Add support for VMware NSXP

NSXP is the OpenStack support for the NSX Policy platform. This is supported from neutron in the Stein version. This patch adds Kolla support This adds a new neutron_plugin_agent type 'vmware_nsxp'. The plugin does not run any neutron agents. Change-Id: I9e9d8f07e586bdc143d293e572031368af7f3fca
2021-09-03 22:38:37 +02:00 · 2021-09-03 22:38:37 +02:00 · 458c8b13df
commit 458c8b13df
parent b16e676be7
12 changed files with 235 additions and 29 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -264,7 +264,7 @@ tunnel_interface_address: "{{ 'tunnel' | kolla_address }}"
 octavia_network_interface_address: "{{ 'octavia_network' | kolla_address }}"
 dpdk_tunnel_interface_address: "{{ 'dpdk_tunnel' | kolla_address }}"

-# Valid options are [ openvswitch, ovn, linuxbridge, vmware_nsxv, vmware_nsxv3, vmware_dvs ]
+# Valid options are [ openvswitch, ovn, linuxbridge, vmware_nsxv, vmware_nsxv3, vmware_nsxp, vmware_dvs ]
 neutron_plugin_agent: "openvswitch"

 # Valid options are [ internal, infoblox ]
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@ -71,7 +71,7 @@ neutron_services:
    container_name: "neutron_dhcp_agent"
    image: "{{ neutron_dhcp_agent_image_full }}"
    privileged: True
-    enabled: "{{ neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3'] or neutron_ovn_dhcp_agent | bool }}"
+    enabled: "{{ neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp'] or neutron_ovn_dhcp_agent | bool }}"
    group: "neutron-dhcp-agent"
    host_in_groups: "{{ inventory_hostname in groups['neutron-dhcp-agent'] }}"
    volumes: "{{ neutron_dhcp_agent_default_volumes + neutron_dhcp_agent_extra_volumes }}"
@ -81,7 +81,7 @@ neutron_services:
    container_name: "neutron_l3_agent"
    image: "{{ neutron_l3_agent_image_full }}"
    privileged: True
-    enabled: "{{ neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs'] }}"
+    enabled: "{{ neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] }}"
    environment:
      KOLLA_LEGACY_IPTABLES: "{{ neutron_legacy_iptables | bool | lower }}"
    host_in_groups: >-
@ -96,7 +96,7 @@ neutron_services:
    container_name: "neutron_sriov_agent"
    image: "{{ neutron_sriov_agent_image_full }}"
    privileged: True
-    enabled: "{{ enable_neutron_sriov | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3' ] }}"
+    enabled: "{{ enable_neutron_sriov | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp' ] }}"
    host_in_groups: "{{ inventory_hostname in groups['compute'] }}"
    volumes: "{{ neutron_sriov_agent_default_volumes + neutron_sriov_agent_extra_volumes }}"
    dimensions: "{{ neutron_sriov_agent_dimensions }}"
@ -104,7 +104,7 @@ neutron_services:
  neutron-mlnx-agent:
    container_name: "neutron_mlnx_agent"
    image: "{{ neutron_mlnx_agent_image_full }}"
-    enabled: "{{ enable_neutron_mlnx | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3' ] }}"
+    enabled: "{{ enable_neutron_mlnx | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp' ] }}"
    host_in_groups: "{{ inventory_hostname in groups['compute'] }}"
    volumes: "{{ neutron_mlnx_agent_default_volumes + neutron_mlnx_agent_extra_volumes }}"
    dimensions: "{{ neutron_mlnx_agent_dimensions }}"
@ -112,7 +112,7 @@ neutron_services:
    container_name: "neutron_eswitchd"
    image: "{{ neutron_eswitchd_image_full }}"
    privileged: True
-    enabled: "{{ enable_neutron_mlnx | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3' ] }}"
+    enabled: "{{ enable_neutron_mlnx | bool and neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp' ] }}"
    host_in_groups: "{{ inventory_hostname in groups['compute'] }}"
    volumes: "{{ neutron_eswitchd_default_volumes + neutron_eswitchd_extra_volumes }}"
    dimensions: "{{ neutron_eswitchd_dimensions }}"
@ -120,7 +120,7 @@ neutron_services:
    container_name: "neutron_metadata_agent"
    image: "{{ neutron_metadata_agent_image_full }}"
    privileged: True
-    enabled: "{{ neutron_plugin_agent not in [ 'ovn', 'vmware_nsxv', 'vmware_nsxv3' ] }}"
+    enabled: "{{ neutron_plugin_agent not in [ 'ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp' ] }}"
    host_in_groups: >-
      {{
      inventory_hostname in groups['neutron-metadata-agent']
@ -142,7 +142,7 @@ neutron_services:
    container_name: "neutron_bgp_dragent"
    image: "{{ neutron_bgp_dragent_image_full }}"
    privileged: True
-    enabled: "{{ enable_neutron_bgp_dragent | bool and neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs'] }}"
+    enabled: "{{ enable_neutron_bgp_dragent | bool and neutron_plugin_agent not in ['ovn', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] }}"
    group: "neutron-bgp-dragent"
    host_in_groups: "{{ inventory_hostname in groups['neutron-bgp-dragent'] }}"
    volumes: "{{ neutron_bgp_dragent_default_volumes + neutron_bgp_dragent_extra_volumes }}"
@ -554,6 +554,8 @@ neutron_subprojects:
    enabled: "{{ enable_neutron_bgp_dragent | bool }}"
  - name: "neutron-vpnaas"
    enabled: "{{ enable_neutron_vpnaas | bool }}"
+  - name: "vmware-nsx"
+    enabled: "{{ neutron_plugin_agent in ['vmware_dvs', 'vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp'] }}"

 ####################
 # Mechanism drivers
@ -699,6 +701,19 @@ nsxv3_default_tier0_router: "tier0 router uuid"
 nsxv3_default_vlan_tz: "vlan TZ uuid"
 nsxv3_default_overlay_tz: "overlay TZ uuid"

+####################
+# VMware NSXP
+####################
+vmware_nsxp_metadata_proxy: "metadata proxy uuid or name"
+vmware_nsxp_dhcp_profile: "dhcp service uuid or name"
+vmware_nsxp_native_dhcp_metadata: "true"
+vmware_nsxp_api_user: "admin"
+vmware_nsxp_insecure: "True"
+vmware_nsxp_api_managers: "127.0.0.1"
+vmware_nsxp_default_tier0_router: "tier0 router uuid or name"
+vmware_nsxp_default_vlan_tz: "vlan TZ uuid or name"
+vmware_nsxp_default_overlay_tz: "overlay TZ uuid or name"
+
 ####################
 # VMware DVS
 ####################
--- a/ansible/roles/neutron/tasks/config.yml
+++ b/ansible/roles/neutron/tasks/config.yml
@ -410,7 +410,7 @@
  when:
    - neutron_server.enabled | bool
    - neutron_server.host_in_groups | bool
-    - neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs']
+    - neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs']
  notify:
    - "Restart {{ service_name }} container"

--- a/ansible/roles/neutron/templates/neutron-server.json.j2
+++ b/ansible/roles/neutron/templates/neutron-server.json.j2
@ -1,5 +1,5 @@
 {
-    "command": "neutron-server --config-file /etc/neutron/neutron.conf {% if neutron_plugin_agent in ['openvswitch', 'linuxbridge', 'ovn'] %} --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/neutron_vpnaas.conf {% elif neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs'] %} --config-file /etc/neutron/plugins/vmware/nsx.ini {% endif %}",
+    "command": "neutron-server --config-file /etc/neutron/neutron.conf {% if neutron_plugin_agent in ['openvswitch', 'linuxbridge', 'ovn'] %} --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/neutron_vpnaas.conf {% elif neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] %} --config-file /etc/neutron/plugins/vmware/nsx.ini {% endif %}",
    "config_files": [
        {
            "source": "{{ container_config_directory }}/neutron.conf",
@ -19,12 +19,11 @@
            "owner": "neutron",
            "perm": "0600"
        },{% endif %}
-{% if neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs'] -%}
+{% if neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] -%}
        {
            "source": "{{ container_config_directory }}/nsx.ini",
            "dest": "/etc/neutron/plugins/vmware/nsx.ini",
            "owner": "neutron",
-            "optional": {{ (neutron_plugin_agent not in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_dvs']) | string | lower }},
            "perm": "0600"
        },{% endif %}
 {% if check_extra_ml2_plugins is defined and check_extra_ml2_plugins.matched > 0 %}{% for plugin in check_extra_ml2_plugins.files %}
--- a/ansible/roles/neutron/templates/neutron.conf.j2
+++ b/ansible/roles/neutron/templates/neutron.conf.j2
@ -45,6 +45,9 @@ core_plugin = vmware_nsx.plugin.NsxVPlugin
 {% elif neutron_plugin_agent == 'vmware_nsxv3' %}
 core_plugin = vmware_nsx.plugin.NsxV3Plugin
 dhcp_agent_notification = False
+{% elif neutron_plugin_agent == 'vmware_nsxp' %}
+core_plugin = vmware_nsx.plugin.NsxPolicyPlugin
+dhcp_agent_notification = False
 {% elif neutron_plugin_agent == 'vmware_dvs' %}
 core_plugin = vmware_nsx.plugin.NsxDvsPlugin
 {% else %}
@ -71,6 +74,8 @@ external_dns_driver = designate
 nsx_extension_drivers = vmware_nsxv_dns
 {% elif neutron_plugin_agent == 'vmware_nsxv3' %}
 nsx_extension_drivers = vmware_nsxv3_dns
+{% elif neutron_plugin_agent == 'vmware_nsxp' %}
+nsx_extension_drivers = vmware_nsxp_dns
 {% elif neutron_plugin_agent == 'vmware_dvs' %}
 nsx_extension_drivers = vmware_dvs_dns
 {% endif %}
--- a/ansible/roles/neutron/templates/nsx.ini.j2
+++ b/ansible/roles/neutron/templates/nsx.ini.j2
@ -26,6 +26,17 @@ nsx_api_managers = {{ nsxv3_api_managers }}
 default_tier0_router = {{ nsxv3_default_tier0_router }}
 default_vlan_tz = {{ nsxv3_default_vlan_tz }}
 default_overlay_tz = {{ nsxv3_default_overlay_tz }}
+{% elif neutron_plugin_agent == 'vmware_nsxp' %}
+[nsx_p]
+metadata_proxy = {{ vmware_nsxp_metadata_proxy }}
+dhcp_profile = {{ vmware_nsxp_dhcp_profile }}
+native_dhcp_metadata = {{ vmware_nsxp_native_dhcp_metadata }}
+nsx_api_password = {{ vmware_nsxp_api_password }}
+nsx_api_user = {{ vmware_nsxp_api_user }}
+nsx_api_managers = {{ vmware_nsxp_api_managers }}
+default_tier0_router = {{ vmware_nsxp_default_tier0_router }}
+default_vlan_tz = {{ vmware_nsxp_default_vlan_tz }}
+default_overlay_tz = {{ vmware_nsxp_default_overlay_tz }}
 {% elif neutron_plugin_agent == 'vmware_dvs' %}
 [dvs]
 host_ip = {{ vmware_dvs_host_ip }}
--- a/ansible/roles/nova-cell/templates/nova.conf.j2
+++ b/ansible/roles/nova-cell/templates/nova.conf.j2
@ -120,7 +120,7 @@ cafile = {{ openstack_cacert }}
 [neutron]
 metadata_proxy_shared_secret = {{ metadata_secret }}
 service_metadata_proxy = true
-{% if neutron_plugin_agent == 'vmware_nsxv3' %}
+{% if neutron_plugin_agent in ['vmware_nsxv3', 'vmware_nsxp'] %}
 ovs_bridge = {{ ovs_bridge }}
 {% endif %}
 auth_url = {{ keystone_admin_url }}
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@ -72,9 +72,6 @@ cafile = {{ openstack_cacert }}
 [neutron]
 metadata_proxy_shared_secret = {{ metadata_secret }}
 service_metadata_proxy = true
-{% if neutron_plugin_agent == 'vmware_nsxv3' %}
-ovs_bridge = {{ ovs_bridge }}
-{% endif %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_name }}
--- a/doc/source/reference/compute/vmware-guide.rst
+++ b/doc/source/reference/compute/vmware-guide.rst
@ -8,8 +8,13 @@ Overview
 ~~~~~~~~

 Kolla can deploy the Nova and Neutron Service(s) for VMware vSphere.
-Depending on the network architecture (NsxV or DVS) you choose, Kolla deploys
-the following OpenStack services for VMware vSphere:
+Depending on the network architecture (NsxT, NsxV or DVS) you choose,
+Kolla deploys the following OpenStack services for VMware vSphere:
+
+For VMware NsxT:
+
+* nova-compute
+* neutron-server

 For VMware NsxV:

@ -35,6 +40,12 @@ into what vSphere/NSX Manager API can understand. Neutron does
 not directly takes control of the Open vSwitch inside the VMware
 environment but through the API exposed by vSphere/NSX Manager.

+.. note::
+
+   VMware NSX plugin is not in the kolla image by default.
+   VMware NSX plugin has to be added in the neutron image and
+   if you are using vmware_dvs also in neutron-dhcp-agent image.
+
 For VMware DVS, the Neutron DHCP agent does not attaches to Open vSwitch inside
 VMware environment, but attach to the Open vSwitch bridge called ``br-dvs`` on
 the OpenStack side and replies to/receives DHCP packets through VLAN. Similar
@ -46,22 +57,34 @@ bridge and works through VLAN.
   VMware NSX-DVS plugin does not support tenant networks, so all VMs should
   attach to Provider VLAN/Flat networks.

-VMware NSX-V
+VMware NSX-T
 ~~~~~~~~~~~~

 Preparation
 -----------

-You should have a working NSX-V environment, this part is out of scope
-of Kolla.
-For more information, please see `VMware NSX-V documentation <https://docs.vmware.com/en/VMware-NSX-for-vSphere/>`__.
+You should have a working NSX-T environment, this part is out of scope
+of Kolla. For more information, please see
+`VMware NSX-T documentation <https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html/>`__.
+The NSX Manager provides a web-based user interface where you can manage
+your NSX-T environment.
+It also hosts the API server that processes API calls.
+The NSX Manager interface provides two modes for configuring resources:

-.. note::
+- Policy mode
+- Manager mode

-   In addition, it is important to modify the firewall rule of vSphere to make
-   sure that VNC is accessible from outside VMware environment.
+In Kolla you will have the choice between both with neutron plugin
+vmware_nsxv3 for Manager mode and vmware_nsxp for Policy Mode.
+For more information, please see
+`documentation <https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/installation/GUID-BB26CDC8-2A90-4C7E-9331-643D13FEEC4A.html/>`__.

-   On every VMware host, edit ``/etc/vmware/firewall/vnc.xml`` as below:
+------------------------------------------------------------------------------
+
+In addition, it is important to modify the firewall rule of vSphere to make
+sure that VNC is accessible from outside VMware environment.
+
+On every VMware host, edit ``/etc/vmware/firewall/vnc.xml`` as below:

 .. code-block:: xml

@ -104,6 +127,155 @@ Verify that the firewall config is applied:

   # esxcli network firewall ruleset list

+------------------------------------------------------------------------------
+
+Deployment
+----------
+
+The deployment below covers the Policy mode (vmware_nsxp)
+
+Enable VMware nova-compute plugin and NSX-T neutron-server plugin in
+``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+   enable_openvswitch: no
+   nova_compute_virt_type: "vmware"
+   neutron_plugin_agent: "vmware_nsxp"
+
+If you want to set VMware datastore as cinder backend, enable it in
+``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+   enable_cinder: "yes"
+   cinder_backend_vmwarevc_vmdk: "yes"
+   vmware_datastore_name: "TestDatastore"
+
+If you want to set VMware datastore as glance backend, enable it in
+``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+   glance_backend_vmware: "yes"
+   vmware_vcenter_name: "TestDatacenter"
+   vmware_datastore_name: "TestDatastore"
+
+VMware options are required in ``/etc/kolla/globals.yml``, these options should
+be configured correctly according to your NSX-T environment.
+
+Options for ``nova-compute`` and ``ceilometer``:
+
+.. code-block:: yaml
+
+   vmware_vcenter_host_ip: "127.0.0.1"
+   vmware_vcenter_host_username: "admin"
+   vmware_vcenter_cluster_name: "cluster-1"
+   vmware_vcenter_insecure: "True"
+   vmware_vcenter_datastore_regex: ".*"
+
+.. note::
+
+   The VMware vCenter password has to be set in ``/etc/kolla/passwords.yml``.
+
+   .. code-block:: yaml
+
+      vmware_vcenter_host_password: "admin"
+
+Options for Neutron NSX-T support:
+
+.. code-block:: yaml
+
+   vmware_nsxp_api_user: "admin"
+   vmware_nsxp_insecure: true
+   vmware_nsxp_default_tier0_router: "T0-Example"
+   vmware_nsxp_dhcp_profile: "dhcp-profile-example"
+   vmware_nsxp_metadata_proxy: "metadata_proxy-example"
+   vmware_nsxp_api_managers: "nsx-manager.local"
+   vmware_nsxp_default_vlan_tz: "vlan-tz-example"
+   vmware_nsxp_default_overlay_tz: "overlay-tz-example"
+
+.. yaml
+
+.. note::
+
+   If you want to set secure connections to VMware, set ``vmware_vcenter_insecure``
+   to false.
+   Secure connections to vCenter requires a CA file, copy the vCenter CA file to
+   ``/etc/kolla/config/vmware_ca``.
+
+.. note::
+
+   The VMware NSX-T password has to be set in ``/etc/kolla/passwords.yml``.
+
+   .. code-block:: yaml
+
+      vmware_nsxp_api_password: "xxxxx"
+      vmware_nsxp_metadata_proxy_shared_secret: "xxxxx"
+
+Then you should start :command:`kolla-ansible` deployment normally as
+KVM/QEMU deployment.
+
+VMware NSX-V
+~~~~~~~~~~~~
+
+Preparation
+-----------
+
+You should have a working NSX-V environment, this part is out of scope
+of Kolla.
+For more information, please see
+`VMware NSX-V documentation <https://docs.vmware.com/en/VMware-NSX-for-vSphere/>`__.
+
+------------------------------------------------------------------------------
+
+In addition, it is important to modify the firewall rule of vSphere to make
+sure that VNC is accessible from outside VMware environment.
+
+On every VMware host, edit ``/etc/vmware/firewall/vnc.xml`` as below:
+
+.. code-block:: xml
+
+   <!-- FirewallRule for VNC Console -->
+   <ConfigRoot>
+   <service>
+   <id>VNC</id>
+   <rule id = '0000'>
+   <direction>inbound</direction>
+   <protocol>tcp</protocol>
+   <porttype>dst</porttype>
+   <port>
+   <begin>5900</begin>
+   <end>5999</end>
+   </port>
+   </rule>
+   <rule id = '0001'>
+   <direction>outbound</direction>
+   <protocol>tcp</protocol>
+   <porttype>dst</porttype>
+   <port>
+   <begin>0</begin>
+   <end>65535</end>
+   </port>
+   </rule>
+   <enabled>true</enabled>   <required>false</required>
+   </service>
+   </ConfigRoot>
+
+Then refresh the firewall config by:
+
+.. code-block:: console
+
+   # esxcli network firewall refresh
+
+Verify that the firewall config is applied:
+
+.. code-block:: console
+
+   # esxcli network firewall ruleset list
+
+------------------------------------------------------------------------------
+
 Deployment
 ----------

@ -211,7 +383,8 @@ Before deployment, you should have a working VMware vSphere environment.
 Create a cluster and a vSphere Distributed Switch with all the host in the
 cluster attached to it.

-For more information, please see `Setting Up Networking with vSphere Distributed Switches <http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.networking.doc/GUID-375B45C7-684C-4C51-BA3C-70E48DFABF04.html>`__.
+For more information, please see
+`Setting Up Networking with vSphere Distributed Switches <http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.networking.doc/GUID-375B45C7-684C-4C51-BA3C-70E48DFABF04.html>`__.

 Deployment
 ----------
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@ -152,8 +152,8 @@
 # addresses for that reason.
 #neutron_external_interface: "eth1"

-# Valid options are [ openvswitch, ovn, linuxbridge, vmware_nsxv, vmware_nsxv3, vmware_dvs ]
-# if vmware_nsxv3 is selected, enable_openvswitch MUST be set to "no" (default is yes)
+# Valid options are [ openvswitch, ovn, linuxbridge, vmware_nsxv, vmware_nsxv3, vmware_nsxp, vmware_dvs ]
+# if vmware_nsxv3 or vmware_nsxp is selected, enable_openvswitch MUST be set to "no" (default is yes)
 #neutron_plugin_agent: "openvswitch"

 # Valid options are [ internal, infoblox ]
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@ -29,6 +29,8 @@ vmware_dvs_host_password:
 vmware_nsxv_password:
 vmware_vcenter_host_password:
 nsxv3_api_password:
+vmware_nsxp_api_password:
+vmware_nsxp_metadata_proxy_shared_secret:

 #####################
 # Hitachi NAS support
--- a/releasenotes/notes/add-nsxp-support-10a750d077d51ac6.yaml
+++ b/releasenotes/notes/add-nsxp-support-10a750d077d51ac6.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Add support for the VMware NSX Policy plugin