Page MenuHomePhabricator
Create Task
Maniphest T272587

cloud: current nova-fullstack mechanism requires cloudcontrol nodes to access individual VMs
Closed, ResolvedPublic
Actions

Description

As part of our effort to reduce Cloud NAT exceptions (see parent task and T272395), we discovered that the nova-fullstack mechanism access individual VMs using SSH.

For now we added an ACL exception to allow this, but that's not a long term solution (see T272486).

Some random ideas for a longer term solution:

  • allocate a floating IP and have nova-fullstack use it for SSH. This floating IP is reused for every test.
    • Perhaps we need a couple of floating IPs for flapping resilence...
    • This approach is expensive from the public IPv4 cost point of view
  • Rewrite nova-fullstack to don't do SSH tests
    • or do them using a mechanism other than direct SSH connection (perhaps console access?)
  • Use a CloudVPS bastion as jump host.
    • simple, direct and to the point.

Details

SubjectRepoBranchLines +/-
firewall: cloud-in4: drop cloudcontrol-novafullstack termoperations/homer/publicmaster+0 -23
nova-fullstack: remove test for puppet cert cleanupoperations/puppetproduction+0 -69
nova-fullstack: fix puppet cert cleanup check to use bastionoperations/puppetproduction+1 -0
Update the nova-fullstack monitoring to expect python3operations/puppetproduction+1 -1
nova_fullstack: one more python3 fixoperations/puppetproduction+1 -1
nova-fullstack test: fix the name of the new bastion-ip argoperations/puppetproduction+1 -1
nova-fullstack test: use a bastion proxy for ssh testsoperations/puppetproduction+33 -7
nova_fullstack_test.py: move to python3; fix pep8 violationsoperations/puppetproduction+8 -8
Customize query in gerrit

Related Objects
Search...

Event Timeline

aborrero triaged this task as Medium priority.Jan 21 2021, 12:10 PM
aborrero created this task.
aborrero removed a project: Epic.
aborrero moved this task from Inbox to Needs discussion on the cloud-services-team (Kanban) board.
aborrero updated the task description. (Show Details)
aborrero assigned this task to Andrew.Jan 27 2021, 4:23 PM
aborrero updated the task description. (Show Details)
aborrero updated the task description. (Show Details)
gerritbot added a comment.Jan 31 2021, 5:42 AM

Change 660613 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] nova-fullstack test: use a bastion proxy for ssh tests

https://gerrit.wikimedia.org/r/660613

gerritbot added a project: Patch-For-Review.Jan 31 2021, 5:42 AM
gerritbot added a comment.Jan 31 2021, 5:53 AM

Change 660615 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] nova_fullstack_test.py: move to python3; fix pep8 violations

https://gerrit.wikimedia.org/r/660615

gerritbot added a comment.Jan 31 2021, 6:08 AM

Change 660615 merged by Andrew Bogott:
[operations/puppet@production] nova_fullstack_test.py: move to python3; fix pep8 violations

https://gerrit.wikimedia.org/r/660615

gerritbot added a comment.Jan 31 2021, 6:09 AM

Change 660613 merged by Andrew Bogott:
[operations/puppet@production] nova-fullstack test: use a bastion proxy for ssh tests

https://gerrit.wikimedia.org/r/660613

Maintenance_bot removed a project: Patch-For-Review.Jan 31 2021, 6:10 AM
gerritbot added a comment.Jan 31 2021, 6:14 AM

Change 660617 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] nova-fullstack test: fix the name of the new bastion-ip arg

https://gerrit.wikimedia.org/r/660617

gerritbot added a project: Patch-For-Review.Jan 31 2021, 6:14 AM

Change 660617 merged by Andrew Bogott:
[operations/puppet@production] nova-fullstack test: fix the name of the new bastion-ip arg

https://gerrit.wikimedia.org/r/660617

gerritbot added a comment.Jan 31 2021, 6:18 AM

Change 660618 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] nova_fullstack: one more python3 fix

https://gerrit.wikimedia.org/r/660618

gerritbot added a comment.Jan 31 2021, 6:22 AM

Change 660618 merged by Andrew Bogott:
[operations/puppet@production] nova_fullstack: one more python3 fix

https://gerrit.wikimedia.org/r/660618

Andrew added a comment.Jan 31 2021, 6:26 AM

This test now uses a bastion on a public IP. We can now remove the ACL exception, assuming I didn't miss something.

Maintenance_bot removed a project: Patch-For-Review.Jan 31 2021, 7:10 AM
gerritbot added a comment.Jan 31 2021, 5:17 PM

Change 660639 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] Update the nova-fullstack monitoring to expect python3

https://gerrit.wikimedia.org/r/660639

gerritbot added a project: Patch-For-Review.Jan 31 2021, 5:17 PM

Change 660639 merged by Andrew Bogott:
[operations/puppet@production] Update the nova-fullstack monitoring to expect python3

https://gerrit.wikimedia.org/r/660639

gerritbot added a comment.Jan 31 2021, 5:37 PM

Change 660641 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] nova-fullstack: fix puppet cert cleanup check to use bastion

https://gerrit.wikimedia.org/r/660641

gerritbot added a comment.Jan 31 2021, 5:57 PM

Change 660641 merged by Andrew Bogott:
[operations/puppet@production] nova-fullstack: fix puppet cert cleanup check to use bastion

https://gerrit.wikimedia.org/r/660641

Maintenance_bot removed a project: Patch-For-Review.Jan 31 2021, 6:10 PM
gerritbot added a comment.Jan 31 2021, 8:00 PM

Change 660643 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] nova-fullstack: remove test for puppet cert cleanup

https://gerrit.wikimedia.org/r/660643

gerritbot added a project: Patch-For-Review.Jan 31 2021, 8:00 PM
gerritbot added a comment.Jan 31 2021, 8:06 PM

Change 660643 merged by Andrew Bogott:
[operations/puppet@production] nova-fullstack: remove test for puppet cert cleanup

https://gerrit.wikimedia.org/r/660643

Andrew reassigned this task from Andrew to aborrero.Feb 1 2021, 2:56 AM

I'm handing this back to @arturo to change the ACL and see what breaks

aborrero moved this task from Needs discussion to Soon! on the cloud-services-team (Kanban) board.Feb 3 2021, 4:21 PM
gerritbot added a comment.Apr 20 2021, 9:33 AM

Change 681316 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/homer/public@master] firewall: cloud-in: drop nova-fullstack term

https://gerrit.wikimedia.org/r/681316

gerritbot added a comment.Apr 20 2021, 4:27 PM

Change 681316 merged by Arturo Borrero Gonzalez:

[operations/homer/public@master] firewall: cloud-in4: drop cloudcontrol-novafullstack term

https://gerrit.wikimedia.org/r/681316

aborrero mentioned this in rOHPU282a59d6bd5b: firewall: cloud-in4: drop cloudcontrol-novafullstack term.Apr 20 2021, 4:29 PM
Stashbot added a comment.Apr 20 2021, 4:32 PM

Mentioned in SAL (#wikimedia-operations) [2021-04-20T16:32:04Z] <arturo> merging change to core route firewall https://gerrit.wikimedia.org/r/c/operations/homer/public/+/681316 (T272587)

aborrero closed this task as Resolved.Apr 20 2021, 4:32 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL