NSX|V3: admin util for migrating exlcude list ports

NSX version 2.0.0 support ns groups for ports that are in the exclude list. This means that we need to migrate all neutron ports from the exclude list to the NSX group. The command to do this is: nsxadmin -r ports -o migrate-exclude-ports This should be done after the platform is upgraded to 2.0.0 and before neutron ports are added/deleted. Depends-On: I6707b8b3e9d7895fdaa10a2a0ca491c5016a32e4 Change-Id: I3cc3aa2b64e6a8416ae17d651d7438bc7d747c8a
2017-04-14 19:33:36 +03:00 · 2017-04-14 19:33:36 +03:00 · 624ee9b0d4
commit 624ee9b0d4
parent 1c4a66ea31
3 changed files with 63 additions and 1 deletions
--- a/doc/source/admin_util.rst
+++ b/doc/source/admin_util.rst
@ -253,6 +253,10 @@ Ports

    nsxadmin -r ports -o nsx-migrate-v-v3

+- Migrate exclude ports to use tags::
+
+    nsxadmin -r ports -o migrate-exclude-ports
+
 Security Groups & NSX Security Groups
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/vmware_nsx/shell/admin/plugins/nsxv3/resources/ports.py
+++ b/vmware_nsx/shell/admin/plugins/nsxv3/resources/ports.py
@ -17,6 +17,7 @@ from oslo_config import cfg
 from oslo_log import log as logging
 from sqlalchemy.orm import exc

+from vmware_nsx.common import utils as nsx_utils
 from vmware_nsx.db import db as nsx_db
 from vmware_nsx.db import nsx_models
 from vmware_nsx.dvs import dvs
@ -28,7 +29,9 @@ from vmware_nsx.shell.admin.plugins.common import utils as admin_utils
 from vmware_nsx.shell.admin.plugins.nsxv3.resources import utils as v3_utils
 from vmware_nsx.shell import resources as shell
 from vmware_nsxlib.v3 import exceptions as nsx_exc
+from vmware_nsxlib.v3 import nsx_constants as nsxlib_consts
 from vmware_nsxlib.v3 import resources
+from vmware_nsxlib.v3 import security

 from neutron.db import allowedaddresspairs_db as addr_pair_db
 from neutron.db import db_base_plugin_v2
@ -268,6 +271,55 @@ def migrate_compute_ports_vms(resource, event, trigger, **kwargs):
                                   nsx_net_id, device_type)


+def migrate_exclude_ports(resource, event, trigger, **kwargs):
+    _nsx_client = v3_utils.get_nsxv3_client()
+
+    nsxlib = v3_utils.get_connected_nsxlib()
+    version = nsxlib.get_version()
+    if not nsx_utils.is_nsx_version_2_0_0(version):
+        LOG.info("Migration only supported from 2.0 onwards")
+        LOG.info("Version is %s", version)
+        return
+    admin_cxt = neutron_context.get_admin_context()
+    plugin = PortsPlugin()
+    _port_client = resources.LogicalPort(_nsx_client)
+    exclude_list = nsxlib.firewall_section.get_excludelist()
+    for member in exclude_list['members']:
+        if member['target_type'] == 'LogicalPort':
+            port_id = member['target_id']
+            # Get port
+            try:
+                nsx_port = _port_client.get(port_id)
+            except nsx_exc.ResourceNotFound:
+                LOG.info("Port %s not found", port_id)
+                continue
+            # Validate its a neutron port
+            is_neutron_port = False
+            for tag in nsx_port['tags']:
+                if tag['scope'] == 'os-neutron-port-id':
+                    is_neutron_port = True
+                    neutron_port_id = tag['tag']
+                    break
+            if not is_neutron_port:
+                LOG.info("Port %s is not a neutron port", port_id)
+                continue
+            # Check if this port exists in the DB
+            try:
+                plugin.get_port(admin_cxt, neutron_port_id)
+            except Exception:
+                LOG.info("Port %s is not defined in DB", neutron_port_id)
+                continue
+            # Update tag for the port
+            tags_update = [{'scope': security.PORT_SG_SCOPE,
+                            'tag': nsxlib_consts.EXCLUDE_PORT}]
+            _port_client.update(port_id, None,
+                                tags_update=tags_update)
+            # Remove port from the exclude list
+            nsxlib.firewall_section.remove_member_from_fw_exclude_list(
+                port_id, nsxlib_consts.TARGET_TYPE_LOGICAL_PORT)
+            LOG.info("Port %s successfully updated", port_id)
+
+
 registry.subscribe(list_missing_ports,
                   constants.PORTS,
                   shell.Operations.LIST_MISMATCHES.value)
@ -275,3 +327,7 @@ registry.subscribe(list_missing_ports,
 registry.subscribe(migrate_compute_ports_vms,
                   constants.PORTS,
                   shell.Operations.NSX_MIGRATE_V_V3.value)
+
+registry.subscribe(migrate_exclude_ports,
+                   constants.PORTS,
+                   shell.Operations.NSX_MIGRATE_EXCLUDE_PORTS.value)
--- a/vmware_nsx/shell/resources.py
+++ b/vmware_nsx/shell/resources.py
@ -51,6 +51,7 @@ class Operations(enum.Enum):
    MIGRATE_TO_DYNAMIC_CRITERIA = 'migrate-to-dynamic-criteria'
    NSX_MIGRATE_V_V3 = 'nsx-migrate-v-v3'
    MIGRATE_TO_POLICY = 'migrate-to-policy'
+    NSX_MIGRATE_EXCLUDE_PORTS = 'migrate-exclude-ports'
    STATUS = 'status'
    GENERATE = 'generate'
    IMPORT = 'import'
@ -83,7 +84,8 @@ nsxv3_resources = {
                                 [Operations.LIST_MISMATCHES.value]),
    constants.PORTS: Resource(constants.PORTS,
                              [Operations.LIST_MISMATCHES.value,
-                               Operations.NSX_MIGRATE_V_V3.value]),
+                               Operations.NSX_MIGRATE_V_V3.value,
+                               Operations.NSX_MIGRATE_EXCLUDE_PORTS.value]),
    constants.ROUTERS: Resource(constants.ROUTERS,
                                [Operations.LIST_MISMATCHES.value]),
    constants.DHCP_BINDING: Resource(constants.DHCP_BINDING,