Solitude db on prod is locked down by netops so that it can't access remote servers, such as https://webservices.bango.com. The stage servers can access remote servers and this brings up issues whereby we deploy to prod and then find that solitude db is unable to do something in prod.
I've locked solitude db on stage using the iptables ipt_owner module. solitude db stage should now only have outbound access to the payments-proxy VIP.

Chain OUTPUT (policy ACCEPT 10648 packets, 6366K bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  1288 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 8000 udp dpt:53
    3   164 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.8.83.187          owner UID match 8000 tcp dpt:443
   12   720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 8000

-bash-4.1$ whoami
sol_stage
-bash-4.1$ host webservices.bango.com
webservices.bango.com has address 22.214.171.124
-bash-4.1$ nc -w 1 -v webservices.bango.com 443
nc: connect to webservices.bango.com port 443 (tcp) timed out: Operation now in progress
-bash-4.1$ host payments-proxy.allizom.org
payments-proxy.allizom.org is an alias for payments-zlb.stage.addons.phx1.mozilla.com.
payments-zlb.stage.addons.phx1.mozilla.com has address 10.8.83.187
-bash-4.1$ nc -w 1 -v 10.8.83.187 443
Connection to 10.8.83.187 443 port [tcp/https] succeeded!
-bash-4.1$ nc -w 1 -v mozilla.org 443
nc: connect to mozilla.org port 443 (tcp) timed out: Operation now in progress
nc: connect to mozilla.org port 443 (tcp) failed: Network is unreachable
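The chain listed in the comment above can be reproduced with three owner-match rules. The script below is an added example, not the commands the commenter ran and not part of any Mozilla tooling; it assumes the service user is UID 8000, the only permitted destination is the payments-proxy VIP 10.8.83.187 on TCP/443, and DNS goes out over UDP/53 (the values shown in the listing). By default it only prints the iptables commands; setting IPTABLES=iptables and running as root applies them.

```shell
#!/bin/sh
# Added example (not from the bug): per-UID egress lockdown with the iptables
# owner match, producing an OUTPUT chain like the one listed in the comment.
# Assumed values: service UID 8000, payments-proxy VIP 10.8.83.187, DNS on UDP/53.
# IPTABLES defaults to a dry run that echoes the commands; use IPTABLES=iptables
# (as root) to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"
SOL_UID="${SOL_UID:-8000}"
PROXY_VIP="${PROXY_VIP:-10.8.83.187}"

# egress_lockdown UID VIP
# The OUTPUT chain is first-match, so both ACCEPT rules must come before the
# catch-all DROP for the same UID. Other users on the host are not affected.
egress_lockdown() {
    uid="$1"
    vip="$2"
    # 1. DNS lookups (UDP/53) so the proxy hostname still resolves.
    $IPTABLES -A OUTPUT -m owner --uid-owner "$uid" -p udp --dport 53 -j ACCEPT
    # 2. HTTPS to the payments-proxy VIP only; any other destination on 443 is not matched here.
    $IPTABLES -A OUTPUT -m owner --uid-owner "$uid" -p tcp -d "$vip" --dport 443 -j ACCEPT
    # 3. Everything else from this UID is dropped. DROP discards silently, which is
    #    why the nc probes in the comment time out rather than failing immediately;
    #    -j REJECT --reject-with tcp-reset would give a fast, explicit failure.
    $IPTABLES -A OUTPUT -m owner --uid-owner "$uid" -j DROP
}

# egress_rollback UID VIP: delete the same three rules (same arguments, -D instead of -A).
egress_rollback() {
    uid="$1"
    vip="$2"
    $IPTABLES -D OUTPUT -m owner --uid-owner "$uid" -p udp --dport 53 -j ACCEPT
    $IPTABLES -D OUTPUT -m owner --uid-owner "$uid" -p tcp -d "$vip" --dport 443 -j ACCEPT
    $IPTABLES -D OUTPUT -m owner --uid-owner "$uid" -j DROP
}

# Dry run by default: prints the three commands for review.
egress_lockdown "$SOL_UID" "$PROXY_VIP"
```

After applying, `iptables -L OUTPUT -n -v` should show the same three rules as the listing above, and the packet counters on the DROP rule are a quick way to spot the service attempting connections that the lockdown blocks. Two caveats: the owner match only exists in the OUTPUT chain (locally generated packets), and the rules are not persistent across reboots unless saved with the distribution's mechanism (for example `iptables-save`). The rule set also does not allow DNS over TCP/53, so large responses that fall back to TCP would fail.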
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED