Page MenuHomePhabricator
Create Task
Maniphest T245495

CloudVPS: IPv6 in codfw1dev
Closed, ResolvedPublic
Actions

Description

This ticket is to track the work to enable IPv6 in codfw1dev prior to doing in eqiad1.

  • IPv6 addressing -- T187929 T374712
  • edge networking (cloudsw, cloudgw, etc) -- T374713 T374716
  • virtual network support (neutron, subnets, ports, etc)
  • other openstack bits (horizon, keystone hooks, etc) -- T377339
  • security groups -- T374714
  • DNS AAAA and PTR records integration -- T374715

Details

SubjectRepoBranchLines +/-
Fix typos in updated prefix-list for cloud ranges eqiadoperations/homer/publicmaster+2 -2
Remove WMCS codfw prefix from CR aggregate conf and adjust outfilteroperations/homer/publicmaster+5 -3
Add orlonger to policy on announced v6 routes from cloudswoperations/homer/publicmaster+1 -1
Fix similar typo in the codfw policyoperations/homer/publicmaster+3 -3
Adjust cloudsw/cr bgp policies and include new IPv6 range for codfwoperations/homer/publicmaster+36 -27
Add elements for WMCS IPv6 range in codfw 2a02:ec80:a100::/48operations/homer/publicmaster+7 -3
Customize query in gerrit
TitleReferenceAuthorSource BranchDest Branch
codfw1dev: network: rename them to better reflect what they dorepos/cloud/cloud-vps/tofu-infra!157aborreroarturo-360-codfw1dev-network-rmain
Customize query in GitLab

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT53494 Use Beta cluster as a true canary for code deployments (epic)
 OpenNoneT87220 Minimize infrastructure differences between Beta Cluster and production
 StalledNoneT211677 Support IPv6 in beta
 OpenNoneT270694 CloudVPS: introduce tenant networks
 StalledaborreroT364725 Migrate Cloud VPS instances to VXLAN based networks
 OpenNoneT392509 Enable IPv6 for Toolforge services
 OpentaaviT392506 Enable IPv6 for tools.wmflabs.org / *.toolserver.org legacy redirector service
 StalledNoneT211575 Enable IPv6 on toolforge.org
 ResolvedNoneT209460 CloudVPS: network architecture
 ResolvedNoneT244727 CloudVPS: networking improvements
 OpenNoneT220306 Add IPv6 monitoring
 OpentaaviT379175 Enable IPv6 for the Cloud VPS web proxy
 OpenNoneT37947 Enable IPv6 on CloudVPS
 ResolvedaborreroT245495 CloudVPS: IPv6 in codfw1dev
 ResolvedaborreroT187929 Cloud IPv6 subnets
 ResolvedaborreroT374712 netbox: create IPv6 entries for Cloud VPS
 ResolvedaborreroT376462 dns: integrate PTR support for 2a02:ec80:a100::/48
 ResolvedaborreroT374715 openstack: work out IPv6 and designate integration
 ResolvedaborreroT377740 neutron: clarify why DNS extension is not enabled
 ResolvedaborreroT378192 openstack: wmf sink: extend it to support IPv6
 ResolvedaborreroT378995 openstack codfw1dev: API endpoints errors 2024-11-04
 ResolvedaborreroT374714 openstack: clarify IPv6 firewalling
 ResolvedaborreroT377339 horizon: enable IPv6 security group panels
 ResolvedaborreroT374716 cloudgw: add support and enable IPv6
 ResolvedcmooneyT374713 cloudsw: codfw: enable IPv6
 ResolvedaborreroT376879 keepalived: it doesn't support mixing IPv4 and IPv6 VIPs on the same VRRP instance
 ResolvedaborreroT375847 openstack: initial IPv6 support in neutron

Event Timeline

aborrero created this task.Feb 18 2020, 11:16 AM
JHedden awarded a token.Feb 18 2020, 2:10 PM
Krenair subscribed.Feb 18 2020, 8:56 PM
Paladox subscribed.Feb 19 2020, 4:29 PM
bd808 triaged this task as Medium priority.Feb 25 2020, 5:05 PM
bd808 moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.
aborrero mentioned this in T247633: New network request for CloudVPS CODFW instances transport .Mar 18 2020, 11:40 AM
aborrero added a project: netops.Mar 19 2020, 1:31 PM
Restricted Application added a project: SRE. · View Herald TranscriptMar 19 2020, 1:31 PM
aborrero added a subtask: T187929: Cloud IPv6 subnets.Mar 19 2020, 2:55 PM
ayounsi added a comment.EditedMar 19 2020, 5:31 PM

The steps I have in mind here are:
1/ Setup v6 on the transport network (most likely 2620:0:860:fe0a::/64)
2/ Assign a /48 for cloud codfw, see T187929 (Here we won't go into its subnetting)
3/ Advertise that /48 to the world either from codfw only or both eqiad/codfw(TBD, former is preferred)
3a/ Shrink esams advertisement from 2a02:ec80::/32 to 2a02:ec80:500::/48
4/ Setup a basic firewall filter (cloud-in6)
My suggestion is to initially only allow traffic to the internet and maybe some selected "private" hosts needed for the testing. This in order to minimize the workload of creating and managing that filter during and after the POC.

5/ Statically route the whole /48 to the neutron gateway VIP (go live)
This would stay like this for simplicity for now, but will most likely change down the road (if for example support network gets moved to that prefix but on a different network)

I assume that if the PoC is not successful, we would rollback the configuration and assignments will stay as reserved for future usage.
If successful, we would need to start managing the firewall filter (like we currently do with v4) does that mean the v4 exceptions will go away but be replaced by the v6 ones or both will stay live?
Is there anything else that will change on that aspect if we keep maintaining v6 on the long run?

ayounsi mentioned this in T187929: Cloud IPv6 subnets.Mar 19 2020, 6:02 PM
aborrero added a comment.Mar 19 2020, 6:13 PM

Mostly agree with everything, some inlined comments

In T245495#5984709, @ayounsi wrote:

The steps I have in mind here are:
1/ Setup v6 on the transport network (most likely 2620:0:860:fe0a::/64)

Is that range definitive? If no, could we pick one that would likely be used in the future too? Per my comment T187929#5984401 I suggest we use 2a02:ec80:1:0::/64.

2/ Assign a /48 for cloud codfw, see T187929 (Here we won't go into its subnetting)

OK. Same, I suggest we use 2a02:ec80:1:1::/64 (see T187929#5984401)

3/ Advertise that /48 to the world either from codfw only or both eqiad/codfw(TBD, former is preferred)
4/ Setup a basic firewall filter (cloud-in6)
My suggestion is to initially only allow traffic to the internet and maybe some selected "private" hosts needed for the testing. This in order to minimize the workload of creating and managing that filter during and after the POC.

I agree. I suggest we do this firewalling incrementally. Ideally we would implement some statefull firewalling and only allow connections started within the cloud, but I'm aware this is not possible using the prod core routers as upstream.
For the initial PoC, we only need 3 addresses allowed:

  • 2620:0:860:3:208:80:153:76 (cloudservices2002-dev.wikimedia.org)
  • 2620:0:860:2:208:80:153:59 (cloudcontrol2001-dev.wikimedia.org)
  • 2620:0:860:3:208:80:153:75 (cloudcontrol2003-dev.wikimedia.org)

i.e, connection to/from the the cloud to these physical hosts.

5/ Statically route the whole /48 to the neutron gateway VIP (go live)
This would stay like this for simplicity for now, but will most likely change down the road (if for example support network gets moved to that prefix but on a different network)

I assume that if the PoC is not successful, we would rollback the configuration and assignments will stay as reserved for future usage.

Ok, That's why I think it may be important to agree on the addressing plan first: T187929: Cloud IPv6 subnets

If successful, we would need to start managing the firewall filter (like we currently do with v4) does that mean the v4 exceptions will go away but be replaced by the v6 ones or both will stay live?

Initially both will stay alive. I'm not sure what would be our next step from the network point of view:

  • we get rid of our NAT dmz_cidr mechanism --> v4 firewall need adjustment in the prod core routers.
  • we introduce a pair of cloud upstream routers/firewalls between neutron and the prod core routers --> we can drop all the firewalling from the prod core routers.

Is there anything else that will change on that aspect if we keep maintaining v6 on the long run?

Other than what I commented already, I don't have any other concern as of right now. Things may change in the near future if we really start playing with the PoC and we start learning how this looks like for real.

aborrero mentioned this in T37947: Enable IPv6 on CloudVPS.Mar 30 2020, 5:28 PM
AfroThundr3007730 subscribed.Apr 16 2020, 7:03 PM
mdaniels5757 subscribed.Apr 20 2020, 4:23 PM
dcaro mentioned this in T271139: Some WMCS clusters apparently do not support IPv6.Jan 5 2021, 11:30 AM
dcaro subscribed.Jan 26 2021, 3:37 PM
taavi subscribed.Feb 7 2021, 9:35 PM
cmooney subscribed.Jun 11 2021, 1:30 PM
Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 8:59 PM
faidon changed the status of subtask T187929: Cloud IPv6 subnets from Open to Stalled.Aug 27 2021, 7:03 PM
nskaggs subscribed.Jul 21 2022, 7:57 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 7:17 PM
fnegri moved this task from Kanban to Soon! on the cloud-services-team board.
bd808 added a parent task: T37947: Enable IPv6 on CloudVPS.Feb 10 2023, 12:45 AM
Rail subscribed.Feb 11 2023, 6:57 PM
ayounsi moved this task from Backlog to Watching on the netops board.Oct 3 2023, 11:44 AM
aborrero changed the status of subtask T187929: Cloud IPv6 subnets from Stalled to Open.Apr 24 2024, 2:31 PM
aborrero mentioned this in T374713: cloudsw: codfw: enable IPv6.Sep 13 2024, 12:46 PM
aborrero added a subtask: T374715: openstack: work out IPv6 and designate integration.Sep 13 2024, 12:50 PM
aborrero renamed this task from CloudVPS: IPv6 early PoC to CloudVPS: IPv6 in codfw1dev.Sep 13 2024, 12:54 PM
aborrero updated the task description. (Show Details)
aborrero updated the task description. (Show Details)
aborrero removed a subtask: T374713: cloudsw: codfw: enable IPv6.Sep 13 2024, 12:56 PM
aborrero updated the task description. (Show Details)
aborrero updated the task description. (Show Details)
aborrero added a project: User-aborrero.
aborrero moved this task from Backlog to Next on the User-aborrero board.
aborrero closed subtask T187929: Cloud IPv6 subnets as Resolved.Sep 16 2024, 9:29 AM
aborrero changed the status of subtask T375847: openstack: initial IPv6 support in neutron from Open to In Progress.Sep 27 2024, 8:21 AM
taavi added a project: Cloud-VPS.Sep 28 2024, 11:32 AM
taavi moved this task from Unsorted to Network on the Cloud-VPS board.Sep 28 2024, 11:34 AM
aborrero updated the task description. (Show Details)Oct 3 2024, 12:38 PM
gerritbot added a comment.Oct 9 2024, 5:17 PM

Change #1078990 had a related patch set uploaded (by Cathal Mooney; author: Cathal Mooney):

[operations/homer/public@master] Add elements for WMCS IPv6 range in codfw 2a02:ec80:a100::/48

https://gerrit.wikimedia.org/r/1078990

gerritbot added a project: Patch-For-Review.Oct 9 2024, 5:17 PM
gerritbot added a comment.Oct 10 2024, 9:27 AM

Change #1078990 merged by jenkins-bot:

[operations/homer/public@master] Add elements for WMCS IPv6 range in codfw 2a02:ec80:a100::/48

https://gerrit.wikimedia.org/r/1078990

Maintenance_bot removed a project: Patch-For-Review.Oct 10 2024, 9:30 AM
gerritbot added a comment.Oct 10 2024, 10:25 AM

Change #1079237 had a related patch set uploaded (by Cathal Mooney; author: Cathal Mooney):

[operations/homer/public@master] Adjust cloudsw/cr bgp policies and include new IPv6 range for codfw

https://gerrit.wikimedia.org/r/1079237

gerritbot added a project: Patch-For-Review.Oct 10 2024, 10:25 AM
gerritbot added a comment.Oct 10 2024, 11:31 AM

Change #1079237 merged by jenkins-bot:

[operations/homer/public@master] Adjust cloudsw/cr bgp policies and include new IPv6 range for codfw

https://gerrit.wikimedia.org/r/1079237

gerritbot added a comment.Oct 10 2024, 11:42 AM

Change #1079252 had a related patch set uploaded (by Cathal Mooney; author: Cathal Mooney):

[operations/homer/public@master] Fix typos in updated prefix-list for cloud ranges eqiad

https://gerrit.wikimedia.org/r/1079252

gerritbot added a comment.Oct 10 2024, 11:45 AM

Change #1079252 merged by jenkins-bot:

[operations/homer/public@master] Fix typos in updated prefix-list for cloud ranges eqiad

https://gerrit.wikimedia.org/r/1079252

gerritbot added a comment.Oct 10 2024, 11:50 AM

Change #1079254 had a related patch set uploaded (by Cathal Mooney; author: Cathal Mooney):

[operations/homer/public@master] Fix similar typo in the codfw policy

https://gerrit.wikimedia.org/r/1079254

gerritbot added a comment.Oct 10 2024, 11:53 AM

Change #1079254 merged by jenkins-bot:

[operations/homer/public@master] Fix similar typo in the codfw policy

https://gerrit.wikimedia.org/r/1079254

Maintenance_bot removed a project: Patch-For-Review.Oct 10 2024, 12:32 PM
cmooney updated the task description. (Show Details)Oct 10 2024, 1:39 PM
cmooney updated the task description. (Show Details)Oct 10 2024, 1:42 PM
cmooney added a comment.Oct 10 2024, 1:53 PM

The edge (cloudsw/cr) networking is now complete, elements in the range are reachable externally.

cathal@officepc:~$ mtr -z -b -w -c 5 2a02:ec80:a100:fe03::1 
Start: 2024-10-10T14:35:25+0100
HOST: officepc                                                                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. AS5466   pool-ipv6-pd.agg1.srl.blp-srl.eir.ie (2001:bb6:8b70:9e00::1)        0.0%     5    0.4   0.4   0.3   0.5   0.1
  2. AS5466   agg1.srl.blp-srl.eircom.net (2001:bb0:6:a11d::1)                    0.0%     5    8.2   5.9   4.6   8.2   1.7
  3. AS5466   2001:bb0:6:a197::1                                                  0.0%     5    4.7   4.8   4.7   4.9   0.1
  4. AS1299   dln-b3-link.ip.twelve99.net (2001:2035:0:9eb::1)                    0.0%     5    4.7   4.7   4.4   4.8   0.1
  5. AS1299   ldn-bb2-v6.ip.twelve99.net (2001:2034:1:ca::1)                      0.0%     5   14.7  14.8  14.6  15.0   0.1
  6. AS1299   prs-bb2-v6.ip.twelve99.net (2001:2034:1:c1::1)                      0.0%     5   32.5  32.8  32.5  33.0   0.2
  7. AS1299   rest-bb1-v6.ip.twelve99.net (2001:2034:1:73::1)                    20.0%     5   98.2  98.1  97.9  98.2   0.1
  8. AS1299   atl-bb1-v6.ip.twelve99.net (2001:2034:1:a1::1)                      0.0%     5  115.0 114.6 114.2 115.0   0.3
  9. AS???    ???                                                                100.0     5    0.0   0.0   0.0   0.0   0.0
 10. AS???    ???                                                                100.0     5    0.0   0.0   0.0   0.0   0.0
 11. AS???    irb-1120.cloudsw1-b1-codfw.wikimedia.org (2a02:ec80:a100:fe03::1)   0.0%     5  132.7 132.8 132.7 133.0   0.2
cmooney@cloudgw2002-dev:~$ sudo tcpdump -i vlan2120 -l -p -nn host 2001:bb6:8b70:9e00::187
listening on vlan2120, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:51:35.790703 IP6 2001:bb6:8b70:9e00::187 > 2a02:ec80:a100:1::29c: ICMP6, echo request, id 6205, seq 97, length 64
13:51:36.814913 IP6 2001:bb6:8b70:9e00::187 > 2a02:ec80:a100:1::29c: ICMP6, echo request, id 6205, seq 98, length 64
gerritbot added a comment.Oct 10 2024, 1:54 PM

Change #1079288 had a related patch set uploaded (by Cathal Mooney; author: Cathal Mooney):

[operations/homer/public@master] Add orlonger to policy on announced v6 routes from cloudsw

https://gerrit.wikimedia.org/r/1079288

gerritbot added a project: Patch-For-Review.Oct 10 2024, 1:54 PM
gerritbot added a comment.Oct 14 2024, 10:25 AM

Change #1079288 abandoned by Cathal Mooney:

[operations/homer/public@master] Add orlonger to policy on announced v6 routes from cloudsw

https://gerrit.wikimedia.org/r/1079288

Maintenance_bot removed a project: Patch-For-Review.Oct 14 2024, 10:30 AM
gerritbot added a comment.Oct 14 2024, 11:21 AM

Change #1079982 had a related patch set uploaded (by Cathal Mooney; author: Cathal Mooney):

[operations/homer/public@master] Remove WMCS codfw prefix from CR aggregate conf and adjust outfilter

https://gerrit.wikimedia.org/r/1079982

gerritbot added a project: Patch-For-Review.Oct 14 2024, 11:21 AM
gerritbot added a comment.Oct 14 2024, 12:26 PM

Change #1079982 merged by jenkins-bot:

[operations/homer/public@master] Remove WMCS codfw prefix from CR aggregate conf and adjust outfilter

https://gerrit.wikimedia.org/r/1079982

Maintenance_bot removed a project: Patch-For-Review.Oct 14 2024, 12:31 PM
aborrero changed the status of subtask T374714: openstack: clarify IPv6 firewalling from Open to In Progress.Oct 14 2024, 3:34 PM
aborrero closed subtask T375847: openstack: initial IPv6 support in neutron as Resolved.Oct 15 2024, 11:20 AM
aborrero closed subtask T374716: cloudgw: add support and enable IPv6 as Resolved.Oct 16 2024, 2:48 PM
aborrero closed subtask T374714: openstack: clarify IPv6 firewalling as Resolved.Oct 16 2024, 3:00 PM
aborrero updated the task description. (Show Details)Oct 16 2024, 3:08 PM
aborrero changed the status of subtask T374715: openstack: work out IPv6 and designate integration from Open to In Progress.Oct 21 2024, 12:43 PM
aborrero changed the status of subtask T374715: openstack: work out IPv6 and designate integration from In Progress to Stalled.Oct 23 2024, 12:32 PM
aborrero updated the task description. (Show Details)Nov 15 2024, 12:45 PM
aborrero closed subtask T374715: openstack: work out IPv6 and designate integration as Resolved.
aborrero closed this task as Resolved.Nov 15 2024, 12:52 PM
aborrero claimed this task.
aborrero updated the task description. (Show Details)

I think we can consider IPv6 to be fully working on codfw1dev.

CodeReviewBot added a project: Patch-For-Review.Tue, Mar 25, 11:38 AM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/157

codfw1dev: network: rename them to better reflect what they do

CodeReviewBot added a comment.Tue, Mar 25, 12:18 PM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/157

codfw1dev: network: rename them to better reflect what they do

Maintenance_bot removed a project: Patch-For-Review.Tue, Mar 25, 12:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits