Closed
Bug 1053487
Opened 11 years ago
Closed 11 years ago
Lock down solitude db netops on stage
Categories
(Cloud Services :: Operations: Marketplace, task, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: andy+bugzilla, Assigned: jason)
Details
Solitude db on prod is locked down by netops so that it can't access remote servers, such as https://webservices.bango.com.
The stage servers can access remote servers and this brings up issues whereby we deploy to prod and then find that solitude db is unable to do something in prod.
Updated•11 years ago
Assignee: nobody → jthomas
Priority: -- → P1
Comment 1•11 years ago
I've locked solitude db on stage using the iptables ipt_owner module. solitude db stage should now only have outbound access to the payments-proxy vip.
Chain OUTPUT (policy ACCEPT 10648 packets, 6366K bytes)
pkts bytes target prot opt in out source destination
19 1288 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 8000 udp dpt:53
3 164 ACCEPT tcp -- * * 0.0.0.0/0 10.8.83.187 owner UID match 8000 tcp dpt:443
12 720 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 8000
-bash-4.1$ whoami
sol_stage
-bash-4.1$ host webservices.bango.com
webservices.bango.com has address 185.35.88.2
-bash-4.1$ nc -w 1 -v webservices.bango.com 443
nc: connect to webservices.bango.com port 443 (tcp) timed out: Operation now in progress
-bash-4.1$ host payments-proxy.allizom.org
payments-proxy.allizom.org is an alias for payments-zlb.stage.addons.phx1.mozilla.com.
payments-zlb.stage.addons.phx1.mozilla.com has address 10.8.83.187
-bash-4.1$ nc -w 1 -v 10.8.83.187 443
Connection to 10.8.83.187 443 port [tcp/https] succeeded!
-bash-4.1$ nc -w 1 -v mozilla.org 443
nc: connect to mozilla.org port 443 (tcp) timed out: Operation now in progress
nc: connect to mozilla.org port 443 (tcp) failed: Network is unreachable
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
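The ruleset in comment 1 is shown only as live `iptables -L -v -n` state. Below is an added example (it is not the bug's attachment and not Mozilla netops' configuration) that reproduces the same egress lockdown as reviewable commands and adds a check that a listing actually ends in the per-UID catch-all DROP. The values are assumptions taken from the listing: UID 8000 for the sol_stage account, 10.8.83.187 as the payments-proxy VIP on TCP 443, and UDP 53 left open so the VIP's DNS alias still resolves; the sample listings are constructed, not captured from stage.

```shell
#!/bin/sh
# Added example (not from the bug or from Mozilla's netops config): a
# reviewable egress lockdown for one service account using the iptables
# owner match, in the shape of the stage ruleset above. Assumed values:
# UID 8000 (the sol_stage account in the listing), proxy VIP 10.8.83.187
# on TCP 443, and UDP 53 left open so the proxy's DNS alias still resolves.
SOL_UID=${SOL_UID:-8000}
PROXY_VIP=${PROXY_VIP:-10.8.83.187}

# Print the rules in the order they must sit in OUTPUT: the owner match
# only sees locally generated packets, so the two ACCEPTs come first and
# the per-UID catch-all DROP last. Review, then pipe to `sh` as root.
egress_rules() {
    cat <<EOF
iptables -A OUTPUT -m owner --uid-owner $SOL_UID -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $SOL_UID -p tcp -d $PROXY_VIP --dport 443 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $SOL_UID -j DROP
EOF
}

# Audit a live `iptables -S OUTPUT` listing read from stdin: the lockdown
# holds only if the last rule mentioning the UID is an unqualified DROP
# (no -p/-d/--dport qualifier that would let other traffic slip past it).
# Usage on a host: iptables -S OUTPUT | audit_uid_lockdown 8000
audit_uid_lockdown() {
    uid=$1
    last=$(grep -F -- "--uid-owner $uid " | tail -n 1)
    [ "$last" = "-A OUTPUT -m owner --uid-owner $uid -j DROP" ]
}

# Constructed listings standing in for `iptables -S OUTPUT` output, so the
# audit can be exercised without root or a live firewall.
listing_locked() {
    cat <<EOF
-P OUTPUT ACCEPT
-A OUTPUT -p udp -m owner --uid-owner 8000 -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 10.8.83.187/32 -p tcp -m owner --uid-owner 8000 -m tcp --dport 443 -j ACCEPT
-A OUTPUT -m owner --uid-owner 8000 -j DROP
EOF
}

# Same rules with the catch-all missing: every ACCEPT is present, but the
# chain policy (ACCEPT) still lets the UID reach anything else.
listing_open() {
    listing_locked | grep -v -- '-j DROP'
}

if listing_locked | audit_uid_lockdown 8000; then
    echo "locked listing: UID 8000 confined to DNS and the proxy VIP"
fi
if ! listing_open | audit_uid_lockdown 8000; then
    echo "open listing: UID 8000 NOT confined (no catch-all DROP)"
fi
```

Two caveats a reviewer would raise against this shape of ruleset. The catch-all is a DROP, which is why the nc probes in comment 1 sit until the one-second timeout; a REJECT with `--reject-with tcp-reset` fails the application fast and leaves a clearer trace in its logs. And the DNS rule lets UID 8000 send UDP/53 to any address, which is a workable exfiltration channel; pinning that rule with `-d` to the site resolvers closes it, while TCP/53 fallback for large answers stays blocked under both versions. The listing in the comment is running state only; it has to be persisted (for example with iptables-save) or it disappears at the next reboot.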