Page MenuHomePhabricator
Create Task
Maniphest T167357

Determine need and replacement for dmz_cidr configuration in nova-network
Closed, ResolvedPublic
Actions

Description

nova.conf

dmz_cidr=208.80.155.0/22,10.0.0.0/8

This is responsible for 10.x instance IPs being visible outside of the labnet hosts.

Use cases I can think of that are beneficial or necessary:

  • NFS sessions for shared storage
  • Labsdb use auditing and potentially policing

Use cases I'm not sure if they are intentional or a side-effect:

  • All instance traffic to 208.80.155.0/22 public addresses are sourced from 10.x instance IPs. This is potentially awkward and I'm fairly certain I have seen spam/bot mitigation effort difficulty in accounting for this one special case where an rfc1918 address is valid from outside of production.
  • 10.x address handling outside of the instance VLAN that is incidental to general 10/8 address allowances

My belief atm is this was intentional for labs-support use cases but that wouldn't necessarily explain the 208.80.155.0/22 NAT exemption. Potentially moving to a 172.16/12 address space will highlight the difficulties being addressed here. I'm not sure yet if Neutron has a native direct equivalent.

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+1 -1openstack: profile::openstack::eqiad1::neutron::dmz_cidr
operations/puppetproduction+2 K -6openstack: neutron l3-agent custom iptables behavior
Customize query in gerrit

Related Objects
Search...

Event Timeline

chasemp created this task.Jun 7 2017, 9:32 PM
bd808 moved this task from Triage to OpenStack on the Cloud-Services board.Jun 17 2017, 8:01 PM
Krenair mentioned this in T174596: dmz_cidr only includes some wikimedia public IP ranges, leading to some very strange behaviour.Aug 30 2017, 6:19 PM
chasemp added a subscriber: ayounsi.Aug 30 2017, 7:50 PM

@ayounsi and I spoke about this for a few minutes today. General agreement that the allowance here are too broad and even if we wanted to keep them incomplete. But a better mid-term plan seems to be to reduce this to actual hosts that need to preserve source IP to function (NFS, etc), and to reduce hosts in that category (outside of the labnet boundary) to 0 long term.

gerritbot added a subscriber: gerritbot.Mar 28 2018, 7:29 PM

Change 422474 had a related patch set uploaded (by Rush; owner: cpettet):
[operations/puppet@production] openstack: neutron l3-agent custom iptables behavior

https://gerrit.wikimedia.org/r/422474

gerritbot added a project: Patch-For-Review.Mar 28 2018, 7:29 PM
gerritbot added a comment.Mar 28 2018, 7:49 PM

Change 422474 merged by Rush:
[operations/puppet@production] openstack: neutron l3-agent custom iptables behavior

https://gerrit.wikimedia.org/r/422474

chasemp closed this task as Resolved.Apr 27 2018, 6:30 PM
chasemp claimed this task.

Seems to be working

chasemp mentioned this in T168580: Neutron implementation of routing_source_ip definition.May 14 2018, 8:18 PM
gerritbot added a comment.Jul 12 2018, 7:22 PM

Change 445452 had a related patch set uploaded (by Rush; owner: cpettet):
[operations/puppet@production] openstack: profile::openstack::eqiad1::neutron::dmz_cidr

https://gerrit.wikimedia.org/r/445452

gerritbot added a comment.Jul 12 2018, 8:04 PM

Change 445452 merged by Rush:
[operations/puppet@production] openstack: profile::openstack::eqiad1::neutron::dmz_cidr

https://gerrit.wikimedia.org/r/445452

Andrew mentioned this in T233665: Forward our neutron-l3-agent routing hacks to Openstack Newton.Sep 23 2019, 9:19 PM
Maintenance_bot removed a project: Patch-For-Review.Sep 23 2019, 10:10 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL