Bug 1132704
ship-it access for all masters
Status: RESOLVED FIXED
Opened 10 years ago, closed 10 years ago
Categories: Infrastructure & Operations Graveyard :: NetOps: DC ACL Request (task)
Tracking: Not tracked
People: Reporter: dustin, Assigned: jbarnell
On fw1.phx1, there's a rule,
security policies from-zone dc to-zone webapp policy-name shipit--http
which lists srv.releng.scl3 as a source range. We'd like to add to that the ranges
bb.releng.scl3 - 10.26.68.0/24
bb.releng.use1 - 10.26.134.0/24
bb.releng.usw2 - 10.26.132.0/24
Priority: today if possible --
17:28 <@nthomas> relman would like to start 36.0b9, so I think so
17:28 <@nthomas> late in cycle, time of essence, yada yada
Comment 1 • 10 years ago (Reporter)
We'll want to loop back to remove srv.releng.scl3 tomorrow, but that's lower priority and might break stuff, so not today.
Comment 3 • 10 years ago (Assignee)
jbarnell@fw1.phx1.mozilla.net# show | compare
[edit security policies from-zone dc to-zone webapp policy shipit--http match]
- source-address srv.releng.scl3;
+ source-address [ srv.releng.scl3 bb.releng.scl3 bb.releng.use1 bb.releng.usw2 ];
[edit security zones security-zone dc address-book]
address ldapmaster1.db.scl3 { ... }
+ address bb.releng.scl3 10.26.68.0/24;
+ address bb.releng.use1 10.26.134.0/24;
+ address bb.releng.usw2 10.26.132.0/24;
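Review bot: the two new entries bb.releng.use1 10.26.134.0/24 and bb.releng.usw2 10.26.132.0/24 both sit under 10.26, the same leading octets as bb.releng.scl3 10.26.68.0/24, even though the names point at three different sites; comment 5 on this bug gives 10.134.68.0/24 and 10.132.68.0/24 for them. Since shipit--http now references these names, check each prefix against the address of a real host at that site before committing: a wrong entry here both fails to admit the intended masters and admits an unintended /24.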
committing ...
Updated • 10 years ago (Assignee)
Assignee: network-operations → jbarnell
Comment 4 • 10 years ago (Assignee)
Please test and confirm the "add" functionality is working. We can discuss the deletes and cleanup tomorrow.
Comment 5 • 10 years ago
Sorry for the correction, but shouldn't that be:
bb.releng.use1 - 10.134.68.0/24
bb.releng.usw2 - 10.132.68.0/24
Comment 6 • 10 years ago (Reporter)
Ugh, if I had a brain I would have written
bb.releng.scl3 - 10.26.68.0/24
bb.releng.use1 - 10.134.68.0/24
bb.releng.usw2 - 10.132.68.0/24
We can clean that up tomorrow when we delete. The add for bb.releng.scl3 was the critical one, and it's working.
Updated • 10 years ago (Reporter)
Severity: critical → normal
Comment 7 • 10 years ago (Assignee)
Changed and committing
jbarnell@fw1.phx1.mozilla.net# show | compare
[edit security zones security-zone dc address-book]
address bb.releng.scl3 { ... }
- address bb.releng.use1 10.26.134.0/24;
+ address bb.releng.use1 10.134.68.0/24;
- address bb.releng.usw2 10.26.132.0/24;
+ address bb.releng.usw2 10.132.68.0/24;
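Review bot: replacing the values of bb.releng.use1 and bb.releng.usw2 in place changes what shipit--http permits without any policy line appearing in this diff, because the policy refers to the entries by name. State in the commit comment which policies reference these two entries, and confirm after the commit that 10.26.134.0/24 and 10.26.132.0/24 are no longer admitted.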
Please test and verify in a couple of minutes
Comment 8 • 10 years ago
Verified on buildbot-master82.bb.releng.scl3.mozilla.com, buildbot-master94.bb.releng.use1.mozilla.com, buildbot-master115.bb.releng.usw2.mozilla.com. Thanks for the quick fix.
Comment 9 • 10 years ago (Assignee)
(In reply to Dustin J. Mitchell [:dustin] from comment #1)
> We'll want to loop back to remove srv.releng.scl3 tomorrow, but that's lower
> priority and might break stuff, so not today.
Dustin, did you want the above address entry removed from FW1.PHX1?
Comment 10 • 10 years ago (Reporter)
Yes, please -- thanks for the poke.
Comment 11 • 10 years ago (Assignee)
Config diff
jbarnell@fw1.phx1.mozilla.net# show | compare
[edit security policies from-zone dc to-zone webapp policy aus4-admin-dev--https match]
- source-address [ winbuild.releng.scl3 build.releng.scl3 mpt-vpn aws-aus4-set srv.releng.scl3 ];
- destination-address aus4-admin-dev;
- application https;
+ source-address [ winbuild.releng.scl3 build.releng.scl3 mpt-vpn aws-aus4-set ];
+ destination-address aus4-admin-dev;
+ application https;
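Review bot: removing srv.releng.scl3 from the source-address list of aus4-admin-dev--https goes beyond the shipit--http policy this bug was opened for, and comment 1 warns that the removal might break stuff. Confirm with the owners of aus4-admin-dev that nothing in srv.releng.scl3 still needs https to it; the same applies to the aus4-admin--https hunk further down. The destination-address and application lines are re-emitted with identical values, so the source-address line is the only effective change here.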
[edit security policies from-zone dc to-zone webapp policy shipit--http match]
- source-address [ bb.releng.scl3 bb.releng.use1 bb.releng.usw2 srv.releng.scl3 ];
- destination-address ship-it-all;
- application [ junos-http junos-https ];
+ source-address [ bb.releng.scl3 bb.releng.use1 bb.releng.usw2 ];
+ destination-address ship-it-all;
+ application [ junos-http junos-https ];
[edit security policies from-zone dc to-zone webapp policy aus4-admin--https match]
- source-address [ winbuild.releng.scl3 build.releng.scl3 build-us-east-1a build-us-east-1b build-us-east-1c build-us-east-1d srv-us-east-1a srv-us-east-1b srv-us-east-1c srv-us-east-1d build-us-west-2a build-us-west-2b build-us-west-2c srv-us-west-2a srv-us-west-2b srv-us-west-2c build-us-east-1 build-us-west-2d srv.releng.scl3 ];
- destination-address aus4-admin-prod-zlb;
- application [ https junos-http ];
+ source-address [ winbuild.releng.scl3 build.releng.scl3 build-us-east-1a build-us-east-1b build-us-east-1c build-us-east-1d srv-us-east-1a srv-us-east-1b srv-us-east-1c srv-us-east-1d build-us-west-2a build-us-west-2b build-us-west-2c srv-us-west-2a srv-us-west-2b srv-us-west-2c build-us-east-1 build-us-west-2d ];
+ destination-address aus4-admin-prod-zlb;
+ application [ https junos-http ];
[edit security zones security-zone dc address-book]
- address srv.releng.scl3 10.26.48.0/22;
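Review bot: deleting the srv.releng.scl3 address-book entry (10.26.48.0/22) is what ties the two aus4 policies to this commit, since all three policies above that named the entry drop it here. Record in the bug that three policies were changed, not only shipit--http, so that a later access failure from 10.26.48.0/22 can be traced back to this commit.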
Updated • 10 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated • 3 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
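The comment 11 diff re-emits unchanged destination-address and application lines as -/+ pairs, which makes it harder to see that the only effective change in each policy is the removal of srv.releng.scl3. The following is an added example, not part of the bug or of Mozilla's tooling: a small Python parser (the function name effective_changes is hypothetical) that reduces `show | compare` output to the members actually added or removed per statement.

```python
import re
from collections import defaultdict

# Sample input: three of the four hunks from comment 11 on this page.
SAMPLE = """\
[edit security policies from-zone dc to-zone webapp policy aus4-admin-dev--https match]
- source-address [ winbuild.releng.scl3 build.releng.scl3 mpt-vpn aws-aus4-set srv.releng.scl3 ];
- destination-address aus4-admin-dev;
- application https;
+ source-address [ winbuild.releng.scl3 build.releng.scl3 mpt-vpn aws-aus4-set ];
+ destination-address aus4-admin-dev;
+ application https;
[edit security policies from-zone dc to-zone webapp policy shipit--http match]
- source-address [ bb.releng.scl3 bb.releng.use1 bb.releng.usw2 srv.releng.scl3 ];
- destination-address ship-it-all;
- application [ junos-http junos-https ];
+ source-address [ bb.releng.scl3 bb.releng.use1 bb.releng.usw2 ];
+ destination-address ship-it-all;
+ application [ junos-http junos-https ];
[edit security zones security-zone dc address-book]
- address srv.releng.scl3 10.26.48.0/22;
"""

def effective_changes(diff_text):
    """Map edit path -> {statement: (removed, added)}, dropping no-op rewrites."""
    sides = defaultdict(lambda: defaultdict(lambda: (set(), set())))
    path = None
    for line in diff_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[edit (.+)\]", line)
        if header:
            path = header.group(1)
            continue
        tokens = line[1:].rstrip(";").replace("[", " ").replace("]", " ").split()
        if path is None or line[:1] not in ("+", "-") or not tokens:
            continue  # context lines, CLI prompt, "committing ..."
        # "address NAME PREFIX": the entry name is part of the key
        split = 2 if tokens[0] == "address" else 1
        key = " ".join(tokens[:split])
        # index 0 collects the "-" side, index 1 the "+" side
        sides[path][key][line[0] == "+"].update(tokens[split:])
    changes = {}
    for path, statements in sides.items():
        for key, (old, new) in statements.items():
            if old != new:
                changes.setdefault(path, {})[key] = (sorted(old - new), sorted(new - old))
    return changes

if __name__ == "__main__":
    print(effective_changes(SAMPLE))
```

List members are compared as sets, so a pure reordering of a source-address list is also treated as no change.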