A set of Neutron drivers for the VMware NSX.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 

1195 lines
48 KiB

# Copyright 2013 VMware, Inc
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import time
import xml.etree.ElementTree as et
from oslo_config import cfg
from oslo_log import log as logging
from oslo_serialization import jsonutils
from oslo_utils import strutils
import six
from vmware_nsx.common import nsxv_constants
from vmware_nsx.common import utils
from vmware_nsx.plugins.nsx_v.vshield.common import constants
from vmware_nsx.plugins.nsx_v.vshield.common import exceptions
from vmware_nsx.plugins.nsx_v.vshield.common import VcnsApiClient
LOG = logging.getLogger(__name__)
HTTP_GET = "GET"
HTTP_POST = "POST"
HTTP_DELETE = "DELETE"
HTTP_PUT = "PUT"
URI_PREFIX = "/api/4.0/edges"
#FwaaS constants
FIREWALL_SERVICE = "firewall/config"
FIREWALL_RULE_RESOURCE = "rules"
#NSXv Constants
FIREWALL_PREFIX = '/api/4.0/firewall/globalroot-0/config'
FIREWALL_REDIRECT_SEC_TYPE = 'layer3redirectsections'
SECURITYGROUP_PREFIX = '/api/2.0/services/securitygroup'
VDN_PREFIX = '/api/2.0/vdn'
SERVICES_PREFIX = '/api/2.0/services'
SPOOFGUARD_PREFIX = '/api/4.0/services/spoofguard'
TRUSTSTORE_PREFIX = '%s/%s' % (SERVICES_PREFIX, 'truststore')
EXCLUDELIST_PREFIX = '/api/2.1/app/excludelist'
SERVICE_INSERTION_PROFILE_PREFIX = '/api/2.0/si/serviceprofile'
SECURITY_POLICY_PREFIX = '/api/2.0/services/policy/securitypolicy'
APPLICATION_PREFIX = '%s/%s' % (SERVICES_PREFIX, 'application')
#LbaaS Constants
LOADBALANCER_SERVICE = "loadbalancer/config"
LOADBALANCER_STATS = "loadbalancer/statistics"
VIP_RESOURCE = "virtualservers"
POOL_RESOURCE = "pools"
MONITOR_RESOURCE = "monitors"
APP_PROFILE_RESOURCE = "applicationprofiles"
APP_RULE_RESOURCE = "applicationrules"
# IPsec VPNaaS Constants
IPSEC_VPN_SERVICE = 'ipsec/config'
# Dhcp constants
DHCP_SERVICE = "dhcp/config"
DHCP_BINDING_RESOURCE = "bindings"
# Syetem control constants
SYSCTL_SERVICE = 'systemcontrol/config'
# L2 gateway constants
BRIDGE = "bridging/config"
# IPAM constants
IPAM_POOL_SCOPE = "scope/globalroot-0"
IPAM_POOL_SERVICE = "ipam/pools"
# Self Signed Certificate constants
CSR = "csr"
CERTIFICATE = "certificate"
NETWORK_TYPES = ['Network', 'VirtualWire', 'DistributedVirtualPortgroup']
# Dynamic routing constants
ROUTING_CONFIG = "routing/config"
BGP_ROUTING_CONFIG = "routing/config/bgp"
ELAPSED_TIME_THRESHOLD = 30
MAX_EDGE_DEPLOY_TIMEOUT = 1200
def retry_upon_exception_exclude_error_codes(
exc, excluded_errors, delay=0.5, max_delay=4, max_attempts=0):
if not max_attempts:
max_attempts = cfg.CONF.nsxv.retries
return utils.retry_upon_exception_exclude_error_codes(
exc, excluded_errors, delay, max_delay, max_attempts)
def retry_upon_exception(exc, delay=0.5, max_delay=4, max_attempts=0):
if not max_attempts:
max_attempts = cfg.CONF.nsxv.retries
return utils.retry_upon_exception(exc, delay, max_delay, max_attempts)
class Vcns(object):
def __init__(self, address, user, password, ca_file, insecure):
self.address = address
self.user = user
self.password = password
self.ca_file = ca_file
self.insecure = insecure
self.jsonapi_client = VcnsApiClient.VcnsApiHelper(
address, user, password, format='json', ca_file=ca_file,
insecure=insecure, timeout=cfg.CONF.nsxv.nsx_transaction_timeout)
self.xmlapi_client = VcnsApiClient.VcnsApiHelper(
address, user, password, format='xml', ca_file=ca_file,
insecure=insecure, timeout=cfg.CONF.nsxv.nsx_transaction_timeout)
self._nsx_version = None
self._normalized_scoping_objects = None
self._normalized_global_objects = None
@retry_upon_exception(exceptions.ServiceConflict)
def _client_request(self, client, method, uri,
params, headers, encodeParams, timeout=None):
return client(method, uri, params, headers, encodeParams,
timeout=timeout)
def do_request(self, method, uri, params=None, format='json', **kwargs):
msg = ("VcnsApiHelper('%(method)s', '%(uri)s', '%(body)s')" %
{'method': method,
'uri': uri,
'body': jsonutils.dumps(params)})
LOG.debug(strutils.mask_password(msg))
headers = kwargs.get('headers')
encodeParams = kwargs.get('encode', True)
if format == 'json':
_client = self.jsonapi_client.request
else:
_client = self.xmlapi_client.request
timeout = kwargs.get('timeout')
ts = time.time()
header, content = self._client_request(_client, method, uri, params,
headers, encodeParams,
timeout=timeout)
te = time.time()
elapsed_time = te - ts
LOG.debug('VcnsApiHelper for %(method)s %(uri)s took %(seconds)2.4f. '
'reply: header=%(header)s content=%(content)s',
{'method': method, 'uri': uri,
'header': header, 'content': content,
'seconds': elapsed_time})
if elapsed_time > ELAPSED_TIME_THRESHOLD:
LOG.warning('Vcns call for %(method)s %(uri)s took %(seconds)2.4f',
{'method': method, 'uri': uri,
'seconds': elapsed_time})
if content == '':
return header, {}
if kwargs.get('decode', True):
content = jsonutils.loads(content)
return header, content
def edges_lock_operation(self):
uri = URI_PREFIX + "?lockUpdatesOnEdge=true"
return self.do_request(HTTP_POST, uri, decode=False)
@retry_upon_exception(exceptions.ResourceNotFound)
@retry_upon_exception(exceptions.RequestBad)
def deploy_edge(self, request):
uri = URI_PREFIX
return self.do_request(HTTP_POST, uri, request, decode=False,
timeout=MAX_EDGE_DEPLOY_TIMEOUT)
def update_edge(self, edge_id, request):
uri = "%s/%s" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_PUT, uri, request, decode=False)
def get_edge_id(self, job_id):
uri = URI_PREFIX + "/jobs/%s" % job_id
return self.do_request(HTTP_GET, uri, decode=True)
def get_edge_jobs(self, edge_id):
uri = URI_PREFIX + "/%s/jobs" % edge_id
return self.do_request(HTTP_GET, uri, decode=True)
def get_edge_deploy_status(self, edge_id):
uri = URI_PREFIX + "/%s/status?getlatest=false" % edge_id
return self.do_request(HTTP_GET, uri, decode="True")
def delete_edge(self, edge_id):
uri = "%s/%s" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_DELETE, uri)
def add_vdr_internal_interface(self, edge_id, interface):
uri = "%s/%s/interfaces?action=patch" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_POST, uri, interface, decode=True)
def get_vdr_internal_interface(self, edge_id, interface_index):
uri = "%s/%s/interfaces/%s" % (URI_PREFIX, edge_id, interface_index)
return self.do_request(HTTP_GET, uri, decode=True)
def update_vdr_internal_interface(self, edge_id,
interface_index, interface):
uri = "%s/%s/interfaces/%s" % (URI_PREFIX, edge_id, interface_index)
return self.do_request(HTTP_PUT, uri, interface,
format='xml', decode=True)
@retry_upon_exception(exceptions.RequestBad)
def delete_vdr_internal_interface(self, edge_id, interface_index):
uri = "%s/%s/interfaces/%d" % (URI_PREFIX, edge_id, interface_index)
return self.do_request(HTTP_DELETE, uri, decode=True)
def get_interfaces(self, edge_id):
uri = "%s/%s/vnics" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_GET, uri, decode=True)
@retry_upon_exception(exceptions.RequestBad)
def update_interface(self, edge_id, vnic):
uri = "%s/%s/vnics/%d" % (URI_PREFIX, edge_id,
vnic['index'])
return self.do_request(HTTP_PUT, uri, vnic, decode=True)
def delete_interface(self, edge_id, vnic_index):
uri = "%s/%s/vnics/%d" % (URI_PREFIX, edge_id, vnic_index)
return self.do_request(HTTP_DELETE, uri, decode=True)
def get_nat_config(self, edge_id):
uri = "%s/%s/nat/config" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_GET, uri, decode=True)
def update_nat_config(self, edge_id, nat):
uri = "%s/%s/nat/config" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_PUT, uri, nat, decode=True)
def delete_nat_rule(self, edge_id, rule_id):
uri = "%s/%s/nat/config/rules/%s" % (URI_PREFIX, edge_id, rule_id)
return self.do_request(HTTP_DELETE, uri, decode=True)
def get_edge_status(self, edge_id):
uri = "%s/%s/status?getlatest=false" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_GET, uri, decode=True)
def get_edge(self, edge_id):
uri = "%s/%s" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_GET, uri, decode=True)
def _get_edges(self, startindex=0):
uri = '%s?startIndex=%d' % (URI_PREFIX, startindex)
return self.do_request(HTTP_GET, uri, decode=True)
def get_edges(self):
edges = []
h, d = self._get_edges()
edges.extend(d['edgePage']['data'])
paging_info = d['edgePage']['pagingInfo']
page_size = int(paging_info['pageSize'])
count = int(paging_info['totalCount'])
LOG.debug("There are total %s edges and page size is %s",
count, page_size)
pages = count / page_size + 1
for i in range(1, pages):
start_index = page_size * i
h, d = self._get_edges(start_index)
edges.extend(d['edgePage']['data'])
return edges
def get_edge_syslog(self, edge_id):
uri = "%s/%s/syslog/config" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_GET, uri, decode=True)
def update_edge_syslog(self, edge_id, config):
uri = "%s/%s/syslog/config" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_PUT, uri, config)
def delete_edge_syslog(self, edge_id):
uri = "%s/%s/syslog/config" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_DELETE, uri)
def update_edge_config_with_modifier(self, edge_id, module, modifier):
uri = "%s/%s/%s/config" % (URI_PREFIX, edge_id, module)
config = self.do_request(HTTP_GET, uri)[1]
if modifier(config):
return self.do_request(HTTP_PUT, uri, config)
def get_edge_interfaces(self, edge_id):
uri = "%s/%s/interfaces" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_GET, uri, decode=True)
def get_routes(self, edge_id):
uri = "%s/%s/routing/config/static" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_GET, uri)
def update_routes(self, edge_id, routes):
uri = "%s/%s/routing/config/static" % (URI_PREFIX, edge_id)
return self.do_request(HTTP_PUT, uri, routes)
def create_lswitch(self, lsconfig):
uri = "/api/ws.v1/lswitch"
return self.do_request(HTTP_POST, uri, lsconfig, decode=True)
def delete_lswitch(self, lswitch_id):
uri = "/api/ws.v1/lswitch/%s" % lswitch_id
return self.do_request(HTTP_DELETE, uri)
def get_loadbalancer_config(self, edge_id):
uri = self._build_uri_path(edge_id, LOADBALANCER_SERVICE)
return self.do_request(HTTP_GET, uri, decode=True)
def get_loadbalancer_statistics(self, edge_id):
uri = self._build_uri_path(edge_id, LOADBALANCER_STATS)
return self.do_request(HTTP_GET, uri, decode=True)
def enable_service_loadbalancer(self, edge_id, config):
uri = self._build_uri_path(edge_id, LOADBALANCER_SERVICE)
return self.do_request(HTTP_PUT, uri, config)
def sync_firewall(self):
for cluster_id in cfg.CONF.nsxv.cluster_moid:
uri = '/api/4.0/firewall/forceSync/%s' % cluster_id
self.do_request(HTTP_POST, uri)
def update_firewall(self, edge_id, fw_req):
uri = self._build_uri_path(
edge_id, FIREWALL_SERVICE)
return self.do_request(HTTP_PUT, uri, fw_req)
def delete_firewall(self, edge_id):
uri = self._build_uri_path(
edge_id, FIREWALL_SERVICE, None)
return self.do_request(HTTP_DELETE, uri)
def update_firewall_rule(self, edge_id, vcns_rule_id, fwr_req):
uri = self._build_uri_path(
edge_id, FIREWALL_SERVICE,
FIREWALL_RULE_RESOURCE,
vcns_rule_id)
return self.do_request(HTTP_PUT, uri, fwr_req)
def delete_firewall_rule(self, edge_id, vcns_rule_id):
uri = self._build_uri_path(
edge_id, FIREWALL_SERVICE,
FIREWALL_RULE_RESOURCE,
vcns_rule_id)
return self.do_request(HTTP_DELETE, uri)
def add_firewall_rule_above(self, edge_id, ref_vcns_rule_id, fwr_req):
uri = self._build_uri_path(
edge_id, FIREWALL_SERVICE,
FIREWALL_RULE_RESOURCE)
uri += "?aboveRuleId=" + ref_vcns_rule_id
return self.do_request(HTTP_POST, uri, fwr_req)
def add_firewall_rule(self, edge_id, fwr_req):
uri = self._build_uri_path(
edge_id, FIREWALL_SERVICE,
FIREWALL_RULE_RESOURCE)
return self.do_request(HTTP_POST, uri, fwr_req)
def update_firewall_default_policy(self, edge_id, fw_req):
uri = self._build_uri_path(
edge_id, FIREWALL_SERVICE, 'defaultpolicy')
return self.do_request(HTTP_PUT, uri, fw_req)
def get_firewall(self, edge_id):
uri = self._build_uri_path(edge_id, FIREWALL_SERVICE)
return self.do_request(HTTP_GET, uri, decode=True)
def get_firewall_rule(self, edge_id, vcns_rule_id):
uri = self._build_uri_path(
edge_id, FIREWALL_SERVICE,
FIREWALL_RULE_RESOURCE,
vcns_rule_id)
return self.do_request(HTTP_GET, uri, decode=True)
#
#Edge LBAAS call helper
#
def create_vip(self, edge_id, vip_new):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
VIP_RESOURCE)
return self.do_request(HTTP_POST, uri, vip_new)
def get_vip(self, edge_id, vip_vseid):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
VIP_RESOURCE, vip_vseid)
return self.do_request(HTTP_GET, uri, decode=True)
def update_vip(self, edge_id, vip_vseid, vip_new):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
VIP_RESOURCE, vip_vseid)
return self.do_request(HTTP_PUT, uri, vip_new)
def delete_vip(self, edge_id, vip_vseid):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
VIP_RESOURCE, vip_vseid)
return self.do_request(HTTP_DELETE, uri)
def create_pool(self, edge_id, pool_new):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
POOL_RESOURCE)
return self.do_request(HTTP_POST, uri, pool_new)
def get_pool(self, edge_id, pool_vseid):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
POOL_RESOURCE, pool_vseid)
return self.do_request(HTTP_GET, uri, decode=True)
def update_pool(self, edge_id, pool_vseid, pool_new):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
POOL_RESOURCE, pool_vseid)
return self.do_request(HTTP_PUT, uri, pool_new)
def delete_pool(self, edge_id, pool_vseid):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
POOL_RESOURCE, pool_vseid)
return self.do_request(HTTP_DELETE, uri)
def create_health_monitor(self, edge_id, monitor_new):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
MONITOR_RESOURCE)
return self.do_request(HTTP_POST, uri, monitor_new)
def get_health_monitor(self, edge_id, monitor_vseid):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
MONITOR_RESOURCE, monitor_vseid)
return self.do_request(HTTP_GET, uri, decode=True)
def update_health_monitor(self, edge_id, monitor_vseid, monitor_new):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
MONITOR_RESOURCE,
monitor_vseid)
return self.do_request(HTTP_PUT, uri, monitor_new)
def delete_health_monitor(self, edge_id, monitor_vseid):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
MONITOR_RESOURCE,
monitor_vseid)
return self.do_request(HTTP_DELETE, uri)
def create_app_profile(self, edge_id, app_profile):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
APP_PROFILE_RESOURCE)
return self.do_request(HTTP_POST, uri, app_profile)
def update_app_profile(self, edge_id, app_profileid, app_profile):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
APP_PROFILE_RESOURCE, app_profileid)
return self.do_request(HTTP_PUT, uri, app_profile)
def delete_app_profile(self, edge_id, app_profileid):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
APP_PROFILE_RESOURCE,
app_profileid)
return self.do_request(HTTP_DELETE, uri)
def create_app_rule(self, edge_id, app_rule):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
APP_RULE_RESOURCE)
return self.do_request(HTTP_POST, uri, app_rule)
def update_app_rule(self, edge_id, app_ruleid, app_rule):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
APP_RULE_RESOURCE, app_ruleid)
return self.do_request(HTTP_PUT, uri, app_rule)
def delete_app_rule(self, edge_id, app_ruleid):
uri = self._build_uri_path(
edge_id, LOADBALANCER_SERVICE,
APP_RULE_RESOURCE,
app_ruleid)
return self.do_request(HTTP_DELETE, uri)
def update_ipsec_config(self, edge_id, ipsec_config):
uri = self._build_uri_path(edge_id, IPSEC_VPN_SERVICE)
return self.do_request(HTTP_PUT, uri, ipsec_config)
def delete_ipsec_config(self, edge_id):
uri = self._build_uri_path(edge_id, IPSEC_VPN_SERVICE)
return self.do_request(HTTP_DELETE, uri)
def get_ipsec_config(self, edge_id):
uri = self._build_uri_path(edge_id, IPSEC_VPN_SERVICE)
return self.do_request(HTTP_GET, uri)
@retry_upon_exception(exceptions.RequestBad)
def create_virtual_wire(self, vdn_scope_id, request):
"""Creates a VXLAN virtual wire
The method will return the virtual wire ID.
"""
uri = '/api/2.0/vdn/scopes/%s/virtualwires' % vdn_scope_id
return self.do_request(HTTP_POST, uri, request, format='xml',
decode=False)
def delete_virtual_wire(self, virtualwire_id):
"""Deletes a virtual wire."""
uri = '/api/2.0/vdn/virtualwires/%s' % virtualwire_id
return self.do_request(HTTP_DELETE, uri, format='xml')
def create_port_group(self, dvs_id, request):
"""Creates a port group on a DVS
The method will return the port group ID.
"""
uri = '/api/2.0/xvs/switches/%s/networks' % dvs_id
return self.do_request(HTTP_POST, uri, request, format='xml',
decode=False)
def delete_port_group(self, dvs_id, portgroup_id):
"""Deletes a portgroup."""
uri = '/api/2.0/xvs/switches/%s/networks/%s' % (dvs_id,
portgroup_id)
return self.do_request(HTTP_DELETE, uri, format='xml', decode=False)
def get_vdn_switch(self, dvs_id):
uri = '/api/2.0/vdn/switches/%s' % dvs_id
return self.do_request(HTTP_GET, uri, decode=True)
def update_vdn_switch(self, switch):
uri = '/api/2.0/vdn/switches'
return self.do_request(HTTP_PUT, uri, switch)
def query_interface(self, edge_id, vnic_index):
uri = "%s/%s/vnics/%d" % (URI_PREFIX, edge_id, vnic_index)
return self.do_request(HTTP_GET, uri, decode=True)
def reconfigure_dhcp_service(self, edge_id, request_config):
"""Reconfigure dhcp static bindings in the created Edge."""
uri = "/api/4.0/edges/%s/dhcp/config" % edge_id
return self.do_request(HTTP_PUT, uri, request_config)
def query_dhcp_configuration(self, edge_id):
"""Query DHCP configuration from the specific edge."""
uri = "/api/4.0/edges/%s/dhcp/config" % edge_id
return self.do_request(HTTP_GET, uri)
def create_dhcp_binding(self, edge_id, request_config):
"""Append one dhcp static binding on the edge."""
uri = self._build_uri_path(edge_id,
DHCP_SERVICE, DHCP_BINDING_RESOURCE)
return self.do_request(HTTP_POST, uri, request_config, decode=False)
def delete_dhcp_binding(self, edge_id, binding_id):
"""Delete one dhcp static binding on the edge."""
uri = self._build_uri_path(edge_id,
DHCP_SERVICE, DHCP_BINDING_RESOURCE,
binding_id)
return self.do_request(HTTP_DELETE, uri, decode=False)
def get_dhcp_binding(self, edge_id, binding_id):
"""Get a dhcp static binding from the edge."""
uri = self._build_uri_path(edge_id,
DHCP_SERVICE, DHCP_BINDING_RESOURCE,
binding_id)
return self.do_request(HTTP_GET, uri, decode=True)
def create_security_group(self, request):
"""Creates a security group container in nsx.
The method will return the security group ID.
"""
uri = '%s/globalroot-0' % (SECURITYGROUP_PREFIX)
return self.do_request(HTTP_POST, uri, request, format='xml',
decode=False)
def delete_security_group(self, securitygroup_id):
"""Deletes a security group container."""
uri = '%s/%s?force=true' % (SECURITYGROUP_PREFIX, securitygroup_id)
return self.do_request(HTTP_DELETE, uri, format='xml', decode=False)
def update_security_group(self, sg_id, sg_name, description):
"""Updates the NSXv security group name."""
uri = '%s/%s' % (SECURITYGROUP_PREFIX, sg_id)
h, c = self.do_request(HTTP_GET, uri, format='xml', decode=False)
sg = et.fromstring(c)
sg.find('name').text = sg_name
sg.find('description').text = description
return self.do_request(HTTP_PUT, uri, et.tostring(sg),
format='xml', decode=False, encode=False)
def list_security_groups(self):
uri = '%s/scope/globalroot-0' % SECURITYGROUP_PREFIX
return self.do_request(HTTP_GET, uri, format='xml', decode=False)
def get_security_group_id(self, sg_name):
"""Returns NSXv security group id which match the given name."""
h, secgroups = self.list_security_groups()
root = utils.normalize_xml(secgroups)
for sg in root.iter('securitygroup'):
if sg.find('name').text == sg_name:
return sg.find('objectId').text
@retry_upon_exception(exceptions.VcnsApiException)
def create_bridge(self, edge_id, request):
"""Create a bridge."""
uri = self._build_uri_path(edge_id, BRIDGE)
return self.do_request(HTTP_PUT, uri, request, format='xml',
decode=False)
@retry_upon_exception(exceptions.VcnsApiException)
def delete_bridge(self, edge_id):
"""Delete a bridge."""
uri = self._build_uri_path(edge_id, BRIDGE)
return self.do_request(HTTP_DELETE, uri, format='xml', decode=False)
def create_redirect_section(self, request):
"""Creates a layer 3 redirect section in nsx rule table.
The method will return the uri to newly created section.
"""
sec_type = FIREWALL_REDIRECT_SEC_TYPE
uri = '%s/%s?autoSaveDraft=false' % (FIREWALL_PREFIX, sec_type)
uri += '&operation=insert_before&anchorId=1002'
return self.do_request(HTTP_POST, uri, request, format='xml',
decode=False, encode=False)
def create_section(self, type, request,
insert_top=False, insert_before=None):
"""Creates a layer 3 or layer 2 section in nsx rule table.
The method will return the uri to newly created section.
"""
if type == 'ip':
sec_type = 'layer3sections'
else:
sec_type = 'layer2sections'
uri = '%s/%s?autoSaveDraft=false' % (FIREWALL_PREFIX, sec_type)
if insert_top:
uri += '&operation=insert_top'
# We want to place security-group sections before the default cluster
# section, and we want to place the default cluster section before the
# global default section.
elif insert_before:
uri += '&operation=insert_before&anchorId=%s' % insert_before
else:
uri += '&operation=insert_before&anchorId=1003'
return self.do_request(HTTP_POST, uri, request, format='xml',
decode=False, encode=False)
def update_section(self, section_uri, request, h):
"""Replaces a section in nsx rule table."""
uri = '%s?autoSaveDraft=false' % section_uri
headers = self._get_section_header(section_uri, h)
return self.do_request(HTTP_PUT, uri, request, format='xml',
decode=False, encode=False, headers=headers)
def delete_section(self, section_uri):
"""Deletes a section in nsx rule table."""
uri = '%s?autoSaveDraft=false' % section_uri
return self.do_request(HTTP_DELETE, uri, format='xml', decode=False)
def get_section(self, section_uri):
return self.do_request(HTTP_GET, section_uri, format='xml',
decode=False)
def get_default_l3_id(self):
"""Retrieve the id of the default l3 section."""
h, firewall_config = self.get_dfw_config()
root = utils.normalize_xml(firewall_config)
for child in root:
if str(child.tag) == 'layer3Sections':
sections = list(child.iter('section'))
default = sections[-1]
return default.attrib['id']
def get_dfw_config(self):
uri = FIREWALL_PREFIX
return self.do_request(HTTP_GET, uri, decode=False, format='xml')
def update_dfw_config(self, request, h):
uri = FIREWALL_PREFIX
headers = self._get_section_header(None, h)
return self.do_request(HTTP_PUT, uri, request, format='xml',
decode=False, encode=False, headers=headers)
def get_section_id(self, section_name):
"""Retrieve the id of a section from nsx."""
h, firewall_config = self.get_dfw_config()
root = utils.normalize_xml(firewall_config)
for sec in root.iter('section'):
if sec.attrib['name'] == section_name:
return sec.attrib['id']
def update_section_by_id(self, id, type, request):
"""Update a section while building its uri from the id."""
if type == 'ip':
sec_type = 'layer3sections'
else:
sec_type = 'layer2sections'
section_uri = '%s/%s/%s' % (FIREWALL_PREFIX, sec_type, id)
self.update_section(section_uri, request, h=None)
def _get_section_header(self, section_uri, h=None):
if h is None:
h, c = self.do_request(HTTP_GET, section_uri, format='xml',
decode=False)
etag = h['etag']
headers = {'If-Match': etag}
return headers
def remove_rule_from_section(self, section_uri, rule_id):
"""Deletes a rule from nsx section table."""
uri = '%s/rules/%s?autoSaveDraft=false' % (section_uri, rule_id)
headers = self._get_section_header(section_uri)
return self.do_request(HTTP_DELETE, uri, format='xml',
headers=headers)
@retry_upon_exception(exceptions.RequestBad)
def add_member_to_security_group(self, security_group_id, member_id):
"""Adds a vnic member to nsx security group."""
uri = '%s/%s/members/%s?failIfExists=false' % (
SECURITYGROUP_PREFIX, security_group_id, member_id)
return self.do_request(HTTP_PUT, uri, format='xml', decode=False)
def remove_member_from_security_group(self, security_group_id,
member_id):
"""Removes a vnic member from nsx security group."""
uri = '%s/%s/members/%s?failIfAbsent=false' % (
SECURITYGROUP_PREFIX, security_group_id, member_id)
return self.do_request(HTTP_DELETE, uri, format='xml', decode=False)
def set_system_control(self, edge_id, prop):
uri = self._build_uri_path(edge_id, SYSCTL_SERVICE)
payload = {
'featureType': 'systemcontrol',
'property': prop
}
return self.do_request(HTTP_PUT, uri, payload, decode=True)
def get_system_control(self, edge_id):
uri = self._build_uri_path(edge_id, SYSCTL_SERVICE)
return self.do_request(HTTP_GET, uri)
def _get_enforcement_point_body(self, enforcement_points):
e_point_list = []
for enforcement_point in enforcement_points:
e_point_list.append({
'enforcementPoint': {
'id': enforcement_point,
'type': enforcement_point.split('-')[0]
}
})
return {'__enforcementPoints': e_point_list}
@retry_upon_exception_exclude_error_codes(
exceptions.RequestBad, [constants.NSX_ERROR_ALREADY_HAS_SG_POLICY])
def create_spoofguard_policy(self, enforcement_points, name, enable):
uri = '%s/policies/' % SPOOFGUARD_PREFIX
body = {'spoofguardPolicy':
{'name': name,
'operationMode': 'MANUAL' if enable else 'DISABLE',
'allowLocalIPs': 'true'}}
body['spoofguardPolicy'].update(
self._get_enforcement_point_body(enforcement_points))
return self.do_request(HTTP_POST, uri, body,
format='xml', encode=True, decode=False)
@retry_upon_exception(exceptions.RequestBad)
def update_spoofguard_policy(self, policy_id,
enforcement_points, name, enable):
update_uri = '%s/policies/%s' % (SPOOFGUARD_PREFIX, policy_id)
publish_uri = '%s/%s?action=publish' % (SPOOFGUARD_PREFIX, policy_id)
body = {'spoofguardPolicy':
{'policyId': policy_id,
'name': name,
'operationMode': 'MANUAL' if enable else 'DISABLE',
'allowLocalIPs': 'true'}}
body['spoofguardPolicy'].update(
self._get_enforcement_point_body(enforcement_points))
self.do_request(HTTP_PUT, update_uri, body,
format='xml', encode=True, decode=False)
return self.do_request(HTTP_POST, publish_uri, decode=False)
@retry_upon_exception(exceptions.RequestBad)
def delete_spoofguard_policy(self, policy_id):
uri = '%s/policies/%s' % (SPOOFGUARD_PREFIX, policy_id)
return self.do_request(HTTP_DELETE, uri, decode=False)
def get_spoofguard_policy(self, policy_id):
uri = '%s/policies/%s' % (SPOOFGUARD_PREFIX, policy_id)
return self.do_request(HTTP_GET, uri, decode=True)
def get_spoofguard_policies(self):
uri = '%s/policies/' % SPOOFGUARD_PREFIX
return self.do_request(HTTP_GET, uri, decode=True)
def _approve_assigned_addresses(self, policy_id,
vnic_id, mac_addr, addresses):
uri = '%s/%s' % (SPOOFGUARD_PREFIX, policy_id)
addresses = [{'ipAddress': ip_addr} for ip_addr in addresses]
body = {'spoofguardList':
{'spoofguard':
{'id': vnic_id,
'vnicUuid': vnic_id,
'approvedIpAddress': addresses,
'approvedMacAddress': mac_addr,
'publishedIpAddress': addresses,
'publishedMacAddress': mac_addr}}}
try:
return self.do_request(HTTP_POST, '%s?action=approve' % uri,
body, format='xml', decode=False)
except exceptions.VcnsApiException as e:
nsx_errcode = self.xmlapi_client._get_nsx_errorcode(e.response)
if nsx_errcode == constants.NSX_ERROR_ALREADY_EXISTS:
LOG.warning("Spoofguard entry for %s already exists",
vnic_id)
raise exceptions.AlreadyExists(resource=vnic_id)
# raise original exception for retries
raise
@retry_upon_exception(exceptions.RequestBad)
def approve_assigned_addresses(self, policy_id,
vnic_id, mac_addr, addresses):
return self._approve_assigned_addresses(
policy_id, vnic_id, mac_addr, addresses)
@retry_upon_exception(exceptions.VcnsApiException)
def publish_assigned_addresses(self, policy_id, vnic_id):
uri = '%s/%s' % (SPOOFGUARD_PREFIX, policy_id)
publish_vnic_uri = '%s?action=publish&vnicId=%s' % (uri, vnic_id)
return self.do_request(HTTP_POST, publish_vnic_uri, decode=False)
def inactivate_vnic_assigned_addresses(self, policy_id, vnic_id):
try:
self._approve_assigned_addresses(policy_id, vnic_id, '', [])
except exceptions.RequestBad:
LOG.debug("Request failed: inactivate vnic %s assigned addresses",
vnic_id)
else:
return self.publish_assigned_addresses(policy_id, vnic_id)
def _build_uri_path(self, edge_id,
service,
resource=None,
resource_id=None,
parent_resource_id=None,
fields=None,
relations=None,
filters=None,
types=None,
is_attachment=False,
is_async=False):
uri_prefix = "%s/%s/%s" % (URI_PREFIX, edge_id, service)
if resource:
res_path = resource + (resource_id and "/%s" % resource_id or '')
uri_path = "%s/%s" % (uri_prefix, res_path)
else:
uri_path = uri_prefix
if is_async:
return (uri_path + "?async=true")
else:
return uri_path
def add_vm_to_exclude_list(self, vm_id):
uri = '%s/%s' % (EXCLUDELIST_PREFIX, vm_id)
return self.do_request(HTTP_PUT, uri)
def delete_vm_from_exclude_list(self, vm_id):
uri = '%s/%s' % (EXCLUDELIST_PREFIX, vm_id)
return self.do_request(HTTP_DELETE, uri)
def get_scoping_objects(self):
uri = '%s/usermgmt/scopingobjects' % SERVICES_PREFIX
h, scoping_objects = self.do_request(HTTP_GET, uri, decode=False,
format='xml')
return scoping_objects
def _scopingobjects_lookup(self, type_names, object_id, name=None,
use_cache=False):
"""Look for a specific object in the NSX scoping objects."""
# used cached scoping objects during plugin init since it is
# a big structure to retrieve and parse each time.
if use_cache and self._normalized_scoping_objects is not None:
# Use the cached data
root = self._normalized_scoping_objects
else:
# Not using cache, or we do want to use it,
# but it was not saved yet:
# So get the data from the NSX and parse it
so_list = self.get_scoping_objects()
root = utils.normalize_xml(so_list)
# Save it for possible usage next time (even if not using cache)
self._normalized_scoping_objects = root
for obj in root.iter('object'):
if (obj.find('objectTypeName').text in type_names and
obj.find('objectId').text == object_id and
(name is None or obj.find('name').text == name)):
return True
return False
def validate_datacenter_moid(self, object_id, during_init=False):
return self._scopingobjects_lookup(['Datacenter'], object_id,
use_cache=during_init)
def validate_network(self, object_id, during_init=False):
return self._scopingobjects_lookup(NETWORK_TYPES, object_id,
use_cache=during_init)
def validate_network_name(self, object_id, name, during_init=False):
return self._scopingobjects_lookup(NETWORK_TYPES, object_id,
name=name, use_cache=during_init)
def validate_vdn_scope(self, object_id):
uri = '%s/scopes' % VDN_PREFIX
h, scope_list = self.do_request(HTTP_GET, uri, decode=False,
format='xml')
root = utils.normalize_xml(scope_list)
for obj_id in root.iter('objectId'):
if obj_id.text == object_id:
return True
return False
def get_dvs_list(self):
uri = '%s/switches' % VDN_PREFIX
h, dvs_list = self.do_request(HTTP_GET, uri, decode=False,
format='xml')
root = utils.normalize_xml(dvs_list)
dvs_list = []
for obj_id in root.iter('objectId'):
if obj_id.text:
dvs_list.append(obj_id.text)
return dvs_list
def validate_dvs(self, object_id, dvs_list=None):
if not dvs_list:
dvs_list = self.get_dvs_list()
for dvs in dvs_list:
if dvs == object_id:
return True
return False
def validate_inventory(self, object_id):
uri = '%s/inventory/%s/basicinfo' % (SERVICES_PREFIX, object_id)
try:
h, c = self.do_request(HTTP_GET, uri, decode=False)
except exceptions.ResourceNotFound:
return False
return True
def get_inventory_name(self, object_id):
uri = '%s/inventory/%s/basicinfo' % (SERVICES_PREFIX, object_id)
h, c = self.do_request(HTTP_GET, uri, decode=True)
return c['name']
def _get_version(self):
uri = '/api/2.0/services/vsmconfig'
h, c = self.do_request(HTTP_GET, uri, decode=True)
version = c['version']
LOG.debug("NSX Version: %s", version)
return version
def get_version(self):
if self._nsx_version is None:
try:
self._nsx_version = self._get_version()
except Exception as e:
# Versions prior to 6.2.0 do not support the above API
LOG.error("Unable to get NSX version. Exception: %s", e)
# Minimum supported version is 6.1
self._nsx_version = '6.1'
return self._nsx_version
def get_tuning_configuration(self):
uri = '/api/4.0/edgePublish/tuningConfiguration'
h, c = self.do_request(HTTP_GET, uri, decode=True)
return c
def configure_aggregate_publishing(self):
uri = "/api/4.0/edgePublish/tuningConfiguration"
# Ensure that configured values are not changed
config = self.get_tuning_configuration()
LOG.debug("Tuning configuration: %s", config)
tuning = et.Element('tuningConfiguration')
for opt, val in six.iteritems(config):
child = et.Element(opt)
if opt == 'aggregatePublishing':
child.text = 'true'
else:
child.text = str(val)
tuning.append(child)
return self.do_request(HTTP_PUT, uri, et.tostring(tuning),
format='xml', decode=True)
def configure_reservations(self):
uri = "/api/4.0/edgePublish/tuningConfiguration"
config = self.get_tuning_configuration()
tuning = et.Element('tuningConfiguration')
for opt, val in six.iteritems(config):
child = et.Element(opt)
if (opt == 'edgeVCpuReservationPercentage' or
opt == 'edgeMemoryReservationPercentage'):
child.text = '0'
elif opt == 'megaHertzPerVCpu':
child.text = '1500'
else:
child.text = str(val)
tuning.append(child)
return self.do_request(HTTP_PUT, uri, et.tostring(tuning),
format='xml', decode=True)
def enable_ha(self, edge_id, request_config):
"""Enable HA in the given edge."""
uri = "/api/4.0/edges/%s/highavailability/config" % edge_id
return self.do_request(HTTP_PUT, uri, request_config)
def change_edge_appliance_size(self, edge_id, size):
"""Change the size of edge appliances."""
uri = ("/api/4.0/edges/%s/appliances/?size=%s" %
(edge_id, size))
return self.do_request(HTTP_POST, uri)
def change_edge_appliance(self, edge_id, request):
uri = "/api/4.0/edges/%s/appliances" % edge_id
return self.do_request(HTTP_PUT, uri, request)
def get_edge_appliances(self, edge_id):
uri = "/api/4.0/edges/%s/appliances" % edge_id
return self.do_request(HTTP_GET, uri)
def upload_edge_certificate(self, edge_id, request):
"""Creates a certificate on the specified Edge appliance."""
uri = '%s/%s/%s' % (TRUSTSTORE_PREFIX, CERTIFICATE, edge_id)
return self.do_request(HTTP_POST, uri, request, decode=True)
def create_csr(self, edge_id, request=nsxv_constants.CSR_REQUEST):
"""Create a CSR on the specified Edge appliance."""
uri = '%s/%s/%s' % (TRUSTSTORE_PREFIX, CSR, edge_id)
return self.do_request(HTTP_POST, uri, request, format='xml',
decode=False)
def create_csr_cert(self, csr_id):
"""Create a CSR self signed cert on the specified Edge appliance."""
uri = '%s/%s/%s?noOfDays=%s' % (TRUSTSTORE_PREFIX, CSR, csr_id,
nsxv_constants.CERT_NUMBER_OF_DAYS)
return self.do_request(HTTP_PUT, uri)
def get_service_insertion_profile(self, profile_id):
profiles_uri = '%s/%s' % (SERVICE_INSERTION_PROFILE_PREFIX, profile_id)
return self.do_request(HTTP_GET, profiles_uri, format='xml',
decode=False)
def update_service_insertion_profile_binding(self, profile_id, request):
profiles_uri = '%s/%s/%s' % (SERVICE_INSERTION_PROFILE_PREFIX,
profile_id, 'binding')
return self.do_request(HTTP_POST, profiles_uri, request, format='xml',
decode=False)
def create_ipam_ip_pool(self, request):
uri = '%s/%s/%s' % (SERVICES_PREFIX, IPAM_POOL_SERVICE,
IPAM_POOL_SCOPE)
return self.do_request(HTTP_POST, uri, request, format='xml',
decode=False)
def delete_ipam_ip_pool(self, pool_id):
uri = '%s/%s/%s' % (SERVICES_PREFIX, IPAM_POOL_SERVICE, pool_id)
return self.do_request(HTTP_DELETE, uri)
def get_ipam_ip_pool(self, pool_id):
uri = '%s/%s/%s' % (SERVICES_PREFIX, IPAM_POOL_SERVICE, pool_id)
return self.do_request(HTTP_GET, uri, decode=True)
def allocate_ipam_ip_from_pool(self, pool_id, ip_addr=None):
uri = '%s/%s/%s/%s' % (SERVICES_PREFIX, IPAM_POOL_SERVICE, pool_id,
'ipaddresses')
if ip_addr:
request = {'ipAddressRequest': {'allocationMode': 'RESERVE',
'ipAddress': ip_addr}}
else:
request = {'ipAddressRequest': {'allocationMode': 'ALLOCATE'}}
return self.do_request(HTTP_POST, uri, request, format='xml',
decode=False)
def release_ipam_ip_to_pool(self, pool_id, ip_addr):
uri = '%s/%s/%s/%s/%s' % (SERVICES_PREFIX, IPAM_POOL_SERVICE, pool_id,
'ipaddresses', ip_addr)
return self.do_request(HTTP_DELETE, uri)
def get_security_policy(self, policy_id, return_xml=True):
# get the policy configuration as an xml string / dictionary
uri = '%s/%s' % (SECURITY_POLICY_PREFIX, policy_id)
if return_xml:
format = 'xml'
decode = False
else:
format = 'json'
decode = True
h, policy = self.do_request(HTTP_GET, uri, format=format,
decode=decode)
return policy
def update_security_policy(self, policy_id, request):
# update the policy configuration. request should be an xml string
uri = '%s/%s' % (SECURITY_POLICY_PREFIX, policy_id)
return self.do_request(HTTP_PUT, uri, request,
format='xml',
decode=False, encode=True)
def get_security_policies(self):
# get the policies configuration dictionary
uri = '%s/all' % (SECURITY_POLICY_PREFIX)
h, policies = self.do_request(HTTP_GET, uri, decode=True)
return policies
def list_applications(self):
uri = '%s/scope/globalroot-0' % APPLICATION_PREFIX
h, apps = self.do_request(HTTP_GET, uri, decode=True)
return apps
def update_edge_routing_config(self, edge_id, request_config):
uri = self._build_uri_path(edge_id, ROUTING_CONFIG)
return self.do_request(HTTP_PUT, uri,
VcnsApiClient.xmldumps(request_config),
format='xml')
def get_edge_routing_config(self, edge_id):
uri = self._build_uri_path(edge_id, ROUTING_CONFIG)
return self.do_request(HTTP_GET, uri)
def update_bgp_dynamic_routing(self, edge_id, bgp_request):
uri = self._build_uri_path(edge_id, BGP_ROUTING_CONFIG)
return self.do_request(HTTP_PUT, uri,
VcnsApiClient.xmldumps(bgp_request),
format='xml')
def get_bgp_routing_config(self, edge_id):
uri = self._build_uri_path(edge_id, BGP_ROUTING_CONFIG)
return self.do_request(HTTP_GET, uri)
def delete_bgp_routing_config(self, edge_id):
uri = self._build_uri_path(edge_id, BGP_ROUTING_CONFIG)
return self.do_request(HTTP_DELETE, uri)
def get_global_objects(self):
uri = '%s/application/scope/globalroot-0' % SERVICES_PREFIX
h, scoping_objects = self.do_request(HTTP_GET, uri, decode=False,
format='xml')
return scoping_objects
def _globalobjects_lookup(self, name, use_cache=False):
"""Return objectId a specific name in the NSX global objects."""
# used cached scoping objects during plugin init since it is
# a big structure to retrieve and parse each time.
if use_cache and self._normalized_global_objects is not None:
# Use the cached data
root = self._normalized_global_objects
else:
# Not using cache, or we do want to use it,
# but it was not saved yet:
# So get the data from the NSX and parse it
so_list = self.get_global_objects()
root = utils.normalize_xml(so_list)
# Save it for possible usage next time (even if not using cache)
self._normalized_global_objects = root
for obj in root.iter('application'):
if obj.find('name').text == name:
return obj.find('objectId').text
def get_application_id(self, name):
return self._globalobjects_lookup(name, use_cache=True)