Now that eqiad1-r exists and instances can run there, we should figure out what neutron configuration would be required to allow LVS to operate within labs like it does in prod.
Description
Status | Subtype | Assigned | Task
---|---|---|---
Open | | None | T53494 Use Beta cluster as a true canary for code deployments (epic)
Open | | None | T87220 Minimize infrastructure differences between Beta Cluster and production
Open | | None | T196662 Set up LVS in beta like prod
Resolved | | aborrero | T207554 Determine process to set up LVS instances under neutron
Event Timeline
In particular we should look at network restrictions around LVS instances and the backends. I assume LVS should be able to impersonate any host when sending to its backends, and the backends should be able to impersonate the LVS instance when talking to any host.
http://superuser.openstack.org/articles/managing-port-level-security-openstack/ looks relevant - port security and address pairs?
If we do disable port security somewhere we should consider what implications that has for other instances and whether extra restrictions are necessary.
I did some research and wrote my conclusions here: https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Neutron_LVS
I consider this task done. The docs mentioned in the previous comment are up-to-date and this is something one can do in CloudVPS today.
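To make the port-security question raised in the comments concrete, here is an added example (not taken from this task or the linked wikitech page): a simplified Python model of Neutron's per-port source-address filtering. It shows which packets from an LVS instance and a backend pass by default, with an allowed address pair, and with port security disabled. The `Port` class, the addresses and the MACs are constructed for illustration and are not Neutron's API.

```python
"""Simplified model of Neutron per-port anti-spoofing (illustrative, not Neutron code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Port:
    mac: str
    fixed_ips: list
    port_security_enabled: bool = True
    # (cidr, mac) pairs; mac=None means "the port's own MAC"
    allowed_address_pairs: list = field(default_factory=list)

    def egress_allowed(self, src_ip, src_mac=None):
        """True if a frame with this source IP/MAC would pass the port's filter."""
        src_mac = (src_mac or self.mac).lower()
        if not self.port_security_enabled:
            return True  # no source filtering at all on this port
        if src_mac == self.mac.lower() and src_ip in self.fixed_ips:
            return True
        addr = ip_address(src_ip)
        return any(addr in ip_network(cidr) and src_mac == (mac or self.mac).lower()
                   for cidr, mac in self.allowed_address_pairs)


# Constructed sample addresses (documentation ranges and a made-up tenant subnet).
VIP, CLIENT, OTHER_VM = "198.51.100.10", "203.0.113.7", "10.0.0.99"


def scenario():
    lvs = Port("fa:16:3e:00:00:05", ["10.0.0.5"])
    backend = Port("fa:16:3e:00:00:21", ["10.0.0.21"])
    results = {
        # Defaults: LVS forwarding a client's packet and a backend answering
        # from the service address are both dropped as spoofed.
        "default_lvs_forwards_as_client": lvs.egress_allowed(CLIENT),
        "default_backend_replies_as_vip": backend.egress_allowed(VIP),
    }
    # Narrow fix for the backend: allow only the service address.
    backend.allowed_address_pairs.append((VIP, None))
    results["pair_backend_replies_as_vip"] = backend.egress_allowed(VIP)
    results["pair_backend_spoofs_other_vm"] = backend.egress_allowed(OTHER_VM)
    # Broad fix for LVS: disabling port security also lets it send as any
    # other instance, which is the implication the comments ask about.
    lvs.port_security_enabled = False
    results["open_lvs_forwards_as_client"] = lvs.egress_allowed(CLIENT)
    results["open_lvs_spoofs_other_vm"] = lvs.egress_allowed(OTHER_VM)
    return results


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'pass' if allowed else 'drop'}")
```

The last two results are the trade-off to review: an address pair widens one port by exactly one address, while a port with security disabled is no longer constrained at all.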