Closed Bug 1214356 Opened 10 years ago Closed 10 years ago

Open up flows for plan-b-bugzilla-stage replication back to scl3

Categories

(Infrastructure & Operations Graveyard :: NetOps: DC ACL Request, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gozer, Assigned: scabral)

Details

Cleaner rework of bug 1204119: Flows for MySQL replication between AWS stage and SCL3.

The flows should allow bi-directional mysql traffic on tcp/3306.

SCL3 Stage DBs:
  bugzilla1.stage.db.scl3.mozilla.com (10.22.70.43)
  bugzilla2.stage.db.scl3.mozilla.com (10.22.70.44)

AWS:
  us-east-1:
    StagePrivateSubnetAZ1Cidr (10.162.14.96/27)
    StagePrivateSubnetAZ2Cidr (10.162.14.128/27)
    StagePrivateSubnetAZ3Cidr (10.162.14.160/27)
  us-west-2:
    StagePrivateSubnetAZ1Cidr (10.164.14.96/27)
    StagePrivateSubnetAZ2Cidr (10.164.14.128/27)
    StagePrivateSubnetAZ3Cidr (10.164.14.160/27)
marking as assigned.
Status: NEW → ASSIGNED
Sheeri - please let me know when it is safe to configure the security policies to allow stage DBs in SCL3 talk to stage DBs in AWS? Thank you.
Flags: needinfo?(scabral)
Replication user 'repl' is configured to only use SSL, so it's safe to configure the security policies for bugzilla stage dbs in scl3 to talk to AWS stage dbs now.
Flags: needinfo?(scabral)
These security policies have been put into place.

Policy: allow-nubis-stage-mysql, action-type: permit, State: enabled, Index: 150, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 2
  From zone: db, To zone: vpc
  Source addresses:
    bugzilla2.stage.db.scl3: 10.22.70.44/32
    bugzilla1.stage.db.scl3: 10.22.70.43/32
  Destination addresses:
    us-west-2-stage-3: 10.164.14.160/27
    us-west-2-stage-2: 10.164.14.128/27
    us-west-2-stage-1: 10.164.14.96/27
    us-east-1-stage-3: 10.162.14.160/27
    us-east-1-stage-2: 10.162.14.128/27
    us-east-1-stage-1: 10.162.14.96/27
  Application: mysql
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [3306-3306]

and

Policy: allow-nubis-stage-mysql, action-type: permit, State: enabled, Index: 165, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 2
  From zone: vpc, To zone: db
  Source addresses:
    us-west-2-stage-3: 10.164.14.160/27
    us-west-2-stage-2: 10.164.14.128/27
    us-west-2-stage-1: 10.164.14.96/27
    us-east-1-stage-3: 10.162.14.160/27
    us-east-1-stage-2: 10.162.14.128/27
    us-east-1-stage-1: 10.162.14.96/27
  Destination addresses:
    bugzilla2.stage.db.scl3: 10.22.70.44/32
    bugzilla1.stage.db.scl3: 10.22.70.43/32
  Application: mysql
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination port range: [3306-3306]

and the diff:

dcurado@fw1.ops.scl3.mozilla.net> show configuration | compare rollback 1 | no-more [edit security policies from-zone db to-zone vpc] policy allow-mysql-to-nubis-prod { ... } + /* 1214356 */ + policy allow-nubis-stage-mysql { + match { + source-address [ bugzilla1.stage.db.scl3 bugzilla2.stage.db.scl3 ]; + destination-address planb-stage; + application mysql; + } + then { + permit; + } + } [edit security policies from-zone vpc to-zone db] policy allow-mysql-from-nubis-prod { ...
} + /* 1214356 */ + policy allow-nubis-stage-mysql { + match { + source-address planb-stage; + destination-address [ bugzilla1.stage.db.scl3 bugzilla2.stage.db.scl3 ]; + application mysql; + } + then { + permit; + } + } [edit security zones security-zone db address-book] address bugzilla8.db.scl3 { ... } + address bugzilla1.stage.db.scl3 10.22.70.43/32; + address bugzilla2.stage.db.scl3 10.22.70.44/32;
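Review bot: the `planb-stage` address referenced by both new policies is not defined anywhere in this compare; the only address-book hunk adds the two bugzilla*.stage.db.scl3 entries to the db zone, so `planb-stage` must be a pre-existing object in the vpc zone address book (the printed policies above show it expanding to the six stage /27s). It is worth noting that dependency in the bug or in the `/* 1214356 */` comment, because any later edit to `planb-stage` silently widens or narrows these flows, and the flows themselves permit plain tcp/3306 in both directions with no restriction to SSL on the wire; the confidentiality control is whatever the MySQL side enforces on the `repl` account.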
Status: ASSIGNED → UNCONFIRMED
Ever confirmed: false
Assignee: dcurado → scabral
Flows verified working, now, all that's missing is the MySQL ACLs. :sheeri?

ubuntu@ip-10-162-14-146:~$ telnet 10.22.70.44 3306
Trying 10.22.70.44...
Connected to 10.22.70.44.
Escape character is '^]'.
FHost '10.162.14.146' is not allowed to connect to this MySQL server
Connection closed by foreign host.

ubuntu@ip-10-162-14-146:~$ telnet 10.22.70.43 3306
Trying 10.22.70.43...
Connected to 10.22.70.43.
Escape character is '^]'.
FHost '10.162.14.146' is not allowed to connect to this MySQL server
Connection closed by foreign host.
Added MySQL ACLs to the repl user with the STAGE password from these hosts:

  10.162.13.96/255.255.255.224
  10.162.13.128/255.255.255.224
  10.162.13.160/255.255.255.224
  10.164.13.96/255.255.255.224
  10.164.13.128/255.255.255.224
  10.164.13.160/255.255.255.224

Did not require any SSL, as they are going over a VPN pipe now.

Resolving, I think that's all that was left here.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
(In reply to Sheeri Cabral [:sheeri] from comment #6)
> Added MySQL ACLs to the repl user with the STAGE password from these hosts:

Hosts look like the wrong ones:

us-east-1:
  StagePrivateSubnetAZ1Cidr (10.162.14.96/255.255.224)
  StagePrivateSubnetAZ2Cidr (10.162.14.128/255.255.224)
  StagePrivateSubnetAZ3Cidr (10.162.14.160/255.255.224)
us-west-2:
  StagePrivateSubnetAZ1Cidr (10.164.14.96/255.255.224)
  StagePrivateSubnetAZ2Cidr (10.164.14.128/255.255.224)
  StagePrivateSubnetAZ3Cidr (10.164.14.160/255.255.224)
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: FIXED → ---
ack, I did .13. instead of .14. Fixed, here's what I have now:

mysql> select user,host from mysql.user where user='repl' and ssl_type='';
+------+-------------------------------+
| user | host                          |
+------+-------------------------------+
| repl | 10.162.14.96/255.255.255.224  |
| repl | 10.162.14.128/255.255.255.224 |
| repl | 10.162.14.160/255.255.255.224 |
| repl | 10.164.14.96/255.255.255.224  |
| repl | 10.164.14.128/255.255.255.224 |
| repl | 10.164.14.160/255.255.255.224 |
+------+-------------------------------+
6 rows in set (0.00 sec)
Status: REOPENED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard