x/vmware-nsx
Code Issues Proposed changes
5e9d41ac17
vmware-nsx/devstack/lib/vmware_nsx_v3
Adit Sarfaty 5dac3f4a4c NSX|v3: DHCP Relay support 
Support DHCP relay by configuring the relay service per
network availability zone, or globally.
When a router interface port is created, the relay service
will be added to it.
DHCP traffic on the subnet will go through the DHCP server
configured in the dhcp relay service on the NSX, if it is
connected to the router.

Also add admin utility to update exsiting router ports when the
dhcp relay configuration changes.

A future patch will take care of firewall rules allowint the dhcp traffic.

Change-Id: I626b3377e71c269600a47b3bd805eed9d58bad82
2017-09-12 11:49:26 +03:00

294 lines
12 KiB
Bash
Raw Blame History

#!/bin/bash
# Copyright 2015 VMware, Inc.
#
# All Rights Reserved
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# Neutron VMware NSX plugin
# -------------------------
# Settings previously defined in devstack:lib/neutron-legacy
NEUTRON_CONF_DIR=/etc/neutron
export NEUTRON_TEST_CONFIG_FILE=${NEUTRON_TEST_CONFIG_FILE:-"$NEUTRON_CONF_DIR/debug.ini"}
Q_DHCP_CONF_FILE=$NEUTRON_CONF_DIR/dhcp_agent.ini
# The interface which has connectivity to the NSX Gateway uplink
NSX_GATEWAY_NETWORK_INTERFACE=${NSX_GATEWAY_NETWORK_INTERFACE:-}
# Override default 'True' in devstack:lib/neutron_plugins/services/l3
Q_USE_PROVIDERNET_FOR_PUBLIC=False
# Native support from platform
NATIVE_DHCP_METADATA=${NATIVE_DHCP_METADATA:-True}
NATIVE_METADATA_ROUTE=${NATIVE_METADATA_ROUTE:-169.254.169.254/31}
METADATA_PROXY_SHARED_SECRET=${METADATA_PROXY_SHARED_SECRET:-}
# Save trace setting
NSX_XTRACE=$(set +o | grep xtrace)
set +o xtrace
# File to store client certificate and PK
CLIENT_CERT_FILE=${DEST}/data/neutron/client.pem
source $TOP_DIR/lib/neutron_plugins/ovs_base
function _version { echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'; }
function _ovsdb_connection {
managers=(${NSX_MANAGER//,/ })
NSX_MGR_IP=${managers[0]}
NSX_VER=$(curl -1 -s -k -u "$NSX_USER:$NSX_PASSWORD" -H 'Accept: application/json' https://$NSX_MGR_IP/api/v1/node | python -c 'import sys, json; print json.load(sys.stdin)["node_version"][:5]')
if [ $(_version $NSX_VER) -ge $(_version 1.1.0) ]; then
echo "unix:/var/run/vmware/nsx-agent/nsxagent_ovsdb.sock"
else
echo "tcp:127.0.0.1:6632"
fi
}
function setup_integration_bridge {
die_if_not_set $LINENO NSX_MANAGER "NSX_MANAGER has not been set!"
die_if_not_set $LINENO NSX_USER "NSX_USER has not been set!"
die_if_not_set $LINENO NSX_PASSWORD "NSX_PASSWORD has not been set!"
# Ensure that the OVS params are set for the OVS utils
iniset $NEUTRON_CONF DEFAULT ovs_integration_bridge $OVS_BRIDGE
iniset $NEUTRON_CONF OVS ovsdb_connection $(_ovsdb_connection)
iniset $NEUTRON_CONF OVS ovsdb_interface vsctl
_neutron_ovs_base_setup_bridge $OVS_BRIDGE
sudo ovs-vsctl set bridge $OVS_BRIDGE external_ids:bridge-id=nsx-managed
sudo ovs-vsctl set-manager $(_ovsdb_connection)
}
function is_neutron_ovs_base_plugin {
# This allows the deployer to decide whether devstack should install OVS.
# By default, we install OVS, to change this behavior add "OVS_BASE=1" to your localrc file.
# Note: Any KVM compute must have OVS installed on it.
return ${OVS_BASE:-0}
}
function neutron_plugin_create_nova_conf {
if [[ "$VIRT_DRIVER" != 'vsphere' ]]; then
# if n-cpu or octavia is enabled, then setup integration bridge
if is_service_enabled n-cpu || is_service_enabled octavia ; then
setup_integration_bridge
if is_service_enabled n-cpu ; then
iniset $NOVA_CONF neutron ovs_bridge $OVS_BRIDGE
fi
fi
fi
# if n-api is enabled, then setup the metadata_proxy_shared_secret
if is_service_enabled n-api; then
iniset $NOVA_CONF neutron service_metadata_proxy True
if [[ "$NATIVE_DHCP_METADATA" == "True" ]]; then
iniset $NOVA_CONF neutron metadata_proxy_shared_secret $METADATA_PROXY_SHARED_SECRET
if [[ "$METADATA_PROXY_USE_HTTPS" == "True" ]]; then
iniset $NOVA_CONF DEFAULT enabled_ssl_apis metadata
if [[ "$METADATA_PROXY_CERT_FILE" != "" ]]; then
iniset $NOVA_CONF wsgi ssl_cert_file $METADATA_PROXY_CERT_FILE
fi
if [[ "$METADATA_PROXY_PRIV_KEY_FILE" != "" ]]; then
iniset $NOVA_CONF wsgi ssl_key_file $METADATA_PROXY_PRIV_KEY_FILE
fi
fi
fi
fi
}
function neutron_plugin_install_agent_packages {
# VMware NSX Plugin does not run q-agt, but it currently needs dhcp and metadata agents
_neutron_ovs_base_install_agent_packages
}
function neutron_plugin_configure_common {
Q_PLUGIN_CONF_PATH=etc/neutron/plugins/vmware
Q_PLUGIN_CONF_FILENAME=nsx.ini
Q_PLUGIN_SRC_CONF_PATH=vmware-nsx/etc
VMWARE_NSX_DIR=vmware-nsx
# Uses oslo config generator to generate sample configuration file
(cd $DEST/$VMWARE_NSX_DIR && exec ./tools/generate_config_file_samples.sh)
mkdir -p /$Q_PLUGIN_CONF_PATH
cp $DEST/$Q_PLUGIN_SRC_CONF_PATH/nsx.ini.sample /$Q_PLUGIN_CONF_PATH/$Q_PLUGIN_CONF_FILENAME
sudo install -d -o $STACK_USER $NEUTRON_CONF_DIR/policy.d
cp -vr $DEST/$Q_PLUGIN_SRC_CONF_PATH/policy.d $NEUTRON_CONF_DIR/policy.d
Q_PLUGIN_CLASS="vmware_nsxv3"
}
function neutron_plugin_configure_debug_command {
sudo ovs-vsctl --no-wait -- --may-exist add-br $PUBLIC_BRIDGE
iniset $NEUTRON_TEST_CONFIG_FILE DEFAULT external_network_bridge "$PUBLIC_BRIDGE"
}
function neutron_plugin_configure_dhcp_agent {
setup_integration_bridge
iniset $Q_DHCP_CONF_FILE DEFAULT enable_isolated_metadata True
iniset $Q_DHCP_CONF_FILE DEFAULT enable_metadata_network True
iniset $Q_DHCP_CONF_FILE DEFAULT ovs_use_veth True
iniset $Q_DHCP_CONF_FILE DEFAULT ovs_integration_bridge $OVS_BRIDGE
iniset $Q_DHCP_CONF_FILE OVS ovsdb_connection $(_ovsdb_connection)
iniset $Q_DHCP_CONF_FILE OVS ovsdb_interface vsctl
}
function neutron_plugin_configure_l3_agent {
# VMware NSX plugin does not run L3 agent
die $LINENO "q-l3 should not be executed with VMware NSX plugin!"
}
function neutron_plugin_configure_plugin_agent {
# VMware NSX plugin does not run L2 agent
die $LINENO "q-agt must not be executed with VMware NSX plugin!"
}
function _nsxv3_ini_set {
if [[ -z $1 || -z $2 ]]; then
if [[ $3 != "" ]]; then
die $LINENO $3
fi
fi
if [[ $2 != "" ]]; then
iniset /$Q_PLUGIN_CONF_FILE nsx_v3 $1 $2
fi
}
function neutron_plugin_configure_service {
_nsxv3_ini_set default_overlay_tz $DEFAULT_OVERLAY_TZ_UUID "The VMware NSX plugin won't work without a default transport zone."
_nsxv3_ini_set default_vlan_tz $DEFAULT_VLAN_TZ_UUID
if [[ "$DEFAULT_TIER0_ROUTER_UUID" != "" ]]; then
_nsxv3_ini_set default_tier0_router $DEFAULT_TIER0_ROUTER_UUID
Q_L3_ENABLED=True
Q_L3_ROUTER_PER_TENANT=True
fi
# NSX_MANAGER must be a comma separated string
if [[ "$NSX_MANAGERS" != "" ]]; then
_nsxv3_ini_set nsx_api_managers $NSX_MANAGERS
elif [[ "$NSX_MANAGER" != "" ]]; then
_nsxv3_ini_set nsx_api_managers $NSX_MANAGER
else
die $LINENO "The VMware NSX plugin needs at least one NSX manager."
fi
if [[ "$NSX_L2GW_DRIVER" != "" ]]; then
iniset /$Q_PLUGIN_CONF_FILE DEFAULT nsx_l2gw_driver $NSX_L2GW_DRIVER
fi
iniset /$Q_PLUGIN_CONF_FILE DEFAULT nsx_extension_drivers vmware_nsxv3_dns
_nsxv3_ini_set nsx_api_user $NSX_USER
_nsxv3_ini_set nsx_api_password $NSX_PASSWORD
_nsxv3_ini_set retries $NSX_RETRIES
_nsxv3_ini_set insecure $NSX_INSECURE
_nsxv3_ini_set ca_file $NSX_CA_FILE
_nsxv3_ini_set default_bridge_cluster $DEFAULT_BRIDGE_CLUSTER_UUID
_nsxv3_ini_set native_dhcp_metadata $NATIVE_DHCP_METADATA
if [[ "$NATIVE_DHCP_METADATA" == "True" ]]; then
_nsxv3_ini_set native_metadata_route $NATIVE_METADATA_ROUTE
_nsxv3_ini_set dhcp_profile $DHCP_PROFILE_UUID
_nsxv3_ini_set metadata_proxy $METADATA_PROXY_UUID
_nsxv3_ini_set dhcp_relay_service $DHCP_RELAY_SERVICE
iniset $NEUTRON_CONF DEFAULT dhcp_agent_notification False
fi
if [[ "$NSX_USE_CLIENT_CERT_AUTH" == "True" ]]; then
_nsxv3_ini_set nsx_use_client_auth "True"
_nsxv3_ini_set nsx_client_cert_file "$CLIENT_CERT_FILE"
_nsxv3_ini_set nsx_client_cert_storage "nsx-db"
_nsxv3_ini_set nsx_client_cert_pk_password "openstack"
fi
}
function neutron_plugin_setup_interface_driver {
local conf_file=$1
iniset $conf_file DEFAULT interface_driver neutron.agent.linux.interface.OVSInterfaceDriver
}
function neutron_plugin_check_adv_test_requirements {
is_service_enabled q-dhcp && return 0
}
function init_vmware_nsx_v3 {
if (is_service_enabled q-svc || is_service_enabled neutron-api) && [[ "$NATIVE_DHCP_METADATA" == "True" ]]; then
if ! is_set DHCP_PROFILE_UUID; then
die $LINENO "DHCP profile needs to be configured!"
fi
if ! is_set METADATA_PROXY_UUID; then
die $LINENO "Metadata proxy needs to be configured!"
fi
if is_service_enabled q-dhcp q-meta; then
die $LINENO "Native support does not require DHCP and Metadata agents!"
fi
fi
# Generate client certificate
if [[ "$NSX_USE_CLIENT_CERT_AUTH" == "True" ]]; then
nsxadmin -o generate -r certificate
fi
if ! is_set NSX_GATEWAY_NETWORK_INTERFACE; then
echo "NSX_GATEWAY_NETWORK_INTERFACE not set not configuring routes"
return
fi
if ! is_set NSX_GATEWAY_NETWORK_CIDR; then
NSX_GATEWAY_NETWORK_CIDR=$PUBLIC_NETWORK_GATEWAY/${FLOATING_RANGE#*/}
echo "The IP address to set on $PUBLIC_BRIDGE was not specified. "
echo "Defaulting to $NSX_GATEWAY_NETWORK_CIDR"
fi
# Make sure the interface is up, but not configured
sudo ip link set $NSX_GATEWAY_NETWORK_INTERFACE up
# Save and then flush the IP addresses on the interface
addresses=$(ip addr show dev $NSX_GATEWAY_NETWORK_INTERFACE | grep inet | awk {'print $2'})
sudo ip addr flush $NSX_GATEWAY_NETWORK_INTERFACE
# Use the PUBLIC Bridge to route traffic to the NSX gateway
# NOTE(armando-migliaccio): if running in a nested environment this will work
# only with mac learning enabled, portsecurity and security profiles disabled
# The public bridge might not exist for the NSX plugin if Q_USE_DEBUG_COMMAND is off
# Try to create it anyway
sudo ovs-vsctl --may-exist add-br $PUBLIC_BRIDGE
sudo ovs-vsctl --may-exist add-port $PUBLIC_BRIDGE $NSX_GATEWAY_NETWORK_INTERFACE
# Flush all existing addresses on public bridge
sudo ip addr flush dev $PUBLIC_BRIDGE
nsx_gw_net_if_mac=$(ip link show $NSX_GATEWAY_NETWORK_INTERFACE | awk '/ether/ {print $2}')
sudo ip link set address $nsx_gw_net_if_mac dev $PUBLIC_BRIDGE
for address in $addresses; do
sudo ip addr add dev $PUBLIC_BRIDGE $address
done
sudo ip addr add dev $PUBLIC_BRIDGE $NSX_GATEWAY_NETWORK_CIDR
sudo ip link set $PUBLIC_BRIDGE up
}
function stop_vmware_nsx_v3 {
# Clean client certificate if exists
nsxadmin -o clean -r certificate
if ! is_set NSX_GATEWAY_NETWORK_INTERFACE; then
echo "NSX_GATEWAY_NETWORK_INTERFACE was not configured."
return
fi
if ! is_set NSX_GATEWAY_NETWORK_CIDR; then
NSX_GATEWAY_NETWORK_CIDR=$PUBLIC_NETWORK_GATEWAY/${FLOATING_RANGE#*/}
echo "The IP address expected on $PUBLIC_BRIDGE was not specified. "
echo "Defaulting to "$NSX_GATEWAY_NETWORK_CIDR
fi
sudo ip addr del $NSX_GATEWAY_NETWORK_CIDR dev $PUBLIC_BRIDGE
# Save and then flush remaining addresses on the interface
addresses=$(ip addr show dev $PUBLIC_BRIDGE | grep inet | awk {'print $2'})
sudo ip addr flush $PUBLIC_BRIDGE
# Try to detach physical interface from PUBLIC_BRIDGE
sudo ovs-vsctl del-port $NSX_GATEWAY_NETWORK_INTERFACE
# Restore addresses on NSX_GATEWAY_NETWORK_INTERFACE
for address in $addresses; do
sudo ip addr add dev $NSX_GATEWAY_NETWORK_INTERFACE $address
done
}
# Restore xtrace
$NSX_XTRACE
View Git Blame Copy Permalink