#!/bin/bash # Copyright 2015 VMware, Inc. # # All Rights Reserved # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # Common VMware NSXv and NSXv3 plugin # ----------------------------------- # ensure we don't re-source this in the same environment [[ -z "$_NSX_COMMON" ]] || return 0 declare -r -g _NSX_COMMON=1 function _nsxv_ini_set { if [[ $2 != "" ]]; then iniset /$Q_PLUGIN_CONF_FILE nsxv $1 $2 fi } function install_neutron_projects { pkg_list="networking-l2gw networking-sfc neutron-lbaas neutron-fwaas neutron-dynamic-routing neutron-vpnaas octavia vmware-nsxlib" for pkg in `echo $pkg_list` do if is_plugin_enabled $pkg; then echo "Plugin $pkg enabled explicitly with enable_plugin" elif use_library_from_git $pkg; then echo "Project $pkg enabled explicitly from LIBS_FROM_GIT" else pkg_renamed=`echo $pkg | sed 's/-/_/g'` sudo rm -rf /usr/local/lib/python2.7/dist-packages/${pkg_renamed}* sudo rm -rf /usr/local/lib/python3.5/dist-packages/${pkg_renamed}* sudo rm -rf ./src/${pkg_renamed}* sudo pip install -e "git+https://git.openstack.org/openstack/${pkg}#egg=${pkg_renamed}" sudo chown -R ${USER}:${USER} src/${pkg} fi done sudo rm -rf /usr/local/lib/python2.7/dist-packages/neutron sudo rm -rf /usr/local/lib/python2.7/dist-packages/neutron.egg* sudo rm -rf /usr/local/lib/python3.5/dist-packages/neutron sudo rm -rf /usr/local/lib/python3.5/dist-packages/neutron.egg* sudo pip install -e "git+https://git.openstack.org/openstack/neutron#egg=neutron" sudo chown -R ${USER}:${USER} src/neutron } function nsxv_configure_service { install_neutron_projects if [[ "$NSX_L2GW_DRIVER" != "" ]]; then iniset /$Q_PLUGIN_CONF_FILE DEFAULT nsx_l2gw_driver $NSX_L2GW_DRIVER fi _nsxv_ini_set password "$NSXV_PASSWORD" _nsxv_ini_set user "$NSXV_USER" _nsxv_ini_set vdn_scope_id "$NSXV_VDN_SCOPE_ID" _nsxv_ini_set dvs_id "$NSXV_DVS_ID" _nsxv_ini_set manager_uri "$NSXV_MANAGER_URI" _nsxv_ini_set ca_file "$NSXV_CA_FILE" _nsxv_ini_set insecure "$NSXV_INSECURE" _nsxv_ini_set datacenter_moid "$NSXV_DATACENTER_MOID" _nsxv_ini_set datastore_id "$NSXV_DATASTORE_ID" _nsxv_ini_set resource_pool_id "$NSXV_RESOURCE_POOL_ID" _nsxv_ini_set availability_zones "$NSXV_AVAILABILITY_ZONES" _nsxv_ini_set external_network "$NSXV_EXTERNAL_NETWORK" _nsxv_ini_set cluster_moid "$NSXV_CLUSTER_MOID" _nsxv_ini_set backup_edge_pool "$NSXV_BACKUP_POOL" _nsxv_ini_set mgt_net_proxy_ips "$NSXV_MGT_NET_PROXY_IPS" _nsxv_ini_set mgt_net_moid "$NSXV_MGT_NET_MOID" _nsxv_ini_set mgt_net_proxy_netmask "$NSXV_MGT_NET_PROXY_NETMASK" _nsxv_ini_set nova_metadata_port "$NSXV_NOVA_METADATA_PORT" _nsxv_ini_set nova_metadata_ips "$NSXV_NOVA_METADATA_IPS" _nsxv_ini_set metadata_shared_secret "$NSXV_METADATA_SHARED_SECRET" _nsxv_ini_set metadata_insecure "$NSXV_METADATA_INSECURE" _nsxv_ini_set metadata_nova_client_cert "$NSXV_METADATA_NOVA_CERT" _nsxv_ini_set metadata_nova_client_priv_key "$NSXV_METADATA_NOVA_PRIV_KEY" _nsxv_ini_set metadata_service_allowed_ports "$NSXV_METADATA_SERVICE_ALLOWED_PORTS" _nsxv_ini_set edge_ha "$NSXV_EDGE_HA" _nsxv_ini_set exclusive_router_appliance_size "$NSXV_EXCLUSIVE_ROUTER_APPLIANCE_SIZE" _nsxv_ini_set use_dvs_features "$NSXV_USE_DVS_FEATURES" _nsxv_ini_set use_nsx_policies "$NSXV_USE_NSX_POLICIES" _nsxv_ini_set default_policy_id "$NSXV_DEFAULT_POLICY_ID" _nsxv_ini_set allow_tenant_rules_with_policy "$NSXV_ALLOW_TENANT_RULES_WITH_POLICY" } function _dvs_ini_set { if [[ $2 != "" ]]; then iniset /$Q_PLUGIN_CONF_FILE dvs $1 $2 fi } function dvs_configure_service { _dvs_ini_set host_ip $1 _dvs_ini_set host_username $2 _dvs_ini_set host_password $3 _dvs_ini_set ca_file $4 _dvs_ini_set insecure $5 _dvs_ini_set dvs_name $6 } function _nsxv3_ini_set { if [[ -z $1 || -z $2 ]]; then if [[ $3 != "" ]]; then die $LINENO $3 fi fi if [[ $2 != "" ]]; then iniset /$Q_PLUGIN_CONF_FILE nsx_v3 $1 $2 fi } function nsxv3_configure_service { install_neutron_projects if [[ $1 == "nsx_v3" ]]; then _nsxv3_ini_set default_overlay_tz $DEFAULT_OVERLAY_TZ_UUID "The VMware NSX plugin won't work without a default transport zone." else _nsxv3_ini_set default_overlay_tz $DEFAULT_OVERLAY_TZ_UUID fi _nsxv3_ini_set default_vlan_tz $DEFAULT_VLAN_TZ_UUID if [[ "$DEFAULT_TIER0_ROUTER_UUID" != "" ]]; then _nsxv3_ini_set default_tier0_router $DEFAULT_TIER0_ROUTER_UUID Q_L3_ENABLED=True Q_L3_ROUTER_PER_TENANT=True fi # NSX_MANAGER must be a comma separated string if [[ "$NSX_MANAGERS" != "" ]]; then _nsxv3_ini_set nsx_api_managers $NSX_MANAGERS elif [[ "$NSX_MANAGER" != "" ]]; then _nsxv3_ini_set nsx_api_managers $NSX_MANAGER else if [[ $1 == "nsx_v3" ]]; then die $LINENO "The VMware NSX plugin needs at least one NSX manager." fi fi if [[ "$NSX_L2GW_DRIVER" != "" ]]; then iniset /$Q_PLUGIN_CONF_FILE DEFAULT nsx_l2gw_driver $NSX_L2GW_DRIVER fi _nsxv3_ini_set ens_support $ENS_SUPPORT _nsxv3_ini_set nsx_api_user $NSX_USER _nsxv3_ini_set nsx_api_password $NSX_PASSWORD _nsxv3_ini_set retries $NSX_RETRIES _nsxv3_ini_set insecure $NSX_INSECURE _nsxv3_ini_set ca_file $NSX_CA_FILE _nsxv3_ini_set default_bridge_cluster $DEFAULT_BRIDGE_CLUSTER_UUID _nsxv3_ini_set native_dhcp_metadata $NATIVE_DHCP_METADATA if [[ "$NATIVE_DHCP_METADATA" == "True" ]]; then _nsxv3_ini_set native_metadata_route $NATIVE_METADATA_ROUTE _nsxv3_ini_set dhcp_profile $DHCP_PROFILE_UUID _nsxv3_ini_set metadata_proxy $METADATA_PROXY_UUID _nsxv3_ini_set dhcp_relay_service $DHCP_RELAY_SERVICE iniset $NEUTRON_CONF DEFAULT dhcp_agent_notification False fi if [[ "$NSX_USE_CLIENT_CERT_AUTH" == "True" ]]; then _nsxv3_ini_set nsx_use_client_auth "True" _nsxv3_ini_set nsx_client_cert_file "$CLIENT_CERT_FILE" _nsxv3_ini_set nsx_client_cert_storage "nsx-db" _nsxv3_ini_set nsx_client_cert_pk_password "openstack" fi } function is_neutron_ovs_base_plugin { if [ [ $1 == "nsx_v3" ] -o [ $1 == "nsx_p" ] ]; then # This allows the deployer to decide whether devstack should install OVS. # By default, we install OVS, to change this behavior add "OVS_BASE=1" to your localrc file. # Note: Any KVM compute must have OVS installed on it. return ${OVS_BASE:-0} fi } function neutron_plugin_create_nova_conf { if [ [ $1 == "nsx_v3" ] -o [ $1 == "nsx_p" ] ]; then if [[ "$VIRT_DRIVER" != 'vsphere' ]]; then # if n-cpu or octavia is enabled, then setup integration bridge if is_service_enabled n-cpu || is_service_enabled octavia ; then setup_integration_bridge if is_service_enabled n-cpu ; then iniset $NOVA_CONF neutron ovs_bridge $OVS_BRIDGE fi fi fi # if n-api is enabled, then setup the metadata_proxy_shared_secret if is_service_enabled n-api; then iniset $NOVA_CONF neutron service_metadata_proxy True if [[ "$NATIVE_DHCP_METADATA" == "True" ]]; then iniset $NOVA_CONF neutron metadata_proxy_shared_secret $METADATA_PROXY_SHARED_SECRET if [[ "$METADATA_PROXY_USE_HTTPS" == "True" ]]; then iniset $NOVA_CONF DEFAULT enabled_ssl_apis metadata if [[ "$METADATA_PROXY_CERT_FILE" != "" ]]; then iniset $NOVA_CONF wsgi ssl_cert_file $METADATA_PROXY_CERT_FILE fi if [[ "$METADATA_PROXY_PRIV_KEY_FILE" != "" ]]; then iniset $NOVA_CONF wsgi ssl_key_file $METADATA_PROXY_PRIV_KEY_FILE fi fi fi fi # if n-api-meta is enabled, then setup https on n-api-meta if is_service_enabled n-api-meta; then if [[ "$NATIVE_DHCP_METADATA" == "True" && "$METADATA_PROXY_USE_HTTPS" == "True" ]]; then inidelete $NOVA_METADATA_UWSGI_CONF uwsgi http https=":8775,$METADATA_PROXY_CERT_FILE,$METADATA_PROXY_PRIV_KEY_FILE" iniset $NOVA_METADATA_UWSGI_CONF uwsgi https $https fi fi fi } function neutron_plugin_configure_l3_agent { if [ [ $1 == "nsx_v3" ] -o [ $1 == "nsx_p" ] ]; then # VMware NSX plugin does not run L3 agent die $LINENO "q-l3 should not be executed with VMware NSX plugin!" fi } function neutron_plugin_configure_plugin_agent { if [ [ $1 == "nsx_v3" ] -o [ $1 == "nsx_p" ] ]; then # VMware NSX plugin does not run L2 agent die $LINENO "q-agt must not be executed with VMware NSX plugin!" fi } function get_bridge_up { # NOTE(armando-migliaccio): if running in a nested environment this will work # only with mac learning enabled, portsecurity and security profiles disabled # The public bridge might not exist for the NSX plugin if Q_USE_DEBUG_COMMAND is off # Try to create it anyway sudo ovs-vsctl --may-exist add-br $PUBLIC_BRIDGE sudo ovs-vsctl --may-exist add-port $PUBLIC_BRIDGE $NSX_GATEWAY_NETWORK_INTERFACE # Flush all existing addresses on public bridge sudo ip addr flush dev $PUBLIC_BRIDGE nsx_gw_net_if_mac=$(ip link show $NSX_GATEWAY_NETWORK_INTERFACE | awk '/ether/ {print $2}') sudo ip link set address $nsx_gw_net_if_mac dev $PUBLIC_BRIDGE for address in $addresses; do sudo ip addr add dev $PUBLIC_BRIDGE $address done sudo ip addr add dev $PUBLIC_BRIDGE $NSX_GATEWAY_NETWORK_CIDR sudo ip link set $PUBLIC_BRIDGE up } function set_nsx_gateway_network_cidr { if ! is_set NSX_GATEWAY_NETWORK_CIDR; then NSX_GATEWAY_NETWORK_CIDR=$PUBLIC_NETWORK_GATEWAY/${FLOATING_RANGE#*/} echo "The IP address expected on $PUBLIC_BRIDGE was not specified. " echo "Defaulting to "$NSX_GATEWAY_NETWORK_CIDR fi sudo ip addr del $NSX_GATEWAY_NETWORK_CIDR dev $PUBLIC_BRIDGE # Save and then flush remaining addresses on the interface addresses=$(ip addr show dev $PUBLIC_BRIDGE | grep inet | awk {'print $2'}) sudo ip addr flush $PUBLIC_BRIDGE # Try to detach physical interface from PUBLIC_BRIDGE sudo ovs-vsctl del-port $NSX_GATEWAY_NETWORK_INTERFACE # Restore addresses on NSX_GATEWAY_NETWORK_INTERFACE for address in $addresses; do sudo ip addr add dev $NSX_GATEWAY_NETWORK_INTERFACE $address done }