Page MenuHomePhabricator
Create Task
Maniphest T244851

Neutron: replace NAT customization with address scopes
Closed, DeclinedPublic
Actions

Description

We currently customize the Neutron python code to support our current ingress/egress NAT model, inherited from the old nova-network days.
With every openstack upgrade we need to forwardport the patches, which is error prone and is not a proper long term solution.
@JHedden suggested we should use address scopes instead, which seems to be the proper openstack neutron mechanism to handle this situation.

Things to take into account:

  • preserving the same routing_source_ip address
  • preserving a dmz_cidr-similar mechanism

Related docs:

Related Objects
Search...

Event Timeline

aborrero created this task.Feb 11 2020, 12:39 PM
Stashbot added a comment.Feb 11 2020, 12:40 PM

Mentioned in SAL (#wikimedia-cloud) [2020-02-11T12:40:00Z] <arturo> [codfw1dev] delete unknown subnet pool 'cloudinstancesb-v4-pool0': root@cloudcontrol2001-dev:~# openstack subnet pool delete d23a9b88-5c3d-4a53-ab88-053233a75365 (T244851)

Stashbot added a comment.Feb 11 2020, 12:40 PM

Mentioned in SAL (#wikimedia-cloud) [2020-02-11T12:40:44Z] <arturo> [codfw1dev] delete unknown address scope 'wmcs-v4-scope': root@cloudcontrol2001-dev:~# openstack address scope delete 078cfd71-117b-4aac-9197-6ebbbb7dd3de (T244851)

aborrero claimed this task.Feb 11 2020, 12:41 PM
aborrero triaged this task as Medium priority.
aborrero moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.
aborrero updated the task description. (Show Details)
Stashbot added a comment.Feb 11 2020, 1:46 PM

Mentioned in SAL (#wikimedia-cloud) [2020-02-11T13:46:48Z] <arturo> [codfw1dev] creating some neutron objects to investigate T244851 (subnets, subnet pools, address scopes, ...)

Stashbot added a comment.Feb 12 2020, 1:38 PM

Mentioned in SAL (#wikimedia-cloud) [2020-02-12T13:38:30Z] <arturo> [codfw1dev] add reference to subnetpool to the instance subnet MariaDB [neutron]> update subnets set subnetpool_id='d129650d-d4be-4fe1-b13e-6edb5565cb4a' where id = '7adfcebe-b3d0-4315-92fe-e8365cc80668'; (T244851)

aborrero added a comment.Feb 13 2020, 5:09 PM

The neutron router implements the address scope mechanism by looking at the input/output interface of packets. Since the networks we are interested in are external (truly physically external) to neutron, all packets circulate using the same output interface and thus the get applied the general NAT.
This would help us if neutron were implementing the address scope mechanism by evaluating source/destination address of packets, which is not the case.

See https://wikitech.wikimedia.org/wiki/Wikimedia_Cloud_Services_team/EnhancementProposals/Network_refresh#neutron_address_scopes for details

aborrero closed this task as Declined.Feb 13 2020, 5:17 PM
Stashbot added a comment.Feb 21 2020, 11:37 AM

Mentioned in SAL (#wikimedia-cloud) [2020-02-21T11:37:01Z] <arturo> [codfw1dev] cleanup unused neutron subnet pools from previous address scope tests (T244851)

Stashbot added a comment.Mar 13 2020, 12:39 PM

Mentioned in SAL (#wikimedia-cloud) [2020-03-13T12:39:49Z] <arturo> [codfw1dev] reintroduce address scopes for another round of testing T244851

aborrero closed subtask T247633: New network request for CloudVPS CODFW instances transport as Declined.Mar 18 2020, 11:40 AM
gerritbot added a comment.Oct 16 2020, 11:46 AM

Change 634490 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] cloudgw: add support for selecting NICs using hiera

https://gerrit.wikimedia.org/r/634490

gerritbot added a project: Patch-For-Review.Oct 16 2020, 11:46 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL