Closed
Bug 1177102
Opened 10 years ago
Closed 10 years ago
Allow access to carbon.hostedgraphite.com:2003 from cruncher.srv.releng.scl3.mozilla.com
Categories
(Infrastructure & Operations Graveyard :: NetOps: DC ACL Request, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: catlee, Assigned: dcurado)
Details
Sometime around June 19th we stopped being able to post metrics to carbon.hostedgraphite.com:2003.
Did something change with the firewall configs that would account for this?
Comment 1•10 years ago
set groups global-policies security policies from-zone <*> to-zone untrust policy hostedgraphite--carbon match source-address any
set groups global-policies security policies from-zone <*> to-zone untrust policy hostedgraphite--carbon match destination-address hostedgraphite
set groups global-policies security policies from-zone <*> to-zone untrust policy hostedgraphite--carbon match application carbon
set groups global-policies security policies from-zone <*> to-zone untrust policy hostedgraphite--carbon then permit
set security zones security-zone untrust address-book address hostedgraphite-1 88.198.22.7/32
set security zones security-zone untrust address-book address hostedgraphite-2 78.46.92.172/32
set security zones security-zone untrust address-book address hostedgraphite-3 78.46.93.167/32
set security zones security-zone untrust address-book address hostedgraphite-4 178.63.9.197/32
set security zones security-zone untrust address-book address-set hostedgraphite address hostedgraphite-1
set security zones security-zone untrust address-book address-set hostedgraphite address hostedgraphite-2
set security zones security-zone untrust address-book address-set hostedgraphite address hostedgraphite-3
set security zones security-zone untrust address-book address-set hostedgraphite address hostedgraphite-4
yet
dustin@ramanujan ~ $ host carbon.hostedgraphite.com
carbon.hostedgraphite.com has address 188.40.44.78
carbon.hostedgraphite.com has address 178.63.102.147
carbon.hostedgraphite.com has address 85.10.209.147
carbon.hostedgraphite.com has address 178.63.111.130
carbon.hostedgraphite.com has address 178.63.55.74
carbon.hostedgraphite.com has address 144.76.225.8
carbon.hostedgraphite.com has address 78.46.164.248
carbon.hostedgraphite.com has address 178.63.67.197
carbon.hostedgraphite.com has address 46.4.107.110
carbon.hostedgraphite.com has address 178.63.52.69
carbon.hostedgraphite.com has address 178.63.87.135
carbon.hostedgraphite.com has address 178.63.61.13
carbon.hostedgraphite.com has address 78.46.96.16
carbon.hostedgraphite.com has address 176.9.31.240
It seems we should contact hostedgraphite and find out if they have a stable set of IP addresses which we can whitelist.
Comment 2•10 years ago (Reporter)
hostedgraphite doesn't maintain stable IP addresses for their endpoints. They recommend regularly resolving the domain name and updating the whitelist with the A records.
Can we update the firewalls with the current addresses for now?
Comment 3•10 years ago
netops: that's the list in comment 1, and should replace the existing "hostedgraphite" address-set
To my knowledge, there's no way to make these changes automatically (e.g., firewall resolves the hostname periodically). If that's not the case, let me know!
Please leave the bug open and I will update fwunit to verify that these remain correct. That will at least alert us when the address-set needs to be re-written.
Comment 4•10 years ago (Assignee)
Working on this...
Doing business with a SaaS company who can't maintain static IP addresses is (obviously) kind of a problem. Doesn't really scale for us.
I recommend sending the vendor this feedback.
I have updated the address-set to use the above listed 14 new IP addresses.
dcurado@fw1.ops.releng.scl3.mozilla.net> ...security-zone untrust address-book address-set hostedgraphite
address hostedgraphite-1;
address hostedgraphite-2;
address hostedgraphite-3;
address hostedgraphite-4;
address hostedgraphite-5;
address hostedgraphite-6;
address hostedgraphite-7;
address hostedgraphite-8;
address hostedgraphite-9;
address hostedgraphite-10;
address hostedgraphite-11;
address hostedgraphite-12;
address hostedgraphite-13;
address hostedgraphite-14;
Please let me know if there are any problems?
Thanks -- Dave
Assignee: network-operations → dcurado
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated•3 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
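The periodic check discussed in comments 2 and 3 (re-resolve the hostname and compare its A records with the firewall address-set), as an added example that is not part of the original bug thread and is not fwunit's code. The function names are hypothetical, and the sample config and resolved addresses are constructed from documentation ranges.

```python
import ipaddress
import re
import socket

ZONE = r"^set security zones security-zone (\S+) address-book "
ADDR_RE = re.compile(ZONE + r"address (\S+) (\S+)$")
SET_RE = re.compile(ZONE + r"address-set (\S+) address (\S+)$")

def address_set_networks(config, zone, set_name):
    """Expand a Junos address-set (in `set` format) to the networks it permits."""
    book, members = {}, []
    for line in map(str.strip, config.splitlines()):
        addr, member = ADDR_RE.match(line), SET_RE.match(line)
        if addr and addr.group(1) == zone:
            book[addr.group(2)] = ipaddress.ip_network(addr.group(3))
        elif member and member.group(1) == zone and member.group(2) == set_name:
            members.append(member.group(3))
    # A set member without an address-book entry raises KeyError: fail loudly.
    return {book[name] for name in members}

def resolve_a_records(hostname):
    """Current IPv4 addresses for hostname (live DNS; unused in the sample run)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {ipaddress.ip_address(info[4][0]) for info in infos}

def drift(networks, resolved):
    """Return (missing, stale): IPs the policy would drop, entries no record uses."""
    missing = {ip for ip in resolved if not any(ip in net for net in networks)}
    stale = {net for net in networks if not any(ip in net for ip in resolved)}
    return missing, stale

# Constructed sample data (documentation ranges), shaped like comment 1.
PREFIX = "set security zones security-zone untrust address-book "
SAMPLE_CONFIG = "\n".join([
    PREFIX + "address hostedgraphite-1 192.0.2.7/32",
    PREFIX + "address hostedgraphite-2 192.0.2.172/32",
    PREFIX + "address-set hostedgraphite address hostedgraphite-1",
    PREFIX + "address-set hostedgraphite address hostedgraphite-2",
])
SAMPLE_RESOLVED = {ipaddress.ip_address(a)
                   for a in ("192.0.2.7", "198.51.100.78", "198.51.100.147")}

if __name__ == "__main__":
    nets = address_set_networks(SAMPLE_CONFIG, "untrust", "hostedgraphite")
    missing, stale = drift(nets, SAMPLE_RESOLVED)
    for ip in sorted(missing):
        print("MISSING from address-set:", ip)
    for net in sorted(stale):
        print("STALE in address-set:", net)
```

Stale entries deserve the same alert as missing ones, since they keep permitting egress to addresses the vendor may no longer hold. For a live check, pass the result of `resolve_a_records("carbon.hostedgraphite.com")` as `resolved`.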