vmware-nsx/vmware_nsx/common/config.py
Adit Sarfaty a88b99b6c9 NSX|v3 replace configuration uuids with names
Support configuration of name or uuid (instead of only uuid) for 4 nsx_v3
parameters: default_overlay_tz, default_vlan_tz, default_bridge_cluster
and default_tier0_router.

Assert on init if the uuid or name was no found on the backend, or if the
name is not unique.

DocImpact: Configuration options default_overlay_tz_uuid, default_vlan_tz_uuid,
           default_bridge_cluster_uuid and default_tier0_router_uuid were
           replaced with default_overlay_tz, default_vlan_tz, default_bridge_cluster
           and default_tier0_router and support name or uuid now.

Change-Id: Id153d4d69165b161c04c403b578657c51af20e9c
2016-04-18 16:28:09 +03:00

573 lines
30 KiB
Python

# Copyright 2012 VMware, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import logging
from oslo_config import cfg
from vmware_nsx._i18n import _, _LW
from vmware_nsx.common import exceptions as nsx_exc
from vmware_nsx.dvs import dvs_utils
from vmware_nsx.extensions import routersize
LOG = logging.getLogger(__name__)
class AgentModes:
AGENT = 'agent'
AGENTLESS = 'agentless'
COMBINED = 'combined'
class MetadataModes:
DIRECT = 'access_network'
INDIRECT = 'dhcp_host_route'
class ReplicationModes:
SERVICE = 'service'
SOURCE = 'source'
base_opts = [
cfg.IntOpt('max_lp_per_bridged_ls', default=5000,
deprecated_group='NVP',
help=_("Maximum number of ports of a logical switch on a "
"bridged transport zone. The recommended value for "
"this parameter varies with NSX version.\nPlease use:\n"
"NSX 2.x -> 64\nNSX 3.0, 3.1 -> 5000\n"
"NSX 3.2 -> 10000")),
cfg.IntOpt('max_lp_per_overlay_ls', default=256,
deprecated_group='NVP',
help=_("Maximum number of ports of a logical switch on an "
"overlay transport zone")),
cfg.IntOpt('concurrent_connections', default=10,
deprecated_group='NVP',
help=_("Maximum concurrent connections to each NSX "
"controller.")),
cfg.IntOpt('nsx_gen_timeout', default=-1,
deprecated_name='nvp_gen_timeout',
deprecated_group='NVP',
help=_("Number of seconds a generation id should be valid for "
"(default -1 meaning do not time out)")),
cfg.StrOpt('metadata_mode', default=MetadataModes.DIRECT,
deprecated_group='NVP',
help=_("If set to access_network this enables a dedicated "
"connection to the metadata proxy for metadata server "
"access via Neutron router. If set to dhcp_host_route "
"this enables host route injection via the dhcp agent. "
"This option is only useful if running on a host that "
"does not support namespaces otherwise access_network "
"should be used.")),
cfg.StrOpt('default_transport_type', default='stt',
deprecated_group='NVP',
help=_("The default network tranport type to use (stt, gre, "
"bridge, ipsec_gre, or ipsec_stt)")),
cfg.StrOpt('agent_mode', default=AgentModes.AGENT,
deprecated_group='NVP',
help=_("Specifies in which mode the plugin needs to operate "
"in order to provide DHCP and metadata proxy services "
"to tenant instances. If 'agent' is chosen (default) "
"the NSX plugin relies on external RPC agents (i.e. "
"dhcp and metadata agents) to provide such services. "
"In this mode, the plugin supports API extensions "
"'agent' and 'dhcp_agent_scheduler'. If 'agentless' "
"is chosen (experimental in Icehouse), the plugin will "
"use NSX logical services for DHCP and metadata proxy. "
"This simplifies the deployment model for Neutron, in "
"that the plugin no longer requires the RPC agents to "
"operate. When 'agentless' is chosen, the config option "
"metadata_mode becomes ineffective. The 'agentless' "
"mode works only on NSX 4.1. Furthermore, a 'combined' "
"mode is also provided and is used to support existing "
"deployments that want to adopt the agentless mode. "
"With this mode, existing networks keep being served by "
"the existing infrastructure (thus preserving backward "
"compatibility, whereas new networks will be served by "
"the new infrastructure. Migration tools are provided "
"to 'move' one network from one model to another; with "
"agent_mode set to 'combined', option "
"'network_auto_schedule' in neutron.conf is ignored, as "
"new networks will no longer be scheduled to existing "
"dhcp agents.")),
cfg.StrOpt('replication_mode', default=ReplicationModes.SERVICE,
choices=(ReplicationModes.SERVICE, ReplicationModes.SOURCE),
help=_("Specifies which mode packet replication should be done "
"in. If set to service a service node is required in "
"order to perform packet replication. This can also be "
"set to source if one wants replication to be performed "
"locally (NOTE: usually only useful for testing if one "
"does not want to deploy a service node). In order to "
"leverage distributed routers, replication_mode should "
"be set to 'service'.")),
]
sync_opts = [
cfg.IntOpt('state_sync_interval', default=10,
deprecated_group='NVP_SYNC',
help=_("Interval in seconds between runs of the status "
"synchronization task. The plugin will aim at "
"resynchronizing operational status for all resources "
"in this interval, and it should be therefore large "
"enough to ensure the task is feasible. Otherwise the "
"plugin will be constantly synchronizing resource "
"status, ie: a new task is started as soon as the "
"previous is completed. If this value is set to 0, the "
"state synchronization thread for this Neutron instance "
"will be disabled.")),
cfg.IntOpt('max_random_sync_delay', default=0,
deprecated_group='NVP_SYNC',
help=_("Random additional delay between two runs of the state "
"synchronization task. An additional wait time between "
"0 and max_random_sync_delay seconds will be added on "
"top of state_sync_interval.")),
cfg.IntOpt('min_sync_req_delay', default=1,
deprecated_group='NVP_SYNC',
help=_("Minimum delay, in seconds, between two status "
"synchronization requests for NSX. Depending on chunk "
"size, controller load, and other factors, state "
"synchronization requests might be pretty heavy. This "
"means the controller might take time to respond, and "
"its load might be quite increased by them. This "
"parameter allows to specify a minimum interval between "
"two subsequent requests. The value for this parameter "
"must never exceed state_sync_interval. If this does, "
"an error will be raised at startup.")),
cfg.IntOpt('min_chunk_size', default=500,
deprecated_group='NVP_SYNC',
help=_("Minimum number of resources to be retrieved from NSX "
"in a single status synchronization request. The actual "
"size of the chunk will increase if the number of "
"resources is such that using the minimum chunk size "
"will cause the interval between two requests to be "
"less than min_sync_req_delay")),
cfg.BoolOpt('always_read_status', default=False,
deprecated_group='NVP_SYNC',
help=_("Enable this option to allow punctual state "
"synchronization on show operations. In this way, show "
"operations will always fetch the operational status "
"of the resource from the NSX backend, and this might "
"have a considerable impact on overall performance."))
]
connection_opts = [
cfg.StrOpt('nsx_user',
default='admin',
deprecated_name='nvp_user',
help=_('User name for NSX controllers in this cluster')),
cfg.StrOpt('nsx_password',
default='admin',
deprecated_name='nvp_password',
secret=True,
help=_('Password for NSX controllers in this cluster')),
cfg.IntOpt('http_timeout',
default=75,
help=_('Time before aborting a request on an '
'unresponsive controller (Seconds)')),
cfg.IntOpt('retries',
default=2,
help=_('Maximum number of times a particular request '
'should be retried')),
cfg.IntOpt('redirects',
default=2,
help=_('Maximum number of times a redirect response '
'should be followed')),
cfg.ListOpt('nsx_controllers',
deprecated_name='nvp_controllers',
help=_('Comma-separated list of NSX controller '
'endpoints (<ip>:<port>). When port is omitted, '
'443 is assumed. This option MUST be specified. '
'e.g.: aa.bb.cc.dd, ee.ff.gg.hh.ee:80')),
cfg.IntOpt('conn_idle_timeout',
default=900,
help=_('Reconnect connection to nsx if not used within this '
'amount of time.')),
]
cluster_opts = [
cfg.StrOpt('default_tz_uuid',
help=_("This is uuid of the default NSX Transport zone that "
"will be used for creating tunneled isolated "
"\"Neutron\" networks. It needs to be created in NSX "
"before starting Neutron with the nsx plugin.")),
cfg.StrOpt('default_l3_gw_service_uuid',
help=_("(Optional) UUID of the NSX L3 Gateway "
"service which will be used for implementing routers "
"and floating IPs")),
cfg.StrOpt('default_l2_gw_service_uuid',
help=_("(Optional) UUID of the NSX L2 Gateway service "
"which will be used by default for network gateways")),
cfg.StrOpt('default_service_cluster_uuid',
help=_("(Optional) UUID of the Service Cluster which will "
"be used by logical services like dhcp and metadata")),
cfg.StrOpt('nsx_default_interface_name', default='breth0',
deprecated_name='default_interface_name',
help=_("Name of the interface on a L2 Gateway transport node "
"which should be used by default when setting up a "
"network connection")),
]
nsx_common_opts = [
cfg.StrOpt('nsx_l2gw_driver',
help=_("Specify the class path for the Layer 2 gateway "
"backend driver(i.e. NSXv3/NSX-V). This field will be "
"used when a L2 Gateway service plugin is configured.")),
cfg.StrOpt('locking_coordinator_url',
deprecated_group='nsxv',
help=_("(Optional) URL for distributed locking coordination "
"resource for lock manager. This value is passed as a "
"parameter to tooz coordinator. By default, value is "
"None and oslo_concurrency is used for single-node "
"lock management.")),
]
nsx_v3_opts = [
cfg.StrOpt('nsx_api_user',
deprecated_name='nsx_user',
default='admin',
help=_('User name for the NSX manager')),
cfg.StrOpt('nsx_api_password',
deprecated_name='nsx_password',
default='default',
secret=True,
help=_('Password for the NSX manager')),
cfg.ListOpt('nsx_api_managers',
deprecated_name='nsx_manager',
help=_("IP address of one or more NSX managers separated "
"by commas. The IP address should be of the form:\n"
"[<scheme>://]<ip_adress>[:<port>]\nIf scheme is not "
"provided https is used. If port is not provided port "
"80 is used for http and port 443 for https.")),
cfg.StrOpt('default_overlay_tz',
deprecated_name='default_overlay_tz_uuid',
help=_("This is the name or UUID of the default NSX overlay "
"transport zone that will be used for creating "
"tunneled isolated Neutron networks. It needs to be "
"created in NSX before starting Neutron with the NSX "
"plugin.")),
cfg.StrOpt('default_vlan_tz',
deprecated_name='default_vlan_tz_uuid',
help=_("(Optional) Only required when creating VLAN or flat "
"provider networks. Name or UUID of default NSX VLAN "
"transport zone that will be used for bridging between "
"Neutron networks, if no physical network has been "
"specified")),
cfg.StrOpt('default_bridge_cluster',
deprecated_name='default_bridge_cluster_uuid',
help=_("(Optional) Name or UUID of the default NSX bridge "
"cluster that will be used to perform L2 gateway "
"bridging between VXLAN and VLAN networks. If default "
"bridge cluster UUID is not specified, admin will have "
"to manually create a L2 gateway corresponding to a "
"NSX Bridge Cluster using L2 gateway APIs. This field "
"must be specified on one of the active neutron "
"servers only.")),
cfg.IntOpt('retries',
default=10,
help=_('Maximum number of times to retry API requests upon '
'stale revision errors.')),
cfg.StrOpt('ca_file',
help=_('Specify a CA bundle file to use in verifying the NSX '
'Manager server certificate. This option is ignored if '
'"insecure" is set to True. If "insecure" is set to '
'False and ca_file is unset, the system root CAs will '
'be used to verify the server certificate.')),
cfg.BoolOpt('insecure',
default=True,
help=_('If true, the NSX Manager server certificate is not '
'verified. If false the CA bundle specified via '
'"ca_file" will be used or if unsest the default '
'system root CAs will be used.')),
cfg.IntOpt('http_timeout',
default=10,
help=_('The time in seconds before aborting a HTTP connection '
'to a NSX manager.')),
cfg.IntOpt('http_read_timeout',
default=180,
help=_('The time in seconds before aborting a HTTP read '
'response from a NSX manager.')),
cfg.IntOpt('http_retries',
default=3,
help=_('Maximum number of times to retry a HTTP connection.')),
cfg.IntOpt('concurrent_connections', default=10,
help=_("Maximum concurrent connections to each NSX "
"manager.")),
cfg.IntOpt('conn_idle_timeout',
default=10,
help=_("The amount of time in seconds to wait before ensuring "
"connectivity to the NSX manager if no manager "
"connection has been used.")),
cfg.IntOpt('redirects',
default=2,
help=_('Number of times a HTTP redirect should be followed.')),
cfg.StrOpt('default_tier0_router',
deprecated_name='default_tier0_router_uuid',
help=_("Name or UUID of the default tier0 router that will be "
"used for connecting to tier1 logical routers and "
"configuring external networks")),
cfg.IntOpt('number_of_nested_groups',
default=8,
help=_("(Optional) The number of nested groups which are used "
"by the plugin, each Neutron security-groups is added "
"to one nested group, and each nested group can contain "
"as maximum as 500 security-groups, therefore, the "
"maximum number of security groups that can be created "
"is 500 * number_of_nested_groups. The default is 8 "
"nested groups, which allows a maximum of 4k "
"security-groups, to allow creation of more "
"security-groups, modify this figure.")),
cfg.StrOpt('metadata_mode',
default=MetadataModes.DIRECT,
help=_("If set to access_network this enables a dedicated "
"connection to the metadata proxy for metadata server "
"access via Neutron router. If set to dhcp_host_route "
"this enables host route injection via the dhcp agent. "
"This option is only useful if running on a host that "
"does not support namespaces otherwise access_network "
"should be used.")),
cfg.BoolOpt('metadata_on_demand',
default=False,
help=_("If true, an internal metadata network will be created "
"for a router only when the router is attached to a "
"DHCP-disabled subnet.")),
cfg.BoolOpt('log_security_groups_blocked_traffic',
default=False,
help=_("(Optional) Indicates whether distributed-firewall "
"rule for security-groups blocked traffic is logged.")),
cfg.BoolOpt('log_security_groups_allowed_traffic',
default=False,
help=_("(Optional) Indicates whether distributed-firewall "
"security-groups rules are logged.")),
]
DEFAULT_STATUS_CHECK_INTERVAL = 2000
DEFAULT_MINIMUM_POOLED_EDGES = 1
DEFAULT_MAXIMUM_POOLED_EDGES = 3
DEFAULT_MAXIMUM_TUNNELS_PER_VNIC = 20
nsxv_opts = [
cfg.StrOpt('user',
default='admin',
deprecated_group="vcns",
help=_('User name for NSXv manager')),
cfg.StrOpt('password',
default='default',
deprecated_group="vcns",
secret=True,
help=_('Password for NSXv manager')),
cfg.StrOpt('manager_uri',
deprecated_group="vcns",
help=_('URL for NSXv manager')),
cfg.StrOpt('ca_file',
help=_('Specify a CA bundle file to use in verifying the NSXv '
'server certificate.')),
cfg.BoolOpt('insecure',
default=True,
help=_('If true, the NSXv server certificate is not verified. '
'If false, then the default CA truststore is used for '
'verification. This option is ignored if "ca_file" is '
'set.')),
cfg.ListOpt('cluster_moid',
default=[],
help=_('(Required) Parameter listing the IDs of the clusters '
'which are used by OpenStack.')),
cfg.StrOpt('datacenter_moid',
deprecated_group="vcns",
help=_('Required parameter identifying the ID of datacenter '
'to deploy NSX Edges')),
cfg.StrOpt('deployment_container_id',
deprecated_group="vcns",
help=_('Optional parameter identifying the ID of datastore to '
'deploy NSX Edges')),
cfg.StrOpt('resource_pool_id',
deprecated_group="vcns",
help=_('Optional parameter identifying the ID of resource to '
'deploy NSX Edges')),
cfg.StrOpt('datastore_id',
deprecated_group="vcns",
help=_('Optional parameter identifying the ID of datastore to '
'deploy NSX Edges')),
cfg.StrOpt('external_network',
deprecated_group="vcns",
help=_('(Required) Network ID for physical network '
'connectivity')),
cfg.IntOpt('task_status_check_interval',
default=DEFAULT_STATUS_CHECK_INTERVAL,
deprecated_group="vcns",
help=_("(Optional) Asynchronous task status check interval. "
"Default is 2000 (millisecond)")),
cfg.StrOpt('vdn_scope_id',
help=_('(Optional) Network scope ID for VXLAN virtual wires')),
cfg.StrOpt('dvs_id',
help=_('(Optional) DVS MoRef ID for DVS connected to '
'Management / Edge cluster')),
cfg.IntOpt('maximum_tunnels_per_vnic',
default=DEFAULT_MAXIMUM_TUNNELS_PER_VNIC,
min=1, max=110,
help=_('(Optional) Maximum number of sub interfaces supported '
'per vnic in edge.')),
cfg.ListOpt('backup_edge_pool',
default=['service:compact:4:10',
'vdr:compact:4:10'],
help=_("Defines edge pool's management range with the format: "
"<edge_type>:[edge_size]:<min_edges>:<max_edges>."
"edge_type: service,vdr. "
"edge_size: compact, large, xlarge, quadlarge "
"and default is compact. By default, edge pool manager "
"would manage service edge with compact size "
"and distributed edge with compact size as following: "
"service:compact:4:10,vdr:compact:"
"4:10")),
cfg.IntOpt('retries',
default=20,
help=_('Maximum number of API retries on endpoint.')),
cfg.StrOpt('mgt_net_moid',
help=_('(Optional) Portgroup MoRef ID for metadata proxy '
'management network')),
cfg.ListOpt('mgt_net_proxy_ips',
help=_('(Optional) Comma separated list of management network '
'IP addresses for metadata proxy.')),
cfg.StrOpt('mgt_net_proxy_netmask',
help=_("(Optional) Management network netmask for metadata "
"proxy.")),
cfg.StrOpt('mgt_net_default_gateway',
help=_("(Optional) Management network default gateway for "
"metadata proxy.")),
cfg.ListOpt('nova_metadata_ips',
help=_("(Optional) IP addresses used by Nova metadata "
"service.")),
cfg.PortOpt('nova_metadata_port',
default=8775,
help=_("(Optional) TCP Port used by Nova metadata server.")),
cfg.StrOpt('metadata_shared_secret',
secret=True,
help=_("(Optional) Shared secret to sign metadata requests.")),
cfg.BoolOpt('metadata_insecure',
default=True,
help=_("(Optional) If True, the end to end connection for "
"metadata service is not verified. If False, the "
"default CA truststore is used for verification.")),
cfg.StrOpt('metadata_nova_client_cert',
help=_('(Optional) Client certificate to use when metadata '
'connection is to be verified. If not provided, '
'a self signed certificate will be used.')),
cfg.StrOpt('metadata_nova_client_priv_key',
help=_("(Optional) Private key of client certificate.")),
cfg.BoolOpt('spoofguard_enabled',
default=True,
help=_("(Optional) If True then plugin will use NSXV "
"spoofguard component for port-security feature.")),
cfg.ListOpt('tenant_router_types',
default=['shared', 'distributed', 'exclusive'],
help=_("Ordered list of router_types to allocate as tenant "
"routers. It limits the router types that the Nsxv "
"can support for tenants:\ndistributed: router is "
"supported by distributed edge at the backend.\n"
"shared: multiple routers share the same service "
"edge at the backend.\nexclusive: router exclusively "
"occupies one service edge at the backend.\nNsxv would "
"select the first available router type from "
"tenant_router_types list if router-type is not "
"specified. If the tenant defines the router type with "
"'--distributed','--router_type exclusive' or "
"'--router_type shared', Nsxv would verify that the "
"router type is in tenant_router_types. Admin supports "
"all these three router types.")),
cfg.StrOpt('edge_appliance_user',
secret=True,
help=_("(Optional) Username to configure for Edge appliance "
"login.")),
cfg.StrOpt('edge_appliance_password',
secret=True,
help=_("(Optional) Password to configure for Edge appliance "
"login.")),
cfg.IntOpt('dhcp_lease_time',
default=86400,
help=_("(Optional) DHCP default lease time.")),
cfg.BoolOpt('metadata_initializer',
default=True,
help=_("If True, the server instance will attempt to "
"initialize the metadata infrastructure")),
cfg.ListOpt('metadata_service_allowed_ports',
help=_('List of tcp ports, to be allowed access to the '
'metadata proxy, in addition to the default '
'80,443,8775 tcp ports')),
cfg.BoolOpt('edge_ha',
default=False,
help=_("(Optional) Enable HA for NSX Edges.")),
cfg.StrOpt('exclusive_router_appliance_size',
default="compact",
choices=routersize.VALID_EDGE_SIZES,
help=_("(Optional) Edge appliance size to be used for creating "
"exclusive router. Valid values: "
"['compact', 'large', 'xlarge', 'quadlarge']. This "
"exclusive_router_appliance_size will be picked up if "
"--router-size parameter is not specified while doing "
"neutron router-create")),
cfg.ListOpt('nameservers',
default=[],
help=_('List of nameservers to configure for the DHCP binding '
'entries. These will be used if there are no '
'nameservers defined on the subnet.')),
cfg.BoolOpt('use_dvs_features',
default=False,
help=_('If True, dvs features will be supported which '
'involves configuring the dvs backing nsx_v directly. '
'If False, only features exposed via nsx_v will be '
'supported')),
cfg.BoolOpt('log_security_groups_blocked_traffic',
default=False,
help=_("(Optional) Indicates whether distributed-firewall "
"rule for security-groups blocked traffic is logged.")),
cfg.BoolOpt('log_security_groups_allowed_traffic',
default=False,
help=_("(Optional) Indicates whether distributed-firewall "
"security-groups allowed traffic is logged.")),
cfg.BoolOpt('dhcp_force_metadata', default=True,
help=_("(Optional) In some cases the Neutron router is not "
"present to provide the metadata IP but the DHCP "
"server can be used to provide this info. Setting this "
"value will force the DHCP server to append specific "
"host routes to the DHCP request. If this option is "
"set, then the metadata service will be activated for "
"all the dhcp enabled networks.\nNote: this option can "
"only be supported at NSX manager version 6.2.3 or "
"higher.")),
]
# Register the configuration options
cfg.CONF.register_opts(connection_opts)
cfg.CONF.register_opts(cluster_opts)
cfg.CONF.register_opts(nsx_common_opts)
cfg.CONF.register_opts(nsx_v3_opts, group="nsx_v3")
cfg.CONF.register_opts(nsxv_opts, group="nsxv")
cfg.CONF.register_opts(base_opts, group="NSX")
cfg.CONF.register_opts(sync_opts, group="NSX_SYNC")
def validate_nsxv_config_options():
if (cfg.CONF.nsxv.manager_uri is None or
cfg.CONF.nsxv.user is None or
cfg.CONF.nsxv.password is None):
error = _("manager_uri, user, and password must be configured!")
raise nsx_exc.NsxPluginException(err_msg=error)
if cfg.CONF.nsxv.dvs_id is None:
LOG.warning(_LW("dvs_id must be configured to support VLANs!"))
if cfg.CONF.nsxv.vdn_scope_id is None:
LOG.warning(_LW("vdn_scope_id must be configured to support VXLANs!"))
if cfg.CONF.nsxv.use_dvs_features and not dvs_utils.dvs_is_enabled():
error = _("dvs host/vcenter credentials must be defined to use "
"dvs features")
raise nsx_exc.NsxPluginException(err_msg=error)