Page MenuHomePhabricator
Create Task
Maniphest T273865

Investigate Capirca
Closed, ResolvedPublic
Actions

Description

As we only operates 1 network vendor, we currently have 2 types of network ACLs:

  1. SRX security policies, zone to zone stateful rules on the payment firewall as well as the management routers
  2. Firewall filters, stateless rules applied to L3 interfaces on all routers (core, payment, management)
  • Both types have a distinct syntax
  • Security policies are managed either by a homemade tool written by the fundraising-tech team, or manually for the management routers
  • Firewall filters are centrally managed (in Homer) but manually written
  • Any SRE (and fr-tech) can (and does) write new ACLs, push to the devices are done either by the SREs (after netops review) or by Netops directly

This raises the following problems:

  • Multiple tools and processes, higher learning curve and turnaround time on change requests:
  • Syntax typos
    • Not always caught until being pushed to prod (and rejected by the device linter)
  • Entities typos
    • Wrong IP or wrong prefix length
  • Stale rules
  • Lack of consistency
    • IPs defined in prefix-lists or directly in the rules
    • Discrepancies between v4 and v6 rules

The natural next step now that Homer automates most network configuration, is to provide a standardized and automated way of managing ACLs, leveraging Netbox, the source of truth.
Looking at the landscape of existing open-source tools, one stands out.

Capirca is an actively maintained open source tool made by Google.

It consists of different moving parts:

  • Definition files
    • Services: port/protocol, port-ranges/protocol, nestable sets of services
    • Network: IP, prefixes, nestable sets of IP/prefixes
  • Policy files
    • ACL rules using the previously defined services and networks in a custom format
  • Capirca library
    • Takes the above files as input and generates ACLs in a format compatible with a given platform (Junos, SRX, iptables, etc)

An example (high level) usage could be:

  1. Define the services (ports/protocols) once for the whole infrastructure
  2. Populate the network definition file partially from Netbox
    • At least devices IPs, create groups per hosts prefixes (all bast, all cp, etc)
    • Potentially network prefixes as well
  3. Manually define network for the remaining usecases
  4. Convert existing policies to their Capirca format
    • Cleaning them up in the process
    • Most likely manually
  5. In Homer, for each device (or device roles) define which policies to apply
  6. When running Homer, ACLs will be added to the pushed config and diffs

This would solve all the problems listed above, either directly or thanks to the audit required to convert them.

  • Multiple tools and processes
    • Consolidated to a single tool, potentially 2 processes if used by frack and required for PCI compliance
  • Syntax typos
    • Caught by Capirca locally during the execution
  • Entities typos
    • Less risk as defined only once, and potentially coming from Netbox
  • Stale rules
    • Will be removed automatically when a host/IP is removed
  • Lack of consistency
    • A “network” set can consist of v4 and v6 IPs helping with consistency, defined from Netbox would ensure consistency

In addition it would bring the following advantages (not all currently needed):

  • Multi-platform support, might make things easier if if move away from Junos
  • Shadow check (a policy rule making the following one useless)
  • Optimization (eg. 2 contiguous /32s are merged in a /31)
  • Specific flow testing (“can IPx reach IPy through that ACL?”)

On the other hand, there are some possible limitations:

  • Network prefixes don’t have names in Netbox, so assigning a relevant variable name might be challenging
    • Existing fields could be leveraged (roles, sites, status, description, etc)
  • Fetching all hosts IPs from Netbox might be too slow for being an option
    • Might be better to “pre-compile” the list on Netbox hosts using a plugin
  • Policies use a custom syntax, something like YAML would have been better
  • Capirca’s code is complex (at least to me, even though I sent PRs years ago)

Other concerns

  • It might not be worth the efforts as our ACLs don’t change often
  • There are rumors of Capirca’ successor to be open-sourced by Google in the future

The scope of this task is to discuss network ACLs management in general, and evaluate Capirca for that role. Possibly other tools if any.

Details

SubjectRepoBranchLines +/-
Move core routers border-in filter to Capircaoperations/homer/publicmaster+194 -350
Move core routers loopback filter to Capircaoperations/homer/publicmaster+141 -248
Move sandbox filter to Capircaoperations/homer/publicmaster+278 -99
Bump Capirca to 2.0.4operations/software/homermaster+1 -1
Capirca: disable shade checkoperations/software/homermaster+2 -2
Capirca POCoperations/homer/publicmaster+1 K -2 K
Port cloud-in4 to Capircaoperations/homer/publicmaster+216 -326
Homer: get Capirca definitions from Netboxoperations/puppetproduction+2 -0
Add Capirca support to Homeroperations/software/homermaster+140 -9
Add Capirca definitions exporteroperations/software/netbox-extrasmaster+90 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedayounsiT273865 Investigate Capirca

Event Timeline

ayounsi triaged this task as Medium priority.Feb 4 2021, 10:59 AM
ayounsi created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 4 2021, 10:59 AM
Maintenance_bot added a project: SRE.Feb 4 2021, 11:45 AM
ayounsi added a subscriber: Jgreen.Feb 8 2021, 8:55 AM
gerritbot added a comment.Feb 11 2021, 10:25 AM

Change 663535 had a related patch set uploaded (by Ayounsi; owner: Ayounsi):
[operations/homer/public@master] Capirca POC

https://gerrit.wikimedia.org/r/663535

gerritbot added a project: Patch-For-Review.Feb 11 2021, 10:25 AM
gerritbot added a comment.Feb 11 2021, 10:28 AM

Change 663536 had a related patch set uploaded (by Ayounsi; owner: Ayounsi):
[operations/software/homer@master] Capirca POC

https://gerrit.wikimedia.org/r/663536

ayounsi added a comment.EditedFeb 11 2021, 11:15 AM

Limitations identified:

Some ACLs currently have Jinja code in them, which is not possible through Capirca.
The easiest cases have (or can) be mitigated by either:

  • removing the feature flag
  • moving the logic to Homer/Capirca. For example the ACLs needed only need eqiad/codfw can be specified with a local override:
capirca:
  - cr   #<- normal core router ACLs
  - cr-cloud   # <- core site addon

But one is currently more tricky:

{% if ping_offload_redirect | d(false)  %}
term offload-ping4 {
    from {
        destination-address {
            {{ ping_offload_vip }};
        }
        protocol icmp;
        icmp-type echo-request;
    }
    then {
        next-ip {{ ping_offload_redirect }}/32;
    }
}
{% endif %}

As it embed site specific IPs.
One possible way to work around it is to keep the term in a dedicated filter (in the current firewall.conf file) and import it in a generic way:

term offload-ping4  {
    filter offload-ping4 ;
}

Side advantage is that it can also be used in filter transport-in4.

2nd limitation is that we use per family prefix-list. Eg. wikimedia4 and wikimedia6 while Capirca is not able to use the relevant one depending on IP version in use.
One workaround (used in this POC), is to not use prefix-list in those cases, but have Capirca generate destination-address based on the definition files.

On the positive side, the current state of the POC doesn't show significant blockers. ACLs can progressively be ported to Capirca (doesn't need to be all or nothing). It also supports (untested) ACLs from homer-private

Next to test is how to generate the network definitions from Netbox, most likely using a plugin, and fetch it from Netbox at run time. https://gerrit.wikimedia.org/r/666876

If deemed viable:

  • put the Capirca in it's own Homer class and improve error handling
  • Test more extensively homer-private ACLs (and maybe network definitions)
  • figure out how to package Capirca (pypi version is old)
  • streamline directory structure
  • transition more ACLs
  • write doc/train people

Note that most of the above is out of scope for the POC.

gerritbot added a comment.Feb 25 2021, 12:00 PM

Change 666876 had a related patch set uploaded (by Ayounsi; owner: Ayounsi):
[operations/software/netbox-extras@master] Add Capirca definitions exporter

https://gerrit.wikimedia.org/r/666876

ayounsi mentioned this in T277146: Authoritative ports list.Mar 11 2021, 10:11 AM
Stashbot added a comment.Mar 22 2021, 7:51 AM

Mentioned in SAL (#wikimedia-operations) [2021-03-22T07:51:24Z] <elukey> stop/start mariadb instances on dbstore1004 to reduce buffer pool memory settings - T273865

gerritbot added a comment.Mar 25 2021, 4:31 PM

Change 666876 merged by Ayounsi:
[operations/software/netbox-extras@master] Add Capirca definitions exporter

https://gerrit.wikimedia.org/r/666876

ayounsi mentioned this in rOSNEb5bbc2d1638b: Add Capirca definitions exporter.Mar 25 2021, 4:33 PM
gerritbot added a comment.Apr 5 2021, 7:13 AM

Change 663536 merged by jenkins-bot:

[operations/software/homer@master] Add Capirca support to Homer

https://gerrit.wikimedia.org/r/663536

ayounsi mentioned this in rOSHO6fc6b4a7b641: Add Capirca support to Homer.Apr 5 2021, 7:14 AM
gerritbot added a comment.Apr 21 2021, 8:12 PM

Change 681775 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/puppet@production] Homer: get Capirca definitions from Netbox

https://gerrit.wikimedia.org/r/681775

gerritbot added a comment.Apr 27 2021, 8:23 AM

Change 681775 merged by Ayounsi:

[operations/puppet@production] Homer: get Capirca definitions from Netbox

https://gerrit.wikimedia.org/r/681775

Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 8:59 PM
gerritbot added a comment.Jun 23 2021, 11:58 AM

Change 701085 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/homer/public@master] Port cloud-in4 to Capirca

https://gerrit.wikimedia.org/r/701085

gerritbot added a comment.Jun 28 2021, 11:43 AM

Change 701085 merged by jenkins-bot:

[operations/homer/public@master] Port cloud-in4 to Capirca

https://gerrit.wikimedia.org/r/701085

ayounsi mentioned this in rOHPUde3d438b0473: Port cloud-in4 to Capirca.Jun 28 2021, 11:54 AM
ayounsi moved this task from Backlog to Work in Progress / Tasks to Do on the netbox board.Aug 10 2021, 1:40 PM
ayounsi moved this task from Backlog to In Progress on the Infrastructure-Foundations board.Aug 12 2021, 9:32 AM
joanna_borun changed the task status from Open to In Progress.Sep 21 2021, 4:00 PM
ayounsi changed the task status from In Progress to Stalled.Dec 6 2021, 3:39 PM

Waiting for Capirca upstream to merge PRs.

ayounsi changed the task status from Stalled to In Progress.Dec 17 2021, 9:57 AM

Finally merged!

gerritbot added a comment.Dec 17 2021, 10:05 AM

Change 748080 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/homer/public@master] Move sandbox filter to Capirca

https://gerrit.wikimedia.org/r/748080

gerritbot added a comment.Dec 17 2021, 11:18 AM

Change 748098 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/homer/public@master] Move core routers loopback filter to Capirca

https://gerrit.wikimedia.org/r/748098

gerritbot added a comment.Dec 17 2021, 12:25 PM

Change 748111 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/homer/public@master] Move core routers border-in filter to Capirca

https://gerrit.wikimedia.org/r/748111

gerritbot added a comment.Dec 17 2021, 1:18 PM

Change 663535 abandoned by Ayounsi:

[operations/homer/public@master] Capirca POC

Reason:

Moved to Ic1c558b388f31f1c6454299b6f051c67cf030638 and next in chain.

https://gerrit.wikimedia.org/r/663535

gerritbot added a comment.Dec 23 2021, 10:08 AM

Change 749696 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/software/homer@master] Capirca: disable shade check

https://gerrit.wikimedia.org/r/749696

ayounsi added a parent task: Restricted Task.Jan 3 2022, 3:06 PM
gerritbot added a comment.Jan 4 2022, 9:25 AM

Change 749696 merged by jenkins-bot:

[operations/software/homer@master] Capirca: disable shade check

https://gerrit.wikimedia.org/r/749696

gerritbot added a comment.Jan 4 2022, 9:26 AM

Change 751391 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/software/homer@master] Bump Capirca to 2.0.4

https://gerrit.wikimedia.org/r/751391

ayounsi mentioned this in rOSHO59f6a7a8a773: Capirca: disable shade check.Jan 4 2022, 9:54 AM
gerritbot added a comment.Jan 17 2022, 6:52 PM

Change 751391 merged by jenkins-bot:

[operations/software/homer@master] Bump Capirca to 2.0.4

https://gerrit.wikimedia.org/r/751391

ayounsi mentioned this in rOSHO63bc1871a0e8: Bump Capirca to 2.0.4.Jan 17 2022, 7:17 PM
gerritbot added a comment.Jan 31 2022, 1:48 PM

Change 748080 merged by jenkins-bot:

[operations/homer/public@master] Move sandbox filter to Capirca

https://gerrit.wikimedia.org/r/748080

gerritbot added a comment.Feb 2 2022, 3:27 PM

Change 748098 merged by jenkins-bot:

[operations/homer/public@master] Move core routers loopback filter to Capirca

https://gerrit.wikimedia.org/r/748098

gerritbot added a comment.Feb 3 2022, 2:02 PM

Change 748111 merged by jenkins-bot:

[operations/homer/public@master] Move core routers border-in filter to Capirca

https://gerrit.wikimedia.org/r/748111

ayounsi closed this task as Resolved.Feb 4 2022, 9:15 AM

We're now using Capirca to manage most of our router ACLs

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL