- hieradata/codfw/profile/openstack/labtest/nova.yaml --- profile::openstack::labtest::nova::dmz_cidr
- hieradata/codfw/profile/openstack/labtestn/neutron.yaml --- profile::openstack::labtestn::neutron::dmz_cidr
- hieradata/eqiad/profile/openstack/eqiad1/neutron.yaml --- profile::openstack::eqiad1::neutron::dmz_cidr
- hieradata/eqiad/profile/openstack/main/nova.yaml --- profile::openstack::main::nova::dmz_cidr
These settings contain a list of destination ranges which will not have the normal labs NAT rules applied, i.e. ranges in this list will see internal IPs.
This does not cover everything in https://wikitech.wikimedia.org/wiki/IP_and_AS_allocations, leading to this:
krenair@bastion-01:~$ curl -skI https://text-lb.{esams,eqiad,ulsfo,codfw,eqsin}.wikimedia.org/wiki/Main_Page -H 'Host: en.wikipedia.org' | grep X-Client-IP
X-Client-IP: 208.80.155.129
X-Client-IP: 10.68.17.232
X-Client-IP: 208.80.155.129
X-Client-IP: 10.68.17.232
X-Client-IP: 208.80.155.129
The current dmz_cidr configuration for eqiad1 (the profile::openstack::eqiad1::neutron::dmz_cidr hiera key in hieradata/eqiad/profile/openstack/eqiad1/neutron.yaml) is listed below as a checklist, to track whether we are done with each setting:
- 172.16.0.0/21:91.198.174.0/24 (stuff in esams DC)
- 172.16.0.0/21:198.35.26.0/23 (stuff in ulsfo DC)
- 172.16.0.0/21:10.0.0.0/8 (all private addresses in eqiad DC)
- 172.16.0.0/21:208.80.152.0/22 (stuff in codfw DC)
- 172.16.0.0/21:103.102.166.0/24 (stuff in eqsin DC)
- 172.16.0.0/21:172.16.0.0/21 (just added in T206261: Routing RFC1918 private IP addresses to/from WMCS floating IPs)
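
To audit which destinations see an instance's internal address, the `source:destination` entries above can be parsed and matched with Python's `ipaddress` module. This is an added example, not code from the task or the Puppet repository; the function names are hypothetical and the addresses passed to them are constructed.

```python
import ipaddress

# dmz_cidr entries copied from the checklist above ("source:destination").
DMZ_CIDR = [
    "172.16.0.0/21:91.198.174.0/24",
    "172.16.0.0/21:198.35.26.0/23",
    "172.16.0.0/21:10.0.0.0/8",
    "172.16.0.0/21:208.80.152.0/22",
    "172.16.0.0/21:103.102.166.0/24",
    "172.16.0.0/21:172.16.0.0/21",
]


def parse_rules(entries):
    """Split each IPv4 'src:dst' entry into a pair of ip_network objects."""
    rules = []
    for entry in entries:
        src, sep, dst = entry.partition(":")
        if not sep:
            raise ValueError(f"expected 'src:dst', got {entry!r}")
        # strict parsing rejects a CIDR with host bits set (a typo in hiera)
        rules.append((ipaddress.ip_network(src), ipaddress.ip_network(dst)))
    return rules


def skips_nat(src_ip, dst_ip, rules):
    """True if src_ip -> dst_ip matches an exclusion, meaning the
    destination sees the instance's internal address, not the NAT address."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in rules)


def uncovered(src_net, ranges, rules):
    """Return the ranges that no single rule for src_net fully contains.
    A range split across two adjacent rules is still reported."""
    src_net = ipaddress.ip_network(src_net)
    dsts = [d for s, d in rules if src_net.subnet_of(s)]
    return [r for r in ranges
            if not any(ipaddress.ip_network(r).subnet_of(d) for d in dsts)]
```

Feeding `uncovered` the ranges from the IP_and_AS_allocations page shows which allocations the current list misses.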