{"id":19096552,"url":"https://github.com/sapcc/networking-nsx-t","last_synced_at":"2025-04-30T14:14:09.924Z","repository":{"id":35824434,"uuid":"151719441","full_name":"sapcc/networking-nsx-t","owner":"sapcc","description":"Openstack VSphere NSX-T driver with Hierarchical Port binding and Security Groups","archived":false,"fork":false,"pushed_at":"2024-08-27T13:11:35.000Z","size":1406,"stargazers_count":13,"open_issues_count":6,"forks_count":5,"subscribers_count":41,"default_branch":"stable/yoga-m3","last_synced_at":"2024-08-27T14:35:32.755Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sapcc.png","metadata":{"files":{"readme":"README.rst","changelog":"ChangeLog","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-10-05T12:45:42.000Z","updated_at":"2024-06-04T13:16:15.000Z","dependencies_parsed_at":"2024-01-22T17:41:03.327Z","dependency_job_id":"2f4588f4-8f31-44f8-987a-aa806c274670","html_url":"https://github.com/sapcc/networking-nsx-t","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sapcc%2Fnetworking-nsx-t","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sapcc%2Fnetworking-nsx-t/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sapcc%2Fnetworking-nsx-t/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sapcc%2Fnetworking-nsx-t/manifests","owner_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/owners/sapcc","download_url":"https://codeload.github.com/sapcc/networking-nsx-t/tar.gz/refs/heads/stable/yoga-m3","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223783425,"owners_count":17201900,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T03:37:04.348Z","updated_at":"2024-11-09T03:37:05.048Z","avatar_url":"https://github.com/sapcc.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"networking-nsxv3\n================\n\nOpenStack L2 network components for VMware NSX-T (NSXv3)\n\nThis project allows an OpenStack region to implement complex L2 network topology distributed across many VMware NSX-T managers, where at the same time all these managers will share the same security context.\n\n\nNSX-T ML2 Mechanism Driver\n--------------------------\n\nNSX-T ML2 Mechanism Driver is an extension to the Modular Layer 2 (ml2) plugin framework. 
This driver enables OpenStack Neutron to simultaneously utilize NSX-T network technology in combination with other technologies to reach the goal of Hierarchical Port Binding.\n\n\nNSX-T L2 Agent\n--------------\n\nNSX-T L2 Agent implements OpenStack network related events into VMware NSX-T constructs.\n- OpenStack network segments are mapped to NSX-T Logical Switches (VLAN backed)\n- OpenStack ports are mapped to NSX-T Logical Ports\n- OpenStack port security is mapped to NSX-T IP Discovery and SpoofGuard Switching Profiles (applied per port)\n- OpenStack QoS Profiles are mapped to NSX-T QoS Switching Profiles\n- OpenStack Security Groups are mapped to NSX-T Firewall Sections, NS Groups and IP Sets\n- OpenStack Security Groups Rules are mapped to NSX-T Firewall Section Rules\n- OpenStack Security Groups Members are mapped to NSX-T IP Sets\n- OpenStack Security Groups Membership is mapped to NSX-T NS Groups Membership Tags\n\nNSX-T ML2 Selective Logging\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nControl over the debug log of NSX-T DFW Rules\n\nUse\n::\n\n    openstack network log create \\\n        --target \u003cport name/id\u003e \\\n        --resource \u003csecurity group name / id\u003e \\\n        --resource-type security_group \\\n        \u003cname\u003e\n    openstack network log set \u003cname\u003e [--enable | --disable]\n    openstack network log delete \u003cname\u003e\n\nConfiguration:\n    - logging_url - Redis Cache url, defaults to unix:///var/run/redis/socket/redis.sock\n    - logging_expire - Redis key expiration time in days, defaults to 1 day\n\nFlow:\n    - On log create event or log enable event\n        - all rules for the resource security group will be updated to start logging\n        - every rule will use the OpenStack Rule ID as log label\n        - Redis cache will be updated (with default time out of 24h).\n            Redis entry format:\n              - key   (string) - \"SG_\u003csecurity group ID\u003e\" (string)\n              - value 
(string) - \"\u003cproject ID\u003e\"           (string)\n\n    - On log delete event or log disable event\n        - all rules for the resource security group will be updated to stop logging\n        - Redis cache will be updated (with default time out of 24h)\n\nInstallation\n------------\n\nInstall dependencies\n^^^^^^^^^^^^^^^^^^^^\n\n::\n\n    # Install NSX-T 2.3 SDK (download SDK from VMware web site)\n    sudo pip install vapi_runtime-2.9.0-py2.py3-none-any.whl\n    sudo pip install vapi_common-2.9.0-py2.py3-none-any.whl\n    sudo pip install vapi_common_client-2.9.0-py2.py3-none-any.whl\n    sudo pip install nsx_python_sdk-2.3.0.0.0.10085514-py2.py3-none-any.whl\n\n\nInstall on devstack\n^^^^^^^^^^^^^^^^^^^\n\nClone the repo into /opt/stack\n::\n\n    cd ./networking-nsx-t\n    python setup.py install\n\n\nModify::\n\n    /etc/neutron/neutron.conf as described in /opt/stack/networking-nsx-t/etc/neutron/neutron.conf\n    /etc/neutron/plugins/ml2/ml2_conf.ini as described in /opt/stack/networking-nsx-t/etc/neutron/plugins/ml2/ml2_conf.ini\n\nFor the full list of the agent configuration options, check::\n\n    /opt/stack/networking-nsx-t/networking_nsxv3/common/config.py\n\nRestart the Neutron server with the NSX-T ml2 config::\n\n  /usr/local/bin/neutron-server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini\n\n\nStart DVS agent::\n\n  /usr/local/bin/neutron-nsxv3-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini\n\n\nPlayground\n-------------------\n\n\nQoS Policy\n^^^^^^^^^^^^^^^^^^^\n::\n\n    openstack network qos policy create \u003cqos_name\u003e\n    openstack network qos rule create --type bandwidth-limit --max-kbps 64000 --max-burst-kbits 0 --ingress \u003cqos_name\u003e\n    openstack network qos rule set --max-kbps 64000 --max-burst-kbits 0 --ingress \u003cqos_name\u003e \u003cid\u003e\n    openstack network qos rule set --max-kbps 32000 --max-burst-kbits 0 --egress 
\u003cqos_name\u003e \u003cid\u003e\n    openstack network qos rule create --type dscp-marking --dscp-mark 26 \u003cqos_name\u003e\n    openstack network qos rule delete\n    openstack network qos policy delete \u003cqos_name\u003e\n\nSecurity Groups\n^^^^^^^^^^^^^^^^^^^\n::\n\n    openstack security group create \u003csg_name\u003e\n    openstack security group rule create --ingress --protocol tcp --remote-ip 192.168.253.253 --dst-port 8281 \u003csg_name\u003e\n    openstack security group rule create --ingress --protocol tcp --remote-group \u003cremote_sg_name\u003e --dst-port 443 \u003csg_name\u003e\n    openstack security group rule create --egress  --protocol udp --remote-ip 192.168.253.253 --dst-port 8080 \u003csg_name\u003e\n    openstack security group rule create --egress  --protocol udp --remote-group \u003cremote_sg_name\u003e --dst-port 9443 \u003csg_name\u003e\n    openstack security group rule create           --protocol icmp\n    openstack security group rule delete \u003csg_rule_name\u003e\n    openstack security group delete \u003csg_name\u003e\n\nPort Binding (Standard)\n^^^^^^^^^^^^^^^^^^^^^^^\n::\n\n    openstack port create --network \u003cnetwork_name\u003e \\\n        --allowed-address \"ip-address=192.168.253.10,mac-address=fa:16:3e:5f:7d:0b\" \\\n        --allowed-address \"ip-address=192.168.253.10,mac-address=ff:16:3e:5f:7d:0b\" \\\n        --qos-policy \u003cqos_policy_id\u003e \\\n        --security-group \u003csg_id\u003e \\\n        \u003cport_name\u003e\n    openstack server create --image \u003cimage_name\u003e --flavor \"1\" --nic \"port-id=\u003cport_id\u003e\" \u003cserver-name\u003e\n\nPort Binding (Trunk)\n^^^^^^^^^^^^^^^^^^^^\n::\n\n    openstack port create --network \u003cnetwork_native\u003e \u003ctrunk_parent_port_name\u003e\n    openstack port create --network \u003cnetwork_sub_1\u003e \\\n        --allowed-address \"ip-address=192.168.253.10,mac-address=fa:16:3e:5f:7d:0b\" \\\n        --allowed-address 
\"ip-address=192.168.253.10,mac-address=ff:16:3e:5f:7d:0b\" \\\n        --qos-policy \u003cqos_policy_id\u003e \\\n        --security-group \u003csg_id\u003e \\\n        \u003ctrunk_subport_name_1\u003e\n    openstack port create --network \u003cnetwork_sub_2\u003e \\\n        \u003ctrunk_subport_name_2\u003e\n\n::\n\n    openstack network trunk create \\\n    --parent-port \u003ctrunk_parent_port_id\u003e \\\n    --subport port=\u003ctrunk_subport_id_1\u003e,segmentation-type=vlan,segmentation-id=100  \\\n    --subport port=\u003ctrunk_subport_id_2\u003e,segmentation-type=vlan,segmentation-id=200 \n    openstack server create --image \u003cimage_name\u003e --flavor \"1\" --nic \"port-id=\u003ctrunk-parent-port-id\u003e\" \u003cserver-name\u003e\n\nCLI\n^^^\nNeutron ML2 NSX-T Agent command line interface\n\n::\n\n    # Synchronize OpenStack resource Types with ids\n    /usr/local/bin/neutron-nsxv3-agent-cli -h\n        usage: neutron-nsxv3-agent-cli-sync COMMAND\n                        update - Force synchronization between Neutron and NSX-T objects\n                        export - Export Neutron and NSX-T inventories\n                        load - Loads NSX-T Inventory and syncs Neutron inventory on top\n                        clean - Clean up NSX-T objects\n                    \n        Neutron ML2 NSX-T Agent command line interface\n\n        positional arguments:\n        command     Subcommand update|export|load|clean\n\n        optional arguments:\n        -h, --help  show this help message and exit\n\n\n    # Example for synchronization of members for two security groups\n    /usr/local/bin/neutron-nsxv3-agent-cli update \\\n        --config-file /etc/neutron/neutron.conf \\\n        --config-file /etc/neutron/plugins/ml2/ml2_conf.ini \\\n        --type security_group_members \\\n        --ids 5af2f34b-cb81-4a9d-bcb4-30f72fca91cd,b0cd1ce8-9fe0-44f6-8b5c-be455e778756\n    \n    # Clean up NSX-T Manager objects both Policy and Management\n    
/usr/local/bin/neutron-nsxv3-agent-cli clean --config-file ml2.ini --config-file neutron.conf\n\n    # Export NSX-T and Neutron inventories into a local file structure under \"inventory\" folder\n    /usr/local/bin/neutron-nsxv3-agent-cli export --config-file ml2.ini --config-file neutron.conf\n\n    # Load NSX-T Manager from the local file inventory.\n    # Synchronize NSX-T Manager objects state based on the local file Neutron inventory\n    /usr/local/bin/neutron-nsxv3-agent-cli load --config-file ml2.ini --config-file neutron.conf\n\n\nNSX-T ML2 Prometheus Exporter\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nThe agent exports the following metrics.\n\n::\n\n    # HELP nsxv3_agent_active_queue_size Active synchronization queue size\n    # TYPE nsxv3_agent_active_queue_size gauge\n    nsxv3_agent_active_queue_size{nsxv3_manager_hostname=\"nsxm-l-01a.corp.local\"} 4.0\n    # HELP nsxv3_agent_passive_queue_size Passive synchronization queue size\n    # TYPE nsxv3_agent_passive_queue_size gauge\n    nsxv3_agent_passive_queue_size{nsxv3_manager_hostname=\"nsxm-l-01a.corp.local\"} 72.0\n\n\nPending Tasks\n-------------\n\n- Finalize migration to Policy API (applicable for NSX-T version \u003e= 3.2.0)\n    - Change implementation of Logical Switches, Ports and Policies from Management to Policy API\n    - Promote Logical Switches, Ports and Policies to Segments by keeping the same system IDs\n- Merge Security Group Logging from `feature branch \u003chttps://github.com/sapcc/networking-nsx-t/pull/57/commits/cb6061f0aedbb3e08a036f231f60ae6be179e53f\u003e`_.\n- Finalize the list of `supported ICMP Rules \u003chttps://github.com/sapcc/networking-nsx-t/blob/df5858dfd7fd6fe748e05489fee0d11ed789ea2e/networking_nsxv3/plugins/ml2/drivers/nsxv3/agent/constants_nsx.py#L146\u003e`_ by NSX-T.\n- Add unit and functional tests for port trunking functionality\n- Optimize the speed and number of Neutron DB 
queries\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsapcc%2Fnetworking-nsx-t","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsapcc%2Fnetworking-nsx-t","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsapcc%2Fnetworking-nsx-t/lists"}