Page MenuHomePhabricator
Create Task
Maniphest T350995

[openstack] cloudservices + Designate are using different source addresses for local vs. remote updates
Closed, ResolvedPublic
Actions

Description

(follow-up from T346385)

The problem

In cloudservices hosts, /etc/designate/pools.yaml contains several configuration values for OpenStack Designate. These values dictate what Designate writes to the pdns MariaDB database, running on the same cloudservices hosts.

After adding the new "private" vlan, cloudservices are using different source addresses for local vs. remote updates, which is not possible to describe correctly in pools.yaml.

This means that when a cloudservices host is added/reimaged, the database must be edited manually to set the right values (details documented here).

More details

In eqiad1, we have the following setup:

HostAllowed Masters
cloudservices1005185.15.56.162 (itself), 172.20.1.5 (cloudservices1006)
cloudservices1006185.15.56.163 (itself), 172.20.2.4 (cloudservices1005)

The destination addresses for updates will be 185.15.56.162 (ns0 / 1005) and 185.15.56.163 (ns1 / 1006). As those addresses are in the 185.15.56.0/24 network, the hosts will use their cloud-private interface to get there, hence the 172.20.x addressing rather than 10.x.

Ideally we could just have 185.15.56.162 and 185.15.56.163 on both, covering the local and remote system in either case. But instead we need a different pair of IPs on each, as the systems are using different source addresses for local vs. remote updates. We could include all 4 IPs on both, but that doesn't seem to work because pdns then expects to see updates coming from both IPs and complains that "I'm not getting updates from xxx.xxx.xxx.xxxx".

Details

SubjectRepoBranchLines +/-
P:openstack: rabbitmq: remove designate_hosts entirelyoperations/puppetproduction+0 -9
OpenStack Designate: move from cloudservices to cloudcontrols in eqiadoperations/puppetproduction+23 -41
Remove memcached cruft from codfw1dev cloudservice nodesoperations/puppetproduction+0 -2
Allow pdns to query designate-mdns on private interfacesoperations/puppetproduction+2 -1
designate pools.yaml: better distinguish between designate and pdns hostsoperations/puppetproduction+2 -2
Yet further attempt to fix memcached port for designateoperations/puppetproduction+1 -1
Further attempt to fix memcached port for designateoperations/puppetproduction+2 -1
Designate: replace mcrouter as part of designate servicesoperations/puppetproduction+31 -31
OpenStack Designate: move from cloudservices to cloudcontrols in codfw1devoperations/puppetproduction+70 -70
Customize query in gerrit

Related Objects

Event Timeline

fnegri created this task.Nov 10 2023, 4:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 10 2023, 4:57 PM
fnegri mentioned this in T346385: cloudservices1006 using 10. address to send DNS NOTIFYs to cloudservices1005.Nov 10 2023, 4:58 PM
aborrero added a project: User-aborrero.Feb 1 2024, 11:14 AM
aborrero moved this task from Backlog to Radar/observer on the User-aborrero board.Feb 1 2024, 12:58 PM
Andrew renamed this task from [openstack] cloudservices are using different source addresses for local vs. remote updates to [openstack] cloudservices + Designate are using different source addresses for local vs. remote updates.Feb 2 2024, 11:08 PM
Andrew added a comment.Feb 2 2024, 11:12 PM

This is silly, but I think the solution to this is moving Designate services onto cloudcontrol nodes. If we keep pdns on cloudservices nodes then all the traffic governed by clouds.yaml will be between hosts rather than local to one host, and we can use the private 172.x addresses everywhere.

I don't think there's a compelling reason for designate to be the one openstack service that lives elsewhere anyway, so this change might make our setup slightly more comprehensible. It will definitely simplify arturo's concern about galera grants in T340446

gerritbot added a comment.Feb 2 2024, 11:24 PM

Change 995369 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] OpenStack Designate: move from cloudservices to cloudcontrols in codfw1dev

https://gerrit.wikimedia.org/r/995369

gerritbot added a project: Patch-For-Review.Feb 2 2024, 11:25 PM
gerritbot added a comment.Feb 5 2024, 7:05 PM

Change 995369 merged by Andrew Bogott:

[operations/puppet@production] OpenStack Designate: move from cloudservices to cloudcontrols in codfw1dev

https://gerrit.wikimedia.org/r/995369

gerritbot added a comment.Feb 5 2024, 7:25 PM

Change 997539 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Designate: replace mcrouter as part of designate services

https://gerrit.wikimedia.org/r/997539

gerritbot added a comment.Feb 5 2024, 7:47 PM

Change 997539 merged by Andrew Bogott:

[operations/puppet@production] Designate: replace mcrouter as part of designate services

https://gerrit.wikimedia.org/r/997539

gerritbot added a comment.Feb 5 2024, 8:16 PM

Change 997553 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Further attempt to fix memcached port for designate

https://gerrit.wikimedia.org/r/997553

gerritbot added a comment.Feb 5 2024, 8:16 PM

Change 997554 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Remove memcached cruft from codfw1dev cloudservice nodes

https://gerrit.wikimedia.org/r/997554

gerritbot added a comment.Feb 5 2024, 8:17 PM

Change 997553 merged by Andrew Bogott:

[operations/puppet@production] Further attempt to fix memcached port for designate

https://gerrit.wikimedia.org/r/997553

gerritbot added a comment.Feb 5 2024, 8:34 PM

Change 997561 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Yet further attempt to fix memcached port for designate

https://gerrit.wikimedia.org/r/997561

gerritbot added a comment.Feb 5 2024, 8:39 PM

Change 997561 merged by Andrew Bogott:

[operations/puppet@production] Yet further attempt to fix memcached port for designate

https://gerrit.wikimedia.org/r/997561

gerritbot added a comment.Feb 5 2024, 9:15 PM

Change 997576 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] designate pools.yaml: better distinguish between designate and pdns hosts

https://gerrit.wikimedia.org/r/997576

gerritbot added a comment.Feb 5 2024, 9:24 PM

Change 997576 merged by Andrew Bogott:

[operations/puppet@production] designate pools.yaml: better distinguish between designate and pdns hosts

https://gerrit.wikimedia.org/r/997576

gerritbot added a comment.Feb 5 2024, 10:28 PM

Change 997597 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Allow pdns to query designate-mdns on private interfaces

https://gerrit.wikimedia.org/r/997597

gerritbot added a comment.Feb 6 2024, 1:28 AM

Change 997597 merged by Andrew Bogott:

[operations/puppet@production] Allow pdns to query designate-mdns on private interfaces

https://gerrit.wikimedia.org/r/997597

gerritbot added a comment.Feb 6 2024, 8:22 PM

Change 997554 merged by Andrew Bogott:

[operations/puppet@production] Remove memcached cruft from codfw1dev cloudservice nodes

https://gerrit.wikimedia.org/r/997554

Maintenance_bot removed a project: Patch-For-Review.Feb 6 2024, 8:31 PM
gerritbot added a comment.Feb 6 2024, 9:54 PM

Change 997965 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] OpenStack Designate: move from cloudservices to cloudcontrols in eqiad

https://gerrit.wikimedia.org/r/997965

gerritbot added a project: Patch-For-Review.Feb 6 2024, 9:54 PM
fnegri moved this task from Unsorted to DNS (Designate + pdns-recursor) on the Cloud-VPS board.Feb 7 2024, 6:45 PM
gerritbot added a comment.Feb 27 2024, 5:53 PM

Change 997965 merged by Andrew Bogott:

[operations/puppet@production] OpenStack Designate: move from cloudservices to cloudcontrols in eqiad

https://gerrit.wikimedia.org/r/997965

Maintenance_bot removed a project: Patch-For-Review.Feb 27 2024, 6:30 PM
Andrew closed this task as Resolved.Feb 27 2024, 6:45 PM
Andrew claimed this task.

I've moved Designate to cloudcontrol nodes, with pdns services still running on cloudservices nodes. This means we now have consistent addressing everywhere.

gerritbot added a comment.Feb 28 2024, 9:49 AM

Change 1007292 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:openstack: rabbitmq: remove designate_hosts entirely

https://gerrit.wikimedia.org/r/1007292

gerritbot added a project: Patch-For-Review.Feb 28 2024, 9:49 AM
gerritbot added a comment.Feb 28 2024, 1:07 PM

Change 1007292 merged by Majavah:

[operations/puppet@production] P:openstack: rabbitmq: remove designate_hosts entirely

https://gerrit.wikimedia.org/r/1007292

Maintenance_bot removed a project: Patch-For-Review.Feb 28 2024, 1:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits