vmware-nsx/vmware_nsx/api_replay/client.py
Adit Sarfaty 5b85d2fb51 NSX|V3+P migration: Fix different issues
1. Skip illegal allowed-address-pairs
2. Ignore internal nsxv ports
3. Get port ip carefully

Change-Id: I4f166c0cdc668671a66659e0528de87d7343c2ab
2019-07-17 07:38:37 +00:00


# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import logging
import six
from keystoneauth1 import identity
from keystoneauth1 import session
from neutronclient.common import exceptions as n_exc
from neutronclient.v2_0 import client
from oslo_utils import excutils
from vmware_nsx.api_replay import utils
from vmware_nsx.common import nsxv_constants
# Module-level side effect: configures the root logger at import time.
# ApiReplayClient.__init__ may additionally attach a FileHandler to LOG
# when a logfile is given.
logging.basicConfig(level=logging.INFO)
LOG = logging.getLogger(__name__)
# For internal testing only: when True, __init__ builds the destination
# client with the keystone-v2-style client.Client(username/tenant_name/
# password/auth_url) instead of a keystoneauth session.
use_old_keystone_on_dest = False
class ApiReplayClient(utils.PrepareObjectForMigration):

    def __init__(self,
                 source_os_username, source_os_user_domain_id,
                 source_os_tenant_name, source_os_tenant_domain_id,
                 source_os_password, source_os_auth_url,
                 dest_os_username, dest_os_user_domain_id,
                 dest_os_tenant_name, dest_os_tenant_domain_id,
                 dest_os_password, dest_os_auth_url, dest_plugin,
                 use_old_keystone, logfile):
        """Connect to both neutron servers and run the whole migration.

        The migration runs from the constructor, in this order: security
        groups, QoS policies, routers, networks/subnets/ports, floating
        IPs, router static routes, FWaaS V2.

        :param use_old_keystone: build the source client with the
            keystone-v2-style ``client.Client`` instead of a keystoneauth
            session (the keystone version of the source is not known).
        :param logfile: optional path; when given, a FileHandler is added
            to the module logger.

        The passwords are handed straight to the clients and are never
        written to the log by this class.
        """
        if logfile:
            file_handler = logging.FileHandler(logfile)
            file_handler.setFormatter(logging.Formatter(
                '%(asctime)s %(levelname)s %(message)s'))
            LOG.addHandler(file_handler)

        # Credentials shared by both client flavours; the keystoneauth path
        # additionally needs the user/project domain ids.
        source_creds = dict(username=source_os_username,
                            tenant_name=source_os_tenant_name,
                            password=source_os_password,
                            auth_url=source_os_auth_url)
        if use_old_keystone:
            self.source_neutron = client.Client(**source_creds)
        else:
            self.source_neutron = self.connect_to_client(
                user_domain_id=source_os_user_domain_id,
                tenant_domain_id=source_os_tenant_domain_id,
                **source_creds)

        dest_creds = dict(username=dest_os_username,
                          tenant_name=dest_os_tenant_name,
                          password=dest_os_password,
                          auth_url=dest_os_auth_url)
        # The module-level flag (internal testing only) selects the
        # keystone-v2-style client for the destination.
        if use_old_keystone_on_dest:
            self.dest_neutron = client.Client(**dest_creds)
        else:
            self.dest_neutron = self.connect_to_client(
                user_domain_id=dest_os_user_domain_id,
                tenant_domain_id=dest_os_tenant_domain_id,
                **dest_creds)

        self.dest_plugin = dest_plugin
        LOG.info("Starting NSX migration to %s.", self.dest_plugin)

        # Migrate all the objects. Routes and gateway info are collected
        # while migrating routers and applied once the ports exist.
        self.migrate_security_groups()
        self.migrate_qos_policies()
        routers_routes, routers_gw_info = self.migrate_routers()
        self.migrate_networks_subnets_ports(routers_gw_info)
        self.migrate_floatingips()
        self.migrate_routers_routes(routers_routes)
        self.migrate_fwaas()
        LOG.info("NSX migration is Done.")
def connect_to_client(self, username, user_domain_id,
                      tenant_name, tenant_domain_id,
                      password, auth_url):
    """Return a neutron client authenticated through a keystoneauth session.

    The tenant name/domain id are passed to keystoneauth as the project
    name/domain id. No ``verify`` argument is given to the Session, so
    keystoneauth's default TLS certificate verification applies.
    """
    password_auth = identity.Password(
        auth_url=auth_url,
        username=username,
        user_domain_id=user_domain_id,
        password=password,
        project_name=tenant_name,
        project_domain_id=tenant_domain_id)
    auth_session = session.Session(auth=password_auth)
    return client.Client(session=auth_session)
def find_subnet_by_id(self, subnet_id, subnets):
    """Return the dict in *subnets* whose 'id' is *subnet_id*, else None."""
    matches = (subnet for subnet in subnets if subnet['id'] == subnet_id)
    return next(matches, None)
def get_ports_on_network(self, network_id, ports):
    """Return a new list of the ports whose 'network_id' is *network_id*.

    Order is preserved; the returned list is empty when nothing matches.
    """
    return [port for port in ports if port['network_id'] == network_id]
def have_id(self, id, groups):
    """Look up a resource by id in a list of neutron resource dicts.

    Returns the matching dict, or False when no entry of *groups* has
    that 'id'. Callers test the result either by truthiness or with
    ``is False``.
    """
    return next((group for group in groups if group['id'] == id), False)
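def migrate_qos_rule(self, dest_policy, source_rule):
    """Add the QoS rule from the source to the QoS policy on the destination.

    A QoS policy can have only one rule of each type, so a rule whose type
    already exists in *dest_policy* is skipped. Unsupported rule types are
    logged and skipped. Creation failures are logged, not raised.

    :param dest_policy: the policy dict on the destination ('id', 'rules')
    :param source_rule: the source rule dict ('type' selects the API call)
    """
    # TODO(asarfaty) also take rule direction into account once
    # ingress support is upstream
    rule_type = source_rule.get('type')
    existing = dest_policy.get('rules') or []
    if any(dest_rule['type'] == rule_type for dest_rule in existing):
        return
    pol_id = dest_policy['id']
    body = self.prepare_qos_rule(source_rule)
    try:
        if rule_type == 'bandwidth_limit':
            rule = self.dest_neutron.create_bandwidth_limit_rule(
                pol_id, body={'bandwidth_limit_rule': body})
        elif rule_type == 'dscp_marking':
            rule = self.dest_neutron.create_dscp_marking_rule(
                pol_id, body={'dscp_marking_rule': body})
        else:
            LOG.info("QoS rule type %(rule)s is not supported for policy "
                     "%(pol)s",
                     {'rule': rule_type, 'pol': pol_id})
            # Stop here: falling through used to reference the unbound
            # `rule`, which was caught below and logged as a bogus
            # "Failed to create QoS rule" error.
            return
        LOG.info("created QoS policy %s rule %s", pol_id, rule)
    except Exception as e:
        LOG.error("Failed to create QoS rule for policy %(pol)s: %(e)s",
                  {'pol': pol_id, 'e': e})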
def migrate_qos_policies(self):
    """Migrates QoS policies from source to dest neutron.

    Sets ``self.dest_qos_support`` (read later by
    migrate_networks_subnets_ports) to False and returns when the
    destination has no QoS extension. Otherwise policies that already
    exist on the destination only get their missing rules, and the others
    are created together with their rules. A policy that fails to create
    is logged and skipped.
    """
    try:
        dest_qos_pols = self.dest_neutron.list_qos_policies()['policies']
    except n_exc.NotFound:
        # QoS disabled on dest
        LOG.info("QoS is disabled on destination: ignoring QoS policies")
        self.dest_qos_support = False
        return
    self.dest_qos_support = True

    try:
        source_qos_pols = self.source_neutron.list_qos_policies()[
            'policies']
    except n_exc.NotFound:
        # QoS disabled on source: nothing to migrate
        return

    for pol in source_qos_pols:
        dest_pol = self.have_id(pol['id'], dest_qos_pols)
        if dest_pol:
            # Policy already on the destination: add only missing rules.
            for qos_rule in pol['rules']:
                self.migrate_qos_rule(dest_pol, qos_rule)
            continue

        # Rules are created separately, after the policy itself.
        qos_rules = pol.pop('rules')
        try:
            policy_body = self.prepare_qos_policy(pol)
            new_pol = self.dest_neutron.create_qos_policy(
                body={'policy': policy_body})
        except Exception as e:
            LOG.error("Failed to create QoS policy %(pol)s: %(e)s",
                      {'pol': pol['id'], 'e': e})
            continue
        LOG.info("Created QoS policy %s", new_pol)
        for qos_rule in qos_rules:
            self.migrate_qos_rule(new_pol['policy'], qos_rule)
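def migrate_security_groups(self):
    """Migrates security groups from source to dest neutron.

    Groups already present on the destination only get the rules they
    are missing; the other groups are created and then their rules are
    added. A group that fails to create is logged, and its rules are still
    attempted. Rule creation failures are logged instead of being silently
    swallowed: a rule that is missing on the destination changes the
    effective traffic policy of the migrated workload, so the operator
    needs to see it. A Conflict (rule already there) is expected and only
    logged at debug level.
    """
    source_sec_groups = self.source_neutron.list_security_groups()[
        'security_groups']
    dest_sec_groups = self.dest_neutron.list_security_groups()[
        'security_groups']
    total_num = len(source_sec_groups)
    LOG.info("Migrating %s security groups", total_num)
    for count, sg in enumerate(source_sec_groups, 1):
        dest_sec_group = self.have_id(sg['id'], dest_sec_groups)
        if dest_sec_group:
            # The group exists on the destination: create only the rules
            # it does not have yet.
            dest_rules = dest_sec_group['security_group_rules']
            for sg_rule in sg['security_group_rules']:
                if self.have_id(sg_rule['id'], dest_rules) is False:
                    self._create_security_group_rule(sg_rule)
            continue

        # dest server doesn't have the group so we create it here.
        sg_rules = sg.pop('security_group_rules')
        try:
            body = self.prepare_security_group(sg)
            new_sg = self.dest_neutron.create_security_group(
                {'security_group': body})
            LOG.info("Created security-group %(count)s/%(total)s: "
                     "%(sg)s",
                     {'count': count, 'total': total_num,
                      'sg': new_sg})
        except Exception as e:
            LOG.error("Failed to create security group (%(sg)s): "
                      "%(e)s",
                      {'sg': sg, 'e': e})
        # Note - policy security groups will have no rules, and will
        # be created on the destination with the default rules only
        for sg_rule in sg_rules:
            self._create_security_group_rule(sg_rule)

def _create_security_group_rule(self, sg_rule):
    """Create one security group rule on the destination.

    Never raises: a Conflict is expected (NOTE(arosen): a default
    security group is automatically populated with some rules, so
    creating the ones that already exist conflicts) and is logged at
    debug level; any other failure is logged as an error.
    """
    try:
        body = self.prepare_security_group_rule(sg_rule)
        created = self.dest_neutron.create_security_group_rule(
            {'security_group_rule': body})
    except n_exc.Conflict:
        LOG.debug("Security group rule %s already exists on the "
                  "destination", sg_rule.get('id'))
    except Exception as e:
        LOG.error("Failed to create security group rule (%(rule)s): "
                  "%(e)s",
                  {'rule': sg_rule, 'e': e})
    else:
        # The client returns the wrapped response dict, so log it whole
        # rather than indexing 'id' on it.
        LOG.debug("created security group rule %s", created)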
def get_dest_availablity_zones(self, resource):
    """Return the names of the destination AZs whose 'resource' is *resource*.

    *resource* is the neutron AZ resource kind, e.g. 'router' or 'network'.
    """
    azs = self.dest_neutron.list_availability_zones()['availability_zones']
    names = []
    for az in azs:
        if az['resource'] != resource:
            continue
        names.append(az['name'])
    return names
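def migrate_routers(self):
    """Migrates routers from source to dest neutron.

    Returns ``(update_routes, gw_info)``: router id -> static routes, to
    be applied later by migrate_routers_routes once the router ports are
    set, and router id -> external_gateway_info, used when the router
    gateway ports are migrated. Internal NSX-V routers are skipped before
    anything is recorded about them, so neither dict carries entries for
    routers that are never created on the destination. Routers already on
    the destination are left untouched (their routes/gw are still
    returned). Creation failures are logged, not raised.
    """
    try:
        source_routers = self.source_neutron.list_routers()['routers']
    except Exception:
        # L3 might be disabled in the source
        source_routers = []
    dest_routers = self.dest_neutron.list_routers()['routers']
    dest_azs = self.get_dest_availablity_zones('router')
    update_routes = {}
    gw_info = {}
    total_num = len(source_routers)
    LOG.info("Migrating %s routers", total_num)
    for count, router in enumerate(source_routers, 1):
        router_id = router['id']
        # Ignore internal NSXV objects. Checked first: recording their
        # routes would later make migrate_routers_routes try to update
        # a router that does not exist on the destination.
        if router['project_id'] == nsxv_constants.INTERNAL_TENANT_ID:
            LOG.info("Skip router %s: Internal NSX-V router", router_id)
            continue
        if router.get('routes'):
            update_routes[router_id] = router['routes']
        if router.get('external_gateway_info'):
            gw_info[router_id] = router['external_gateway_info']
        if self.have_id(router_id, dest_routers) is not False:
            # already on the destination
            continue
        body = self.prepare_router(router, dest_azs=dest_azs)
        try:
            new_router = self.dest_neutron.create_router({'router': body})
            LOG.info("created router %(count)s/%(total)s: %(rtr)s",
                     {'count': count, 'total': total_num,
                      'rtr': new_router})
        except Exception as e:
            LOG.error("Failed to create router %(rtr)s: %(e)s",
                      {'rtr': router, 'e': e})
    return update_routes, gw_info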
def migrate_routers_routes(self, routers_routes):
    """Add static routes to the created routers.

    :param routers_routes: router id -> list of routes, as returned by
        migrate_routers. Each router is updated with one call; a failure
        is logged and the remaining routers are still processed.
    """
    total_num = len(routers_routes)
    LOG.info("Migrating %s routers routes", total_num)
    count = 0
    for router_id, routes in six.iteritems(routers_routes):
        count += 1
        update_body = {'router': {'routes': routes}}
        try:
            self.dest_neutron.update_router(router_id, update_body)
        except Exception as e:
            LOG.error("Failed to add routes %(routes)s to router "
                      "%(rtr)s: %(e)s",
                      {'routes': routes, 'rtr': router_id, 'e': e})
            continue
        LOG.info("Added routes to router %(rtr)s %(count)s/%(total)s:",
                 {'count': count, 'total': total_num,
                  'rtr': router_id})
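def migrate_subnetpools(self):
    """Migrate subnet pools and return a source-id -> dest-id map.

    A default subnet pool (one per ip-version) must be unique, so a
    source default pool is mapped onto the destination's existing default
    pool of the same ip_version instead of being created. When the
    destination has no such default pool it is created like any other
    pool (the previous code silently left it unmigrated and unmapped).
    Creation failures are logged and the pool is left out of the map.
    Returns an empty map when the source does not support subnet pools.
    """
    subnetpools_map = {}
    try:
        source_subnetpools = self.source_neutron.list_subnetpools()[
            'subnetpools']
    except Exception:
        # pools not supported on source
        return subnetpools_map
    dest_subnetpools = self.dest_neutron.list_subnetpools()[
        'subnetpools']
    for pool in source_subnetpools:
        if pool['is_default']:
            # a default subnetpool (per ip-version) should be unique.
            # so do not create one if already exists
            dest_default = self._find_default_subnetpool(
                dest_subnetpools, pool['ip_version'])
            if dest_default is not None:
                subnetpools_map[pool['id']] = dest_default['id']
                continue
        old_id = pool['id']
        body = self.prepare_subnetpool(pool)
        # a None quota is rejected by the API; omit the field instead
        if 'default_quota' in body and body['default_quota'] is None:
            del body['default_quota']
        try:
            new_id = self.dest_neutron.create_subnetpool(
                {'subnetpool': body})['subnetpool']['id']
            subnetpools_map[old_id] = new_id
            # refresh the list of existing subnetpools so a newly created
            # default pool is found by the next default pool of that
            # ip_version
            dest_subnetpools = self.dest_neutron.list_subnetpools()[
                'subnetpools']
        except Exception as e:
            LOG.error("Failed to create subnetpool %(pool)s: %(e)s",
                      {'pool': pool, 'e': e})
    return subnetpools_map

def _find_default_subnetpool(self, subnetpools, ip_version):
    """Return the default pool of *ip_version* in *subnetpools*, or None."""
    for dpool in subnetpools:
        if dpool['is_default'] and dpool['ip_version'] == ip_version:
            return dpool
    return None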
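def migrate_networks_subnets_ports(self, routers_gw_info):
    """Migrates networks/ports/router-uplinks from src to dest neutron.

    For every source network that is neither already on the destination
    nor an internal NSX-V network: create the network, then its subnets
    (DHCP disabled), then its ports, and finally re-enable DHCP on the
    subnets that had it. A network creation failure is logged and
    re-raised (fatal); subnet and port failures are logged and skipped.

    :param routers_gw_info: router id -> external_gateway_info from
        migrate_routers; keeps the original enable_snat value when a
        router gateway port is migrated.
    """
    source_ports = self.source_neutron.list_ports()['ports']
    source_subnets = self.source_neutron.list_subnets()['subnets']
    source_networks = self.source_neutron.list_networks()['networks']
    dest_networks = self.dest_neutron.list_networks()['networks']
    dest_ports = self.dest_neutron.list_ports()['ports']
    # dest_qos_support is set by migrate_qos_policies, which runs first
    remove_qos = not self.dest_qos_support
    # Find out if the destination already has a default public network
    dest_default_public_net = any(
        dest_net.get('is_default') and dest_net.get('router:external')
        for dest_net in dest_networks)
    subnetpools_map = self.migrate_subnetpools()
    dest_azs = self.get_dest_availablity_zones('network')
    total_num = len(source_networks)
    LOG.info("Migrating %(nets)s networks, %(subnets)s subnets and "
             "%(ports)s ports",
             {'nets': total_num, 'subnets': len(source_subnets),
              'ports': len(source_ports)})
    for count, network in enumerate(source_networks, 1):
        body = self.prepare_network(
            network, remove_qos=remove_qos,
            dest_default_public_net=dest_default_public_net,
            dest_azs=dest_azs)
        # only create network if the dest server doesn't have it
        if self.have_id(network['id'], dest_networks):
            LOG.info("Skip network %s: Already exists on the destination",
                     network['id'])
            continue
        # Ignore internal NSXV objects
        if network['project_id'] == nsxv_constants.INTERNAL_TENANT_ID:
            LOG.info("Skip network %s: Internal NSX-V network",
                     network['id'])
            continue
        try:
            created_net = self.dest_neutron.create_network(
                {'network': body})['network']
            LOG.info("Created network %(count)s/%(total)s: %(net)s",
                     {'count': count, 'total': total_num,
                      'net': created_net})
        except Exception:
            # Print the network and exception to help debugging, then let
            # the context manager re-raise the original exception. An
            # explicit `raise e` inside the block made oslo log a spurious
            # "Original exception being dropped" error.
            with excutils.save_and_reraise_exception():
                LOG.error("Failed to create network %s", body)
                LOG.error("Source network: %s", network)
        subnets_map, dhcp_subnets = self._migrate_network_subnets(
            network, source_subnets, subnetpools_map)
        # create the ports on the network
        for port in self.get_ports_on_network(network['id'], source_ports):
            self._migrate_port(port, network, dest_ports, subnets_map,
                               remove_qos, routers_gw_info)
        # Enable dhcp on the relevant subnets now that the ports exist
        self._enable_dhcp_on_subnets(dhcp_subnets)

def _migrate_network_subnets(self, network, source_subnets,
                             subnetpools_map):
    """Create the subnets of *network* on the destination.

    Returns ``(subnets_map, dhcp_subnets)``: source subnet id -> created
    subnet id, and the created subnets on which DHCP must be re-enabled
    once the ports exist. Every subnet is created with DHCP disabled to
    avoid ip collisions while the ports are recreated; DHCP is allowed
    back only on the first DHCP subnet of a non-external network, because
    the v3 plugins support one DHCP subnet per network and none on
    external networks. A subnet id listed on the network but missing from
    *source_subnets* is logged and skipped; a BadRequest on creation is
    logged and skipped (other exceptions propagate, as before).
    """
    subnets_map = {}
    dhcp_subnets = []
    external_net = network.get('router:external')
    count_dhcp_subnet = 0
    for subnet_id in network['subnets']:
        subnet = self.find_subnet_by_id(subnet_id, source_subnets)
        if subnet is None:
            LOG.error("Subnet %(subnet)s of network %(net)s was not "
                      "found on the source: skipping it",
                      {'subnet': subnet_id, 'net': network['id']})
            continue
        body = self.prepare_subnet(subnet)
        # specify the network_id that we just created above
        body['network_id'] = network['id']
        # translate the old subnetpool id to the new one
        if body.get('subnetpool_id'):
            body['subnetpool_id'] = subnetpools_map.get(
                body['subnetpool_id'])
        # Handle DHCP enabled subnets
        enable_dhcp = False
        if body['enable_dhcp']:
            count_dhcp_subnet += 1
            # disable dhcp on subnet: we will enable it after creating
            # all the ports to avoid ip collisions
            body['enable_dhcp'] = False
            if count_dhcp_subnet > 1:
                # Do not allow dhcp on the subnet if there is already
                # another subnet with DHCP as the v3 plugins supports
                # only one
                LOG.warning("Disabling DHCP for subnet on net %s: "
                            "The plugin doesn't support multiple "
                            "subnets with DHCP", network['id'])
            elif external_net:
                # Do not allow dhcp on the external subnet
                LOG.warning("Disabling DHCP for subnet on net %s: "
                            "The plugin doesn't support dhcp on "
                            "external networks", network['id'])
            else:
                enable_dhcp = True
        try:
            created_subnet = self.dest_neutron.create_subnet(
                {'subnet': body})['subnet']
        except n_exc.BadRequest as e:
            # NOTE(arosen): this occurs here if you run the script
            # multiple times as we don't currently
            # preserve the subnet_id. Also, 409 would be a better
            # response code for this in neutron :(
            LOG.error("Failed to create subnet: %(subnet)s: %(e)s",
                      {'subnet': subnet, 'e': e})
            continue
        LOG.info("Created subnet: %s", created_subnet['id'])
        subnets_map[subnet_id] = created_subnet['id']
        if enable_dhcp:
            dhcp_subnets.append(created_subnet)
    return subnets_map, dhcp_subnets

def _migrate_port(self, port, network, dest_ports, subnets_map,
                  remove_qos, routers_gw_info):
    """Recreate one source port of *network* on the destination.

    Skipped: internal NSX-V ports, ports already on the destination,
    DHCP ports (the neutron dhcp-agent recreates them) and floating-ip
    ports (created by migrate_floatingips). Router gateway ports are
    applied as the router's external gateway, router interface ports with
    a known subnet are created and attached to their router, and any other
    port is created as is. Failures are logged, never raised.
    """
    # Ignore internal NSXV objects
    if port['project_id'] == nsxv_constants.INTERNAL_TENANT_ID:
        LOG.info("Skip port %s: Internal NSX-V port", port['id'])
        return
    body = self.prepare_port(port, remove_qos=remove_qos)
    # specify the network_id that we just created above
    port['network_id'] = network['id']
    subnet_id = None
    if port.get('fixed_ips'):
        old_subnet_id = port['fixed_ips'][0]['subnet_id']
        subnet_id = subnets_map.get(old_subnet_id)
        # remove the old subnet id field from fixed_ips dict
        for fixed_ip in body['fixed_ips']:
            fixed_ip.pop('subnet_id', None)
    # only create port if the dest server doesn't have it
    if self.have_id(port['id'], dest_ports) is not False:
        return
    device_owner = port['device_owner']
    if device_owner == 'network:router_gateway':
        self._uplink_router_gateway(port, routers_gw_info)
        return
    # Let the neutron dhcp-agent recreate this on its own
    if device_owner == 'network:dhcp':
        return
    # ignore these as we create them ourselves later
    if device_owner == 'network:floatingip':
        return
    if device_owner == 'network:router_interface' and subnet_id:
        self._create_router_interface_port(port, body, network, subnet_id)
        return
    try:
        created_port = self.dest_neutron.create_port(
            {'port': body})['port']
    except Exception as e:
        # NOTE(arosen): this occurs here if you run the
        # script multiple times as we don't track this.
        LOG.error("Failed to create port (%(port)s) : %(e)s",
                  {'port': port, 'e': e})
        return
    LOG.info("Created port %(port)s (subnet "
             "%(subnet)s, ip %(ip)s, mac %(mac)s)",
             {'port': created_port['id'],
              'subnet': subnet_id,
              'ip': self._first_fixed_ip(created_port),
              'mac': created_port['mac_address']})

def _uplink_router_gateway(self, port, routers_gw_info):
    """Set the network of gateway *port* as its router's external gateway.

    The gateway port itself is not created; it comes from updating the
    router's external_gateway_info. The original gateway IP (the port's
    fixed_ips) and the router's enable_snat value (from
    *routers_gw_info*, default True) are kept. Failures are logged.
    """
    router_id = port['device_id']
    enable_snat = True
    if router_id in routers_gw_info:
        # keep the original snat status of the router
        enable_snat = routers_gw_info[router_id].get('enable_snat', True)
    rtr_body = {
        "external_gateway_info":
            {"network_id": port['network_id'],
             "enable_snat": enable_snat,
             # keep the original GW IP
             "external_fixed_ips": port.get('fixed_ips')}}
    try:
        self.dest_neutron.update_router(router_id, {'router': rtr_body})
        LOG.info("Uplinked router %(rtr)s to external "
                 "network %(net)s",
                 {'rtr': router_id, 'net': port['network_id']})
    except Exception as e:
        LOG.error("Failed to add router gateway with port "
                  "(%(port)s): %(e)s",
                  {'port': port, 'e': e})

def _create_router_interface_port(self, port, body, network, subnet_id):
    """Create *body* as a plain port and attach it to the port's router.

    device_owner/device_id are dropped from the body because
    add_interface_router sets them. Failures are logged (NOTE(arosen):
    this occurs if you run the script multiple times as we don't track
    this; Note(asarfaty): also if the same network in source is attached
    to 2 routers, which the v3 plugins does not support).
    """
    router_id = port['device_id']
    body.pop('device_owner', None)
    body.pop('device_id', None)
    try:
        created_port = self.dest_neutron.create_port(
            {'port': body})['port']
        LOG.info("Created interface port %(port)s (subnet "
                 "%(subnet)s, ip %(ip)s, mac %(mac)s)",
                 {'port': created_port['id'],
                  'subnet': subnet_id,
                  'ip': self._first_fixed_ip(created_port),
                  'mac': created_port['mac_address']})
        self.dest_neutron.add_interface_router(
            router_id, {'port_id': created_port['id']})
        LOG.info("Uplinked router %(rtr)s to network "
                 "%(net)s",
                 {'rtr': router_id, 'net': network['id']})
    except Exception as e:
        LOG.error("Failed to add router interface port "
                  "(%(port)s): %(e)s",
                  {'port': port, 'e': e})

def _first_fixed_ip(self, port):
    """Return the ip_address of *port*'s first fixed IP, or None."""
    fixed_ips = port.get('fixed_ips')
    if not fixed_ips:
        return None
    return fixed_ips[0].get('ip_address')

def _enable_dhcp_on_subnets(self, dhcp_subnets):
    """Turn DHCP back on for each created subnet in *dhcp_subnets*."""
    for subnet in dhcp_subnets:
        try:
            self.dest_neutron.update_subnet(
                subnet['id'], {'subnet': {'enable_dhcp': True}})
        except Exception as e:
            LOG.error("Failed to enable DHCP on subnet %(subnet)s: "
                      "%(e)s",
                      {'subnet': subnet['id'], 'e': e})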
def migrate_floatingips(self):
    """Migrates floatingips from source to dest neutron.

    Unlike the other resources, no lookup against the destination's
    existing floating IPs is made: every source floating IP is created.
    Creation failures are logged and the next one is processed.
    """
    try:
        source_fips = self.source_neutron.list_floatingips()['floatingips']
    except Exception:
        # L3 might be disabled in the source
        source_fips = []
    total_num = len(source_fips)
    count = 0
    for source_fip in source_fips:
        count += 1
        body = self.prepare_floatingip(source_fip)
        try:
            fip = self.dest_neutron.create_floatingip({'floatingip': body})
        except Exception as e:
            LOG.error("Failed to create floating ip (%(fip)s) : %(e)s",
                      {'fip': source_fip, 'e': e})
            continue
        LOG.info("Created floatingip %(count)s/%(total)s : %(fip)s",
                 {'count': count, 'total': total_num, 'fip': fip})
def _migrate_fwaas_resource(self, resource_type, source_objects,
                            dest_objects, prepare_method, create_method):
    """Create on the destination each of *source_objects* missing there.

    :param resource_type: body key and log label, e.g. 'firewall_rule'
    :param source_objects: resource dicts listed from the source
    :param dest_objects: resource dicts listed from the destination; an
        object whose id is already there is skipped
    :param prepare_method: turns a source dict into a creation body
    :param create_method: neutron client call taking ``{resource_type: body}``

    Creation failures are logged, never raised.
    """
    total_num = len(source_objects)
    for count, source_obj in enumerate(source_objects, 1):
        obj_id = source_obj['id']
        # Check if the object already exists
        if self.have_id(obj_id, dest_objects):
            LOG.info("Skipping %s %s as it already exists on the "
                     "destination server", resource_type, obj_id)
            continue
        body = prepare_method(source_obj)
        try:
            new_obj = create_method({resource_type: body})
        except Exception as e:
            LOG.error("Failed to create %(resource)s (%(obj)s) : %(e)s",
                      {'resource': resource_type, 'obj': source_obj,
                       'e': e})
            continue
        LOG.info("Created %(resource)s %(count)s/%(total)s : %(obj)s",
                 {'resource': resource_type, 'count': count,
                  'total': total_num, 'obj': new_obj})
def migrate_fwaas(self):
    """Migrates FWaaS V2 objects from source to dest neutron.

    Rules, then policies, then groups are migrated in that order (each
    refers to the previous kind). If listing the objects fails on either
    side, FWaaS V2 is taken to be unavailable there and the migration is
    skipped with a log message.
    """
    try:
        source_rules, source_polices, source_groups = \
            self._list_fwaas_objects(self.source_neutron)
    except Exception as e:
        # FWaaS might be disabled in the source
        LOG.info("FWaaS V2 was not found on the source server: %s", e)
        return
    try:
        dest_rules, dest_polices, dest_groups = \
            self._list_fwaas_objects(self.dest_neutron)
    except Exception as e:
        # FWaaS might be disabled in the destination
        LOG.warning("Skipping FWaaS V2 migration. FWaaS V2 was not found "
                    "on the destination server: %s", e)
        return

    # Migrate all FWaaS objects:
    migrations = [
        ('firewall_rule', source_rules, dest_rules,
         self.prepare_fwaas_rule,
         self.dest_neutron.create_fwaas_firewall_rule),
        ('firewall_policy', source_polices, dest_polices,
         self.prepare_fwaas_policy,
         self.dest_neutron.create_fwaas_firewall_policy),
        ('firewall_group', source_groups, dest_groups,
         self.prepare_fwaas_group,
         self.dest_neutron.create_fwaas_firewall_group),
    ]
    for resource_type, src, dst, prepare, create in migrations:
        self._migrate_fwaas_resource(resource_type, src, dst,
                                     prepare, create)
    LOG.info("FWaaS V2 migration done")

def _list_fwaas_objects(self, neutron):
    """Return ``(rules, policies, groups)`` of FWaaS V2 from *neutron*.

    Any exception from the client (e.g. FWaaS V2 not deployed) propagates
    to the caller.
    """
    rules = neutron.list_fwaas_firewall_rules()['firewall_rules']
    policies = neutron.list_fwaas_firewall_policies()['firewall_policies']
    groups = neutron.list_fwaas_firewall_groups()['firewall_groups']
    return rules, policies, groups