Now that eqiad1-r exists and instances can run there, we should figure out what neutron configuration would be required to allow LVS to operate within labs like it does in prod.
Description
Description
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | None | T53494 Use Beta cluster as a true canary for code deployments (epic) | |||
| Open | None | T87220 Minimize infrastructure differences between Beta Cluster and production | |||
| Open | None | T196662 Set up LVS in beta like prod | |||
| Resolved | aborrero | T207554 Determine process to set up LVS instances under neutron |
Event Timeline
Comment Actions
In particular we should look at network restrictions around LVS instances and the backends. I assume LVS should be able to impersonate any host when sending to its backends, and the backends should be able to impersonate the LVS instance when talking to any host.
http://superuser.openstack.org/articles/managing-port-level-security-openstack/ looks relevant - port security and address pairs?
If we do disable port security somewhere we should consider what implications that has for other instances and whether extra restrictions are necessary.
Comment Actions
I did a research and wrote my conclusions here: https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Neutron_LVS
Comment Actions
I consider this task done. The docs mentioned in the previous comment are up-to-date and this is something one can do in CloudVPS today.