Update of the doc.

Added support of vCenter 6.0
Added description of SG engine

Change-Id: I1c76cc3c05e338f0b0c17be2c272ea14a1176664
parent 4aef0ecb4e
commit c8efe027f0
|
@ -72,7 +72,7 @@ The plugin has the following requirements for software:
|
|||
================ ===========
|
||||
**Requirement** **Version**
|
||||
Fuel 7.0
|
||||
vCenter 5.5
|
||||
vCenter 5.5/6.0
|
||||
================ ===========
|
||||
|
||||
Limitations
|
||||
|
@ -83,7 +83,7 @@ Limitations
|
|||
|
||||
- Only VLANs are supported for tenant network separation.
|
||||
|
||||
- Only vSphere 5.5 is supported.
|
||||
- Only vSphere 5.5 & 6.0 are supported.
|
||||
|
||||
|
||||
Installing the VMware DVS plugin
|
||||
|
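Review bot: The new limitation line names the product differently from the requirements table changed in the previous hunk: the table says "vCenter 5.5/6.0" while this line says "vSphere 5.5 & 6.0". Use one name in both places, or state the vCenter and vSphere versions separately, and spell out "and" instead of "&".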
@ -185,6 +185,8 @@ Configuring VMware DVS plugin
|
|||
|
||||
.. image:: pics/settings.png
|
||||
|
||||
VMware DVS ML2 plugin does not support DVR feature. Keep Neutron DVR checkbox on Neutron Advanced Configuration tab at unchecked state.
|
||||
|
||||
#. Fill in the VMware configuration fields on the *VMware* tab:
|
||||
|
||||
.. image:: pics/vmware.png
|
||||
|
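Review bot: The DVR sentence sits between the settings.png image and the next "#." step, so unless it is indented to the list-item level it ends the enumerated list and the following "#. Fill in the VMware configuration fields" restarts numbering at 1. Indent it under the preceding step or wrap it in a ".. note::" directive, and tighten the wording, for example: "The VMware DVS ML2 plugin does not support DVR; leave the Neutron DVR checkbox on the Neutron Advanced Configuration tab unchecked."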
@ -218,3 +220,38 @@ User Guide
|
|||
where VMware is the name of the instance located on the vCenter.
|
||||
|
||||
#. You can use Neutron for such instance brand the same way as for KVM-located instances.
|
||||
|
||||
#. DVS Security groups functionality differs from KVM implementatin. VMWare DVS does not
|
||||
support stateful firewall properties and ICMP types. DVS Plugin realises emulation logic
|
||||
to support the similar behavior. It installs reverse traffic rule for each SG rule.
|
||||
VMWare DVS plugin state emulation logic uses ephemeral port range filter to rise security
|
||||
of reverse rules implementation.
|
||||
|
||||
Just add only those rules if you want to correctly launch EC2 compatible image with
|
||||
matadata request and DNS access:
|
||||
|
||||
Implement Custom TCP Ergess rule to 169.254.169.254/32 CIDR port 80
|
||||
Implement Custom UDP Egress rule to '<DNS server IP or 0.0.0.0/0>' CIDR port 53
|
||||
|
||||
DVS plugin will install four rules:
|
||||
|
||||
TCP Egress from any IP ports 32768-65535 to metadata IP port 80
|
||||
TCP Ingress from metadata IP port 80 to any IP ports 32768-65535
|
||||
UDP Egress from any IP ports 32768-65535 to DNS IP port 53
|
||||
UDP Ingress from DNS IP port 53 to any IP ports 32768-65535
|
||||
|
||||
32768-65535 is the useful ethemetal port range for most Linux kernels and Windows hosts.
|
||||
|
||||
Common egress TCP rule looks like this:
|
||||
|
||||
TCP Egress to any ports 0.0.0.0/0 CIDR
|
||||
|
||||
It works like:
|
||||
|
||||
TCP Egress from any IP ports 32768-65535 to any IP any port
|
||||
TCP Ingress from any IP any port to any IP ports 32768-65535
|
||||
|
||||
and private ports of your VM like http or ssh will be closed.
|
||||
|
||||
DVS plugin support only symmectric ICMP interaction. If your host can ping destination host,
|
||||
it means the destination host can ping your host by reverse rules.
|
||||
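Review bot: The "Common egress TCP rule" example needs an explicit warning about what the generated reverse rule exposes: "TCP Ingress from any IP any port to any IP ports 32768-65535" admits unsolicited inbound connections to anything the VM listens on in that range, which a stateful KVM security group would not allow. The text only says that "private ports of your VM like http or ssh will be closed"; say as well that services bound to 32768-65535 are reachable, that the UDP reverse rule admits any datagram with source port 53 from the DNS address to that range, and that a guest whose ephemeral range starts below 32768 will have its replies dropped. The ICMP paragraph should state its consequence the same way: allowing outbound ping also allows inbound ping. Separately, the rule lists will reflow into a single paragraph unless they are written as bullet lists or literal blocks, and several words need a spelling pass: "implementatin", "matadata", "Ergess", "ethemetal", "symmectric".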