GW edges:: nsxadmin -r routing-redistribution-rule -o delete --property gw-edge-ids=[,...] [--property prefix-name=] - Add a new BGP neighbour to BGP GW edges:: nsxadmin -r bgp-neighbour -o create --property gw-edge-ids=[,...] --property ip-address= --property remote-as= --property --password= - Remove BGP neighbour from BGP GW edges:: nsxadmin -r bgp-neighbour -o delete --property gw-edge-ids=[,...] --property ip-address= LBaaS ~~~~~ - List NSX LB services:: nsxadmin -r lb-services -o list - List NSX LB virtual servers:: nsxadmin -r lb-virtual-servers -o list - List NSX LB pools:: nsxadmin -r lb-pools -o list - List NSX LB monitors:: nsxadmin -r lb-monitors -o list - Update advertisement of LB vips on routers:: nsxadmin -r lb-advertisement -o nsx-update Rate Limit ~~~~~~~~~~ - Show the current NSX rate limit:: nsxadmin -r rate-limit -o show - Update the NSX rate limit:: nsxadmin -r rate-limit -o nsx-update --property value=<> Cluster ~~~~~~~ - Show the NSX cluster managers ips:: nsxadmin -r cluster -o show Config ~~~~~~ - Validate the configuration in the nsx.ini and backend connectivity:: nsxadmin -r config -o validate NSXtvd Plugin ------------- - All the NSX-V/T utilities can be used by calling:: nsxadmin --plugin nsxv/v3 -r <> -o <> - Add mapping between existing projects and old (v) plugin before starting to use the tvd plugin:: nsxadmin -r projects -o import --property plugin=nsx-v --property project=<> - Migrate a specific project from V to T:: nsxadmin -r projects -o nsx-migrate-v-v3 --property project-id= --property external-net= (--property from-file=True) NSX Policy Plugin ----------------- - List all the neutron security groups together with their NSX Policy objects and realization state:: nsxadmin -r security-groups -o list - List all the neutron networks together with their NSX Policy objects and realization state:: nsxadmin -r networks -o list - Sync admin state of networks and ports (Once upgraded to NSX 3.0 which supports policy admin state):: nsxadmin -r networks -o nsx-update-state - List all the neutron routers together with their NSX Policy objects and realization state:: nsxadmin -r routers -o list - Set intent realization and purge cycle interval (in minutes) on policy manager:: nsxadmin -r system -o set -p realization_interval=1 Client Certificate ~~~~~~~~~~~~~~~~~~ - Generate new client certificate (this command will delete previous certificate if exists):: nsxadmin -r certificate -o generate [--property username= --property password= --property key-size= --property sig-alg= --property valid-days= --property country= --property state= --property org= --property unit= --property host=] - Delete client certificate:: nsxadmin -r certificate -o clean - Show client certificate details:: nsxadmin -r certificate -o show - Import external certificate to NSX:: nsxadmin -r certificate -o import [--property username= --property password= --property filename=] - List certificates associated with openstack principal identity in NSX:: nsxadmin -r certificate -o nsx-list Upgrade Steps (NSX-T Version 1.0.0 to Version 1.1.0) ---------------------------------------------------- 1. Upgrade NSX backend from version 1.0.0 to version 1.1.0 2. Create a DHCP-Profile and a Metadata-Proxy in NSX backend 3. Stop Neutron 4. Install version 1.1.0 Neutron plugin 5. Run admin tools to migrate version 1.0.0 objects to version 1.1.0 objects nsxadmin -r metadata-proxy -o nsx-update --property metadata_proxy_uuid= nsxadmin -r dhcp-binding -o nsx-update --property dhcp_profile_uuid= 6. Start Neutron 7. Make sure /etc/nova/nova.conf has metadata_proxy_shared_secret = 8. Restart VMs or ifdown/ifup their network interface to get new DHCP options Steps to create a TVD admin user ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Do the following steps:: source devstack/openrc admin admin openstack project create admin_v --domain=default --or-show -f value -c id openstack user create admin_v --password password --domain=default --email=alt_demo@example.com --or-show -f value -c id openstack role add admin --user --project Or run: devstack/tools/create_userrc.sh Then: openstack project plugin create --plugin nsx-v