1148099 - Enable inbound access to NRPE (tcp/5666) on vcssync{1,2}

Status: RESOLVED FIXED

(Release Engineering :: General, defect)

Description

[hwine]

details are in bug 1135266 comment 5

Per arr in irc, current AWS security group doesn't allow. Likely a new one needs to be created and applied to these hosts.

Comment 1

[Amy Rich [:arr] [:arich]]

afaik, rail, catlee, and dustin are the ones with perms to update the cloud-tools repo.

Currently this uses the default sg which is ssh from anywhere. Hal, what hosts actually need to connect to port 22 on these two boxes?

Comment 2

[hwine]

(In reply to Amy Rich [:arich] [:arr] from comment #1)
> Currently this uses the default sg which is ssh from anywhere. Hal, what
> hosts actually need to connect to port 22 on these two boxes?

We don't have any admin or jump hosts for this role yet. All admins need access (dev-services + pmoore + me). Some sort of restricted access will be added when boxes moved to dev-services AWS account, but that isn't planned out at this time.

Neither of these hosts produce repositories that are used in official builds at this time.

Comment 3

[Amy Rich [:arr] [:arich]]

Attachment: securitygroups.yml.diff

If you don't need any special inbound ports, I suggest you just create a new SG with the standard inbound allowances.

This doesn't have anything to do with roles or accounts, it's just a restriction on inbound and outbound IP/port access.

Comment 4

[Amy Rich [:arr] [:arich]]

Can someone with access to merge this please check it in and merge it?

Comment 5

[Dustin J. Mitchell [:dustin] (he/him)]

Pushed (there's no merging in this repo) and deployed.

Comment 6

[Amy Rich [:arr] [:arich]]

Hal: you'll need to switch your instances to use the new security group.

Comment 7

[hwine]

Not done - per comment 0 needs to be applied to hosts, which requires console access, which I don't have.

Comment 8

[Dustin J. Mitchell [:dustin] (he/him)]

I can do it

Comment 9

[Dustin J. Mitchell [:dustin] (he/him)]

changed