1053487 - Lock down solitude db netops on stage

Status: RESOLVED FIXED

(Cloud Services :: Operations: Marketplace, task, P1)

Description

[Andy McKay]

Solitude db on prod is locked down by netops so that it can't access remote servers, such as https://webservices.bango.com. 

The stage servers can access remote servers and this brings up issues where by we deploy to prod and then find that solitude db is unable to do something in prod.

Comment 1

[Jason Thomas [:jason]]

I've locked solitude db on stage using iptables ipt_owner module. solitude db stage should now only have outbound access to payments-proxy vip.

Chain OUTPUT (policy ACCEPT 10648 packets, 6366K bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  1288 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 8000 udp dpt:53
    3   164 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.8.83.187         owner UID match 8000 tcp dpt:443
   12   720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 8000


-bash-4.1$ whoami
sol_stage
-bash-4.1$ host webservices.bango.com
webservices.bango.com has address 185.35.88.2
-bash-4.1$ nc -w 1 -v webservices.bango.com 443
nc: connect to webservices.bango.com port 443 (tcp) timed out: Operation now in progress
-bash-4.1$ host payments-proxy.allizom.org
payments-proxy.allizom.org is an alias for payments-zlb.stage.addons.phx1.mozilla.com.
payments-zlb.stage.addons.phx1.mozilla.com has address 10.8.83.187
-bash-4.1$ nc -w 1 -v 10.8.83.187 443
Connection to 10.8.83.187 443 port [tcp/https] succeeded!
-bash-4.1$ nc -w 1 -v mozilla.org 443
nc: connect to mozilla.org port 443 (tcp) timed out: Operation now in progress
nc: connect to mozilla.org port 443 (tcp) failed: Network is unreachable