Set up LVS in beta like prod
Open, Needs Triage, Public

Description

This currently doesn't work due to beta running on the labs network, which blocks the use of more interesting network routing used by LVS as a security feature.
I always assumed that was nova-network itself, but according to @chasemp: libvirt's native security group handling (that nova-network offloads to) prevents it.
However, when main labs runs on neutron instead of nova-network (neutron doesn't use libvirt's native handling of this stuff), we should be able to do http://superuser.openstack.org/articles/managing-port-level-security-openstack/ and open up the rules enough such that our backend hosts can impersonate the LVS host, and the LVS host can impersonate external traffic. (Obviously haven't tested it, but I believe those are the allowances that would need to be made.)

Krenair created this task. Jun 7 2018, 5:26 PM
Restricted Application added a subscriber: Aklapper. Jun 7 2018, 5:26 PM
Krenair updated the task description. Jun 8 2018, 8:35 PM

Change 316512 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] deployment-prep: Make LVS config compatible with new requirements

https://gerrit.wikimedia.org/r/316512

(patch is just an old thing from when I last tried LVS inside labs)

Vvjjkkii renamed this task from Set up LVS in beta like prod to hgbaaaaaaa. Jul 1 2018, 1:05 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description.
Vvjjkkii removed subscribers: gerritbot, Aklapper.
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot renamed this task from hgbaaaaaaa to Set up LVS in beta like prod.
CommunityTechBot added subscribers: gerritbot, Aklapper.

Change 316512 merged by Tim Starling:
[operations/puppet@production] deployment-prep: Make LVS config compatible with new requirements

https://gerrit.wikimedia.org/r/316512