Page MenuHomePhabricator
Create Task
Maniphest T402372

magru: move sandbox vlan to routed Ganeti
Closed, ResolvedPublic
Actions

Description

The only hosts in the sandbox vlan are the RIPE Atlas anchors. Most of them VMs in the "old" Ganeti clusters, one (codfw) still a physical box.

Now that we're migrating Ganeti to routed Ganeti, we need to be able to have routed Anchors and decom the old sandbox vlan, re-using their IP spaces.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
asw1-b3-magru: remove sandbox firewalloperations/homer/publicmaster+0 -3
Routed ganeti: fix nftables typoesoperations/puppetproduction+6 -7
Routed ganeti: improve firewallingoperations/puppetproduction+51 -7
nftables: Configure a directory with rules affecting the forward chainoperations/puppetproduction+7 -0
Add magru sandbox prefixes to routed ganeti rangesoperations/homer/publicmaster+4 -0
Add sandbox vlan to routed ganetioperations/puppetproduction+12 -6
Customize query in gerrit

Related Objects
Search...

Event Timeline

ayounsi created this task.Aug 20 2025, 9:02 AM
Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptAug 20 2025, 9:02 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Aug 20 2025, 9:03 AM

Change #1180143 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/puppet@production] Add sandbox vlan to routed ganeti

https://gerrit.wikimedia.org/r/1180143

gerritbot added a project: Patch-For-Review.Aug 20 2025, 9:03 AM
ayounsi added a comment.Aug 20 2025, 9:07 AM

vlan sandbox1-b3-magru deleted as well as its switch IRB.
IP ranges converted to the virtual-machines role: https://netbox.wikimedia.org/ipam/prefixes/?q=sandbox&role_id=41&site_id=11

gerritbot added a comment.Aug 20 2025, 9:08 AM

Change #1180150 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/homer/public@master] Add magru sandbox prefixes to routed ganeti ranges

https://gerrit.wikimedia.org/r/1180150

ayounsi updated the task description. (Show Details)Aug 20 2025, 9:11 AM
ayounsi updated the task description. (Show Details)
ayounsi added a subtask: T355042: Add source interface to firewall::service puppet class.
gerritbot added a comment.Aug 20 2025, 11:52 AM

Change #1180143 merged by Ayounsi:

[operations/puppet@production] Add sandbox vlan to routed ganeti

https://gerrit.wikimedia.org/r/1180143

gerritbot added a comment.Aug 20 2025, 12:01 PM

Change #1180150 merged by jenkins-bot:

[operations/homer/public@master] Add magru sandbox prefixes to routed ganeti ranges

https://gerrit.wikimedia.org/r/1180150

Maintenance_bot removed a project: Patch-For-Review.Aug 20 2025, 12:30 PM
gerritbot added a comment.Aug 20 2025, 2:45 PM

Change #1180579 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/puppet@production] [WIP] Routed ganeti: improve firewalling

https://gerrit.wikimedia.org/r/1180579

gerritbot added a project: Patch-For-Review.Aug 20 2025, 2:45 PM
MoritzMuehlenhoff triaged this task as Medium priority.Aug 20 2025, 2:48 PM
gerritbot added a comment.Aug 21 2025, 7:48 AM

Change #1180734 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] nftables: Configure a directory with rules affecting the forward chain

https://gerrit.wikimedia.org/r/1180734

gerritbot added a comment.Aug 21 2025, 8:45 AM

Change #1180734 merged by Muehlenhoff:

[operations/puppet@production] nftables: Configure a directory with rules affecting the forward chain

https://gerrit.wikimedia.org/r/1180734

gerritbot added a comment.Aug 25 2025, 12:28 PM

Change #1180579 merged by Ayounsi:

[operations/puppet@production] Routed ganeti: improve firewalling

https://gerrit.wikimedia.org/r/1180579

Maintenance_bot removed a project: Patch-For-Review.Aug 25 2025, 12:30 PM
gerritbot added a comment.Aug 25 2025, 12:43 PM

Change #1181696 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/puppet@production] Routed ganeti: fix nftables typoes

https://gerrit.wikimedia.org/r/1181696

gerritbot added a project: Patch-For-Review.Aug 25 2025, 12:43 PM
gerritbot added a comment.Aug 25 2025, 12:51 PM

Change #1181696 merged by Ayounsi:

[operations/puppet@production] Routed ganeti: fix nftables typoes

https://gerrit.wikimedia.org/r/1181696

Maintenance_bot removed a project: Patch-For-Review.Aug 25 2025, 1:31 PM
ayounsi updated the task description. (Show Details)Aug 25 2025, 2:04 PM
gerritbot added a comment.Aug 26 2025, 10:02 AM

Change #1182109 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/homer/public@master] asw1-b3-magru: remove sandbox firewall

https://gerrit.wikimedia.org/r/1182109

gerritbot added a project: Patch-For-Review.Aug 26 2025, 10:02 AM
gerritbot added a comment.Aug 26 2025, 10:10 AM

Change #1182109 merged by jenkins-bot:

[operations/homer/public@master] asw1-b3-magru: remove sandbox firewall

https://gerrit.wikimedia.org/r/1182109

Maintenance_bot removed a project: Patch-For-Review.Aug 26 2025, 10:31 AM
ayounsi added a comment.Sep 2 2025, 4:17 PM

magru Anchor is back online. It did require some remote help from the RIPE team, especially to configure v6. v4 worked out of the box, even without the the proper netmask.

ayounsi closed this task as Resolved.Sep 3 2025, 8:08 AM
ayounsi claimed this task.
ayounsi updated the task description. (Show Details)
ayounsi mentioned this in T403580: esams: move sandbox vlan to routed Ganeti.Sep 3 2025, 8:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits