  • Rajeshkumar M

NSX-T configuration with SaltStack VMware module

Updated: Jan 28, 2023

I would like to share how I tested the SaltStack VMware module for NSX-T desired state configuration, and the issues I found. First I installed Python on my Linux machine, then installed SaltStack with the bootstrap script.

curl -o bootstrap-salt.sh -L https://bootstrap.saltproject.io
chmod +x bootstrap-salt.sh
./bootstrap-salt.sh

I would like to run serverless Salt, so I updated the minion config file and changed the file_client value from remote to local.

/etc/salt/minion
file_client: local

Then I installed the VMware Salt module using pip.

pip3 install saltext.vmware

I configured pillar for my NSX-T host and credentials. My pillar top.sls and default.sls files are placed under the /srv/pillar folder.


/srv/pillar/top.sls


   
base:
  '*':
    - default


/srv/pillar/default.sls

nsxthost: nsx01.domain.local
username: admin
password: mypassword
existingT0displayname: Mgmt-T0

I created my Salt top file, and the state files are placed under /srv/salt.


/srv/salt/top.sls


base:
  '*':
    - nsxt-infra

This is the Salt state file to create and manage the desired state for my NSX-T configuration. The state file creates a T1 and attaches it to the existing T0, creates two segments and attaches them to the T1, and configures route distribution on my T1.

The credential information is passed from my pillar to variables. I may modify the file later to include other NSX-T configuration.


/srv/salt/nsxt-infra.sls


{% set hostname = salt['pillar.get']('nsxthost',) %}
{% set username = salt['pillar.get']('username',) %}
{% set password = salt['pillar.get']('password',) %}
{% set existingT0displayname = salt['pillar.get']('existingT0displayname',) %}
NSXT-Gateway:
  nsxt_policy_tier1.present:
   - name: Gateway-T1
     hostname: {{hostname}}
     username: {{username}}
     password: {{password}}
     display_name: Gateway-T1
     tier0_display_name: {{existingT0displayname}}
     route_advertisement_types:
      - TIER1_IPSEC_LOCAL_ENDPOINT
      - TIER1_STATIC_ROUTES
      - TIER1_CONNECTED
     cert: none
     verify_ssl: False
NSXT-App-Segment:
  nsxt_policy_segment.present:
   - name: App-Segment
     hostname: {{hostname}}
     username: {{username}}
     password: {{password}}
     display_name: App-Segment
     cert: none
     verify_ssl: False
     transport_zone_display_name: sfo-m01-tz-overlay01
     enforcementpoint_id: default
     site_id: default
     tier1_display_name: Gateway-T1
     subnets:
       - gateway_address: 10.10.200.253/24
         network: 10.10.200.0/24
NSXT-Web-Segment:
  nsxt_policy_segment.present:
   - name: Web-Segment
     hostname: {{hostname}}
     username: {{username}}
     password: {{password}}
     display_name: Web-Segment
     cert: none
     verify_ssl: False
     transport_zone_display_name: sfo-m01-tz-overlay01
     enforcementpoint_id: default
     site_id: default
     tier1_display_name: Gateway-T1
     subnets:
       - gateway_address: 10.10.100.253/24
         network: 10.10.100.0/24



I applied my state file:

salt-call state.apply

Fig 1

Fig 1, state applied and three changes are done.


Please note you may get the error below.


Fig 2

Fig 2, issue with the nsxt_policy_segment state; I was able to fix this issue. I troubleshot the issue and found that the import statement in the nsxt_policy_segment.py state file is not correct.


Fig 3

Fig 3, I replaced nsxt with vmware in the import statement in the /usr/local/lib/python3.6/site-packages/saltext/vmware/states/nsxt_policy_segment.py file, and then it worked. I also created an issue ticket.


/usr/local/lib/python3.6/site-packages/saltext/vmware/states/nsxt_policy_segment.py

Actual import statement:
from saltext.nsxt.modules import nsxt_policy_segment

Replaced statement:
from saltext.vmware.modules import nsxt_policy_segment
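
A repeatable form of the manual import fix above, as an added example (not code from the original post or from the saltext.vmware project): it scans a states directory for the stale saltext.nsxt import prefix, keeps a .orig backup and rewrites the prefix to saltext.vmware. Checking every *.py file in the directory goes beyond the one file the post names; the function name and the demo files are constructed for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Stale package prefix quoted in the post, and its replacement.
STALE = re.compile(r"^([ \t]*from[ \t]+)saltext\.nsxt(\.modules[ \t]+import[ \t]+)", re.M)
FIXED = r"\1saltext.vmware\2"


def fix_stale_imports(states_dir, dry_run=False):
    """Rewrite 'from saltext.nsxt.modules import ...' in each *.py under states_dir.

    Returns {path: lines_fixed} for files that needed a change. A '.orig' copy
    is kept beside each patched file, and a second run changes nothing.
    (Hypothetical helper written for this example.)
    """
    changed = {}
    for path in sorted(Path(states_dir).glob("*.py")):
        text = path.read_text(encoding="utf-8")
        new_text, count = STALE.subn(FIXED, text)
        if count == 0:
            continue
        changed[str(path)] = count
        if dry_run:
            continue  # report only, leave the file untouched
        backup = path.with_name(path.name + ".orig")
        if not backup.exists():
            shutil.copy2(path, backup)  # keep the shipped file for comparison
        path.write_text(new_text, encoding="utf-8")
    return changed


def demo():
    """Run against constructed stand-in files, not the installed package."""
    with tempfile.TemporaryDirectory() as tmp:
        seg = Path(tmp, "nsxt_policy_segment.py")
        seg.write_text("import logging\nfrom saltext.nsxt.modules import nsxt_policy_segment\n")
        Path(tmp, "nsxt_policy_tier1.py").write_text(
            "from saltext.vmware.modules import nsxt_policy_tier1\n")
        first = fix_stale_imports(tmp)
        second = fix_stale_imports(tmp)  # idempotent: nothing left to fix
        has_backup = Path(tmp, "nsxt_policy_segment.py.orig").exists()
        return first, second, seg.read_text(), has_backup


if __name__ == "__main__":
    print(demo())
```

On the host in the post, states_dir would be /usr/local/lib/python3.6/site-packages/saltext/vmware/states; run it with dry_run=True first, and again after any pip upgrade that replaces the file.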

I also noticed one more issue: when I apply my Salt state and the segment is already in the desired state, it throws an error, but if I make changes it works. As long as my changes are reflected I'm OK with this for now, but I may update this article if I get any update on these issues.

Fig 4

Fig 4, issue with nsxt_policy_segment when the segment is already in the desired state.

