# Copyright 2012 VMware, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from oslo_config import cfg from oslo_config import types from oslo_log import log as logging from neutron.conf.db import l3_hamode_db from vmware_nsx._i18n import _ from vmware_nsx.common import exceptions as nsx_exc from vmware_nsx.dvs import dvs_utils from vmware_nsx.extensions import projectpluginmap from vmware_nsx.extensions import routersize LOG = logging.getLogger(__name__) DEFAULT_VDR_TRANSIT_NETWORK = "169.254.2.0/28" DEFAULT_PLR_ADDRESS = "169.254.2.3" class AgentModes(object): AGENT = 'agent' AGENTLESS = 'agentless' COMBINED = 'combined' class MetadataModes(object): DIRECT = 'access_network' INDIRECT = 'dhcp_host_route' class ReplicationModes(object): SERVICE = 'service' SOURCE = 'source' base_opts = [ cfg.IntOpt('max_lp_per_bridged_ls', default=5000, deprecated_group='NVP', help=_("Maximum number of ports of a logical switch on a " "bridged transport zone. The recommended value for " "this parameter varies with NSX version.\nPlease use:\n" "NSX 2.x -> 64\nNSX 3.0, 3.1 -> 5000\n" "NSX 3.2 -> 10000")), cfg.IntOpt('max_lp_per_overlay_ls', default=256, deprecated_group='NVP', help=_("Maximum number of ports of a logical switch on an " "overlay transport zone")), cfg.IntOpt('concurrent_connections', default=10, deprecated_group='NVP', help=_("Maximum concurrent connections to each NSX " "controller.")), cfg.IntOpt('nsx_gen_timeout', default=-1, deprecated_name='nvp_gen_timeout', deprecated_group='NVP', help=_("Number of seconds a generation id should be valid for " "(default -1 meaning do not time out)")), cfg.StrOpt('metadata_mode', default=MetadataModes.DIRECT, deprecated_group='NVP', help=_("If set to access_network this enables a dedicated " "connection to the metadata proxy for metadata server " "access via Neutron router. If set to dhcp_host_route " "this enables host route injection via the dhcp agent. " "This option is only useful if running on a host that " "does not support namespaces otherwise access_network " "should be used.")), cfg.StrOpt('default_transport_type', default='stt', deprecated_group='NVP', help=_("The default network tranport type to use (stt, gre, " "bridge, ipsec_gre, or ipsec_stt)")), cfg.StrOpt('agent_mode', default=AgentModes.AGENT, deprecated_group='NVP', help=_("Specifies in which mode the plugin needs to operate " "in order to provide DHCP and metadata proxy services " "to tenant instances. If 'agent' is chosen (default) " "the NSX plugin relies on external RPC agents (i.e. " "dhcp and metadata agents) to provide such services. " "In this mode, the plugin supports API extensions " "'agent' and 'dhcp_agent_scheduler'. If 'agentless' " "is chosen (experimental in Icehouse), the plugin will " "use NSX logical services for DHCP and metadata proxy. " "This simplifies the deployment model for Neutron, in " "that the plugin no longer requires the RPC agents to " "operate. When 'agentless' is chosen, the config option " "metadata_mode becomes ineffective. The 'agentless' " "mode works only on NSX 4.1. Furthermore, a 'combined' " "mode is also provided and is used to support existing " "deployments that want to adopt the agentless mode. " "With this mode, existing networks keep being served by " "the existing infrastructure (thus preserving backward " "compatibility, whereas new networks will be served by " "the new infrastructure. Migration tools are provided " "to 'move' one network from one model to another; with " "agent_mode set to 'combined', option " "'network_auto_schedule' in neutron.conf is ignored, as " "new networks will no longer be scheduled to existing " "dhcp agents.")), cfg.StrOpt('replication_mode', default=ReplicationModes.SERVICE, choices=(ReplicationModes.SERVICE, ReplicationModes.SOURCE), help=_("Specifies which mode packet replication should be done " "in. If set to service a service node is required in " "order to perform packet replication. This can also be " "set to source if one wants replication to be performed " "locally (NOTE: usually only useful for testing if one " "does not want to deploy a service node). In order to " "leverage distributed routers, replication_mode should " "be set to 'service'.")), cfg.FloatOpt('qos_peak_bw_multiplier', default=2.0, min=1.0, help=_("The QoS rules peak bandwidth value will be the " "configured maximum bandwidth of the QoS rule, " "multiplied by this value. Value must be bigger than" " 1")), ] sync_opts = [ cfg.IntOpt('state_sync_interval', default=10, deprecated_group='NVP_SYNC', help=_("Interval in seconds between runs of the status " "synchronization task. The plugin will aim at " "resynchronizing operational status for all resources " "in this interval, and it should be therefore large " "enough to ensure the task is feasible. Otherwise the " "plugin will be constantly synchronizing resource " "status, ie: a new task is started as soon as the " "previous is completed. If this value is set to 0, the " "state synchronization thread for this Neutron instance " "will be disabled.")), cfg.IntOpt('max_random_sync_delay', default=0, deprecated_group='NVP_SYNC', help=_("Random additional delay between two runs of the state " "synchronization task. An additional wait time between " "0 and max_random_sync_delay seconds will be added on " "top of state_sync_interval.")), cfg.IntOpt('min_sync_req_delay', default=1, deprecated_group='NVP_SYNC', help=_("Minimum delay, in seconds, between two status " "synchronization requests for NSX. Depending on chunk " "size, controller load, and other factors, state " "synchronization requests might be pretty heavy. This " "means the controller might take time to respond, and " "its load might be quite increased by them. This " "parameter allows to specify a minimum interval between " "two subsequent requests. The value for this parameter " "must never exceed state_sync_interval. If this does, " "an error will be raised at startup.")), cfg.IntOpt('min_chunk_size', default=500, deprecated_group='NVP_SYNC', help=_("Minimum number of resources to be retrieved from NSX " "in a single status synchronization request. The actual " "size of the chunk will increase if the number of " "resources is such that using the minimum chunk size " "will cause the interval between two requests to be " "less than min_sync_req_delay")), cfg.BoolOpt('always_read_status', default=False, deprecated_group='NVP_SYNC', help=_("Enable this option to allow punctual state " "synchronization on show operations. In this way, show " "operations will always fetch the operational status " "of the resource from the NSX backend, and this might " "have a considerable impact on overall performance.")) ] connection_opts = [ cfg.StrOpt('nsx_user', default='admin', deprecated_name='nvp_user', help=_('User name for NSX controllers in this cluster')), cfg.StrOpt('nsx_password', default='admin', deprecated_name='nvp_password', secret=True, help=_('Password for NSX controllers in this cluster')), cfg.IntOpt('http_timeout', default=75, help=_('Time before aborting a request on an ' 'unresponsive controller (Seconds)')), cfg.IntOpt('retries', default=2, help=_('Maximum number of times a particular request ' 'should be retried')), cfg.IntOpt('redirects', default=2, help=_('Maximum number of times a redirect response ' 'should be followed')), cfg.ListOpt('nsx_controllers', default=[], deprecated_name='nvp_controllers', help=_('Comma-separated list of NSX controller ' 'endpoints (:). When port is omitted, ' '443 is assumed. This option MUST be specified. ' 'e.g.: aa.bb.cc.dd, ee.ff.gg.hh.ee:80')), cfg.IntOpt('conn_idle_timeout', default=900, help=_('Reconnect connection to nsx if not used within this ' 'amount of time.')), ] cluster_opts = [ cfg.StrOpt('default_tz_uuid', help=_("This is uuid of the default NSX Transport zone that " "will be used for creating tunneled isolated " "\"Neutron\" networks. It needs to be created in NSX " "before starting Neutron with the nsx plugin.")), cfg.StrOpt('default_l3_gw_service_uuid', help=_("(Optional) UUID of the NSX L3 Gateway " "service which will be used for implementing routers " "and floating IPs")), cfg.StrOpt('default_l2_gw_service_uuid', help=_("(Optional) UUID of the NSX L2 Gateway service " "which will be used by default for network gateways")), cfg.StrOpt('default_service_cluster_uuid', help=_("(Optional) UUID of the Service Cluster which will " "be used by logical services like dhcp and metadata")), cfg.StrOpt('nsx_default_interface_name', default='breth0', deprecated_name='default_interface_name', help=_("Name of the interface on a L2 Gateway transport node " "which should be used by default when setting up a " "network connection")), ] nsx_common_opts = [ cfg.StrOpt('nsx_l2gw_driver', help=_("Specify the class path for the Layer 2 gateway " "backend driver (i.e. NSX-T/NSX-V). This field will be " "used when a L2 Gateway service plugin is configured.")), cfg.StrOpt('locking_coordinator_url', help=_("(Optional) URL for distributed locking coordination " "resource for lock manager. This value is passed as a " "parameter to tooz coordinator. By default, value is " "None and oslo_concurrency is used for single-node " "lock management.")), cfg.BoolOpt('api_replay_mode', default=False, help=_("If true, the server then allows the caller to " "specify the id of resources. This should only " "be enabled in order to allow one to migrate an " "existing install of neutron to the NSX-T plugin.")), cfg.ListOpt('nsx_extension_drivers', default=[], help=_("An ordered list of extension driver " "entrypoints to be loaded from the " "vmware_nsx.extension_drivers namespace.")), cfg.StrOpt('smtp_gateway', help=_("(Optional) IP address of SMTP gateway to use for" "admin warnings.")), cfg.StrOpt('smtp_from_addr', help=_("(Optional) email address to use for outgoing admin" "notifications.")), cfg.ListOpt('snmp_to_list', default=[], help=_("(Optional) List of email addresses for " "notifications.")), cfg.IntOpt('octavia_stats_interval', default=10, help=_("Interval in seconds for Octavia statistics reporting. " "0 means no reporting")), ] nsx_v3_and_p = [ cfg.ListOpt('nsx_api_user', default=['admin'], help=_('User names for the NSX managers')), cfg.ListOpt('nsx_api_password', default=['default'], secret=True, help=_('Passwords for the NSX managers')), cfg.ListOpt('nsx_api_managers', default=[], help=_("IP address of one or more NSX managers separated " "by commas. The IP address should be of the form:\n" "[://][:]\nIf scheme is not " "provided https is used. If port is not provided port " "80 is used for http and port 443 for https.")), cfg.BoolOpt('nsx_use_client_auth', default=False, help=_("Use client certificate in NSX manager " "authentication")), cfg.StrOpt('nsx_client_cert_file', default='', help=_("File to contain client certificate and private key")), cfg.StrOpt('nsx_client_cert_pk_password', default="", secret=True, help=_("password for private key encryption")), cfg.StrOpt('nsx_client_cert_storage', default='nsx-db', choices=['nsx-db', 'none'], help=_("Storage type for client certificate sensitive data")), cfg.IntOpt('retries', default=10, help=_('Maximum number of times to retry API requests upon ' 'stale revision errors.')), cfg.ListOpt('ca_file', help=_('Specify a CA bundle files to use in verifying the NSX ' 'Managers server certificate. This option is ignored ' 'if "insecure" is set to True. If "insecure" is set to ' 'False and ca_file is unset, the system root CAs will ' 'be used to verify the server certificate.')), cfg.BoolOpt('insecure', default=True, help=_('If true, the NSX Manager server certificate is not ' 'verified. If false the CA bundle specified via ' '"ca_file" will be used or if unsest the default ' 'system root CAs will be used.')), cfg.IntOpt('http_timeout', default=10, help=_('The time in seconds before aborting a HTTP connection ' 'to a NSX manager.')), cfg.IntOpt('http_read_timeout', default=180, help=_('The time in seconds before aborting a HTTP read ' 'response from a NSX manager.')), cfg.IntOpt('http_retries', default=3, help=_('Maximum number of times to retry a HTTP connection.')), cfg.IntOpt('concurrent_connections', default=10, help=_("Maximum concurrent connections to each NSX " "manager.")), cfg.IntOpt('conn_idle_timeout', default=10, help=_("The amount of time in seconds to wait before ensuring " "connectivity to the NSX manager if no manager " "connection has been used.")), cfg.IntOpt('redirects', default=2, help=_('Number of times a HTTP redirect should be followed.')), cfg.BoolOpt('log_security_groups_blocked_traffic', default=False, help=_("(Optional) Indicates whether distributed-firewall " "rule for security-groups blocked traffic is logged.")), cfg.BoolOpt('log_security_groups_allowed_traffic', default=False, help=_("(Optional) Indicates whether distributed-firewall " "security-groups rules are logged.")), cfg.ListOpt('network_vlan_ranges', default=[], help=_("List of :: " "specifying Transport Zone UUID usable for VLAN " "provider networks, as well as ranges of VLAN " "tags on each available for allocation to networks.")), cfg.ListOpt('availability_zones', default=[], help=_('Optional parameter defining the networks availability ' 'zones names for the native dhcp configuration. The ' 'configuration of each zone will be under a group ' 'names [az:]')), cfg.StrOpt('metadata_proxy', help=_("This is the name or UUID of the NSX Metadata Proxy " "that will be used to enable native metadata service. " "It needs to be created in NSX before starting Neutron " "with the NSX plugin.")), cfg.StrOpt('dhcp_profile', help=_("This is the name or UUID of the NSX DHCP Profile " "that will be used to enable native DHCP service. It " "needs to be created in NSX before starting Neutron " "with the NSX plugin")), cfg.StrOpt('native_metadata_route', default="169.254.169.254/31", help=_("The metadata route used for native metadata proxy " "service.")), cfg.StrOpt('dns_domain', default='openstacklocal', help=_("Domain to use for building the hostnames.")), cfg.ListOpt('nameservers', default=[], help=_("List of nameservers to configure for the DHCP " "binding entries. These will be used if there are no " "nameservers defined on the subnet.")), cfg.StrOpt('edge_cluster', help=_("(Optional) Specifying an edge cluster for Tier1 " "routers to connect other that the one connected to" " the Tier0 router")), cfg.ListOpt('transit_networks', default=['100.64.0.0/16', 'fc3d:e3c3:7b93::/48'], help=_("List of transit networks used by NSX tier0 routers. " "Neutron subnets will not be allowed to use those " "cidrs")), cfg.BoolOpt('init_objects_by_tags', default=False, help=_("When True, the configured transport zones, router and " "profiles will be found by tags on the NSX. The scope " "of the tag will be the value of search_objects_" "scope. The value of the search tag will be the name " "configured in each respective configuration.")), cfg.StrOpt('search_objects_scope', help=_("This is the scope of the tag that will be used for " "finding the objects uuids on the NSX during plugin " "init.")), cfg.IntOpt('dhcp_lease_time', default=86400, help=_("DHCP default lease time.")), ] nsx_v3_opts = nsx_v3_and_p + [ cfg.StrOpt('default_overlay_tz', help=_("This is the name or UUID of the default NSX overlay " "transport zone that will be used for creating " "tunneled isolated Neutron networks. It needs to be " "created in NSX before starting Neutron with the NSX " "plugin.")), cfg.StrOpt('default_vlan_tz', help=_("(Optional) Only required when creating VLAN or flat " "provider networks. Name or UUID of default NSX VLAN " "transport zone that will be used for bridging between " "Neutron networks, if no physical network has been " "specified")), cfg.StrOpt('default_bridge_cluster', deprecated_for_removal=True, help=_("(Optional) Name or UUID of the default NSX bridge " "cluster that will be used to perform L2 gateway " "bridging between VXLAN and VLAN networks. If default " "bridge cluster UUID is not specified, admin will have " "to manually create a L2 gateway corresponding to a " "NSX Bridge Cluster using L2 gateway APIs. This field " "must be specified on one of the active neutron " "servers only.")), cfg.StrOpt('default_bridge_endpoint_profile', help=_("(Optional) Name or UUID of the default NSX bridge " "endpoint profile that will be used to perform L2 " "bridging between networks in the NSX fabric and " "VLANs external to NSX. If not specified, operators " "will need to explictly create a layer-2 gateway in " "Neutron using the L2 gateway APIs.")), cfg.StrOpt('default_tier0_router', help=_("Name or UUID of the default tier0 router that will be " "used for connecting to tier1 logical routers and " "configuring external networks")), cfg.IntOpt('number_of_nested_groups', default=8, help=_("(Optional) The number of nested groups which are used " "by the plugin, each Neutron security-groups is added " "to one nested group, and each nested group can contain " "as maximum as 500 security-groups, therefore, the " "maximum number of security groups that can be created " "is 500 * number_of_nested_groups. The default is 8 " "nested groups, which allows a maximum of 4k " "security-groups, to allow creation of more " "security-groups, modify this figure.")), cfg.StrOpt('metadata_mode', default=MetadataModes.DIRECT, help=_("If set to access_network this enables a dedicated " "connection to the metadata proxy for metadata server " "access via Neutron router. If set to dhcp_host_route " "this enables host route injection via the dhcp agent. " "This option is only useful if running on a host that " "does not support namespaces otherwise access_network " "should be used.")), cfg.BoolOpt('metadata_on_demand', default=False, help=_("If true, an internal metadata network will be created " "for a router only when the router is attached to a " "DHCP-disabled subnet.")), cfg.BoolOpt('native_dhcp_metadata', default=True, help=_("If true, DHCP and metadata proxy services will be " "provided by NSX backend.")), cfg.ListOpt('switching_profiles', default=[], help=_("Optional parameter defining a list switching profiles " "uuids that will be attached to all neutron created " "nsx ports.")), cfg.BoolOpt('ens_support', default=False, help=_("(Optional) Indicates whether ENS transport zones can " "be used")), cfg.BoolOpt('disable_port_security_for_ens', default=False, help=_("When True, port security will be set to False for " "newly created ENS networks and ports, overriding " "user settings")), cfg.StrOpt('dhcp_relay_service', help=_("(Optional) This is the name or UUID of the NSX dhcp " "relay service that will be used to enable DHCP relay " "on router ports.")), cfg.ListOpt('housekeeping_jobs', default=['orphaned_dhcp_server', 'orphaned_logical_switch', 'orphaned_logical_router', 'mismatch_logical_port', 'orphaned_firewall_section'], help=_("List of the enabled housekeeping jobs")), cfg.ListOpt('housekeeping_readonly_jobs', default=[], help=_("List of housekeeping jobs which are enabled in read " "only mode")), cfg.BoolOpt('housekeeping_readonly', default=True, help=_("Housekeeping will only warn about breakage.")), ] nsx_p_opts = nsx_v3_and_p + [ cfg.StrOpt('default_tier0_router', help=_("Name or UUID of the default tier0 router that will be " "used for connecting to tier1 logical routers and " "configuring external networks. If only one tier0 " " router is present on backend, it will be assumed " "as default unless this value is provided")), cfg.StrOpt('default_overlay_tz', help=_("This is the name or UUID of the default NSX overlay " "transport zone that will be used for creating " "tunneled isolated Neutron networks. It needs to be " "created in NSX before starting Neutron with the NSX " "plugin. If only one overlay transport zone is present " "on backend, it will be assumed as default unless this " "value is provided")), cfg.StrOpt('default_vlan_tz', help=_("(Optional) Only required when creating VLAN or flat " "provider networks. Name or UUID of default NSX VLAN " "transport zone that will be used for bridging between " "Neutron networks, if no physical network has been " "specified. If only one VLAN transport zone is present " "on backend, it will be assumed as default unless this " "value is provided")), cfg.StrOpt('waf_profile', help=_("(Optional) Name or UUID of the default WAF profile to " "be attached to L7 loadbalancer listeners")), cfg.BoolOpt('waf_protect', default=False, help=_("If True and waf_profile is set, it will be used with " "protection mode. If False - it will be used only for " "detection")), cfg.BoolOpt('allow_passthrough', default=True, help=_("If True, use nsx manager api for cases which are not " "supported by the policy manager api")), cfg.IntOpt('realization_max_attempts', default=50, help=_("(Optional) Maximum number of times to retry while " "waiting for a resource to be realized")), cfg.IntOpt('realization_wait_sec', default=1.0, help=_("(Optional) Number of seconds to wait between attempts " "for a resource to be realized")), ] DEFAULT_STATUS_CHECK_INTERVAL = 2000 DEFAULT_MINIMUM_POOLED_EDGES = 1 DEFAULT_MAXIMUM_POOLED_EDGES = 3 DEFAULT_MAXIMUM_TUNNELS_PER_VNIC = 20 nsxv_opts = [ cfg.StrOpt('user', default='admin', help=_('User name for NSXv manager')), cfg.StrOpt('password', default='default', secret=True, help=_('Password for NSXv manager')), cfg.StrOpt('manager_uri', help=_('URL for NSXv manager')), cfg.StrOpt('ca_file', help=_('Specify a CA bundle file to use in verifying the NSXv ' 'server certificate.')), cfg.BoolOpt('insecure', default=True, help=_('If true, the NSXv server certificate is not verified. ' 'If false, then the default CA truststore is used for ' 'verification. This option is ignored if "ca_file" is ' 'set.')), cfg.ListOpt('cluster_moid', default=[], help=_('(Required) Parameter listing the IDs of the clusters ' 'which are used by OpenStack.')), cfg.StrOpt('datacenter_moid', help=_('Required parameter identifying the ID of datacenter ' 'to deploy NSX Edges')), cfg.StrOpt('deployment_container_id', help=_('Optional parameter identifying the ID of datastore to ' 'deploy NSX Edges')), cfg.StrOpt('resource_pool_id', help=_('Optional parameter identifying the ID of resource to ' 'deploy NSX Edges')), cfg.ListOpt('availability_zones', default=[], help=_('Optional parameter defining the availability zones ' 'names for deploying NSX Edges. The configuration of ' 'each zone will be under a group names [az:]')), cfg.StrOpt('datastore_id', help=_('Optional parameter identifying the ID of datastore to ' 'deploy NSX Edges')), cfg.StrOpt('ha_datastore_id', help=_('Optional parameter identifying the ID of datastore to ' 'deploy NSX Edges in addition to data_store_id in case' 'edge_ha is True')), cfg.BoolOpt('ha_placement_random', default=False, help=_('When True and in case edge_ha is True, half of the ' 'edges will be placed in the primary datastore as ' 'active and the other half will be placed in the ' 'ha_datastore')), cfg.ListOpt('edge_host_groups', default=[], help=_('(Optional) If edge HA is used then this will ensure ' 'that active/backup edges are placed in the listed ' 'host groups. At least 2 predefined host groups need ' 'to be configured.')), cfg.StrOpt('external_network', help=_('(Required) Network ID for physical network ' 'connectivity')), cfg.IntOpt('task_status_check_interval', default=DEFAULT_STATUS_CHECK_INTERVAL, help=_("(Optional) Asynchronous task status check interval. " "Default is 2000 (millisecond)")), cfg.StrOpt('vdn_scope_id', help=_('(Optional) Network scope ID for VXLAN virtual wires')), cfg.StrOpt('dvs_id', help=_('(Optional) DVS MoRef ID for DVS connected to ' 'Management / Edge cluster')), cfg.IntOpt('maximum_tunnels_per_vnic', default=DEFAULT_MAXIMUM_TUNNELS_PER_VNIC, min=1, max=110, help=_('(Optional) Maximum number of sub interfaces supported ' 'per vnic in edge.')), cfg.ListOpt('backup_edge_pool', default=['service:compact:4:10', 'vdr:compact:4:10'], help=_("Defines edge pool's management range with the format: " ":[edge_size]::." "edge_type: service,vdr. " "edge_size: compact, large, xlarge, quadlarge " "and default is compact. By default, edge pool manager " "would manage service edge with compact size " "and distributed edge with compact size as following: " "service:compact:4:10,vdr:compact:" "4:10")), cfg.IntOpt('retries', default=20, help=_('Maximum number of API retries on endpoint.')), cfg.StrOpt('mgt_net_moid', help=_('(Optional) Portgroup MoRef ID for metadata proxy ' 'management network')), cfg.ListOpt('mgt_net_proxy_ips', default=[], help=_('(Optional) Comma separated list of management network ' 'IP addresses for metadata proxy.')), cfg.StrOpt('mgt_net_proxy_netmask', help=_("(Optional) Management network netmask for metadata " "proxy.")), cfg.StrOpt('mgt_net_default_gateway', help=_("(Optional) Management network default gateway for " "metadata proxy.")), cfg.ListOpt('nova_metadata_ips', default=[], help=_("(Optional) IP addresses used by Nova metadata " "service.")), cfg.PortOpt('nova_metadata_port', default=8775, help=_("(Optional) TCP Port used by Nova metadata server.")), cfg.StrOpt('metadata_shared_secret', secret=True, help=_("(Optional) Shared secret to sign metadata requests.")), cfg.BoolOpt('metadata_insecure', default=True, help=_("(Optional) If True, the end to end connection for " "metadata service is not verified. If False, the " "default CA truststore is used for verification.")), cfg.StrOpt('metadata_nova_client_cert', help=_('(Optional) Client certificate to use when metadata ' 'connection is to be verified. If not provided, ' 'a self signed certificate will be used.')), cfg.StrOpt('metadata_nova_client_priv_key', help=_("(Optional) Private key of client certificate.")), cfg.BoolOpt('spoofguard_enabled', default=True, help=_("(Optional) If True then plugin will use NSXV " "spoofguard component for port-security feature.")), cfg.BoolOpt('use_exclude_list', default=True, help=_("(Optional) If True then plugin will use NSXV exclude " "list component when port security is disabled and " "spoofguard is enabled.")), cfg.ListOpt('tenant_router_types', default=['shared', 'distributed', 'exclusive'], help=_("Ordered list of router_types to allocate as tenant " "routers. It limits the router types that the Nsxv " "can support for tenants:\ndistributed: router is " "supported by distributed edge at the backend.\n" "shared: multiple routers share the same service " "edge at the backend.\nexclusive: router exclusively " "occupies one service edge at the backend.\nNsxv would " "select the first available router type from " "tenant_router_types list if router-type is not " "specified. If the tenant defines the router type with " "'--distributed','--router_type exclusive' or " "'--router_type shared', Nsxv would verify that the " "router type is in tenant_router_types. Admin supports " "all these three router types.")), cfg.StrOpt('edge_appliance_user', secret=True, help=_("(Optional) Username to configure for Edge appliance " "login.")), cfg.StrOpt('edge_appliance_password', secret=True, help=_("(Optional) Password to configure for Edge appliance " "login.")), cfg.IntOpt('dhcp_lease_time', default=86400, help=_("(Optional) DHCP default lease time.")), cfg.BoolOpt('metadata_initializer', default=True, help=_("If True, the server instance will attempt to " "initialize the metadata infrastructure")), cfg.ListOpt('metadata_service_allowed_ports', item_type=types.Port(), default=[], help=_('List of tcp ports, to be allowed access to the ' 'metadata proxy, in addition to the default ' '80,443,8775 tcp ports')), cfg.BoolOpt('edge_ha', default=False, help=_("(Optional) Enable HA for NSX Edges.")), cfg.StrOpt('exclusive_router_appliance_size', default="compact", choices=routersize.VALID_EDGE_SIZES, help=_("(Optional) Edge appliance size to be used for creating " "exclusive router. Valid values: " "['compact', 'large', 'xlarge', 'quadlarge']. This " "exclusive_router_appliance_size will be picked up if " "--router-size parameter is not specified while doing " "neutron router-create")), cfg.StrOpt('shared_router_appliance_size', default="compact", choices=routersize.VALID_EDGE_SIZES, help=_("(Optional) Edge appliance size to be used for creating " "shared router edge. Valid values: " "['compact', 'large', 'xlarge', 'quadlarge'].")), cfg.StrOpt('dns_search_domain', help=_("(Optional) Use this search domain if there is no " "search domain configured on the subnet.")), cfg.ListOpt('nameservers', default=[], help=_('List of nameservers to configure for the DHCP binding ' 'entries. These will be used if there are no ' 'nameservers defined on the subnet.')), cfg.BoolOpt('use_dvs_features', default=False, help=_('If True, dvs features will be supported which ' 'involves configuring the dvs backing nsx_v directly. ' 'If False, only features exposed via nsx_v will be ' 'supported')), cfg.BoolOpt('log_security_groups_blocked_traffic', default=False, help=_("(Optional) Indicates whether distributed-firewall " "rule for security-groups blocked traffic is logged.")), cfg.BoolOpt('log_security_groups_allowed_traffic', default=False, help=_("(Optional) Indicates whether distributed-firewall " "security-groups allowed traffic is logged.")), cfg.StrOpt('service_insertion_profile_id', help=_("(Optional) The profile id of the redirect firewall " "rules that will be used for the Service Insertion " "feature.")), cfg.BoolOpt('service_insertion_redirect_all', default=False, help=_("(Optional) If set to True, the plugin will create " "a redirect rule to send all the traffic to the " "security partner")), cfg.BoolOpt('use_nsx_policies', default=False, help=_("If set to True, the plugin will use NSX policies " "in the neutron security groups.")), cfg.StrOpt('default_policy_id', help=_("(Optional) If use_nsx_policies is True, this policy " "will be used as the default policy for new tenants.")), cfg.BoolOpt('allow_tenant_rules_with_policy', default=False, help=_("(Optional) If use_nsx_policies is True, this value " "will determine if a tenants can add rules to their " "security groups.")), cfg.StrOpt('vdr_transit_network', default=DEFAULT_VDR_TRANSIT_NETWORK, help=_("(Optional) Sets the network address for distributed " "router TLR-PLR connectivity, with " "/ syntax")), cfg.BoolOpt('bind_floatingip_to_all_interfaces', default=False, help=_("If set to False, router will associate floating ip " "with external interface of only, thus denying " "connectivity between hosts on same network via " "their floating ips. If True, floating ip will " "be associated with all router interfaces.")), cfg.BoolOpt('exclusive_dhcp_edge', default=False, help=_("(Optional) Have exclusive DHCP edge per network.")), cfg.IntOpt('bgp_neighbour_hold_down_timer', default=4, help=_("(Optional) Set the interval (Seconds) for BGP " "neighbour hold down time.")), cfg.IntOpt('bgp_neighbour_keep_alive_timer', default=1, help=_("(Optional) Set the interval (Seconds) for BGP " "neighbour keep alive time.")), cfg.IntOpt('ecmp_wait_time', default=2, help=_("(Optional) Set the wait time (Seconds) between " "enablement of ECMP.")), cfg.ListOpt('network_vlan_ranges', default=[], help=_("List of :: " "specifying DVS MoRef ID usable for VLAN provider " "networks, as well as ranges of VLAN tags on each " "available for allocation to networks.")), cfg.IntOpt('nsx_transaction_timeout', default=240, help=_("Timeout interval for NSX backend transactions.")), cfg.BoolOpt('share_edges_between_tenants', default=True, help=_("If False, different tenants will not use the same " "DHCP edge or router edge.")), cfg.ListOpt('housekeeping_jobs', default=['error_dhcp_edge', 'error_backup_edge'], help=_("List of the enabled housekeeping jobs")), cfg.ListOpt('housekeeping_readonly_jobs', default=[], help=_("List of housekeeping jobs which are enabled in read " "only mode")), cfg.BoolOpt('housekeeping_readonly', default=True, help=_("Housekeeping will only warn about breakage.")), cfg.BoolOpt('use_default_block_all', default=False, help=_("Use default block all rule when no security groups " "are set on a port and port security is enabled")), cfg.BoolOpt('use_routers_as_lbaas_platform', default=False, help=_("Use subnet's exclusive router as a platform for " "LBaaS")), cfg.BoolOpt('allow_multiple_ip_addresses', default=False, help=_("Allow associating multiple IPs to VMs " "without spoofguard limitations")), ] # define the configuration of each NSX-V availability zone. # the list of expected zones is under nsxv group: availability_zones # Note: if any of the optional arguments is missing - the global one will be # used instead. nsxv_az_opts = [ cfg.StrOpt('resource_pool_id', help=_('Identifying the ID of resource to deploy NSX Edges')), cfg.StrOpt('datastore_id', help=_('Identifying the ID of datastore to deploy NSX Edges')), cfg.BoolOpt('edge_ha', default=False, help=_("(Optional) Enable HA for NSX Edges.")), cfg.StrOpt('ha_datastore_id', help=_('Optional parameter identifying the ID of datastore to ' 'deploy NSX Edges in addition to data_store_id in case' 'edge_ha is True')), cfg.BoolOpt('ha_placement_random', help=_('When True and in case edge_ha is True, half of the ' 'edges will be placed in the primary datastore as ' 'active and the other half will be placed in the ' 'ha_datastore. If this value is not set, the global ' 'one will be used')), cfg.ListOpt('edge_host_groups', default=[], help=_('(Optional) If edge HA is used then this will ensure ' 'that active/backup edges are placed in the listed ' 'host groups. At least 2 predefined host groups need ' 'to be configured.')), cfg.StrOpt('datacenter_moid', help=_('(Optional) Identifying the ID of datacenter to deploy ' 'NSX Edges')), cfg.ListOpt('backup_edge_pool', help=_("(Optional) Defines edge pool's management range for " "the availability zone. If not defined, the global one " "will be used")), cfg.StrOpt('mgt_net_moid', help=_('(Optional) Portgroup MoRef ID for metadata proxy ' 'management network')), cfg.ListOpt('mgt_net_proxy_ips', default=[], help=_('(Optional) Comma separated list of management network ' 'IP addresses for metadata proxy.')), cfg.StrOpt('mgt_net_proxy_netmask', help=_("(Optional) Management network netmask for metadata " "proxy.")), cfg.StrOpt('mgt_net_default_gateway', help=_("(Optional) Management network default gateway for " "metadata proxy.")), cfg.StrOpt('external_network', help=_('(Optional) Network ID for physical network ' 'connectivity')), cfg.StrOpt('vdn_scope_id', help=_('(Optional) Network scope ID for VXLAN virtual wires')), cfg.StrOpt('dvs_id', help=_('(Optional) DVS MoRef ID for DVS connected to ' 'Management / Edge cluster')), cfg.BoolOpt('exclusive_dhcp_edge', default=False, help=_("(Optional) Have exclusive DHCP edge per network.")), cfg.BoolOpt('bind_floatingip_to_all_interfaces', default=False, help=_("If set to False, router will associate floating ip " "with external interface of only, thus denying " "connectivity between hosts on same network via " "their floating ips. If True, floating ip will " "be associated with all router interfaces.")), ] # define the configuration of each NSX-V3 availability zone. # the list of expected zones is under nsx_v3 group: availability_zones # Note: if any of the optional arguments is missing - the global one will be # used instead. nsx_v3_and_p_az_opts = [ cfg.StrOpt('metadata_proxy', help=_("The name or UUID of the NSX Metadata Proxy " "that will be used to enable native metadata service. " "It needs to be created in NSX before starting Neutron " "with the NSX plugin.")), cfg.StrOpt('dhcp_profile', help=_("The name or UUID of the NSX DHCP Profile " "that will be used to enable native DHCP service. It " "needs to be created in NSX before starting Neutron " "with the NSX plugin")), cfg.StrOpt('native_metadata_route', help=_("(Optional) The metadata route used for native metadata " "proxy service.")), cfg.StrOpt('dns_domain', help=_("(Optional) Domain to use for building the hostnames.")), cfg.ListOpt('nameservers', help=_("(Optional) List of nameservers to configure for the " "DHCP binding entries. These will be used if there are " "no nameservers defined on the subnet.")), cfg.StrOpt('default_overlay_tz', help=_("(Optional) This is the name or UUID of the default NSX " "overlay transport zone that will be used for creating " "tunneled isolated Neutron networks. It needs to be " "created in NSX before starting Neutron with the NSX " "plugin.")), cfg.StrOpt('default_vlan_tz', help=_("(Optional) Only required when creating VLAN or flat " "provider networks. Name or UUID of default NSX VLAN " "transport zone that will be used for bridging between " "Neutron networks, if no physical network has been " "specified")), cfg.StrOpt('default_tier0_router', help=_("Name or UUID of the default tier0 router that will be " "used for connecting to tier1 logical routers and " "configuring external networks")), cfg.StrOpt('edge_cluster', help=_("(Optional) Specifying an edge cluster for Tier1 " "routers to connect other that the one connected to" " the Tier0 router")), ] nsxv3_az_opts = nsx_v3_and_p_az_opts + [ cfg.ListOpt('switching_profiles', help=_("(Optional) list switching profiles uuids that will be " "attached to all neutron created nsx ports.")), cfg.StrOpt('dhcp_relay_service', help=_("(Optional) This is the name or UUID of the NSX dhcp " "relay service that will be used to enable DHCP relay " "on router ports.")), cfg.StrOpt('default_tier0_router', help=_("Name or UUID of the default tier0 router that will be " "used for connecting to tier1 logical routers and " "configuring external networks")), ] nsxp_az_opts = nsx_v3_and_p_az_opts nsx_tvd_opts = [ cfg.ListOpt('nsx_v_extension_drivers', default=[], help=_("An ordered list of NSX-V extension driver " "entrypoints to be loaded from the " "vmware_nsx.extension_drivers namespace.")), cfg.ListOpt('nsx_v3_extension_drivers', default=[], help=_("An ordered list of NSX-T extension driver " "entrypoints to be loaded from the " "vmware_nsx.extension_drivers namespace.")), cfg.ListOpt('dvs_extension_drivers', default=[], help=_("An ordered list of DVS extension driver " "entrypoints to be loaded from the " "vmware_nsx.extension_drivers namespace.")), cfg.StrOpt('default_plugin', default=projectpluginmap.NsxPlugins.NSX_T, choices=projectpluginmap.VALID_TYPES, help=_("The default plugin that will be used for new projects " "that were not added to the projects plugin mapping.")), cfg.ListOpt('enabled_plugins', default=[projectpluginmap.NsxPlugins.NSX_T, projectpluginmap.NsxPlugins.NSX_V, projectpluginmap.NsxPlugins.DVS], help=_("The list of plugins that the TVD core plugin will " "load")), cfg.ListOpt('nsx_v_default_availability_zones', default=[], help=_("The default availability zones that will be used for " "NSX-V networks and routers creation under the TVD " "plugin.")), cfg.ListOpt('nsx_v3_default_availability_zones', default=[], help=_("The default availability zones that will be used for " "NSX-V3 networks and routers creation under the TVD " "plugin.")), cfg.IntOpt('init_retries', default=3, help=_('Maximum number of times a particular plugin ' 'initialization should be retried')), ] # Register the configuration options cfg.CONF.register_opts(connection_opts) cfg.CONF.register_opts(cluster_opts) cfg.CONF.register_opts(nsx_common_opts) cfg.CONF.register_opts(nsx_p_opts, group="nsx_p") cfg.CONF.register_opts(nsx_v3_opts, group="nsx_v3") cfg.CONF.register_opts(nsxv_opts, group="nsxv") cfg.CONF.register_opts(nsx_tvd_opts, group="nsx_tvd") cfg.CONF.register_opts(base_opts, group="NSX") cfg.CONF.register_opts(sync_opts, group="NSX_SYNC") # register l3_ha config opts. This is due to commit # a7c633dc8e8a67e65e558ecbdf9ea8efc5468251 cfg.CONF.register_opts(l3_hamode_db.L3_HA_OPTS) def _register_nsx_azs(conf, availability_zones, az_opts): # first verify that the availability zones are in the format of a # list of names. The old format was a list of values for each az, # separated with ':' if not availability_zones or len(availability_zones[0].split(':')) > 1: return for az in availability_zones: az_group = 'az:%s' % az conf.register_group(cfg.OptGroup( name=az_group, title="Configuration for availability zone %s" % az)) conf.register_opts(az_opts, group=az_group) # register a group for each nsxv/v3 availability zones def register_nsxv_azs(conf, availability_zones): _register_nsx_azs(conf, availability_zones, nsxv_az_opts) def register_nsxv3_azs(conf, availability_zones): _register_nsx_azs(conf, availability_zones, nsxv3_az_opts) def register_nsxp_azs(conf, availability_zones): _register_nsx_azs(conf, availability_zones, nsxp_az_opts) register_nsxv_azs(cfg.CONF, cfg.CONF.nsxv.availability_zones) register_nsxv3_azs(cfg.CONF, cfg.CONF.nsx_v3.availability_zones) register_nsxp_azs(cfg.CONF, cfg.CONF.nsx_p.availability_zones) def _get_nsx_az_opts(az, opts): az_info = dict() group = 'az:%s' % az if group not in cfg.CONF: raise nsx_exc.NsxInvalidConfiguration( opt_name=group, opt_value='None', reason=(_("Configuration group \'%s\' must be defined") % group)) for opt in opts: az_info[opt.name] = cfg.CONF[group][opt.name] return az_info def get_nsxv_az_opts(az): return _get_nsx_az_opts(az, nsxv_az_opts) def get_nsxv3_az_opts(az): return _get_nsx_az_opts(az, nsxv3_az_opts) def get_nsxp_az_opts(az): return _get_nsx_az_opts(az, nsxp_az_opts) def validate_nsxv_config_options(): if (cfg.CONF.nsxv.manager_uri is None or cfg.CONF.nsxv.user is None or cfg.CONF.nsxv.password is None): error = _("manager_uri, user, and password must be configured!") raise nsx_exc.NsxPluginException(err_msg=error) if cfg.CONF.nsxv.dvs_id is None: LOG.warning("dvs_id must be configured to support VLANs!") if cfg.CONF.nsxv.vdn_scope_id is None: LOG.warning("vdn_scope_id must be configured to support VXLANs!") if cfg.CONF.nsxv.use_dvs_features and not dvs_utils.dvs_is_enabled( dvs_id=cfg.CONF.nsxv.dvs_id): error = _("dvs host/vcenter credentials must be defined to use " "dvs features") raise nsx_exc.NsxPluginException(err_msg=error) def validate_nsx_config_options(): if cfg.CONF.nsx_extension_drivers: error = _("nsx_extension_drivers should not be configured!") raise nsx_exc.NsxPluginException(err_msg=error)