Create NSGroup for port exclusion

This patch does the following:
1. Create a NS Group for Excluded ports
2. Add this NS Group to NSX Exclude List

Change-Id: If33306c38790103f4d08c42a1be8bc1bb54a4a59
Co-Authored-By: Shih-Hao Li <shihli@vmware.com>
Co-Authored-By: Roey Chen <roeyc@vmware.com>
Depends-On: I5d5f92cbe19ba94d390c6fecbff1ae2083231657
This commit is contained in:
Gary Kotton 2016-12-04 03:05:06 -08:00 committed by garyk
parent 51d769768e
commit 9ee4db829a
2 changed files with 46 additions and 0 deletions


@ -104,6 +104,7 @@ NSX_V3_NO_PSEC_PROFILE_NAME = 'nsx-default-spoof-guard-vif-profile'
NSX_V3_DHCP_PROFILE_NAME = 'neutron_port_dhcp_profile'
NSX_V3_MAC_LEARNING_PROFILE_NAME = 'neutron_port_mac_learning_profile'
NSX_V3_FW_DEFAULT_SECTION = 'OS Default Section for Neutron Security-Groups'
NSX_V3_EXCLUDED_PORT_NSGROUP_NAME = 'neutron_excluded_port_nsgroup'
# NOTE(asarfaty): the order of inheritance here is important. in order for the
@ -202,6 +203,15 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
(self._psec_profile, self._no_psec_profile_id, self._dhcp_profile,
self._mac_learning_profile) = self._init_nsx_profiles()
# Include exclude NSGroup
LOG.debug("Initializing NSX v3 Excluded Port NSGroup")
self._excluded_port_nsgroup = None
self._excluded_port_nsgroup = self._init_excluded_port_nsgroup()
if not self._excluded_port_nsgroup:
msg = _("Unable to initialize NSX v3 Excluded Port NSGroup %s"
) % NSX_V3_EXCLUDED_PORT_NSGROUP_NAME
raise nsx_exc.NsxPluginException(err_msg=msg)
# Bind QoS notifications
callbacks_registry.subscribe(qos_utils.handle_qos_notification,
callbacks_resources.QOS_POLICY)
@ -309,6 +319,33 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
'nsx-logical-switch-id':
self._get_network_nsx_id(context, port_data['network_id'])}
@nsxlib_utils.retry_upon_exception(
Exception, max_attempts=cfg.CONF.nsx_v3.retries)
def _init_excluded_port_nsgroup(self):
with locking.LockManager.get_lock('nsxv3_excluded_port_nsgroup_init'):
nsgroup = self._get_excluded_port_nsgroup()
if not nsgroup:
# Create a new NSGroup for excluded ports.
membership_criteria = (
self.nsxlib.ns_group.get_port_tag_expression(
security.PORT_SG_SCOPE, nsxlib_consts.EXCLUDE_PORT))
nsgroup = self.nsxlib.ns_group.create(
NSX_V3_EXCLUDED_PORT_NSGROUP_NAME,
'Neutron Excluded Port NSGroup',
tags=self.nsxlib.build_v3_api_version_tag(),
membership_criteria=membership_criteria)
# Add this NSGroup to NSX Exclusion List.
self.nsxlib.add_member_to_fw_exclude_list(
nsgroup['id'], nsxlib_consts.NSGROUP)
return self._get_excluded_port_nsgroup()
def _get_excluded_port_nsgroup(self):
if self._excluded_port_nsgroup:
return self._excluded_port_nsgroup
nsgroups = self.nsxlib.ns_group.find_by_display_name(
NSX_V3_EXCLUDED_PORT_NSGROUP_NAME)
return nsgroups[0] if nsgroups else None
def _unsubscribe_callback_events(self):
# l3_db explicitly subscribes to the port delete callback. This
# callback is unsubscribed here since l3 APIs are handled by
@ -1492,6 +1529,11 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
port_data.get(mac_ext.MAC_LEARNING) is True))):
profiles.append(self._mac_learning_profile)
if not cfg.CONF.nsx_v3.native_dhcp_metadata:
if device_owner == const.DEVICE_OWNER_DHCP:
tags.append({'scope': security.PORT_SG_SCOPE,
'tag': nsxlib_consts.EXCLUDE_PORT})
name = self._get_port_name(context, port_data)
nsx_net_id = port_data[pbin.VIF_DETAILS]['nsx-logical-switch-id']
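Review bot: In the `_init_excluded_port_nsgroup` hunk (@ -309,6 +319,33), `add_member_to_fw_exclude_list` is called only on the branch that creates the NSGroup, so a group that already exists on the backend but was never added to the exclusion list is returned as-is and stays un-excluded. That state is reachable from this function itself: `retry_upon_exception(Exception, ...)` wraps the whole body, so if `ns_group.create` succeeds and the exclude-list call then raises, the retry finds the group via `find_by_display_name` and skips the exclusion step, and ports tagged `EXCLUDE_PORT` (the DHCP ports tagged in the @ -1492 hunk) presumably remain subject to the firewall. Unless `add_member_to_fw_exclude_list` is known to be idempotent on the backend, the membership should be checked and added when missing after the `if not nsgroup:` block rather than inside it, e.g. `# Ensure exclusion-list membership even for a pre-existing group` followed by the add call, using whatever membership query nsxlib offers. Separately, `_get_excluded_port_nsgroup` silently takes `nsgroups[0]` when `find_by_display_name` returns several matches, which is what two servers racing past the per-process `LockManager` lock would produce; a `LOG.warning` when `len(nsgroups) > 1` would make that visible. The enclosing `NsxV3Plugin` class starts outside the hunk.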


@ -114,6 +114,10 @@ def _mock_nsx_backend_calls():
"vmware_nsxlib.v3.NsxLibBridgeEndpoint.create",
side_effect=_return_id_key).start()
mock.patch(
"vmware_nsxlib.v3.security.NsxLibNsGroup.find_by_display_name",
).start()
mock.patch(
"vmware_nsxlib.v3.NsxLibLogicalSwitch.create",
side_effect=_return_id_key).start()