无法在vCenter(VMWare)上的DVS端口上创建filterPolicy



我正在编写一个用于控制DVS端口上防火墙规则的脚本。这是我的脚本(我尽量只贴出相关的部分,但它仍然相当大):

#!/usr/bin/env python
import sys
import pprint
from oslo.vmware import api as vmware_api
from oslo.vmware import vim_util

# vCenter endpoint and session settings consumed by _make_connect().
vcenter_host = 'vcenter-hostname.tld'
vcenter_login = 'login'
# NOTE(review): a plaintext password in the script ends up in version control
# and backups; read it from the environment or a secrets store before using
# this beyond a throwaway experiment.
vcenter_password = 'password'
# Retry count and interval handed positionally to VMwareAPISession
# (interval unit is presumably seconds; confirm against the installed
# oslo.vmware version).
vcenter_retry_count = 4
vcenter_retry_interval = 2

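def main():
    """Attach one inbound TCP/50001 drop rule to a single DVS port.

    Preconditions reported later in this thread: the port's portgroup must
    allow per-port traffic-filter overrides (``trafficFilterOverrideAllowed``)
    and the filter agent must be the generic VMware dvfilter agent.

    Returns ``None``; a rejected reconfigure surfaces as an exception raised
    by ``wait_for_task``.
    """
    vcenter = _make_connect()
    dvs = _lookup_dvs(vcenter, 'dvSwitch')
    # Keep the DVS port under its own name: the rule built below also creates
    # a DvsSingleIpPort, and binding both to ``port`` shadowed this object.
    dvs_port = _lookup_dvs_port(vcenter, dvs, '4853')
    spec_factory = vcenter.vim.client.factory

    port_spec = spec_factory.create('ns0:DVPortConfigSpec')
    port_spec.operation = 'edit'
    port_spec.key = dvs_port.key
    # The edit must echo the port's current configVersion so vCenter can
    # detect a concurrent modification.
    port_spec.configVersion = dvs_port.config.configVersion
    port_spec.setting = spec_factory.create('ns0:DVPortSetting')
    port_spec.setting.filterPolicy = _build_filter_policy(spec_factory)

    task = vcenter.invoke_api(
        vcenter.vim,
        'ReconfigureDVPort_Task',
        dvs, port=[port_spec]
    )
    result = vcenter.wait_for_task(task)
    pprint.pprint(result)


def _build_filter_policy(spec_factory):
    """Return a non-inherited DvsFilterPolicy carrying one drop ruleset.

    Args:
        spec_factory: the suds factory (``vim.client.factory``) used to
            instantiate vSphere API data objects.
    """
    filter_policy = spec_factory.create('ns0:DvsFilterPolicy')
    filter_policy.inherited = False

    filter_config = spec_factory.create('ns0:DvsTrafficFilterConfig')
    # The thread reports that the DVS only applies the ACL rules with this
    # agent name; the custom "custom-dvs-firewall-agent" did not work.
    filter_config.agentName = "dvfilter-generic-vmware"
    filter_config.inherited = False
    filter_config.trafficRuleset = _build_drop_ruleset(spec_factory)

    filter_policy.filterConfig.append(filter_config)
    return filter_policy


def _build_drop_ruleset(spec_factory, protocol=6, port_number=50001):
    """Return an enabled DvsTrafficRuleset dropping inbound traffic.

    Args:
        spec_factory: the suds factory used to instantiate API data objects.
        protocol: IP protocol number matched by the rule (6 == TCP).
        port_number: destination port matched by the rule.
    """
    ruleset = spec_factory.create('ns0:DvsTrafficRuleset')
    ruleset.enabled = True

    rule = spec_factory.create('ns0:DvsTrafficRule')
    rule.description = "Port rule 0"
    rule.sequence = 10
    rule.direction = "incomingPackets"
    rule.action = spec_factory.create('ns0:DvsDropNetworkRuleAction')

    qualifier = spec_factory.create('ns0:DvsIpNetworkRuleQualifier')
    qualifier.protocol = spec_factory.create('ns0:IntExpression')
    qualifier.protocol.value = protocol
    qualifier.protocol.negate = False
    qualifier.destinationIpPort = spec_factory.create('ns0:DvsSingleIpPort')
    qualifier.destinationIpPort.portNumber = port_number
    qualifier.destinationIpPort.negate = False
    rule.qualifier.append(qualifier)

    ruleset.rules.append(rule)
    return ruleset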

def _make_connect():
    """Open an oslo.vmware API session from the module-level settings."""
    session_args = (
        vcenter_host,
        vcenter_login,
        vcenter_password,
        vcenter_retry_count,
        vcenter_retry_interval,
    )
    return vmware_api.VMwareAPISession(*session_args)

def _lookup_dvs(vcenter, name):
    """Return the VmwareDistributedVirtualSwitch called *name*.

    Only the network folder of the first datacenter is searched.

    Raises:
        RuntimeError: no switch with that name exists there.
    """
    network_folder = _lookup_net_folder(vcenter)
    children = vcenter.invoke_api(
        vim_util, 'get_object_property', vcenter.vim,
        network_folder, 'childEntity').ManagedObjectReference
    switches = _filter_objects_by_type(
        children, 'VmwareDistributedVirtualSwitch')
    for switch in switches:
        switch_name = vcenter.invoke_api(
            vim_util, 'get_object_property',
            vcenter.vim, switch, 'name')
        if switch_name == name:
            return switch
    raise RuntimeError('DVS name=="{}" not found'.format(name))

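def _lookup_dvs_port(vcenter, dvs, port_key):
    """Return the DistributedVirtualPort of *dvs* whose key is *port_key*.

    Raises:
        RuntimeError: the switch has no port with that key.
    """
    spec_factory = vcenter.vim.client.factory
    criteria = spec_factory.create(
        'ns0:DistributedVirtualSwitchPortCriteria')
    criteria.portKey = port_key
    ports = vcenter.invoke_api(
        vcenter.vim, 'FetchDVPorts', dvs, criteria=criteria)
    # Test the result instead of wrapping the API call in `except IndexError`:
    # an IndexError raised inside invoke_api itself would otherwise be
    # misreported as "port not found".
    if not ports:
        raise RuntimeError('DVS port key=="{}" not found'.format(port_key))
    return ports[0]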

def _lookup_net_folder(vcenter):
    """Return the networkFolder of the datacenter picked by _lookup_datacenter."""
    datacenter = _lookup_datacenter(vcenter)
    folder = vcenter.invoke_api(
        vim_util, 'get_object_property', vcenter.vim,
        datacenter, 'networkFolder')
    return folder

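def _lookup_datacenter(vcenter):
    """Return the managed-object reference of the first visible Datacenter.

    As in the original lookup only the first of at most 100 datacenters is
    used, so on a multi-datacenter vCenter the wrong one may be searched.

    Raises:
        RuntimeError: the session sees no Datacenter at all (a clear message
            instead of a bare IndexError, matching the other lookups).
    """
    datacenters = vcenter.invoke_api(
        vim_util, 'get_objects', vcenter.vim,
        'Datacenter', 100, ['name']).objects
    if not datacenters:
        raise RuntimeError('No Datacenter found')
    return datacenters[0].obj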

def _filter_objects_by_type(sequence, value):
    """Lazily yield the objects in *sequence* whose ``_type`` equals *value*."""
    def has_type(obj):
        return obj._type == value
    return (obj for obj in sequence if has_type(obj))

if __name__ == '__main__':
    # main() returns None, so a successful run exits with status 0; any
    # exception from the vCenter task propagates as a traceback.
    sys.exit(main())

结果:

Traceback (most recent call last):
  File "_dev_/dvs-port-filterPolicy.py", line 137, in <module>
    sys.exit(main())
  File "_dev_/dvs-port-filterPolicy.py", line 70, in main
    result = vcenter.wait_for_task(task)
  File "/home/dbogun/.venv/cisco0-neutron/lib/python2.7/site-packages/oslo_vmware/api.py", line 380, in wait_for_task
    return evt.wait()
  File "/home/dbogun/.venv/cisco0-neutron/lib/python2.7/site-packages/eventlet/event.py", line 121, in wait
    return hubs.get_hub().switch()
  File "/home/dbogun/.venv/cisco0-neutron/lib/python2.7/site-packages/eventlet/hubs/hub.py", line 294, in switch
    return self.greenlet.switch()
  File "/home/dbogun/.venv/cisco0-neutron/lib/python2.7/site-packages/oslo_vmware/common/loopingcall.py", line 76, in _inner
    self.f(*self.args, **self.kw)
  File "/home/dbogun/.venv/cisco0-neutron/lib/python2.7/site-packages/oslo_vmware/api.py", line 397, in _poll_task
    'info')
  File "/home/dbogun/.venv/cisco0-neutron/lib/python2.7/site-packages/oslo_vmware/api.py", line 341, in invoke_api
    return _invoke_api(module, method, *args, **kwargs)
  File "/home/dbogun/.venv/cisco0-neutron/lib/python2.7/site-packages/oslo_vmware/api.py", line 122, in func
    return evt.wait()
  File "/home/dbogun/.venv/cisco0-neutron/lib/python2.7/site-packages/eventlet/event.py", line 121, in wait
    return hubs.get_hub().switch()
  File "/home/dbogun/.venv/cisco0-neutron/lib/python2.7/site-packages/eventlet/hubs/hub.py", line 294, in switch
    return self.greenlet.switch()
  File "/home/dbogun/.venv/cisco0-neutron/lib/python2.7/site-packages/oslo_vmware/common/loopingcall.py", line 123, in _inner
    idle = self.f(*self.args, **self.kw)
  File "/home/dbogun/.venv/cisco0-neutron/lib/python2.7/site-packages/oslo_vmware/api.py", line 95, in _func
    result = f(*args, **kwargs)
  File "/home/dbogun/.venv/cisco0-neutron/lib/python2.7/site-packages/oslo_vmware/api.py", line 324, in _invoke_api
    raise clazz(six.text_type(excep), excep.details)
oslo_vmware.exceptions.VMwareDriverException: The object has already been deleted or has not been completely created
Cause: Server raised fault: 'The object has already been deleted or has not been completely created'
Faults: [ManagedObjectNotFound]
Details: {'obj': 'task-5189'}

PortGroup配置的trafficFilterOverrideAllowed选项必须设置为True,否则会得到"oslo_vmware.exceptions.VMwareDriverException:指定的参数不正确。\nfilterPolicy"——这个错误信息完全没有用,对真正的问题毫无提示。

能指出我对这项任务理解上的错误吗?或者有人有类似脚本的例子?

PS:vCenter v5.5

您必须设置:

filter_config.agentName = "dvfilter-generic-vmware"

我不知道为什么,但只有使用这个代理名称,dvs才能应用ACL规则。
