vic-machine firewall configuration

[andrewtchin]

User Statement:

As a customer of VIC, I want the ESX firewall to be properly configured during the install process with minimal effort.

Details:
Parent/epic: #3643
Use firewall ruleset vSPC for each host (ComputeResource.Hosts())
https://github.com/vmware/govmomi/blob/master/object/host_firewall_system.go

Acceptance Criteria:

• Add a flag to vic-machine create that enables the firewall ruleset
• Warn that this opens all outbound TCP from the hosts
• Warn on delete that firewall rules will not be modified
• Add a flag to disable this ruleset for cases of delete
• Add integration test
• Documentation update for new options
• Documentation update for https://github.com/vmware/vic/blob/master/doc/user_doc/vic_installation/ts_firewall_error.md

[karthik-narayan]

This as an alternate option to VIBs makes a lot of sense.

Couple of questions/concerns:

• If this is pointed at a cluster, will it open up all outbound TCP on all hosts in that cluster?
• In either case, can we prompt the user to accept (y/n) before we make the change?

As I understand it, if we open all outbound TCP then it isn't great, but in environments where customers want to quickly test vSphere Integrated Containers, this will work pretty well and remove the initial barrier to getting up and running. Once we have the VIB option, this could be a good stop-gap solution in lab environments.

[andrewtchin]

We have concluded that this should have priority over the firewall VIB in #3801/#3927

[andrewtchin]

added doc info to #3991

[andrewtchin]

demo: https://asciinema.org/a/40izgi40z70lscfvfch75d2jf