Configure Neutron VIP ports for tools and toolsbeta k8s haproxies
Closed, Resolved, Public

Description

VIPs were created by Arturo:

261bee38-7b03-4af1-ba28-6c15c082f812 172.16.2.161 toolsbeta-k8s-haproxy-keepalived-vip
67189dc3-5d51-46b3-b431-7022905177d1 172.16.6.113 tools-k8s-haproxy-keepalived-vip

Now they need to be configured to VMs:

aborrero@cloudcontrol1005:~ $ sudo wmcs-openstack --os-project-id toolsbeta server list | grep haproxy
| 9f103a2a-dfde-470a-b2ae-06f44a9b9e98 | toolsbeta-test-k8s-haproxy-4       | ACTIVE | lan-flat-cloudinstances2b=172.16.6.136               | debian-10.0-buster                         | g3.cores2.ram4.disk20                |
| 4ba594d7-7474-47dd-b359-302335f57c1d | toolsbeta-test-k8s-haproxy-3       | ACTIVE | lan-flat-cloudinstances2b=172.16.3.41                | debian-10.0-buster                         | g3.cores2.ram4.disk20                |
| 95f23fb7-3b84-4f2b-9802-11b385247c1e | toolsbeta-test-k8s-haproxy-2       | ACTIVE | lan-flat-cloudinstances2b=172.16.0.169               | debian-10.0-buster (deprecated 2019-12-15) |                                      |
| ba228903-c8a6-41d2-bec0-c43aec863ad0 | toolsbeta-test-k8s-haproxy-1       | ACTIVE | lan-flat-cloudinstances2b=172.16.0.146               | debian-10.0-buster (deprecated 2019-12-15) |                                      |
aborrero@cloudcontrol1005:~ 3s $ sudo wmcs-openstack --os-project-id toolsbeta port list | grep 172.16.6.136
| 42eeea77-6d0d-4c71-aba8-a85cc2ba10d1 |                                                    | fa:16:3e:02:1f:c7 | ip_address='172.16.6.136', subnet_id='a69bdfad-d7d2-4cfa-8231-3d6d3e0074c9' | ACTIVE |
aborrero@cloudcontrol1005:~ $ sudo wmcs-openstack --os-project-id toolsbeta port list | grep 172.16.3.41
| 71846912-5bda-41d4-a9dd-c494835a1660 |                                                    | fa:16:3e:e6:85:de | ip_address='172.16.3.41', subnet_id='a69bdfad-d7d2-4cfa-8231-3d6d3e0074c9'  | ACTIVE |

But policy seems broken:

13:12:32 <arturo> the command is almost fine :-) however I'm hitting a policy filter
13:12:39 <arturo> aborrero@cloudcontrol1005:~ 2s 1 $ sudo wmcs-openstack --os-project-id toolsbeta port set --allowed-address ip-address=172.16.2.161 42eeea77-6d0d-4c71-aba8-a85cc2ba10d1
13:12:39 <arturo> HttpException: 403: Client Error for url: http://openstack.eqiad1.wikimediacloud.org:9696/v2.0/ports/42eeea77-6d0d-4c71-aba8-a85cc2ba10d1, (rule:update_port and (rule:update_port:allowed_address_pairs and (rule:update_port:allowed_address_pairs:ip_address))) is disallowed by policy

Event Timeline

aborrero added a subscriber: Andrew.

@Andrew might be the last person who updated the API policy, may know offhand what to modify.

taavi removed Andrew as the assignee of this task. May 7 2021, 11:39 AM
taavi assigned this task to Andrew.
taavi updated the task description.

(edit conflict)

Mentioned in SAL (#wikimedia-cloud) [2021-05-07T13:51:41Z] <andrewbogott> add inherited 'admin' right to novaadmin user throughout eqiad1. I was trying to narrow down the rights here but lack of admin breaks some workflows, e.g. T281894 and T282235

Should be fixed by that
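
An added example, not part of the original task or of Wikimedia's tooling: once the `port set --allowed-address` call is accepted, a check like this confirms that each haproxy port allows exactly its VIP and nothing wider, since every allowed address pair is an exception to Neutron's anti-spoofing filter. It assumes port records shaped like `openstack port show -f json` output (a list of `ip_address`/`mac_address` dicts); the function names and the sample pair contents are constructed.

```python
import ipaddress

def audit_port(port, vip):
    """Findings for one port dict; an empty list means exactly the VIP is allowed."""
    want = ipaddress.ip_network(vip)  # a bare address parses as a /32
    nets, findings = [], []
    for pair in port.get("allowed_address_pairs") or []:
        try:
            nets.append(ipaddress.ip_network(pair["ip_address"], strict=False))
        except (KeyError, ValueError):
            findings.append(f"unparseable pair {pair!r}")
    # The VIP is usable on this port only if some pair covers it.
    if not any(n.version == want.version and want.subnet_of(n) for n in nets):
        findings.append(f"VIP {vip} not covered by any allowed address pair")
    for net in nets:
        if net == want:
            continue
        if net.num_addresses > 1:
            findings.append(f"{net} relaxes anti-spoofing for {net.num_addresses} addresses")
        else:
            findings.append(f"unexpected extra address {net.network_address}")
    return findings

def audit(ports, vip):
    """Map port id -> findings, keeping only ports that have something to report."""
    report = {p["id"]: audit_port(p, vip) for p in ports}
    return {pid: f for pid, f in report.items() if f}

# Constructed sample: port ids, MAC and VIP are from the task; the pair contents are invented.
TOOLSBETA_VIP = "172.16.2.161"
SAMPLE_PORTS = [
    {"id": "42eeea77-6d0d-4c71-aba8-a85cc2ba10d1",
     "allowed_address_pairs": [{"ip_address": "172.16.2.161", "mac_address": "fa:16:3e:02:1f:c7"}]},
    {"id": "71846912-5bda-41d4-a9dd-c494835a1660", "allowed_address_pairs": []},
    {"id": "constructed-port-with-wide-pair",
     "allowed_address_pairs": [{"ip_address": "172.16.0.0/21"}]},
]

if __name__ == "__main__":
    for port_id, findings in audit(SAMPLE_PORTS, TOOLSBETA_VIP).items():
        for finding in findings:
            print(f"{port_id}: {finding}")
```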