Set up LVS in beta like prod
Open, Needs Triage, Public


This currently doesn't work due to beta running on the labs network, which blocks the use of more interesting network routing used by LVS as a security feature.
I always assumed that was nova-network itself, but according to @chasemp: libvirt's native security group handling (that nova-network offloads to) prevents it.
However, when main labs runs on neutron instead of nova-network (neutron doesn't use libvirt's native handling of this stuff), we should be able to open up the rules enough such that our backend hosts can impersonate the LVS host, and the LVS host can impersonate external traffic. (Obviously haven't tested it, but I believe those are the allowances that would need to be made.)

Krenair created this task. Jun 7 2018, 5:26 PM
Restricted Application added a subscriber: Aklapper. Jun 7 2018, 5:26 PM
Krenair updated the task description. Jun 8 2018, 8:35 PM

Change 316512 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] deployment-prep: Make LVS config compatible with new requirements

(patch is just an old thing from when I last tried LVS inside labs)

Vvjjkkii renamed this task from Set up LVS in beta like prod to hgbaaaaaaa. Jul 1 2018, 1:05 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description.
Vvjjkkii removed subscribers: gerritbot, Aklapper.
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot renamed this task from hgbaaaaaaa to Set up LVS in beta like prod.
CommunityTechBot added subscribers: gerritbot, Aklapper.

Change 316512 merged by Tim Starling:
[operations/puppet@production] deployment-prep: Make LVS config compatible with new requirements

So the testlabs project has access to eqiad1-r (the new neutron region) and I have projectadmin there. I'm going to open a task to figure out what the process should be to disable port security somewhere.
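
The two allowances named in the task description, and the "disable port security" option from the last comment, can be checked against a small model of source-address filtering. This is an added example, not code from the task or from operations/puppet; it assumes direct-routing style forwarding (the LVS host forwards the client's packet unchanged, the backend replies from the LVS host's address), and the `Port` class and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Port:
    """A VM port as a source-address filter sees it (IP check only, no MAC check)."""
    name: str
    fixed_ip: str
    allowed_sources: list = field(default_factory=list)  # extra permitted source CIDRs
    port_security: bool = True

    def may_send(self, src_ip: str) -> bool:
        """Egress check: may this port emit a packet carrying this source IP?"""
        if not self.port_security:
            return True  # filtering disabled: any source address passes
        if ip_address(src_ip) == ip_address(self.fixed_ip):
            return True
        return any(ip_address(src_ip) in ip_network(c) for c in self.allowed_sources)

# Constructed addresses, not real beta values.
CLIENT = "203.0.113.7"   # external client
LVS_IP = "10.0.0.10"     # simplification: the service address is the LVS host's own IP
BACKEND_IP = "10.0.0.20"

def lvs_flow(lvs: Port, backend: Port) -> dict:
    """Verdicts for the packets each VM must emit for one balanced connection."""
    return {
        # The LVS host forwards the client's packet, so the source stays the client IP.
        "lvs -> backend (src=client)": lvs.may_send(CLIENT),
        # The backend answers the client directly, using the LVS host's address.
        "backend -> client (src=LVS)": backend.may_send(LVS_IP),
    }

def default_ports():
    """Each port may only send from its own address."""
    return Port("lvs", LVS_IP), Port("backend", BACKEND_IP)

def relaxed_ports():
    """The two allowances from the task, kept as narrow as the flow permits."""
    lvs = Port("lvs", LVS_IP, allowed_sources=["0.0.0.0/0"])  # any external client
    backend = Port("backend", BACKEND_IP, allowed_sources=[LVS_IP + "/32"])
    return lvs, backend

if __name__ == "__main__":
    for label, ports in (("default", default_ports()), ("relaxed", relaxed_ports())):
        for step, ok in lvs_flow(*ports).items():
            print(f"{label:8} {step:30} {'pass' if ok else 'DROP'}")
```

In this model the backend needs only a single /32 allowance, while the LVS port needs an allowance as wide as the set of client addresses, which is why turning filtering off on that one port is the alternative raised in the last comment.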