Page MenuHomePhabricator

Determine need and replacement for dmz_cidr configuration in nova-network
Closed, ResolvedPublic




This is responsible for 10.x instance IPs being visible outside of the labnet hosts.

Use cases I can think of that are beneficial or necessary:

  • NFS sessions for shared storage
  • Labsdb use auditing and potentially policing

Use cases I'm not sure if they are intentional or a side-effect:

  • All instance traffic to public addresses are sourced from 10.x instance IPs. This is potentially awkward and I'm fairly certain I have seen spam/bot mitigation effort difficulty in accounting for this one special case where an rfc1918 address is valid from outside of production.
  • 10.x address handling outside of the instance VLAN that is incidental to general 10/8 address allowances

My belief atm is this was intentional for labs-support use cases but that wouldn't necessarily explain the NAT exemption. Potentially moving to a 172.16/12 address space will highlight the difficulties being addressed here. I'm not sure yet if Neutron has a native direct equivalent.

Event Timeline

@ayounsi and I spoke about this for a few minutes today. General agreement that the allowance here are too broad and even if we wanted to keep them incomplete. But a better mid-term plan seems to be to reduce this to actual hosts that need to preserve source IP to function (NFS, etc), and to reduce hosts in that category (outside of the labnet boundary) to 0 long term.

Change 422474 had a related patch set uploaded (by Rush; owner: cpettet):
[operations/puppet@production] openstack: neutron l3-agent custom iptables behavior

Change 422474 merged by Rush:
[operations/puppet@production] openstack: neutron l3-agent custom iptables behavior

chasemp claimed this task.

Seems to be working

Change 445452 had a related patch set uploaded (by Rush; owner: cpettet):
[operations/puppet@production] openstack: profile::openstack::eqiad1::neutron::dmz_cidr

Change 445452 merged by Rush:
[operations/puppet@production] openstack: profile::openstack::eqiad1::neutron::dmz_cidr