Puppet Class: profile::lvs::realserver::ipip
- Defined in:
- modules/profile/manifests/lvs/realserver/ipip.pp
Overview
SPDX-License-Identifier: Apache-2.0
Class profile::lvs::realserver::ipip.
Sets up the LVS realserver dependencies to handle IPIP encapsulated ingress traffic
Parameters
- pools
-
Pools in the format: {$lvs_name => { services => [$svc1,$svc2,…] } where the services listed are the ones that are needed to serve the lvs pool. So for example if you need both apache and php7 to serve a request from a pool, both should be included.
- enabled
-
Whether to use IPIP encapsulation or not. Allows fine control per host. defaults to false.
- ipv4_mss
-
TCP MSS value for IPv4 traffic. Defaults to 1400 bytes
- ipv6_mss
-
TCP MSS value for IPv6 traffic. Defaults to 1400 bytes
- interfaces
-
Network interfaces handling egress traffic on the realserver. Defaults to the primary interface
20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 |
# File 'modules/profile/manifests/lvs/realserver/ipip.pp', line 20
class profile::lvs::realserver::ipip(
Hash $pools = lookup('profile::lvs::realserver::pools', {'default_value' => {}}),
Boolean $enabled = lookup('profile::lvs::realserver::ipip::enabled', {'default_value' => false}),
Integer[536, 1480] $ipv4_mss = lookup('profile::lvs::realserver::ipip::ipv4_mss', {'default_value' => 1400}),
Integer[1220, 1440] $ipv6_mss = lookup('profile::lvs::realserver::ipip::ipv6_mss', {'default_value' => 1400}),
Array[String, 1] $interfaces = lookup('profile::lvs::realserver::ipip::interfaces'),
) {
$present_pools = $pools.keys()
$services = wmflib::service::fetch(true).filter |$lvs_name, $svc| {$lvs_name in $present_pools}
$clamped_ipport = wmflib::service::get_ipport_for_ipip_services($services, $::site)
$ensure = stdlib::ensure($enabled)
# Provide ingress interfaces for both IPv4 and IPv6 traffic
interface::ipip { 'ipip_ipv4':
ensure => $ensure,
interface => 'ipip0',
family => 'inet',
address => '127.0.0.42',
}
interface::ipip { 'ipip_ipv6':
ensure => $ensure,
interface => 'ipip60',
family => 'inet6',
}
$interfaces.each |String $interface| {
interface::clsact { "clsact_${interface}":
ensure => $ensure,
interface => $interface,
}
}
# We need TCP MSS clamping here
package { 'tcp-mss-clamper':
ensure => $ensure,
}
$prometheus_addr = ':2200'
systemd::service { 'tcp-mss-clamper':
ensure => $ensure,
content => systemd_template('tcp-mss-clamper'),
monitoring_enabled => true,
monitoring_notes_url => 'https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments',
restart => false,
}
if $enabled {
exec { 'enable_tcp-mss-clamper_service':
command => '/usr/bin/systemctl enable tcp-mss-clamper.service',
unless => '/usr/bin/systemctl -q is-enabled tcp-mss-clamper.service',
require => Systemd::Service['tcp-mss-clamper'],
}
}
# Allow inbound IPIP && IP6IP6 traffic
ferm::rule { 'ipip':
ensure => $ensure,
rule => 'saddr 172.16.0.0/12 proto ipencap ACCEPT;',
domain => '(ip)',
}
ferm::rule { 'ip6ip6':
ensure => $ensure,
rule => 'saddr 0100::/64 proto ipv6 ACCEPT;',
domain => '(ip6)',
}
# monitor MSS values
prometheus::node_lvs_realserver_mss { 'lvs_clamped_ipport':
ensure => $ensure,
clamped_ipport => $clamped_ipport,
}
}
|