You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by bf...@apache.org on 2013/01/14 19:00:34 UTC
[29/51] git commit: Per my veto vote on the dev list,
reverting "SRX and f5 inline mode documentation: Reviewed-By: Jessica
Tomechak"
Per my veto vote on the dev list, reverting "SRX and f5 inline mode documentation: Reviewed-By: Jessica Tomechak"
This reverts commit 106730ccdde30450e96d080ed6c9791682fb7300.
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/2b3084bb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/2b3084bb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/2b3084bb
Branch: refs/heads/ui-quick-view-v2
Commit: 2b3084bba09f631d93c233238b80756b7395f938
Parents: 499c474
Author: Chip Childers <ch...@gmail.com>
Authored: Fri Jan 11 10:19:38 2013 -0500
Committer: Chip Childers <ch...@gmail.com>
Committed: Fri Jan 11 10:19:38 2013 -0500
----------------------------------------------------------------------
docs/en-US/external-guest-firewall-integration.xml | 53 +++--
docs/en-US/external-guest-lb-integration.xml | 4 +-
docs/en-US/hardware-firewall.xml | 9 +-
docs/en-US/images/add-netscaler.png | Bin 22777 -> 0 bytes
docs/en-US/images/parallel-inline-mode.png | Bin 145392 -> 0 bytes
docs/en-US/inline-config-lb-fw.xml | 173 ---------------
docs/en-US/lb-services.xml | 25 --
docs/en-US/management-server-lb.xml | 12 +-
docs/en-US/network-setup.xml | 12 +-
9 files changed, 48 insertions(+), 240 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2b3084bb/docs/en-US/external-guest-firewall-integration.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/external-guest-firewall-integration.xml b/docs/en-US/external-guest-firewall-integration.xml
index bd9ac60..0b34dca 100644
--- a/docs/en-US/external-guest-firewall-integration.xml
+++ b/docs/en-US/external-guest-firewall-integration.xml
@@ -21,16 +21,23 @@
<section id="external-guest-firewall-integration">
<title>External Guest Firewall Integration for Juniper SRX (Optional)</title>
<note>
- <para>Available only for guests using advanced networking, both shared and isolated.</para>
+ <para>Available only for guests using advanced networking.</para>
</note>
<para>&PRODUCT; provides for direct management of the Juniper SRX series of firewalls. This
- enables &PRODUCT; to establish staticNAT mappings from public IPs to guest VMs, and to use the
- Juniper device in place of the virtual router for firewall services. You can have only one
- Juniper SRX device per zone. This feature is optional. If Juniper integration is not
- provisioned, &PRODUCT; will use the virtual router for these services.</para>
+ enables &PRODUCT; to establish static NAT mappings from public IPs to guest VMs, and to use
+ the Juniper device in place of the virtual router for firewall services. You can have one or
+ more Juniper SRX per zone. This feature is optional. If Juniper integration is not provisioned,
+ &PRODUCT; will use the virtual router for these services.</para>
<para>The Juniper SRX can optionally be used in conjunction with an external load balancer.
- External Network elements can be deployed in a side-by-side or inline configuration. For more
- information, see <xref linkend="inline-config-lb-fw"/>.</para>
+ External Network elements can be deployed in a side-by-side or inline configuration.</para>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref="./images/parallel-mode.png"/>
+ </imageobject>
+ <textobject>
+ <phrase>parallel-mode.png: adding a firewall and load balancer in parallel mode.</phrase>
+ </textobject>
+ </mediaobject>
<para>&PRODUCT; requires the Juniper to be configured as follows:</para>
<note>
<para>Supported SRX software version is 10.3 or higher.</para>
@@ -51,22 +58,22 @@
<para>Record the public and private interface names. If you used a VLAN for the public
interface, add a ".[VLAN TAG]" after the interface name. For example, if you are using
ge-0/0/3 for your public interface and VLAN tag 301, your public interface name would be
- "ge-0/0/3.301". Your private interface name should always be untagged because the &PRODUCT;
- software automatically creates tagged logical interfaces.</para>
+ "ge-0/0/3.301". Your private interface name should always be untagged because the
+ &PRODUCT; software automatically creates tagged logical interfaces.</para>
</listitem>
<listitem>
- <para>Create a public security zone and a private security zone. By default, these already
- exist and are called "untrust" and "trust" zones. Add the public interface to the public
- zone. &PRODUCT;automatically adds the private interface to private zone (trusted zone). Note
- down the security zone names.</para>
+ <para>Create a public security zone and a private security zone. By default, these will
+ already exist and will be called "untrust" and "trust". Add the public interface to the
+ public zone and the private interface to the private zone. Note down the security zone
+ names.</para>
</listitem>
<listitem>
<para>Make sure there is a security policy from the private zone to the public zone that
allows all traffic.</para>
</listitem>
<listitem>
- <para>Note the username and password of the account you want the &PRODUCT; software to log in
- to when it is programming rules.</para>
+ <para>Note the username and password of the account you want the &PRODUCT; software to log
+ in to when it is programming rules.</para>
</listitem>
<listitem>
<para>Make sure the "ssh" and "xnm-clear-text" system services are enabled.</para>
@@ -117,13 +124,13 @@ filter untrust {
<para>In the left navigation bar, click Infrastructure.</para>
</listitem>
<listitem>
- <para>In Zones, click View All.</para>
+ <para>In Zones, click View More.</para>
</listitem>
<listitem>
<para>Choose the zone you want to work with.</para>
</listitem>
<listitem>
- <para>Click the Physical Network tab.</para>
+ <para>Click the Network tab.</para>
</listitem>
<listitem>
<para>In the Network Service Providers node of the diagram, click Configure. (You might have
@@ -153,6 +160,10 @@ filter untrust {
ge-0/0/1. </para>
</listitem>
<listitem>
+ <para>Usage Interface: (Optional) Typically, the public interface is used to meter
+ traffic. If you want to use a different interface, specify its name here</para>
+ </listitem>
+ <listitem>
<para>Number of Retries: The number of times to attempt a command on the SRX before
failing. The default value is 2.</para>
</listitem>
@@ -169,12 +180,12 @@ filter untrust {
untrust.</para>
</listitem>
<listitem>
- <para>Capacity: The number of networks the device can handle.</para>
+ <para>Capacity: The number of networks the device can handle</para>
</listitem>
<listitem>
<para>Dedicated: When marked as dedicated, this device will be dedicated to a single
account. When Dedicated is checked, the value in the Capacity field has no significance
- implicitly, its value is 1.</para>
+ implicitly, its value is 1</para>
</listitem>
</itemizedlist>
</listitem>
@@ -183,8 +194,8 @@ filter untrust {
</listitem>
<listitem>
<para>Click Global Settings. Set the parameter external.network.stats.interval to indicate how
- often you want &PRODUCT; to fetch network usage statistics from the Juniper SRX. If you are
- not using the SRX to gather network usage statistics, set to 0.</para>
+ often you want &PRODUCT; to fetch network usage statistics from the Juniper SRX. If you
+ are not using the SRX to gather network usage statistics, set to 0.</para>
</listitem>
</orderedlist>
</section>
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2b3084bb/docs/en-US/external-guest-lb-integration.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/external-guest-lb-integration.xml b/docs/en-US/external-guest-lb-integration.xml
index acbb514..5760f95 100644
--- a/docs/en-US/external-guest-lb-integration.xml
+++ b/docs/en-US/external-guest-lb-integration.xml
@@ -20,12 +20,10 @@
-->
<section id="external-guest-lb-integration">
<title>External Guest Load Balancer Integration (Optional)</title>
- <note>
- <para>External load balancer devices are not supported in shared networks.</para>
- </note>
<para>&PRODUCT; can optionally use a Citrix NetScaler or BigIP F5 load balancer to provide load
balancing services to guests. If this is not enabled, &PRODUCT; will use the software load
balancer in the virtual router.</para>
+ <para>To install and enable an external load balancer for &PRODUCT; management:</para>
<orderedlist>
<listitem>
<para>Set up the appliance according to the vendor's directions.</para>
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2b3084bb/docs/en-US/hardware-firewall.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/hardware-firewall.xml b/docs/en-US/hardware-firewall.xml
index 28269cc..df0568a 100644
--- a/docs/en-US/hardware-firewall.xml
+++ b/docs/en-US/hardware-firewall.xml
@@ -22,11 +22,8 @@
<title>Hardware Firewall</title>
<para>All deployments should have a firewall protecting the management server; see Generic
Firewall Provisions. Optionally, some deployments may also have a Juniper SRX firewall that will
- be the default gateway for the guest networks; see <xref
- linkend="external-guest-firewall-integration"/>.</para>
+ be the default gateway for the guest networks; see <xref linkend="external-guest-firewall-integration"/>.</para>
<xi:include href="generic-firewall-provisions.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
- <xi:include href="external-guest-firewall-integration.xml"
- xmlns:xi="http://www.w3.org/2001/XInclude"/>
- <xi:include href="lb-services.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
- <xi:include href="inline-config-lb-fw.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+ <xi:include href="external-guest-firewall-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+ <xi:include href="external-guest-lb-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</section>
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2b3084bb/docs/en-US/images/add-netscaler.png
----------------------------------------------------------------------
diff --git a/docs/en-US/images/add-netscaler.png b/docs/en-US/images/add-netscaler.png
deleted file mode 100644
index 53c1344..0000000
Binary files a/docs/en-US/images/add-netscaler.png and /dev/null differ
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2b3084bb/docs/en-US/images/parallel-inline-mode.png
----------------------------------------------------------------------
diff --git a/docs/en-US/images/parallel-inline-mode.png b/docs/en-US/images/parallel-inline-mode.png
deleted file mode 100644
index c0c1555..0000000
Binary files a/docs/en-US/images/parallel-inline-mode.png and /dev/null differ
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2b3084bb/docs/en-US/inline-config-lb-fw.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/inline-config-lb-fw.xml b/docs/en-US/inline-config-lb-fw.xml
deleted file mode 100644
index dada3ff..0000000
--- a/docs/en-US/inline-config-lb-fw.xml
+++ /dev/null
@@ -1,173 +0,0 @@
-<?xml version='1.0' encoding='utf-8' ?>
-<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
-%BOOK_ENTITIES;
-]>
-<!-- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<section id="inline-config-lb-fw">
- <title>Configuring Network Devices in Inline and Side by Side Modes</title>
- <para>The external network elements, such as load balancer and firewall devices, supported in
- &PRODUCT; can be deployed in either of the following modes: Side by Side and Inline. Inline mode
- was originally supported in &PRODUCT; 2.2.x versions, and is now added back in the 3.0.6
- release.</para>
- <para>In Inline mode, one firewall device is placed in front of a load balancing device. The
- firewall acts as the gateway for all incoming traffic, then redirect the load balancing traffic
- to the load balancer behind it. The load balancer in this case will not have the direct access
- to the public network. Deploying network devices in Inline mode ensures that the resources are
- protected.</para>
- <mediaobject>
- <imageobject>
- <imagedata fileref="./images/parallel-inline-mode.png"/>
- </imageobject>
- <textobject>
- <phrase>parallel-inline-mode.png: external networks in different deployment modes</phrase>
- </textobject>
- </mediaobject>
- <para>In Side by Side mode, a firewall device is deployed in parallel with the load balancer
- device. So the traffic to the load balancer public IP is not routed through the firewall, and
- therefore, is exposed to the public network. </para>
- <mediaobject>
- <imageobject>
- <imagedata fileref="./images/parallel-mode.png"/>
- </imageobject>
- <textobject>
- <phrase>parallel-mode.png: adding a firewall and load balancer in side by side mode</phrase>
- </textobject>
- </mediaobject>
- <para>The following table gives you an overview of the supported services and devices for inline
- and side by side mode.</para>
- <informaltable>
- <tgroup cols="4" align="left" colsep="1" rowsep="1">
- <colspec colwidth="1.08*" colname="c1" colnum="1"/>
- <colspec colwidth="1.2*" colname="c2" colnum="2"/>
- <colspec colnum="3" colname="c3" colwidth="1.0*"/>
- <colspec colnum="4" colname="c4" colwidth="5.15*"/>
- <thead>
- <row>
- <entry><para>Mode</para></entry>
- <entry><para>Firewall</para></entry>
- <entry><para>Load Balancer</para></entry>
- <entry><para>Supported</para></entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry><para>Side by Side</para></entry>
- <entry><para>Virtual Router</para></entry>
- <entry><para>F5</para></entry>
- <entry><para>Yes</para></entry>
- </row>
- <row>
- <entry><para>Side by Side</para></entry>
- <entry><para>Virtual Router</para></entry>
- <entry><para>Virtual Router</para></entry>
- <entry><para>Yes</para></entry>
- </row>
- <row>
- <entry><para>Side by Side</para></entry>
- <entry><para>Virtual Router</para></entry>
- <entry><para>NetScaler</para></entry>
- <entry><para>Yes</para></entry>
- </row>
- <row>
- <entry><para>Side by Side</para></entry>
- <entry><para>Juniper SRX</para></entry>
- <entry><para>F5</para></entry>
- <entry><para>Yes</para></entry>
- </row>
- <row>
- <entry><para>Side by Side</para></entry>
- <entry><para>Juniper SRX</para></entry>
- <entry><para>NetScaler</para></entry>
- <entry><para>Yes</para></entry>
- </row>
- <row>
- <entry><para>Inline</para></entry>
- <entry><para>Virtual Router</para></entry>
- <entry><para>F5</para></entry>
- <entry><para>No</para></entry>
- </row>
- <row>
- <entry><para>Inline</para></entry>
- <entry><para>Virtual Router</para></entry>
- <entry><para>NetScaler</para></entry>
- <entry><para>No</para></entry>
- </row>
- <row>
- <entry><para>Inline</para></entry>
- <entry><para>Juniper SRX</para></entry>
- <entry><para>F5</para></entry>
- <entry><para>Yes</para></entry>
- </row>
- <row>
- <entry><para>Inline</para></entry>
- <entry><para>Juniper SRX</para></entry>
- <entry><para>NetScaler</para></entry>
- <entry><para>No</para></entry>
- </row>
- <row>
- <entry><para>Inline</para></entry>
- <entry><para>Juniper SRX</para></entry>
- <entry><para>Virtual Router</para></entry>
- <entry><para>No</para></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
- <para>To configure SRX and F5 in Inline mode:</para>
- <orderedlist>
- <listitem>
- <para>Configure F5 Big IP and Juniper SRX.</para>
- <para>See the respective product documentation for more information.</para>
- </listitem>
- <listitem>
- <para>Add SRX and F5 to the same zone in &PRODUCT;.</para>
- <note>
- <para>Ensure that you select per zone sourceNAT when creating the network offering. When
- adding F5 BigIP, do not make it a dedicated device.</para>
- </note>
- </listitem>
- <listitem>
- <para>Enable both the devices.</para>
- </listitem>
- <listitem>
- <para>Create a network offering:</para>
- <para>Use SRX as provider for Firewall, Port Forwarding, SourceNAT, and StaticNat. Select F5
- BigIP as the service provider for Load Balancing. Use Virtual Router as the service provider
- for DNS, DHCP, user data.</para>
- </listitem>
- <listitem>
- <para>Select Inline mode.</para>
- <para>For more information, see <phrase condition="admin"><xref
- linkend="creating-network-offerings"/>.</phrase>
- <phrase condition="install">Creating Network Offerings in the Administration Guide.</phrase>
- </para>
- </listitem>
- <listitem>
- <para>Start a new VM with this new network offering.</para>
- </listitem>
- <listitem>
- <para>Add firewall and load balancing rules. For more information, see <phrase
- condition="admin"><xref linkend="add-load-balancer-rule"/></phrase>
- <phrase condition="install">Adding a Load Balancer Rule</phrase> and <phrase
- condition="admin"><xref linkend="firewall-rules"/>.</phrase>
- <phrase condition="install">IP Forwarding and Firewalling in the Administration
- Guide.</phrase>
- </para>
- </listitem>
- </orderedlist>
-</section>
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2b3084bb/docs/en-US/lb-services.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/lb-services.xml b/docs/en-US/lb-services.xml
deleted file mode 100644
index 3bb79db..0000000
--- a/docs/en-US/lb-services.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<?xml version='1.0' encoding='utf-8' ?>
-<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
-%BOOK_ENTITIES;
-]>
-<!-- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<section id="lb-services">
- <title>Load Balancing Services</title>
- <xi:include href="external-guest-lb-integration.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
- <xi:include href="management-server-lb.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
-</section>
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2b3084bb/docs/en-US/management-server-lb.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/management-server-lb.xml b/docs/en-US/management-server-lb.xml
index f427578..85a8622 100644
--- a/docs/en-US/management-server-lb.xml
+++ b/docs/en-US/management-server-lb.xml
@@ -19,12 +19,12 @@
under the License.
-->
<section id="management-server-lb">
- <title>Management Server Load Balancing</title>
- <para>&PRODUCT; can use a load balancer to provide a virtual IP for multiple Management Servers.
- The administrator is responsible for creating the load balancer rules for the Management
- Servers. The application requires persistence or stickiness across multiple sessions. The
- following chart lists the ports that should be load balanced and whether or not persistence is
- required.</para>
+ <title>Setting Zone VLAN and Running VM Maximums</title>
+ <para>&PRODUCT; can use a load balancer to provide a virtual IP for multiple Management
+ Servers. The administrator is responsible for creating the load balancer rules for the
+ Management Servers. The application requires persistence or stickiness across multiple sessions.
+ The following chart lists the ports that should be load balanced and whether or not persistence
+ is required.</para>
<para>Even if persistence is not required, enabling it is permitted.</para>
<informaltable>
<tgroup cols="4" align="left" colsep="1" rowsep="1">
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/2b3084bb/docs/en-US/network-setup.xml
----------------------------------------------------------------------
diff --git a/docs/en-US/network-setup.xml b/docs/en-US/network-setup.xml
index 192c8e2..ceee190 100644
--- a/docs/en-US/network-setup.xml
+++ b/docs/en-US/network-setup.xml
@@ -20,16 +20,16 @@
-->
<chapter id="network-setup">
<title>Network Setup</title>
- <para>Achieving the correct networking setup is crucial to a successful &PRODUCT; installation.
- This section contains information to help you make decisions and follow the right procedures to
- get your network set up correctly.</para>
+ <para>Achieving the correct networking setup is crucial to a successful &PRODUCT;
+ installation. This section contains information to help you make decisions and follow the right
+ procedures to get your network set up correctly.</para>
<xi:include href="basic-adv-networking.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="vlan-allocation-eg.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="hardware-config-eg.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="layer2-switch.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="hardware-firewall.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
+ <xi:include href="management-server-lb.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="topology-req.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
- <xi:include href="guest-nw-usage-with-traffic-sentinel.xml"
- xmlns:xi="http://www.w3.org/2001/XInclude"/>
+ <xi:include href="guest-nw-usage-with-traffic-sentinel.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="set-zone-vlan-run-vm-max.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
-</chapter>
+ </chapter>