This patch adds an option to collect per cluster or per endpoint API
call records during _proxy() call. This enables client side API auditing
without the need to rely on NSX support bundles. By default this option
is disabled.
Change-Id: Ied30d90fc745d5009850c1c83c74eacd46d5fbd9
If IP block is created by Policy API, we need
{'X-Allow-Overwrite': 'true'} in header to delete subnet
Change-Id: Ib05437fef32d2ea206ee5af67b441f710d6f5016
This patch adds uri_segment as an alias of resource for all MP LB
resources, enabling proper use of _get_resource_by_name_or_id for these
resources.
Change-Id: I548519a8d2ea25d4324060894e0a3a0d03dd7e7e
In a multi cluster setup, an adaptive API rate limit is more useful as
utilization can be dynamically balanced across all active clusters.
AIMD from TCP congestion control is a simple but effective algorithm
that fits our need here, as:
- API rate is similar to TCP window size. Each API call sent
concurrently is similar to packets in the fly.
- Each successful API call that was blocked before sent will cause rate
limit to be increased by 1. Similar to each ACK received.
- Each failed API call due to Server Busy (429/503) will cause rate
limit to be decreased by half. Similar to packet loss.
When adaptive rate is set to AIMD, a custom hard limit can still be set,
max at 100/s. TCP slow start is not implemented as the upperbound of
rate is relativly small. API rate will be adjusted per period. API
rate under no circumstances will exceed the hard limit.
Change-Id: I7360f422c704d63adf59895b893dcdbef05cfd23
The user will be able to specify exception config object, that
defines which exceptions bring endpoint down, and which exceptions
trigger retry.
This change removes exception handling from the client class, which
hopefully makes the code more readable and easier to follow.
Change-Id: If4dd5c01e4bc83c9704347c2c7c8638c5ac1d72c
Currently in nsxlib, there's no client side API rate throttling. In a
scale setup it is deemed to easily overwhelm NSX backend. This patch
introduces a per-endpoint rate limiter that blocks over-limit calls.
Change-Id: Iccd1d2675bed16833d36fa40cc2ef56cf3464652
Some tenacity apis now get a single retry_state parameter which contain
all the previous information.
Change-Id: I8c83c21fe424bd6884a8e61893f1bda22dc7787b
The backend no longer returns tag length limit in corresponding API,
hence we need to update default values to reflect limits in 2.4 onwards
Change-Id: Id8a92f16577899e1f137eb865fb6819a91e244d9
Those tags can be used for policy resources, where there is no need
to add the os resource id to the tags, as it is the same as the NSX id.
Change-Id: I4e9644957dbfd16194f556cbff5447f2a2e49669
- Move some NSX services code to utils so it can be reused by the policy api consumers
- Add IPProtocolServiceEntry support
Change-Id: I50b5415c05a8a0f5b2432fa797c7e18f244a19e7
This patch will add support for the case nsxlib is configured with
a cluster (few nsx managers), which change their availability, and
in a specific point in time might all be DOWN.
1) The nsxlib will succeed even if currently all the managers are
unavailable (state DOWN)
2) By configuration of cluster_unavailable_retry=True, when a request
is issues and all managers are DOWN, the endpoint selected will be
retried until one of the managers is back UP, or until max retries
is reached (10 by default)
Change-Id: I2e3d1a9734f37ef82859baf0082b39c11d6ce149
The NSX does not except few characters in the LS display name.
Replace those with '.' before creating or updating the LS name
Change-Id: I1fc4bb1530e37f09f61f92713c09ad0307e12d47
The NsxLibApiBase can have the nsxlib_config passed as None.
In order to use the retry logic we retrieve the max_attempts from
the client object. This is always set.
Change-Id: I4ac60f9a3d89b60d9b35390825578cb7f849dfa8
A small refactor to the nsxlib:
1. change the security object code to be more similar to the other resources
2. Use retry code in base resources class only and not in resources
implementations
3. generelize the resource update code, to avoid duplications in different
classes
4. Adding some tests to verify the fix does not damage anything
Change-Id: Iac2cc1d55d3525ad21cb6399da691e212d6d4722
In case of too many requests in a short period of time, the NSX will
return response 429.
In this case (if configured) the nsxlib client will retry sending the request.
This option is controlled by a new parameter in the nsxlib config
rate_limit_retry which is enabled by default.
Change-Id: I20fca36d553e1e74da61292342a87247b53b5d13
The NSX has various tag limitations. For example the maximum
length of the tags and the maximum amount of tags per resource.
This may increase with NSX versions.
This patch enables the library to learn from the NSX the tag limits.
Change-Id: Ie2eac9c51a36496908140018d7ca1d15ed0e9d58
The patch removes the neutron-lib from the dependencies. We do not
want/need the consumers of this library to pull in all of the
neutron-lib dependencies.
The patch adds the following:
1. callback to bind is_attr_set - set_is_attr_callback
2. A new exception NsxLibInvalidInput - this is raised when inputs
are invalid.
Change-Id: Ia8ec71dee2d5de921700a9b4fd7e789d2aed4679
Enable application to bind to a callback that will inject
headers to the requests sent to the NSX. This can for example
be: 'X-NSX-EUSER' which will provide the NSX context of the user
on behalf of whom the opertaion is done.
A new method set_inject_headers_callback(in is added. This method
receives a callback that should return a dictionary of headers to
be added.
Change-Id: I90fa7ea8c7828bf97aec66321e4169588108760e
Adding a caching mechanism to remember previous results of get commands
and return them if they are not too old.
This mechanism is disabled for most of the nsxlib resources, and used only
by a few resources that are accessed frequently and modifies rarely
such as transport zones.
Change-Id: I4c1c723ee878feab9a86ff9015246c9e1773bd8b
Adding log messages before & after each retry call, to help debugging.
The before message (will not appear before the first call):
Retrying call to 'func-name' for the #th time:[Last exception here]
The after message:
Finished retry number #th to 'func-name' after X(s) with args: (...):
[Last exception here]
Change-Id: Ib4a91fbfd45d9454bbd92d9f77f8c888cec80efa
On the NSX each resource has a resource-type and could be searched by it.
The new property of the resources can be used when using search_by_tags
Change-Id: I120bc9e31faa2bebb13f24a0ccbac314f8b2a1bf
Adding nat_pass parameter to router NAT rules creation.
The backend default value for this parameter is True, meaning the
firewall rules will be bypassed.
So this is also the default of the api, for backwards compatibility.
This parameter is acceptable only since nsx v2, so the api needs the
ability to check the supported features before creating the request body.
For that use, the core_resources will now get the nsxlib object at init.
Change-Id: I7c9dfe13a146a47b180fc3df2d4d6174f252e0a3
Allow resources get operations to be silent, and also not log
the validate result warning if silent.
The reason is that get actions are sometimes used in order to verify
that the object does not exist, and so we do not want to log it.
Change-Id: Ib32637da86e72ff22a7c5684a3f179b91f09406f
This patch adds API wrapper classes for nsxv3 load balancer
resources including the followings:
- ApplicationProfile
- PersistenceProfile
- ClientSslProfile
- ServerSslProfile
- Monitor
- Pool
- VirtualServer
- Service
These nsxlib classes are used initially for neutron LBaaS/Octavia.
But can also be consumed by other use cases.
Change-Id: I0fc80e20551e0994888d8c222a9a620dcb2f6e32
This patch changes the class of some nsxlib resources to match the ones
in core_resources, and moves some resources between the 2 files.
The recommended way to consume all nsxlib resources is through the nsxlib object.
Some resources were duplicated and now unified into one.
This change is backwards compatible, leaving old classes at their old location
with deprecation warnings.
Change-Id: I3093cab65ee73af560c89c9fef12cab5e6167acb
There were some directories excluded from the pep8 run, and many checks
were ignored.
This cleans the exclude list, and fixes the PEP8 issues.
Change-Id: Ib56d45443009349a42fecfc14a792fdaa6d88d67
We are replacing all usages of the retrying package with
tenacity with an end goal of removing the retrying package
from our requirements.
(Cherry picked from: Ie1b082848ac6153d29af7779de914071dc8c1ba5)
Change-Id: I6b6c57e772723f41d8182a83d2efcc4afc6290a2
Shawn Wang
Danting Liu
Salvatore Orlando
asarfaty
Anna Khmelnitsky
Spark Fan
Gary Kotton
Tong Liu
Roey Chen