Page MenuHomePhabricator
Create Task
Maniphest T374714

openstack: clarify IPv6 firewalling
Closed, ResolvedPublic
Actions

Description

A few things to clarify:

  • VMs are not protected by NAT anymore. Figure out the right firewalling semantics.
  • We need to make sure neutron security groups works as expected using IPv6.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
cloudgw: forward all VRF traffic without restrictions for IPv6operations/puppetproduction+4 -9
Customize query in gerrit

Related Objects
Search...

Event Timeline

aborrero created this task.Sep 13 2024, 12:48 PM
Restricted Application removed a subscriber: taavi. · View Herald TranscriptSep 13 2024, 12:48 PM
aborrero removed a subtask: T374715: openstack: work out IPv6 and designate integration.Sep 13 2024, 12:50 PM
aborrero mentioned this in T245495: CloudVPS: IPv6 in codfw1dev.Sep 13 2024, 12:54 PM
aborrero triaged this task as Medium priority.Sep 18 2024, 2:08 PM
ayounsi removed projects: Infrastructure-Foundations, netops.Sep 24 2024, 1:56 PM
taavi added a project: Cloud-VPS.Sep 28 2024, 11:33 AM
taavi moved this task from Unsorted to Network on the Cloud-VPS board.
aborrero renamed this task from openstack: verify security groups settings for IPv6 to openstack: clarify IPv6 firewalling.Oct 14 2024, 3:33 PM
aborrero updated the task description. (Show Details)
CodeReviewBot added a project: Patch-For-Review.Oct 14 2024, 3:33 PM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/96

codfw1dev: default secgroup: refresh IPv6 settings

aborrero changed the task status from Open to In Progress.Oct 14 2024, 3:34 PM
aborrero claimed this task.
aborrero edited projects, added User-aborrero; removed SRE.
aborrero moved this task from Backlog to Doing on the User-aborrero board.Oct 14 2024, 3:45 PM
CodeReviewBot added a comment.Oct 15 2024, 10:17 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/96

codfw1dev: default secgroup: refresh IPv6 settings

Maintenance_bot removed a project: Patch-For-Review.Oct 15 2024, 10:31 AM
CodeReviewBot added a project: Patch-For-Review.Oct 15 2024, 10:31 AM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/98

codfw1dev: default secgroup: fix ICMP in IPv6

CodeReviewBot added a comment.Oct 15 2024, 10:32 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/98

codfw1dev: default secgroup: fix ICMP in IPv6

gerritbot added a comment.Oct 15 2024, 11:27 AM

Change #1080267 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/puppet@production] cloudgw: forward all VRF traffic without restrictions for IPv6

https://gerrit.wikimedia.org/r/1080267

gerritbot added a comment.Oct 15 2024, 11:32 AM

Change #1080267 merged by Arturo Borrero Gonzalez:

[operations/puppet@production] cloudgw: forward all VRF traffic without restrictions for IPv6

https://gerrit.wikimedia.org/r/1080267

Stashbot added a comment.Oct 15 2024, 11:33 AM

Mentioned in SAL (#wikimedia-cloud) [2024-10-15T11:33:17Z] <arturo> cloudgw maintenance, firewall change for T374714

aborrero added a comment.Oct 15 2024, 12:12 PM

problem detected: remote_group_name parameter in tofu-infra security group rules is not getting resolved.

Maintenance_bot removed a project: Patch-For-Review.Oct 15 2024, 12:31 PM
aborrero added a comment.Oct 16 2024, 7:59 AM
In T374714#10228685, @aborrero wrote:

problem detected: remote_group_name parameter in tofu-infra security group rules is not getting resolved.

fixed with this https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/99

aborrero closed this task as Resolved.EditedOct 16 2024, 3:00 PM

For now, the semantics are:

  • the default neutron security group in each project will allow: all egress IPv6 traffic, inbound IPv6 traffic only from the same tenant
  • if the IPv6-enabled VM wants to be directly reachable from the internet in its IPv6 address, it can be configured via another security group.
  • the perimetral firewall at cloudgw does not enforce anything related to IPv6. All IPv6 traffic is free to flow at this point of the edge network, until we decide to introduce cloud-wide filters or whatever.
aborrero mentioned this in T377467: Decision Request - How to do the Cloud VPS VXLAN/IPv6 migration.Oct 24 2024, 7:50 AM
aborrero changed the status of subtask T377339: horizon: enable IPv6 security group panels from Open to In Progress.Nov 15 2024, 12:03 PM
aborrero closed subtask T377339: horizon: enable IPv6 security group panels as Resolved.Nov 15 2024, 12:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits