
Set up LVS in beta like prod
Open, Needs Triage, Public

Description

This currently doesn't work due to beta running on the labs network, which blocks the use of more interesting network routing used by LVS as a security feature.
I always assumed that was nova-network itself, but according to @chasemp: libvirt's native security group handling (that nova-network offloads to) prevents it.
However, when main labs runs on neutron instead of nova-network (neutron doesn't use libvirt's native handling of this stuff), we should be able to do http://superuser.openstack.org/articles/managing-port-level-security-openstack/ and open up the rules enough such that our backend hosts can impersonate the LVS host, and the LVS host can impersonate external traffic. (obviously haven't tested it but I believe those are the allowances that would need to be made).
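A simplified model of the source-address check discussed in the description, added here as an illustration; it is not part of the original task and is not Neutron's code. It assumes direct-routing-style forwarding in which the LVS host keeps the client's source IP, and the `Port` class, function names and all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field, replace

@dataclass
class Port:
    """Simplified stand-in for a Neutron port (constructed, not Neutron code)."""
    mac: str
    fixed_ips: list
    allowed_address_pairs: list = field(default_factory=list)  # (cidr, mac or None)
    port_security_enabled: bool = True

def egress_allowed(port, src_mac, src_ip):
    """True if the anti-spoofing check lets this source MAC/IP leave the port."""
    if not port.port_security_enabled:
        return True  # no source filtering at all on this port
    pairs = [(ip, port.mac) for ip in port.fixed_ips]
    # An allowed address pair without a MAC defaults to the port's own MAC.
    pairs += [(cidr, mac or port.mac) for cidr, mac in port.allowed_address_pairs]
    addr = ipaddress.ip_address(src_ip)
    return any(src_mac.lower() == mac.lower() and addr in ipaddress.ip_network(cidr)
               for cidr, mac in pairs)

# Constructed sample addresses.
VIP = "10.0.0.100"        # service address held by the LVS host
CLIENT = "198.51.100.7"   # external client (documentation range)
LVS = Port(mac="fa:16:3e:00:00:01", fixed_ips=["10.0.0.10"])
BACKEND = Port(mac="fa:16:3e:00:00:02", fixed_ips=["10.0.0.20"])

def direct_routing_flow(lvs, backend):
    """The two spoofed-looking packets the description says must be allowed."""
    return {
        # LVS host forwards the client's packet with the client's source IP intact.
        "lvs_forwards_as_client": egress_allowed(lvs, lvs.mac, CLIENT),
        # Backend answers the client directly, using the VIP as source.
        "backend_replies_as_vip": egress_allowed(backend, backend.mac, VIP),
    }

def open_up(lvs, backend):
    """One set of allowances in this model: VIP pair on backend, no filter on LVS."""
    return (replace(lvs, port_security_enabled=False),
            replace(backend, allowed_address_pairs=[(VIP, None)]))

if __name__ == "__main__":
    print("default :", direct_routing_flow(LVS, BACKEND))
    print("opened  :", direct_routing_flow(*open_up(LVS, BACKEND)))
```

In this model the backend with the VIP pair still cannot send from arbitrary addresses, while the LVS port with port security disabled can send from any source.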


Event Timeline

Krenair created this task. Jun 7 2018, 5:26 PM
Restricted Application added a subscriber: Aklapper. Jun 7 2018, 5:26 PM
Krenair updated the task description. Jun 8 2018, 8:35 PM

Change 316512 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] deployment-prep: Make LVS config compatible with new requirements

https://gerrit.wikimedia.org/r/316512

(patch is just an old thing from when I last tried LVS inside labs)

Vvjjkkii renamed this task from Set up LVS in beta like prod to hgbaaaaaaa. Jul 1 2018, 1:05 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description.
Vvjjkkii removed subscribers: gerritbot, Aklapper.
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot renamed this task from hgbaaaaaaa to Set up LVS in beta like prod.
CommunityTechBot added subscribers: gerritbot, Aklapper.

Change 316512 merged by Tim Starling:
[operations/puppet@production] deployment-prep: Make LVS config compatible with new requirements

https://gerrit.wikimedia.org/r/316512

So the testlabs project has access to eqiad1-r (the new neutron region) and I have projectadmin there. I'm going to open a task to figure out what the process should be to disable port security somewhere.

GTirloni removed a subscriber: GTirloni. Mar 21 2019, 9:06 PM