Bug 1490806

Summary: [DOCS] Clearer requirements for VMWare and Egress router
Product: OpenShift Container Platform Reporter: Javier Ramirez <javier.ramirez>
Component: Documentation Assignee: brice <bfallonf>
Status: CLOSED CURRENTRELEASE QA Contact: Meng Bo <bmeng>
Severity: high Docs Contact: Vikram Goyal <vigoyal>
Priority: high    
Version: 3.6.1 CC: aos-bugs, bbennett, bmeng, javier.ramirez, jokerman, mmccomas
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: 3.7-release-plan
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-03 00:58:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Javier Ramirez 2017-09-12 09:31:04 UTC
Document URL: 
https://docs.openshift.com/container-platform/3.6/admin_guide/managing_pods.html#admin-guide-limit-pod-access-egress-router-pods

Section Number and Name: 
Limiting Pod Access with an Egress Router -> Important Deployment Considerations -> VMWare

Describe the issue: 
The doc says:
"If you are using VMware vSphere, follow VMware’s Securing Virtual Switch Ports and Forged Transmissions guidance."

But it is not clear what needs to be done.

Suggestions for improvement: 

Clear statement on what needs to be enabled on VMWare side, where and why.

Additional information: 

Looks like also promiscuous mode needs to be enabled:

Egress router (MacVLAN) does not work on VMWare  - https://access.redhat.com/solutions/3003011
Bug 1437568 - Egress routing doesn't work Vmware platform if promiscuous mode setting is not enabled in dvswitch

Comment 1 Ben Bennett 2017-09-20 11:06:55 UTC
You also need to enable promiscuous mode if you are using ipfailover.

Comment 2 brice 2017-09-21 05:20:59 UTC
PR submitted for this BZ:

https://github.com/openshift/openshift-docs/pull/5317

However, I'm not sure if there's enough information. It's one thing to list what's needed, but I can't find how to do it.

Javier, is there any more information? The solution in the initial comment doesn't seem to answer any questions, and what's in the PR is all I could find. Thanks.

Comment 3 Javier Ramirez 2017-09-21 10:40:13 UTC
(In reply to brice from comment #2)
> PR submitted for this BZ:
> 
> https://github.com/openshift/openshift-docs/pull/5317
> 
> However, I'm not sure if there's enough information. It's one thing to list
> what's needed, but I can't find how to do it.
> 
> Javier, is there any more information? The solution in the initial comment
> doesn't seem to answer any questions, and what's in the PR is all I could
> find. Thanks.

Thanks, I think it is enough.

Comment 4 brice 2017-09-26 23:23:46 UTC
Thanks, Javier. I'll put this on to QA.

For QA:
Can I ask if more information is needed to enable MAC Address Changes, Forged Transits, and Promiscuous Mode Operation? Thanks.

Comment 5 Meng Bo 2017-09-27 02:53:27 UTC
Hi Brice,

We did not test the egress router on VMWare since the platform has not been fully supported yet, and only some storage related features were tested there.

As the egress router relies on macvlan, I think it will work if all the configurations that macvlan requires are set.

Comment 6 brice 2017-09-27 22:49:56 UTC
Ok. Thanks. I'll move to completed.

Comment 7 openshift-github-bot 2017-09-28 03:41:56 UTC
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/250fdd4c758ed7def6d3b7e35d2dfd5a5a76d67e
Merge pull request #5317 from bfallonf/vmware_1490806

Bug 1490806 Changed vmware vsphere info to be more accurate
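
An added example, not part of the bug report or the OpenShift docs: one way to review and set the three vSphere security-policy options named in this thread (promiscuous mode, MAC address changes, forged transmits) on a distributed port group with VMware PowerCLI. It assumes PowerCLI is installed and `Connect-VIServer` has already been run; the port group name `egress-router-pg` is hypothetical and stands for a port group dedicated to the nodes that run egress router or ipfailover pods.

```powershell
# Added example. Assumes an existing PowerCLI session (Connect-VIServer).
# 'egress-router-pg' is a hypothetical, dedicated distributed port group.
param(
    [string]$PortGroupName = 'egress-router-pg',
    [switch]$Apply   # without -Apply the script only reports
)

# 1. Report the current security policy of every distributed port group,
#    so the relaxed settings are visible wherever they are already enabled.
Get-VDPortgroup | ForEach-Object {
    $policy = $_ | Get-VDSecurityPolicy
    [pscustomobject]@{
        PortGroup        = $_.Name
        AllowPromiscuous = $policy.AllowPromiscuous
        MacChanges       = $policy.MacChanges
        ForgedTransmits  = $policy.ForgedTransmits
    }
} | Format-Table -AutoSize

# 2. Check the one port group the macvlan-based pods attach through.
$target  = Get-VDPortgroup -Name $PortGroupName -ErrorAction Stop
$current = $target | Get-VDSecurityPolicy
$missing = @()
if (-not $current.AllowPromiscuous) { $missing += 'AllowPromiscuous' }
if (-not $current.MacChanges)       { $missing += 'MacChanges' }
if (-not $current.ForgedTransmits)  { $missing += 'ForgedTransmits' }

if ($missing.Count -eq 0) {
    Write-Output "$PortGroupName already allows all three settings."
}
elseif ($Apply) {
    # 3. Enable the settings on this port group only, not on the whole switch.
    $current | Set-VDSecurityPolicy -AllowPromiscuous $true `
                                    -MacChanges $true `
                                    -ForgedTransmits $true | Out-Null
    Write-Output "Enabled on ${PortGroupName}: $($missing -join ', ')"
}
else {
    Write-Output "Not enabled on ${PortGroupName}: $($missing -join ', '). Re-run with -Apply to change."
}
```

On a standard (non-distributed) vSwitch the equivalent PowerCLI cmdlets are `Get-VirtualPortGroup`, `Get-SecurityPolicy` and `Set-SecurityPolicy`.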