top of page
  • Rajeshkumar M

NSX-T configuration with SaltStack VMware module

Updated: Jan 28, 2023

I would like to share how I tested the SaltStack VMware module for NSX-T desired state configuration and issues. First installed python on my Linux machine then installed salt stack with bootstrap script.

curl -o bootstrap-salt.sh -L https://bootstrap.saltproject.io
chmod +x bootstrap-salt.sh
./bootstrap-salt.sh

I would like to run serverless salt so I updated the minion config file and replaced the file_client value form remote to local.

/etc/salt/minion
file_client: local

and installed VMware salt module using pip

pip3 install saltext.vmware

I configured pillar for my nsx-t host and credentials. My pillar with top.sls and default.sls files are placed under /srv/pillar folder.


/srv/pillar/top.sls


   
base:
  '*':
    - default


/srv/pillar/default.sls

 nsxthost: nsx01.domain.local
 username: admin
 password: mypassword
 existingT0displayname: Mgmt-T0

I have created my salt top file and state files are placed under /srv/salt.


/srv/salt/top.sls


 base:
  '*':
    - nsxt-infra

The Slat state file to create and manage desired sate for my NSX-T configuration. I have state file created to have a T1 created and attached with existing T0 , also two segments created and attached with T1, configured route distribution on my T1.

The credential information are getting passed from my pillar to variables. I will modify the file to include other NSX-T configuration may be later.


/srv/salt/nsxt-infra.sls


{% set hostname = salt['pillar.get']('nsxthost',) %}
{% set username = salt['pillar.get']('username',) %}
{% set password = salt['pillar.get']('password',) %}
{% set existingT0displayname = salt['pillar.get']('existingT0displayname',) %}
NSXT-Gateway:
  nsxt_policy_tier1.present:
   - name: Gateway-T1
     hostname: {{hostname}}
     username: {{username}}
     password: {{password}}
     display_name: Gateway-T1
     tier0_display_name: {{existingT0displayname}}
     route_advertisement_types:
      - TIER1_IPSEC_LOCAL_ENDPOINT
      - TIER1_STATIC_ROUTES
      - TIER1_CONNECTED
     cert: none
     verify_ssl: False
NSXT-App-Segment:
  nsxt_policy_segment.present:
   - name: App-Segment
     hostname: {{hostname}}
     username: {{username}}
     password: {{password}}
     display_name: App-Segment
     cert: none
     verify_ssl: False
     transport_zone_display_name: sfo-m01-tz-overlay01
     enforcementpoint_id: default
     site_id: default
     tier1_display_name: Gateway-T1
     subnets:
       - gateway_address: 10.10.200.253/24
         network: 10.10.200.0/24
NSXT-Web-Segment:
  nsxt_policy_segment.present:
   - name: Web-Segment
     hostname: {{hostname}}
     username: {{username}}
     password: {{password}}
     display_name: Web-Segment
     cert: none
     verify_ssl: False
     transport_zone_display_name: sfo-m01-tz-overlay01
     enforcementpoint_id: default
     site_id: default
     tier1_display_name: Gateway-T1
     subnets:
       - gateway_address: 10.10.100.253/24
         network: 10.10.100.0/24



I did apply my state file

salt-call state.apply

Fig 1

Fig 1, state applied and three changes are done.


Please note you may get bellow error.


Fig 2

Fig 2, issue with nsxt_policy_segemnt state and i was able to fix this issue. I did troubleshoot the issue and found the import statement on state nsxt_policy_segment.py file is not correct.


Fig 3

Fig 3, I replaced nsxt with vmware in import statement on the /usr/local/lib/python3.6/site-packages/saltext/vmware/states/nsxt_policy_segment.py file then it’s working. Also created an issue ticket as well.


/usr/local/lib/python3.6/site-packages/saltext/vmware/states/nsxt_policy_segment.py

Actual import statement 
from saltext.nsxt.modules import nsxt_policy_segment

replaced statement 

from saltext.vmware.modules import nsxt_policy_segment

one more issue also noticed when I apply my salt state if the segment is already in desired state then throwing error but if I make changes it’s working, as long as my changes are reflecting I’m ok with this now but I may update this article if I get any update on this issues.

Fig 4

Fig 4, Issue with nsxt_policy_segment when the segment already in desired state.


158 views0 comments

Recent Posts

See All

vSphere Tags to NSX-T Tags

I created a simple powercli script to copy the vSphere Tags to NSX-T, it helped me to copy the NSX-T tags on the recovery VM's in non-federated/local NSX-T managers. Since SRM retain the vSphere TAG's

vIDM Locl user password reset without email link

When resetting config admin or any local user password in VMware identity manager will trigger an email link, if in case the smtp is not working/configured we can use API call to reset the password. Y

Comments


bottom of page