Page MenuHomePhabricator
Create Task
Maniphest T196662

Set up LVS in beta like prod
Open, Needs TriagePublic
Actions

Description

This currently doesn't work due to beta running on the labs network, which blocks the use of more interesting network routing used by LVS as a security feature.
I always assumed that was nova-network itself, but according to @chasemp: libvirt's native security group handling (that nova-network offloads to) prevents it.
However, when main labs runs on neutron instead of nova-network (neutron doesn't use libvirt's native handling of this stuff), we should be able to do http://superuser.openstack.org/articles/managing-port-level-security-openstack/ and open up the rules enough such that our backend hosts can impersonate the LVS host, and the LVS host can impersonate external traffic. (obviously haven't tested it but I believe those are the allowances that would need to be made).

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
deployment-prep: Make LVS config compatible with new requirementsoperations/puppetproduction+37 -1
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT53494 Use Beta cluster as a true canary for code deployments (epic)
 DeclinedNoneT87220 Minimize infrastructure differences between Beta Cluster and production
 OpenNoneT196662 Set up LVS in beta like prod
 ResolvedNoneT167293 Nova-network to Neutron migration
 Resolved chasempT153099 Initial OpenStack Neutron PoC deployment in Labtest
 ResolvedAndrewT165211 Disable keystone admin_token usage
Restricted Task
 DeclinedNoneT167294 use a service role project for openstack components
 DuplicateNoneT167295 Discontinue use of admin_token for keystone
 Resolved chasempT167356 Undo trunking to virts for a sane flat networking model
 Resolved chasempT167357 Determine need and replacement for dmz_cidr configuration in nova-network
 ResolvedfaidonT122406 Consider renumbering Labs to separate address spaces
 Resolved chasempT167518 update queue_server.pp for user/pass setup or one-time setup instructions
 Resolved aborreroT168580 Neutron implementation of routing_source_ip definition
 Resolved aborreroT195786 cloudvps: labtestn: neutron issue with vxlan and l2population
 Resolved chasempT167559 Create a detailed migration plan for implementing Neutron as our OpenStack SDN layer
 Resolved chasempT171494 Refactor OpenStack Puppet to account for Neutron
 Resolved aborreroT181523 labtest puppetmaster is not working for clients
 ResolvedPapaulT183167 Connect labtestvirt2003 eth1 and eth2 interface(s) to switch fabric
Restricted Task
 Resolved chasempT186142 labtestservices* cron spam related to designate
 Resolved chasempT187552 connect eth2 for labtestneutron2001 and 2002
 Resolved chasempT187954 Cloud VPS upgrade to Openstack Mitaka release
 Resolved aborreroT188266 labtestn to Mitaka on Jessie
 Resolved aborreroT188392 package prometheus-rabbitmq-exporter for Debian jessie
 Resolved aborreroT189682 reimage labtestmetal2001 with virt compatible partman as Jessie
 ResolvedAndrewT191790 Figure out how to migrate an instance from a nova-network region to a neutron region
 ResolvedAndrewT191791 Make same glance images available to multiple regions
 ResolvedAndrewT202532 After migrating a VM to eqiad1, transfer DNS to point to the new VM
 ResolvedAndrewT202533 During eqiad1 migration, transfer dynamic proxies to point to the post-migrate VM
 ResolvedfaidonT193496 Allocate public v4 IPs for Neutron setup in eqiad
 Resolved aborreroT193657 integrate nova.conf missing settings into neutron setup
 Resolved aborreroT196633 cloudvps: eqiad1 deployment
 Resolved aborreroT199521 labnet1003: reimage+rename to cloudnet1003
 Resolved CmjohnsonT199524 Relabel labnet1003.eqiad.wmnet as cloudnet1003.eqiad.wmnet
 Resolved aborreroT199781 labcontrol1004.wikimedia.org: reimage and rename to cloudcontrol1004.wikimedia.org
 Resolved CmjohnsonT199782 Relabel labcontrol1004.wikimedia.org as cloudcontrol1004.wikimedia.org
 Resolved aborreroT199906 labnet1004: reimage+rename to cloudnet1004
 Resolved CmjohnsonT199921 Relabel labnet1004.eqiad.wmnet as cloudnet1004.eqiad.wmnet
 Resolved aborreroT200068 labcontrol1003: reimage+rename to cloudcontrol1003
 Resolved CmjohnsonT200080 Relabel labcontrol1003.wikimedia.org as cloudcontrol1003.wikimedia.org
 ResolvedAndrewT197162 real-time service concerns with neutron migration
 Resolved chasempT197169 10G ports seem not to work on new HP hardware
 Resolved aborreroT198863 Reallocate labvirt from main to eqiad1
 Resolved aborreroT199107 labvirt1021: reallocate from eqiad1 as cloudvirt1021
 Resolved aborreroT199202 labvirt1022: reallocate from eqiad1 as cloudvirt1022
 ResolvedAndrewT199374 Delegate public IP range for Eqiad1-r OpenStack deployment to designate (neutron)
Restricted Task
 ResolvedAndrewT199578 Designate (DNS) integration with Neutron
Unknown Object (Task)
 ResolvedAndrewT201341 rack/setup/install cloudservices1004.wikimedia.org
Restricted Task
 ResolvedAndrewT201423 Make labpuppetmaster aware of VMs in eqiad1
 Resolved aborreroT201504 cloudvps: main/eqiad1 keystone merge
 Resolved aborreroT201674 m5-master: setup for new keystone daemon
 Resolved aborreroT210595 cloudvps: keystone extra services
 Resolved aborreroT202115 cloudvps: eqiad1: review floating IP mechanisms
Restricted Task
Restricted Task
 Resolved aborreroT202261 cloudvps: eqiad1: move neutron db to m5-master
 Resolved aborreroT202549 cloudvps: eqiad1: move nova db to m5-master
 Resolved aborreroT202636 Allow routing between eqiad and eqiad1 regions
 Resolved aborreroT202886 cloudvps: eqiad1: create DNS PTR records for cloud addresses
 ResolvedAndrewT203031 eqiad1 private IPs lacking PTRs in DNS
 Resolved aborreroT203177 cloudvps: metrics and analytics
InvalidAndrewT204349 Migrated VMs (possibly all VMs) don't appear in the project overview page on Horizon
 ResolvedAndrewT204745 cloudvps: migrate projects from main to eqiad1
 ResolvedNoneT207677 Migrate 'Quarry' project to eqiad1
 ResolvedAndrewT209632 Move 'video' project to eqiad1-r
 DeclinedNoneT209938 CloudVPS: diamond report some metrics with the host IP address instead of host name
 ResolvedAndrewT213085 Delete eqiad region bastion hosts
 ResolvedAndrewT213087 Stray user files on old eqiad bastions
 ResolvedAndrewT213540 Migrate nova proxies to eqiad1
 DuplicateherronT205158 Mail relays needed for VMs in eqiad1
 ResolvedherronT41785 Create a Cloud VPS SMTP smarthost
 Resolved bd808T174618 Request creation of project-smtp VPS project
 ResolvedherronT206261 Routing RFC1918 private IP addresses to/from WMCS floating IPs
 Resolved JHeddenT205524 cloudvps: neutron: agents failed to communicate with server
 ResolvedKrenairT208101 Migrate deployment-prep to eqiad1
 Resolved mmodellT208262 Ensure there are no hard-coded IPs in use for beta
 Resolved bd808T210030 RedisBagOStuff is broken on beta
 ResolvedKrenairT210214 deployment-cache-text04 decomissioning
 ResolveddduvallT210301 Status of deployment-redis0[56]?
 ResolvedAndrewT208244 ntp broken in new region
 ResolvedhasharT208803 Migrate the Integration cloud project to eqiad1-r
 Duplicate aborreroT222411 Decommission former cloud IPs and vlans
 Resolved aborreroT207554 Determine process to set up LVS instances under neutron
 OpenNoneT278007 Configure etcd/confd/conftool in beta/deployment-prep like production
 OpenNoneT299054 Make varnish-frontend-restart work on Beta Cluster

Event Timeline

Krenair created this task.Jun 7 2018, 5:26 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 7 2018, 5:26 PM
Krenair added a subtask: T167293: Nova-network to Neutron migration.Jun 7 2018, 6:00 PM
mmodell awarded a token.Jun 7 2018, 11:36 PM
Krenair updated the task description. (Show Details)Jun 8 2018, 8:35 PM
gerritbot subscribed.Jun 9 2018, 10:34 PM

Change 316512 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] deployment-prep: Make LVS config compatible with new requirements

https://gerrit.wikimedia.org/r/316512

gerritbot added a project: Patch-For-Review.Jun 9 2018, 10:34 PM
Krenair added a comment.Jun 9 2018, 10:35 PM

(patch is just an old thing from when I last tried LVS inside labs)

Vvjjkkii renamed this task from Set up LVS in beta like prod to hgbaaaaaaa.Jul 1 2018, 1:05 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii added projects: CheckUser, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed subscribers: gerritbot, Aklapper.
CommunityTechBot renamed this task from hgbaaaaaaa to Set up LVS in beta like prod.Jul 2 2018, 3:10 PM
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot updated the task description. (Show Details)
CommunityTechBot removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), CheckUser.
CommunityTechBot added subscribers: gerritbot, Aklapper.
gerritbot added a comment.Aug 24 2018, 12:04 AM

Change 316512 merged by Tim Starling:
[operations/puppet@production] deployment-prep: Make LVS config compatible with new requirements

https://gerrit.wikimedia.org/r/316512

Krenair added a comment.Oct 20 2018, 4:44 PM

So the testlabs project has access to eqiad1-r (the new neutron region) and I have projectadmin there. I'm going to open a task to figure out what the process should be to disable port security somewhere.

GTirloni subscribed.Mar 21 2019, 8:34 PM

https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Neutron_LVS

GTirloni unsubscribed.Mar 21 2019, 9:06 PM
Andrew closed subtask T167293: Nova-network to Neutron migration as Resolved.May 20 2019, 4:40 PM
Maintenance_bot removed a project: Patch-For-Review.May 22 2019, 2:47 PM
aborrero changed the status of subtask T207554: Determine process to set up LVS instances under neutron from Open to Stalled.Nov 22 2019, 10:21 AM
aborrero closed subtask T207554: Determine process to set up LVS instances under neutron as Resolved.Jun 22 2020, 11:24 AM
Krinkle mentioned this in T167467: Create nova service account for openstack.Mar 18 2021, 6:48 PM
taavi mentioned this in T278007: Configure etcd/confd/conftool in beta/deployment-prep like production.Mar 20 2021, 1:13 PM
taavi added a subtask: T278007: Configure etcd/confd/conftool in beta/deployment-prep like production.
taavi mentioned this in T276650: Re-consider setting up a Kubernetes cluster on the Beta cluster.Mar 20 2021, 4:20 PM
taavi mentioned this in T255670: horizon: enable neutron port management.Mar 20 2021, 6:10 PM
RhinosF1 subscribed.Mar 22 2021, 5:56 PM
Zabe subscribed.Sep 19 2022, 10:54 PM
TheresNoTime removed a subscriber: RhinosF1.Dec 15 2022, 11:36 PM
Dzahn unsubscribed.Jan 24 2023, 7:50 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits