
Neutron: replace NAT customization with address scopes
Closed, Declined · Public

Description

We currently customize the Neutron python code to support our current ingress/egress NAT model, inherited from the old nova-network days.
With every openstack upgrade we need to forward-port the patches, which is error-prone and is not a proper long-term solution.
@JHedden suggested we should use address scopes instead, which seems to be the proper openstack neutron mechanism to handle this situation.

Things to take into account:

  • preserving the same routing_source_ip address
  • preserving a dmz_cidr-similar mechanism

Related docs:

Event Timeline

Mentioned in SAL (#wikimedia-cloud) [2020-02-11T12:40:00Z] <arturo> [codfw1dev] delete unknown subnet pool 'cloudinstancesb-v4-pool0': root@cloudcontrol2001-dev:~# openstack subnet pool delete d23a9b88-5c3d-4a53-ab88-053233a75365 (T244851)

Mentioned in SAL (#wikimedia-cloud) [2020-02-11T12:40:44Z] <arturo> [codfw1dev] delete unknown address scope 'wmcs-v4-scope': root@cloudcontrol2001-dev:~# openstack address scope delete 078cfd71-117b-4aac-9197-6ebbbb7dd3de (T244851)

aborrero triaged this task as Medium priority.
aborrero moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.
aborrero updated the task description.

Mentioned in SAL (#wikimedia-cloud) [2020-02-11T13:46:48Z] <arturo> [codfw1dev] creating some neutron objects to investigate T244851 (subnets, subnet pools, address scopes, ...)

Mentioned in SAL (#wikimedia-cloud) [2020-02-12T13:38:30Z] <arturo> [codfw1dev] add reference to subnetpool to the instance subnet MariaDB [neutron]> update subnets set subnetpool_id='d129650d-d4be-4fe1-b13e-6edb5565cb4a' where id = '7adfcebe-b3d0-4315-92fe-e8365cc80668'; (T244851)

The neutron router implements the address scope mechanism by looking at the input/output interface of packets. Since the networks we are interested in are external (truly physically external) to neutron, all packets circulate using the same output interface and thus they get the general NAT applied.
This would help us if neutron were implementing the address scope mechanism by evaluating the source/destination addresses of packets, which is not the case.

See https://wikitech.wikimedia.org/wiki/Wikimedia_Cloud_Services_team/EnhancementProposals/Network_refresh#neutron_address_scopes for details
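The comment above contrasts two NAT decisions: neutron's address scopes, which compare the scopes of a packet's ingress and egress interfaces, and the nova-network-style dmz_cidr exemption, which looks at the destination address. The model below is an added illustration, not code from neutron or from this task; the interface names, addresses and the dmz_cidr prefix are constructed placeholders, and the scope name reuses the one mentioned in this task. It shows why, when every external destination leaves through the same uplink interface, address scopes NAT everything while dmz_cidr can still exempt the chosen destinations.

```python
from ipaddress import ip_address, ip_network

# Constructed names and addresses (documentation ranges), not real WMCS values.
EXT_IFACE = "qg-ext"             # single router uplink to the physical network
INSTANCE_IFACE = "qr-instances"  # tenant-subnet side of the neutron router
ROUTING_SOURCE_IP = "192.0.2.1"  # stands in for routing_source_ip
DMZ_CIDR = [ip_network("198.51.100.0/24")]  # stands in for dmz_cidr

# Neutron attaches one address scope per router interface. A packet is exempt
# from SNAT only when its ingress and egress interfaces share a scope; the
# destination address plays no part in the decision.
IFACE_SCOPE = {INSTANCE_IFACE: "wmcs-v4-scope", EXT_IFACE: "external"}


def snat_by_address_scope(in_iface: str, out_iface: str) -> bool:
    """Interface-based decision, as neutron's L3 agent models it."""
    return IFACE_SCOPE[in_iface] != IFACE_SCOPE[out_iface]


def snat_by_dmz_cidr(dst: str) -> bool:
    """Address-based decision: destinations inside dmz_cidr keep the real source."""
    return not any(ip_address(dst) in net for net in DMZ_CIDR)


def egress_source(src: str, dst: str,
                  in_iface: str = INSTANCE_IFACE,
                  out_iface: str = EXT_IFACE) -> dict:
    """Source address each model would put on the wire for src -> dst."""
    return {
        "address_scope": ROUTING_SOURCE_IP
        if snat_by_address_scope(in_iface, out_iface) else src,
        "dmz_cidr": ROUTING_SOURCE_IP if snat_by_dmz_cidr(dst) else src,
    }


if __name__ == "__main__":
    for dst in ("198.51.100.10", "203.0.113.7"):
        print(dst, egress_source("172.16.0.5", dst))
```

Both external destinations leave via the same uplink, so the address-scope model rewrites the source in both cases; only the dmz_cidr model preserves the instance address towards the exempted prefix.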

aborrero closed this task as Declined. Feb 13 2020, 5:17 PM

Mentioned in SAL (#wikimedia-cloud) [2020-02-21T11:37:01Z] <arturo> [codfw1dev] cleanup unused neutron subnet pools from previous address scope tests (T244851)

Mentioned in SAL (#wikimedia-cloud) [2020-03-13T12:39:49Z] <arturo> [codfw1dev] reintroduce address scopes for another round of testing T244851