- Rajeshkumar M
NSX-T configuration with SaltStack VMware module
Updated: Jan 28
I would like to share how I tested the SaltStack VMware module for NSX-T desired state configuration and issues. First installed python on my Linux machine then installed salt stack with bootstrap script.
curl -o bootstrap-salt.sh -L https://bootstrap.saltproject.io
chmod +x bootstrap-salt.sh
./bootstrap-salt.shI would like to run serverless salt so I updated the minion config file and replaced the file_client value form remote to local.
/etc/salt/minion
file_client: localand installed VMware salt module using pip
pip3 install saltext.vmwareI configured pillar for my nsx-t host and credentials. My pillar with top.sls and default.sls files are placed under /srv/pillar folder.
/srv/pillar/top.sls
base:
'*':
- default/srv/pillar/default.sls
nsxthost: nsx01.domain.local
username: admin
password: mypassword
existingT0displayname: Mgmt-T0
I have created my salt top file and state files are placed under /srv/salt.
/srv/salt/top.sls
base:
'*':
- nsxt-infraThe Slat state file to create and manage desired sate for my NSX-T configuration. I have state file created to have a T1 created and attached with existing T0 , also two segments created and attached with T1, configured route distribution on my T1.
The credential information are getting passed from my pillar to variables. I will modify the file to include other NSX-T configuration may be later.
/srv/salt/nsxt-infra.sls
{% set hostname = salt['pillar.get']('nsxthost',) %}
{% set username = salt['pillar.get']('username',) %}
{% set password = salt['pillar.get']('password',) %}
{% set existingT0displayname = salt['pillar.get']('existingT0displayname',) %}
NSXT-Gateway:
nsxt_policy_tier1.present:
- name: Gateway-T1
hostname: {{hostname}}
username: {{username}}
password: {{password}}
display_name: Gateway-T1
tier0_display_name: {{existingT0displayname}}
route_advertisement_types:
- TIER1_IPSEC_LOCAL_ENDPOINT
- TIER1_STATIC_ROUTES
- TIER1_CONNECTED
cert: none
verify_ssl: False
NSXT-App-Segment:
nsxt_policy_segment.present:
- name: App-Segment
hostname: {{hostname}}
username: {{username}}
password: {{password}}
display_name: App-Segment
cert: none
verify_ssl: False
transport_zone_display_name: sfo-m01-tz-overlay01
enforcementpoint_id: default
site_id: default
tier1_display_name: Gateway-T1
subnets:
- gateway_address: 10.10.200.253/24
network: 10.10.200.0/24
NSXT-Web-Segment:
nsxt_policy_segment.present:
- name: Web-Segment
hostname: {{hostname}}
username: {{username}}
password: {{password}}
display_name: Web-Segment
cert: none
verify_ssl: False
transport_zone_display_name: sfo-m01-tz-overlay01
enforcementpoint_id: default
site_id: default
tier1_display_name: Gateway-T1
subnets:
- gateway_address: 10.10.100.253/24
network: 10.10.100.0/24I did apply my state file
salt-call state.apply
Fig 1
Fig 1, state applied and three changes are done.
Please note you may get bellow error.
Fig 2
Fig 2, issue with nsxt_policy_segemnt state and i was able to fix this issue. I did troubleshoot the issue and found the import statement on state nsxt_policy_segment.py file is not correct.
Fig 3
Fig 3, I replaced nsxt with vmware in import statement on the /usr/local/lib/python3.6/site-packages/saltext/vmware/states/nsxt_policy_segment.py file then it’s working. Also created an issue ticket as well.
/usr/local/lib/python3.6/site-packages/saltext/vmware/states/nsxt_policy_segment.py
Actual import statement
from saltext.nsxt.modules import nsxt_policy_segment
replaced statement
from saltext.vmware.modules import nsxt_policy_segmentone more issue also noticed when I apply my salt state if the segment is already in desired state then throwing error but if I make changes it’s working, as long as my changes are reflecting I’m ok with this now but I may update this article if I get any update on this issues.
Fig 4
Fig 4, Issue with nsxt_policy_segment when the segment already in desired state.