Page MenuHomePhabricator
Create Task
Maniphest T411081

Improve how virt networks are configured in cloudgw
Closed, ResolvedPublic
Actions

Description

The cloudgw configuration for virt networks[0] is a bit of a mess, as the system was initially set up with a single v4-only network for Cloud VPS VMs and an another network for floating IPs. Over the years it has grown organically to support features like multiple networks and floating IP pools, IPv6, and most recently tenant networks with no internet connectivity (T394099)

The end result of that is a config that is spread across multiple manually maintained Hiera keys all using slightly different formats:

profile::wmcs::cloudgw::virt_subnets_cidr:
  # old legacy vlan-based subnet
  - 172.16.0.0/21
  # vxlan dualstak subnet
  - 172.16.16.0/21
  # vxlan ipv4 only subnet
  - 172.16.8.0/21
profile::wmcs::cloudgw::virt_subnets_cidr_v6:
  - 2a02:ec80:a000::/55
profile::wmcs::cloudgw::virt_internal_subnets_cidr:
  # octavia-lb-mgmt-net
  - 172.16.24.0/24
profile::wmcs::cloudgw::virt_floating: [185.15.56.0/25]

I propose transforming this to a single array with all of the different networks listed, perhaps something like this:

profile::wmcs::cloudgw::virt_subnets:
  # VLAN/legacy
  - networks:
      - 172.16.0.0/21
    type: default
  # VXLAN/IPv4-only
  - networks:
      - 172.16.8.0/21
    type: default
  # VXLAN/IPv6-dualstack
  - networks:
      - 172.16.16.0/21
      - 2a02:ec80:a000:1::/64
    type: default
  # octavia-lb-mgmt-net
  - networks:
      - 172.16.24.0/24
      - 2a02:ec80:a000:100::/64
    # no internet connectivity
    type: internal
  # cloud-eqiad1-floating
  - networks:
      - 185.15.56.0/25
    type: floating

While this has some benefits on its own (namely, a format that's a bit more friendly to work with as it resembles more the format used for the same data in other places), the main benefit is that this is relatively easy to transform to a format with more than one place to route the networks to, which'll be needed for Toolforge-on-Metal. This is even more of a hypothetical example and not a definite final version, but just as an example the end goal could be something like this:

profile::wmcs::cloudgw::virt_interfaces:
  vlan1107:
    own_ip4: 185.15.56.234
    # remaining configuration to bring the interface up moved here ...
  vlanNNNN:
    # configuration for the toolforge-on-metal interface here ...
profile::wmcs::cloudgw::virt_targets:
  neutron:
    peer:
      interface: vlan1107
      address4: 185.15.56.238
      address6: 2a02:ec80:a000:fe04::2:1
    networks:
      # VLAN/legacy
      - networks:
          - 172.16.0.0/21
        type: default
      # VXLAN/IPv4-only
      - networks:
          - 172.16.8.0/21
        type: default
      # VXLAN/IPv6-dualstack
      - networks:
          - 172.16.16.0/21
          - 2a02:ec80:a000:1::/64
        type: default
      # octavia-lb-mgmt-net
      - networks:
          - 172.16.24.0/24
          - 2a02:ec80:a000:100::/64
        # no internet connectivity
        type: internal
      # cloud-eqiad1-floating
      - networks:
          - 185.15.56.0/25
        type: floating
  toolforge:
    peer:
      interface: vlanNNN
      # ...
    networks:
      # ...
      - networks: [192.0.2.0/24]
        type: default

[0]: currently: subnets used by Cloud VPS virtual networks (Neutron), soon also including Toolforge-on-Metal related networks

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
P:wmcs::cloudgw: Implement new virt network config structureoperations/puppetproduction+95 -87
hieradata: cloudgw: Configure individual v6 networksoperations/puppetproduction+4 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

taavi created this task.Nov 26 2025, 10:23 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 26 2025, 10:23 AM
taavi added a parent task: T407140: Plan networking for Toolforge-on-Metal experiment.Nov 26 2025, 10:23 AM
taavi added subscribers: cmooney, fgiunchedi.

/cc @cmooney @fgiunchedi, just wanted to get your opinion on whether this looks reasonable or whether I'm missing something obvious here before I start writing the patches for this.

fgiunchedi added a comment.Nov 26 2025, 10:31 AM

Looks good to me! Definitely good to refactor these bits

cmooney added a comment.Nov 26 2025, 1:11 PM

@taavi broadly this looks good to me, nicely done.

I wonder how binding interfaces to VRFs works here? Might it make sense to also have a key in profile::wmcs::cloudgw::virt_interfaces for each virtual interface which can define if it's a member of a VRF? (perhaps that's covered in "remaining configuration to bring the interface up moved here"?).

Certainly I'm not opposed to this at all, I think I probably need to have some bits explained as to how it all fits together but seems sane.

gerritbot added a comment.Nov 26 2025, 1:12 PM

Change #1211667 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] hieradata: cloudgw: Configure individual v6 networks

https://gerrit.wikimedia.org/r/1211667

gerritbot added a project: Patch-For-Review.Nov 26 2025, 1:12 PM
fgiunchedi added a comment.Nov 27 2025, 10:23 AM

Something I wanted to add: I'm not very familiar with that part of the puppet codebase though I was wondering if we can start referring to the networks and their attributes by name. It will enable us to have puppet code e.g. "give me the subnets for VXLAN/IPv6-dualstack, either v4 or v6 or both", in other words get to more understandable and manageable code/understanding. Ditto for other attributes/properties for a given network like its gateway, etc. Let me know what you think!

gerritbot added a comment.Dec 1 2025, 9:36 AM

Change #1211667 merged by Majavah:

[operations/puppet@production] hieradata: cloudgw: Configure individual v6 networks

https://gerrit.wikimedia.org/r/1211667

Maintenance_bot removed a project: Patch-For-Review.Dec 1 2025, 10:31 AM
taavi triaged this task as High priority.Dec 1 2025, 11:40 AM
gerritbot added a comment.Dec 1 2025, 11:56 AM

Change #1213436 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:wmcs::cloudgw: Implement new virt network config structure

https://gerrit.wikimedia.org/r/1213436

gerritbot added a project: Patch-For-Review.Dec 1 2025, 11:56 AM
akosiaris subscribed.Dec 1 2025, 3:10 PM
gerritbot added a comment.Dec 2 2025, 3:09 PM

Change #1213436 merged by Majavah:

[operations/puppet@production] P:wmcs::cloudgw: Implement new virt network config structure

https://gerrit.wikimedia.org/r/1213436

Maintenance_bot removed a project: Patch-For-Review.Dec 2 2025, 3:31 PM
taavi added a comment.Dec 2 2025, 3:32 PM
In T411081#11412295, @fgiunchedi wrote:

Something I wanted to add: I'm not very familiar with that part of the puppet codebase though I was wondering if we can start referring to the networks and their attributes by name. It will enable us to have puppet code e.g. "give me the subnets for VXLAN/IPv6-dualstack, either v4 or v6 or both", in other words get to more understandable and manageable code/understanding. Ditto for other attributes/properties for a given network like its gateway, etc. Let me know what you think!

That data is sort of already in Puppet in modules/network/data/data.yaml - if we want to make the network stuff re-usable by name then we should be extending that instead of building yet another thing.

taavi closed this task as Resolved.Dec 2 2025, 3:32 PM
taavi mentioned this in T411509: Octavia network public access inconsistency.Dec 2 2025, 3:37 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits