Investigate the compatibility of containerVM with NSX

[amandafeng001]

User Statement:

As a VIC User I want to be able to use NSX to achieve network micro-segmentation and provide the same as what docker network supports.

In order to achieve this, we need to investigate the compatibility of our containerVMs with NSX: can we use NSX security groups and policies with current VIC implementation.

Details:
Our goals are:

1. container VMs in the same container network can talk to each other
2. container VMs in different container networks cannot talk to each other by default
3. one container VM can be added to different container networks

Our first investigation shows:

• Security Tag seems to be the best way to achieve our goals. But NSX cannot identify container VMs created by VCH.
• Using IP Sets can achieve goal 1 and 2, but it may not work for goal 3.
  (for details please refer to https://github.com/amandafeng001/vic/blob/NSX-integration/doc/design/networking/Investigation-on-NSX-integration.md).

Acceptance Criteria:
An investigation document which answers the following questions:

1. why NSX security policy cannot work if security group membership is identified by security tag?
2. how much changes are needed (or is it possible) in current VIC implementation to make NSX able to identify container VMs?
3. Is there any other way to achieve our goals with NSX?

[mhagen-vmware]

Please assign a priority to this.

[amandafeng001]

NSX Security Tag is supported on our containerVMs now. The comparison of using Security Tag versus vNIC to associate membership to NSX Security Group is this PR: #4071