Bug 1490806 - [DOCS] Clearer requirements for VMWare and Egress router
Summary: [DOCS] Clearer requirements for VMWare and Egress router
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.6.1
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: ---
Assignee: brice
QA Contact: Meng Bo
Vikram Goyal
URL:
Whiteboard: 3.7-release-plan
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-12 09:31 UTC by Javier Ramirez
Modified: 2020-12-14 09:59 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-03 00:58:24 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Javier Ramirez 2017-09-12 09:31:04 UTC 
Document URL: 
https://docs.openshift.com/container-platform/3.6/admin_guide/managing_pods.html#admin-guide-limit-pod-access-egress-router-pods

Section Number and Name: 
Limiting Pod Access with an Egress Router - > Important Deployment Considerations -> VMWare

Describe the issue: 
The doc says:
"If you are using VMware vSphere, follow VMware’s Securing Virtual Switch Ports and Forged Transmissions guidance."

But it is not clear what need to be done.

Suggestions for improvement: 

Clear statement on what needs to be enabled on VMWare side, where and why.

Additional information: 

Looks like also promiscuous mode needs to be enabled:

Egress router (MacVLAN) does not work on VMWare  - https://access.redhat.com/solutions/3003011
Bug 1437568 - Egress routing doesn't work Vmware platform if promiscuous mode setting is not enabled in dvswitch
Comment 1 Ben Bennett 2017-09-20 11:06:55 UTC 
You also need to enable promiscuous mode if you are using ipfailover.
Comment 2 brice 2017-09-21 05:20:59 UTC 
PR submitted for this BZ:

https://github.com/openshift/openshift-docs/pull/5317

However, I'm not sure if there's enough information. It's one thing to list what's needed, but I can't find how to do it.

Javier, is there any more information? The solution in the initial comment doesn't seem too answer any questions, and what's in the PR is all I could find. Thanks.
Comment 3 Javier Ramirez 2017-09-21 10:40:13 UTC 
(In reply to brice from comment #2)
> PR submitted for this BZ:
> 
> https://github.com/openshift/openshift-docs/pull/5317
> 
> However, I'm not sure if there's enough information. It's one thing to list
> what's needed, but I can't find how to do it.
> 
> Javier, is there any more information? The solution in the initial comment
> doesn't seem too answer any questions, and what's in the PR is all I could
> find. Thanks.

Thanks , I think it is enough.
Comment 4 brice 2017-09-26 23:23:46 UTC 
Thanks, Javier. I'll put this on to QA.

For QA;
Can I ask if more information is needed to enable MAC Address Changes, Forged Transits, and Promiscuous Mode Operation? Thanks.
Comment 5 Meng Bo 2017-09-27 02:53:27 UTC 
Hi Brice,

We did not test the egress router on VMWare since the platform has not been fully supported yet, and only some storage related features were tested there.

As the egress router is relying on the macvlan, so I think it will work if all the configurations which the macvlan requires are set.
Comment 6 brice 2017-09-27 22:49:56 UTC 
Ok. Thanks. I'll move to completed.
Comment 7 openshift-github-bot 2017-09-28 03:41:56 UTC 
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/250fdd4c758ed7def6d3b7e35d2dfd5a5a76d67e
Merge pull request #5317 from bfallonf/vmware_1490806

Bug 1490806 Changed vmware vsphere info to be more accurate
Comment 8 brice 2017-10-03 00:58:24 UTC 
Link to released docs:

https://access.redhat.com/documentation/en-us/openshift_container_platform/3.6/html-single/cluster_administration/#admin-guide-limit-pod-access-egress-router
Note You need to log in before you can comment on or make changes to this bug.