Bug 1053487 - Lock down solitude db netops on stage
Status: RESOLVED FIXED (Closed)
Opened 10 years ago
Closed 10 years ago
Categories: Cloud Services :: Operations: Marketplace, task, P1
Tracking: Not tracked
People: Reporter: andy+bugzilla, Assigned: jason
Details
Solitude db on prod is locked down by netops so that it can't access remote servers, such as https://webservices.bango.com. The stage servers can access remote servers, and this brings up issues whereby we deploy to prod and then find that solitude db is unable to do something in prod.
Updated•10 years ago
Assignee: nobody → jthomas
Priority: -- → P1
Comment 1•10 years ago
I've locked solitude db on stage using the iptables ipt_owner module. solitude db stage should now only have outbound access to the payments-proxy vip.

Chain OUTPUT (policy ACCEPT 10648 packets, 6366K bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  1288 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 8000 udp dpt:53
    3   164 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.8.83.187          owner UID match 8000 tcp dpt:443
   12   720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 8000

-bash-4.1$ whoami
sol_stage
-bash-4.1$ host webservices.bango.com
webservices.bango.com has address 185.35.88.2
-bash-4.1$ nc -w 1 -v webservices.bango.com 443
nc: connect to webservices.bango.com port 443 (tcp) timed out: Operation now in progress
-bash-4.1$ host payments-proxy.allizom.org
payments-proxy.allizom.org is an alias for payments-zlb.stage.addons.phx1.mozilla.com.
payments-zlb.stage.addons.phx1.mozilla.com has address 10.8.83.187
-bash-4.1$ nc -w 1 -v 10.8.83.187 443
Connection to 10.8.83.187 443 port [tcp/https] succeeded!
-bash-4.1$ nc -w 1 -v mozilla.org 443
nc: connect to mozilla.org port 443 (tcp) timed out: Operation now in progress
nc: connect to mozilla.org port 443 (tcp) failed: Network is unreachable
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
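As an added illustration (not part of the bug or of the comment above), the following Python models the OUTPUT chain from comment 1: it parses the three `iptables -L OUTPUT -v -n` rule lines and evaluates an outbound connection by UID, protocol, destination and port with netfilter's first-match semantics, showing why DNS and the proxy VIP on 443 get through for UID 8000, why everything else from that UID is dropped, and why other UIDs fall through to the chain's ACCEPT policy. It assumes UID 8000 is the account the owner match refers to, and it ignores interfaces, connection tracking and any rules in other chains.

```python
import re
from ipaddress import ip_address, ip_network

# Chain policy taken from the "Chain OUTPUT (policy ACCEPT ...)" header in the comment.
CHAIN_POLICY = "ACCEPT"

# The three rule lines from the comment's `iptables -L OUTPUT -v -n` listing
# (header lines omitted; column whitespace reconstructed).
LISTING = """\
   19  1288 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 8000 udp dpt:53
    3   164 ACCEPT tcp -- * * 0.0.0.0/0 10.8.83.187 owner UID match 8000 tcp dpt:443
   12   720 DROP   all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 8000
"""

def parse_rule(line):
    """Parse one `-L -v -n` line: nine fixed columns, then the match extras."""
    fields = line.split()
    _pkts, _bytes, target, proto, _opt, _in, _out, _src, dst = fields[:9]
    extras = " ".join(fields[9:])
    uid = re.search(r"owner UID match (\d+)", extras)
    dport = re.search(r"dpt:(\d+)", extras)
    return {
        "target": target,
        "proto": None if proto == "all" else proto,       # "all" matches any protocol
        "dst": ip_network(dst if "/" in dst else dst + "/32"),
        "uid": int(uid.group(1)) if uid else None,        # None: not an owner-match rule
        "dport": int(dport.group(1)) if dport else None,  # None: any destination port
    }

RULES = [parse_rule(line) for line in LISTING.splitlines()]

def verdict(uid, proto, dst, dport, rules=RULES, policy=CHAIN_POLICY):
    """Return the target of the first rule matching this outbound packet,
    or the chain policy when no rule matches (first-match-wins semantics)."""
    for rule in rules:
        if rule["uid"] is not None and rule["uid"] != uid:
            continue
        if rule["proto"] is not None and rule["proto"] != proto:
            continue
        if ip_address(dst) not in rule["dst"]:
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        return rule["target"]
    return policy
```

Feeding it the addresses resolved in the comment reproduces the observed behaviour: 185.35.88.2:443 from UID 8000 is dropped, 10.8.83.187:443 is accepted, and a constructed UID 1000 is untouched by the lock-down.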