Update of the doc.

Added support of vCenter 6.0
Added description of SG engine

Change-Id: I1c76cc3c05e338f0b0c17be2c272ea14a1176664
Vyacheslav Tabolin 2015-10-26 10:00:10 +00:00
parent 4aef0ecb4e
commit c8efe027f0
1 changed files with 39 additions and 2 deletions

@ -72,7 +72,7 @@ The plugin has the following requirements for software:
================ ===========
**Requirement** **Version**
Fuel 7.0
vCenter 5.5
vCenter 5.5/6.0
================ ===========
Limitations
@ -83,7 +83,7 @@ Limitations
- Only VLANs are supported for tenant network separation.
- Only vSphere 5.5 is supported.
- Only vSphere 5.5 & 6.0 are supported.
Installing the VMware DVS plugin
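Review bot: The new limitation line "Only vSphere 5.5 & 6.0 are supported." names the product and writes the versions differently from the requirements table changed in the previous hunk, which says "vCenter 5.5/6.0". Use one product name and one way of listing the versions in both places (for example "5.5 and 6.0"), so readers do not have to wonder whether vSphere and vCenter support differ.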
@ -185,6 +185,8 @@ Configuring VMware DVS plugin
.. image:: pics/settings.png
VMware DVS ML2 plugin does not support DVR feature. Keep Neutron DVR checkbox on Neutron Advanced Configuration tab at unchecked state.
#. Fill in the VMware configuration fields on the *VMware* tab:
.. image:: pics/vmware.png
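Review bot: The added DVR sentence states an unsupported feature but sits as plain text between the settings image and the next numbered step, where it is easy to miss. Put it in a `.. note::` or `.. warning::` directive and also list it under Limitations, since that section is where the other restrictions are collected. The wording "Keep Neutron DVR checkbox ... at unchecked state" would read better as "Leave the Neutron DVR checkbox ... unchecked".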
@ -218,3 +220,38 @@ User Guide
where VMware is the name of the instance located on the vCenter.
#. You can use Neutron for such instance brand the same way as for KVM-located instances.
#. DVS Security groups functionality differs from KVM implementatin. VMWare DVS does not
support stateful firewall properties and ICMP types. DVS Plugin realises emulation logic
to support the similar behavior. It installs reverse traffic rule for each SG rule.
VMWare DVS plugin state emulation logic uses ephemeral port range filter to rise security
of reverse rules implementation.
Just add only those rules if you want to correctly launch EC2 compatible image with
matadata request and DNS access:
Implement Custom TCP Ergess rule to 169.254.169.254/32 CIDR port 80
Implement Custom UDP Egress rule to '<DNS server IP or 0.0.0.0/0>' CIDR port 53
DVS plugin will install four rules:
TCP Egress from any IP ports 32768-65535 to metadata IP port 80
TCP Ingress from metadata IP port 80 to any IP ports 32768-65535
UDP Egress from any IP ports 32768-65535 to DNS IP port 53
UDP Ingress from DNS IP port 53 to any IP ports 32768-65535
32768-65535 is the useful ethemetal port range for most Linux kernels and Windows hosts.
Common egress TCP rule looks like this:
TCP Egress to any ports 0.0.0.0/0 CIDR
It works like:
TCP Egress from any IP ports 32768-65535 to any IP any port
TCP Ingress from any IP any port to any IP ports 32768-65535
and private ports of your VM like http or ssh will be closed.
DVS plugin support only symmectric ICMP interaction. If your host can ping destination host,
it means the destination host can ping your host by reverse rules.
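Review bot: The security consequence of the stateless emulation is understated in the added Security groups step. Per the expansion shown, a common egress rule installs "TCP Ingress from any IP any port to any IP ports 32768-65535", so any service on the VM listening in 32768-65535 becomes reachable from any source, and the ICMP paragraph likewise means that allowing outbound ping allows inbound ping. State both explicitly as a warning instead of only noting that "private ports of your VM like http or ssh will be closed". The rule lists should be literal blocks or bullet lists so they render one rule per line, and the typos need fixing: "implementatin", "matadata", "Ergess", "ethemetal" (ephemeral), "symmectric", and "rise security" (raise).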